CrowdSec

CrowdSec: IDS/IPS/WAF Community
Old decisions with long duration are eventually lost

My active decisions hover at around 100, and old decisions with a long duration are removed before they have expired.
OS: Ubuntu 24.04
LAPI Version: 1.6.8
Number of Agents: 9...

Looking into appsec setup, it looks like some CVEs are disabled; should I enable / update them, and how?

Ran this command and found there are a few disabled, and if I manually update it, it seems to stay disabled:

```
docker exec crowdsec cscli appsec-rules list -a | grep disabled
crowdsecurity/vpatch-CVE-2021-43798 🚫 disabled 0.3
crowdsecurity/vpatch-CVE-2023-0600 🚫 disabled 0.1
...
```

crowdsec appsec - access User-Agent header within hooks

Hello! We use hooks to evaluate requests and add exceptions; currently the documentation is rather slim in this area. Is there any way to access the "User-Agent" header for evaluation? Example of how we use it to check a request URI (appsec config)...

detect ddos attack

Hello, is there a way to detect DDoS attacks with CrowdSec? I was attacked, but there was no detection on the CrowdSec side.

Delete decision doesn't work on the site

Hi, not sure if this works for anyone else, but for me it doesn't work to delete decisions on the site. It just keeps spinning and the decision is not removed. The decisions can be removed with 'cscli decisions'. This works fine....

Safely update openresty?

Can we safely do sudo apt upgrade to update openresty without breaking the bouncer? I am getting this error and don't want to break anything...

```
You might want to run 'apt --fix-broken install' to correct these....
```

Attack via URL

We sometimes experience very CPU-consuming attacks on the URL from websites. I counted around 20 attacks per second. I don't think that CrowdSec is able to combat these. Is this right? If I have to create a scenario, I would trigger on "%2F%2A%2A%2F" in the URL one time and then say goodbye to the attacking IP address. Is this a good way? Thanks!...

Docker

I'm looking at adding CrowdSec to my home setup. I have Traefik and Authentik using Cloudflare tunnels. Can anyone point me / help me properly set up my CrowdSec container?

Trying to figure out why all notifications point to my WAN

As the title says, 99% of my blocks show my target_fqdn as my public WAN. I did a cscli explain on the most recent log and here are the results

Zero Prometheus metrics parser ok but parser is considered as ok

Hello, I created a custom parser (named compte-xx-fr) that succeeds in reading lines (I see it by running the cscli metrics command). But on my Grafana dashboard, there is a 0 peak for this custom parser, even though it is in the "parser ok" Grafana panel (as attached). ...

k8s traefik bouncer + cscli manual decision: disappear after some minutes

Hi, on my k8s CrowdSec setup with the Traefik bouncer, scenario decisions are correctly created automatically. But when I ban manually by hand, I see them for some minutes in cscli decisions list, then they disappear. For the record, I use this line to ban: `cscli decisions add --ip 2a00:23c8:be88:ff00:c4a9:5800:90c3:10dd --type ban --duration 48h --reason Site/CommentsSpoof`...

Have a working Traefik, trying to enable CrowdSec Appsec feature, need help

The CrowdSec Appsec feature is running in the same bouncer that is reading the Traefik logs; it might be neat to have Appsec running in the main LAPI, but it seems this is not how you are best to configure it. There are two Traefik environments:
1 - Natural Port Forwarded from OPNSense Router to DMZ "ep" Traefik container w/its own Redis/Crowdsec
2 - CloudFlare Tunneled to DMZ "cf" Traefik container w/its own Redis/Crowdsec...

IP blocked despite whitelisting

Hi, I have an IP that keeps getting blocked despite being whitelisted.

Traefik logs parsing name=child-crowdsecurity/traefik-logs stage=s01-parse

Hello, I see that Traefik logs are parsed pretty well, but I see plenty of these errors as well:

```
time="2025-03-28T17:29:45Z" level=error msg="UnmarshalJSON : invalid character '.' after top-level value" line="47.242.222.214 - - [28/Mar/2025:17:29:45 +0000] "HEAD /de/language/bearbeiten?de=%2Fde%2Fmodell-3d%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fkommentare&en=%2Fen%2F3d-model%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fcomments&es=%2Fes%2Fmodelo-3d%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fcomentarios&fr=%2Ffr%2Fmod%25C3%25A8le-3d%2Fversch"
time="2025-03-28T17:29:45Z" level=warning msg="failed to run filter : invalid character '.' after top-level value (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]\n | ^" id=icy-grass name=child-crowdsecurity/traefik-logs stage=s01-parse
time="2025-03-28T17:29:46Z" level=error msg="UnmarshalJSON : invalid character '.' after top-level value" line="202.41.171.9 - - [28/Mar/2025:17:29:45 +0000] "GET /en/users/sign-in HTTP/2.0" 200 68409 "-" "-" 1450942 "cults"...
```

CrowdSec + PG on K8S: agent can't connect to LAPI

Hi, once configured to use a PG instance (the schema is correctly created), the LAPI pod is in Running state, but all the agents are stuck with errors like these in their logs:

CAPI whitelist

Hi! Several of our customers complained that an external resource (YouTrack) couldn't reach our SMTP server. After hours of research we found out that the whole /16 supernet of IPs, of which they are using a small portion, is in the CAPI blocklist. Before that, we tried whitelisting. We have a postoverflow whitelist that reads from a file. It's been working great. It was after this that I found out about CAPI blocklists....

Uptime Kuma bare metal

I'm running Uptime Kuma bare metal from the Proxmox helper scripts. Can my acquis.yaml look like this?

```yaml
#Generated acquisition file - wizard.sh (service: ssh) / files :
journalctl_filter:
...
```

k8s Traefik bouncer: decision not applied

Hi, on a running k8s v1.28 + Traefik 3.3 existing cluster, I'm trying to integrate CrowdSec and its Traefik bouncer as a Traefik plugin. I see Traefik log acquisition is correctly done on the agent: ...

False positive on WordPress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: to avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I'll share the alert.

```
 - ID : 153685
 - Date : 2025-03-23T19:58:05Z
...
```

CrowdSec NGINX Bouncer internal server error

After upgrading from 1.0.9 to 1.1.0 I started getting intermittent HTTP 500 errors. The bouncer worked fine for a few hours until I started to get intermittent notifications that some of my services were down (with an HTTP 500 error code).

```
2025/03/24 09:31:51 [error] 960177#960177: *12552450 lua entry thread aborted: runtime error: /usr/lib/crowdsec/lua/crowdsec.lua:305: Failed to create the timer: too many pending timers
stack traceback:
...
```