#📑・support - CrowdSec

No notification after certain amount of bans

se7entynine12/14/25, 11:23 AM

Hey I connected crowdsec with ntfy and get DOUZENS of notifications from the same IP. The questionsable IP is currently banned for 4000 hours.
I tried no log opnsense firewall rules but crowdsec is triggered before them.

Is there a good way to stop getting notifications after an IP got banned x times? I got around 200 notifications today

Alert example if thats helpful:

################################################################################################

ID : 12861
Date : 2025-12-14T10:57:52Z
Machine : opnsense
Simulation : false
Remediation : true
Reason : firewallservices/pf-scan-multi_ports
Events Count : 27
Scope:Value : Ip:45.141.233.37
Country : BG
AS : MEVSPACE sp. z o.o.
Begin : 2025-12-14T10:56:54Z
End : 2025-12-14T10:57:52Z
UUID : 09b48c5e-a853-4730-988c-77d5e0bd2faf

╭───────────────────────────────────────────────────────────────────────────╮
│ Active Decisions │
├──────────┬──────────────────┬────────┬─────────────┬──────────────────────┤
│ ID │ scope:value │ action │ expiration │ created_at │
├──────────┼──────────────────┼────────┼─────────────┼──────────────────────┤
│ 28286093 │ Ip:45.141.233.37 │ ban │ 4007h36m24s │ 2025-12-14T10:57:52Z │
╰──────────┴──────────────────┴────────┴─────────────┴──────────────────────╯

Thanks in advance!

Empty acquisition metrics from lapi container

donut platoon12/14/25, 12:27 AM

I'm running helm crowdsec in k3s. I spent a bit of time trying to figure out why returned an empty table. Turns out this works if I run this against an agent container instead of the lapi container.

This was very non-obvious to me, although is this expected behavior?

No active alerts after test

dffvb12/12/25, 6:06 PM

Hi there, I have setup cs now three times, (Ubuntu, Debian and Fedora), also had snapshots before installling the bouncer / remediation to install iptables and nftabes. However whenever I use the test or test agaisnt it from a different VM I get "no active alerts". I went through the whole trouble shooting, evering there. Parser, logs sshd etc. so not sure. Only thing I could imagine: Its from a private IP, are these excluded by default?

NPM / NextCloud Connection

gamgeemoo12/11/25, 5:41 AM

Hello,

I am running into an issue setting up my Nextcloud server and NPM server protected by CrowdSec.

I am hoping to have a setup where repeated failed POST login attempts to public servers would be blacklisted by CrowdSec.

As far as I can tell, I have followed guides to configure the server to be connected with NPM, however I have a hard time determining whether the whitelisting or blacklisting is working.

As for Nextcloud, as soon as I attempt to follow the guide and set up the acquis.yaml file according to this article:
https://app.crowdsec.net/hub/author/crowdsecurity/collections/nextcloud

My crowdsec server crashes abruptly after restart.

I have the collection added to Crowdsec (screenshot)

as well as the parser (screenshot)

But the server repeatedly crashes.

Collections, AppSec Rules & Configurations | CrowdSec Hub

Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.

Debian with preinstalled ufw

dffvb12/10/25, 4:06 PM

Hi if I have ufw already installed and install the crowdsec bouncer with iptables, this shouldnt be a problem as UFW is like a wrapper for iptables right? Bonus question: If I install this on a naked debian, does it install iptables as Debian by defsult comes without a firewall? Many TIA

Vaultwarden logs can't be parsed

Peronia12/10/25, 8:36 AM

Hi, I`m new to Crowdsec. I have installed a lapi with a firewall bouncer. Now I want to connect my first machine to it, parsing the Vaultwarden logs.
So far it is connected and I installed the collection for it: https://app.crowdsec.net/hub/author/Dominic-Wagner/collections/vaultwarden
But when I have a wrong login, it seems to have problems with the log line. I use journalctl and the same setting as provided in the link:

---
source: journalctl
journalctl_filter:

"SYSLOG_IDENTIFER=Vaultwarden"
labels:
type: Vaultwarden

But I can't see any parsed logs: cscli metrics output nothing. In my journalctl I see this: Dez 10 09:08:39 host vaultwarden[141613]: [2025-12-10 09:08:39.285+0100][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 192.168.230.166. Username: rr@gg.de.
So the logging from Vaultwarden is correct (I also added the %z in the options). I found this issue: https://github.com/crowdsecurity/hub/issues/988 and when I compre my string and that one metioned in the issue, it looks the same.

I don't find the failure in there. Can you help me to identify it?

Collections, AppSec Rules & Configurations | CrowdSec Hub

Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.

GitHub

Vaultwarden parser doesn't handle time zones · Issue #988 · crowd...

Description Dominic-Wagner/vaultwarden parser doesn't handle time zones. The pattern for parsing the timestamp [%{DATE_YMD:date} %{TIME:time}] assumes that the logs will be written in UTC. But...

0.0.0.0 in free_proxies list

charlocharlie12/9/25, 6:35 PM

I noticed issues with my bouncer not taking new rules around December 9, 2025, and it turns out it was due to 0.0.0.0 being added to the free_proxies list. Not sure who manages the list, but 0.0.0.0 is not a valid destination and cannot be blocked.

Any way to update the free proxies scraper so 0.0.0.0 can't be included?

Free proxies list | Blocklist

CrowdSec scrapper aggregates almost all free proxies IPs.

Crowdsec not blocking brute-force login attempts to docker containers behind NTMplus

mman322212/8/25, 8:11 PM

I have NPMplus installed with Crowdsec. Everything is working fine. I can see decisions being made in the Crowdsec log based on IPs.

I have 12 services running behind NPMplus. If I visit subdomain.mydomain.com, I can see the IP appear in the Crowdsec log.

I installed the bouncer: crowdsec-firewall-bouncer-iptables

If I go to the Crowdsec terminal and type in cscli metrics, I see npmplus/nginx/acess.log being parsed. I also see the cs-firewall-bouncer listed under the Bouncer section.

However, if I try to login to any of my 12 services (all docker containers) and the logins fail, I am not being banned. I am trying from a VPN IP address to login.

The ONLY docker container that will ban failed logins is NPMplus. All my other containers that are behind NPMplus never fail. I can keep trying to login forever. All the docker containers are in network: host mode.

If I try to brute foce login to any of my other docker containers like Radarr, Sonarr, Change Detection, Jackett, etc., none of them will ban the IP address like the NPMplus docker container does. All of the docker containers are in network_mode: host.

Crowdsec is somewhat working because I see another foreign IP address in the screenshot above that is not from me that got banned.

It appears everything is working fine, EXCEPT the brute force login for my various other containers. Is there maybe something different I need to do with my other containers? Or should the NPMplus traffic and logs be enough for Crowdsec?

Attached are a couple screenshots:

decisions list. It is banning IPs.
Screenshot of my docker log for the Crowdsec container

I'm also attaching my docker-compose.yaml file for NPMplus.

I asked Zoey, the creating of NPMplus, but she thinks it's a Crowdsec issue. Here is what she said in our Github converstaion: crowdsec firewall bouncer saves its blacklist inside ipset lists

Any help would be appreciated. Thank you!

docker-compose.yaml_for_NPMplus.txt17.68KB

AppSec CRS out-of-band nextcloud exclusion

enspiro12/8/25, 6:22 PM

Hi CrowdSecTeam,
i have running the AppSec on a nginx and added to my installation the appsec-crs collection and the crs-exclusion for nextcloud.
Unfortunately there are still connections blocked coming e.g. from the nextcloud agent.
I have attached a screen shot.
The matching rule is 941100 and 941130.
I was not able to find that rules in the exclusion config.

Create a local collection

Pierre HUBERT12/8/25, 10:37 AM

Hello, I am trying to create a local collection (to take into account local scenario), but unfortunately it does not work (the scenarios of collection are ignored for log processing).

My collection appear in the list of collections () but its details are incomplete with .

Here is my collection ( is a custom scenario that I created based on ):

Here is the output of the :

And the output of : (dependencies are empty, but it should not)

What should I do to address this?

Thank you in advance for your help!

No detections of repeted port 80 connections

gabe_fr12/8/25, 9:27 AM

Hello,

A number of IP addresses originating from IP networks in Brazil and Russia, for example, are initiating TCP connections on port 80.

Log example: (850,000 same lines over 24 hours)
IN=eno1 OUT= MAC=aa:ee:11:dd:55:dd:84:b8:02:f0:78:67:08:00 SRC=193.164. 16.166 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=247 ID=7835 DF PROTO=TCP SPT=10011 DPT=80 WINDOW=51894 RES=0x00 SYN URGP=0

Despite being blocked by the firewall, Crowdsec does not detect these attacks despite tens of thousands of “DENY” lines.

Do you also detect this type of attack?
How can Crowdsec automatically block them? Thank you.

How can I add an IP address to the decisions list without using cscli?

svm12/7/25, 1:51 PM

I’m using a Docker container and have my own list of IP addresses to block or display captchas on. I need to add them to CrowdSec from another container. I’ve only found a way to grant another container permissions to docker.sock, which I don’t really like. Are there any other options besides this? Thanks.

ssh allowlist

liil'boo12/6/25, 8:52 PM

Hi,

is there a way to setup an ssh allowlist ?
So that my public keys do not trigger false positives

keeping crowdsec up to date docker (swarm)

Yannick12/5/25, 5:46 PM

Is there a recommended way to keep CrowdSec collections, scenarios, and AppSec rules up-to-date automatically, instead of having to manually run ?

Are there any built-in or best-practice methods for automating rule updates within CrowdSec deployments?

Recreating the container updates those rules if I am not mistaken.
Does this also happen with persisted container data?

pfSense bouncer not pulling decisions?

sikita12/4/25, 9:19 PM

Hi, I have full of
"GET /v1/decisions/stream?additional_pull=false&community_pull=false HTTP/1.1 200 77.717412ms "crowdsec-firewall-bouncer/v0.0.33-freebsd-cb8b3e3c\
in crowdsec_api.log

cscli lapi status:
Loaded credentials from /usr/local/etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username pfsense on http://127.0.0.1:8088/
You can successfully interact with Local API (LAPI)

cscli bouncers list:
pfsense-firewall 127.0.0.1

2025-12-04T21:13:48Z crowdsec-firewall-bouncer v0.0.33-freebsd-cb8b3e3c api-key

No bouncer metrics found.

crowdsec_blacklists is empty

cscli decisions add -t ban -d 2m -i IP adds IP to crowdsec_blacklists but it is not blocked unless firewall rule to block crowdsec_blacklists

Any help to correct setup? Thanks...

Distribution mode cross region

Mr. SSD12/3/25, 8:29 AM

I set up distribution mode with a single LAPI (server) and multiple Openresty bouncer + Appsec (agents). If the agent was in the same AZ region as server there is no issue. But if the agent was in difference AZ regions e.g. US-SG there was issue as bellow:

-crowsec.log (agent) :
time="2025-12-03T08:03:34Z" level=error msg="Error checking auth for API key: Head "http://51.xxx.xxx.xxx/v1/decisions/stream\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)" name=CDN-WAF type=appsec
time="2025-12-03T08:03:34Z" level=error msg="Unauthorized request from '127.0.0.1:38654' (real IP = xx.xxx.xxx) invalid API key" name=CDN-WAF type=appsec

bouncer log:
2025/12/03 08:03:34 [error] 9726#9726: *2 [lua] crowdsec.lua:560: AppSecCheck(): Unauthenticated request to APPSEC, client: xxx.xxx.xxx

I tried to check any firewall or network restriction but there is no.

Could you please help guide?

Thank

Posting multiple URLs in a forum triggers an anomaly

Wobak12/1/25, 4:23 PM

Hello,

I'm not sure on how to tell crowdsec that something is normal behaviour. I have a forum on which I setup crowdsec to avoid crawlers & such, and now that I have it setup, when I try to post a topic / post, I'll get a 403 whenever I put multiple URLs in the post :

How can I tell crowdsec to not trigger a 403 in that scenario?

Any way to make CrowdSec monitor private ips?

Original message was deleted

quick question- which is correct env variable for CTI - CROWDSEC_CTI_API_KEY or CTI_API_KEY

hhf11/30/25, 12:51 PM

Error log

Accessing my VPS outside using my phone

Jerz11/30/25, 3:26 AM

Hello, how to avoid being blocked by Crowdsec? I was away from home and accessing my VPS, but it seems like my carrier IP was blocked. It happened twice, how to avoid it happening again. There are times when I need to access my VPS outside of my home. Thank you!