CrowdSec


CrowdSec: IDS/IPS/WAF Community

trying to figure out why all notifications point to my WAN

As the title says, 99% of my blocks show my target_fqdn as my public WAN. I did a cscli explain on the most recent log and here are the results

Zero Prometheus metrics parser ok but parser is considered as ok

Hello, I created a custom parser (named compte-xx-fr) that succeeds in reading lines (I see it by running the cscli metrics command). But on my Grafana dashboard, there is a peak of 0 for this custom parser, even though it is in the "parser ok" Grafana panel (as attached). ...

k8s traefik bouncer + cscli manual decision: disappear after some minutes

Hi, on my k8s Crowdsec setup with the traefik bouncer: scenario decisions are correctly created automatically. But when I ban manually, I see them for some minutes in cscli decisions list, then they disappear. For the record, I use this line to ban: cscli decisions add --ip 2a00:23c8:be88:ff00:c4a9:5800:90c3:10dd --type ban --duration 48h --reason Site/CommentsSpoof...

Have a working Traefik, trying to enable CrowdSec Appsec feature, need help

The CrowdSec Appsec feature is running in the same bouncer that is reading the Traefik logs, it might be neat to have Appsec running in the main LAPI, but it seems this is not how you are best to configure it. There are two Traefik environments: 1 - Natural Port Forwarded from OPNSense Router to DMZ "ep" Traefik container w/its own Redis/Crowdsec 2 - CloudFlare Tunneled to DMZ "cf" Traefik container w/its own Redis/Crowdsec...

IP blocked despite whitelisting

Hi, I have an IP that keeps getting blocked despite being whitelisted.

Traefik logs parsing name=child-crowdsecurity/traefik-logs stage=s01-parse

Hello, I see that traefik logs are parsed pretty well, but I see plenty of these errors as well: ``` __time="2025-03-28T17:29:45Z" level=error msg="UnmarshalJSON : invalid character '.' after top-level value" line="47.242.222.214 - - [28/Mar/2025:17:29:45 +0000] "HEAD /de/language/bearbeiten?de=%2Fde%2Fmodell-3d%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fkommentare&en=%2Fen%2F3d-model%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fcomments&es=%2Fes%2Fmodelo-3d%2Fverschiedene%2Fprueba-de-conector-para-tubo-silicona%2Fcomentarios&fr=%2Ffr%2Fmod%25C3%25A8le-3d%2Fversch" time="2025-03-28T17:29:45Z" level=warning msg="failed to run filter : invalid character '.' after top-level value (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]\n | ^" id=icy-grass name=child-crowdsecurity/traefik-logs stage=s01-parse time="2025-03-28T17:29:46Z" level=error msg="UnmarshalJSON : invalid character '.' after top-level value" line="202.41.171.9 - - [28/Mar/2025:17:29:45 +0000] "GET /en/users/sign-in HTTP/2.0" 200 68409 "-" "-" 1450942 "cults"...

Crowdsec + PG on K8S: agent can’t connect lapi

Hi, once configured to use a PG instance (schema is correctly created), the LAPI pod is in Running state, but all the agents are stuck with such errors in logs:

CAPI whitelist

Hi! Multiple of our customers complained that an external resource (YouTrack) couldn't reach our SMTP server. After hours of research we found out that the whole /16 supernet of IPs - of which they are using a small portion - is in the CAPI blocklist. Before that, we tried whitelisting. We have a postoverflow whitelist that reads from a file. It's been working great. It was after this that I found out about CAPI blocklists....

Uptime-kuma baremetal

I'm running uptime-kuma baremetal from the Proxmox helper scripts. Can my acquis.yaml look like this? ```yaml #Generated acquisition file - wizard.sh (service: ssh) / files : journalctl_filter:...

k8s Traefik bouncer: decision not applied

Hi, on a running k8s v1.28 + Traefik 3.3 existing cluster, I'm trying to integrate Crowdsec and its Traefik bouncer as a Traefik plugin. I see traefik log acquisition is correctly done on the agent: ...

false positive wordpress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: To avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I’ll share the alert. ``` - ID : 153685 - Date : 2025-03-23T19:58:05Z...

CrowdSec NGINX Bouncer internal server error

After upgrading from 1.0.9 to 1.1.0 I started getting intermittent http 500 errors. The bouncer worked fine for a few hours until I started to get intermittent notification that some of my services were down (with an http 500 error code). ``` 2025/03/24 09:31:51 [error] 960177#960177: *12552450 lua entry thread aborted: runtime error: /usr/lib/crowdsec/lua/crowdsec.lua:305: Failed to create the timer: too many pending timers stack traceback:...

Error messages after updating to latest Crowdsec

error msg="Failed to bind json: json: cannot unmarshal object into Go struct field AllMetrics.remediation_components.feature_flags of type []string" func=UsageMetrics Please advise....

Nginx bouncer log spam

After upgrading to 1.0.9 I'm getting some very bad log spam with every single request in my error log:
2025/03/19 15:14:05 [info] 712618#712618: *44739 [lua] stream.lua:146: stream_query(): startup: false, context: ngx.timer, client: 0.0.0.0, server: 0.0.0.0:443
2025/03/19 15:14:04 [info] 712618#712618: *44723 [lua] crowdsec.lua:339: allowIp(): stream mode, client: 0.0.0.0, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
2025/03/19 15:14:05 [info] 712618#712618: *44739 [lua] stream.lua:146: stream_query(): startup: false, context: ngx.timer, client: 0.0.0.0, server: 0.0.0.0:443
2025/03/19 15:14:04 [info] 712618#712618: *44723 [lua] crowdsec.lua:339: allowIp(): stream mode, client: 0.0.0.0, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
...

JWT Auth timeout

Hello, I deployed Crowdsec using the Helm chart (version 0.25.0) on our GKE cluster. I noticed that logs from my custom parser are parsed, but on my Grafana dashboard they aren't displayed (the custom parser is classified as an ok parser on Grafana, though)....

CloudPanel Dependency Issue: Lua Module for CrowdSec Nginx remediation component Installation

Hi everyone, I'm encountering a dependency issue while trying to install CrowdSec with its Nginx Lua remediation component. When I run: sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson...

Can I restore old blocked IPs?

Is it possible to reauthorize old IP addresses that have been blocked after a certain time? If so, how should I proceed? Regards...

Setting up captcha once per x time

Hello everyone, until now I've been banning everything that triggers crowdsec for 24 hours. However, I've come to the conclusion that http crawl and http non static get triggered a lot, most of the time falsely. Disabling them feels like something I shouldn't do. But I also want to make sure my users don't get banned from loading my webpages. (Tips are welcome.) I was thinking of configuring crowdsec in such a way as to utilise captchas via Cloudflare for these specific filters, instead of issuing a ban. But I want it to only trigger once per x time, I think…...

Question about notifications

Does crowdsec report which domain is being targeted in its notifications? Using npmplus, the logs are now combined into one access.log, making it impossible to know what's being targeted and causing the ban.