CrowdSec

CrowdSec: IDS/IPS/WAF Community

Crowdsec + PG on K8S: agent can’t connect lapi

Hi, once configured to use a PG instance (schema is correctly created), the LAPI pod is in Running state, but all the agents are stuck with such errors in logs:

CAPI whitelist

Hi! Multiple of our customers complained that an external resource (YouTrack) couldn't reach our SMTP server. After hours of research we found out that the whole /16 supernet of IPs - that they are using a small portion of - are in the CAPI blocklist. Before that, we tried whitelisting. We have a postoverflow whitelist that reads from a file. It's been working great. It was after this that I found out about CAPI blocklists....

Uptime-kuma baremetal

I'm running uptime-kuma baremetal from proxmox helper scripts. Can my acquis.yaml look like this? ```yaml #Generated acquisition file - wizard.sh (service: ssh) / files : journalctl_filter:...

k8s Traefik bouncer: decision not applied

Hi, On a running k8s v1.28 + Traefik 3.3 existing cluster, I’m trying to integrate Crowdsec and its Traefik bouncer as traefik plugin. I see traefik log acquisition is correctly done on the agent: ...

false positive wordpress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: To avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I’ll share the alert. ``` - ID : 153685 - Date : 2025-03-23T19:58:05Z...

CrowdSec NGINX Bouncer internal server error

After upgrading from 1.0.9 to 1.1.0 I started getting intermittent http 500 errors. The bouncer worked fine for a few hours until I started to get intermittent notification that some of my services were down (with an http 500 error code). ``` 2025/03/24 09:31:51 [error] 960177#960177: *12552450 lua entry thread aborted: runtime error: /usr/lib/crowdsec/lua/crowdsec.lua:305: Failed to create the timer: too many pending timers stack traceback:...

Error messages after updating to latest Crowdsec

error msg="Failed to bind json: json: cannot unmarshal object into Go struct field AllMetrics.remediation_components.feature_flags of type []string" func=UsageMetrics Please advise....

Nginx bouncer log spam

After upgrading to 1.0.9 I'm getting some very bad log spam with every single request in my error log:
2025/03/19 15:14:05 [info] 712618#712618: *44739 [lua] stream.lua:146: stream_query(): startup: false, context: ngx.timer, client: 0.0.0.0, server: 0.0.0.0:443
2025/03/19 15:14:04 [info] 712618#712618: *44723 [lua] crowdsec.lua:339: allowIp(): stream mode, client: 0.0.0.0, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
...

JWT Auth timeout

Hello, I deployed Crowdsec using helm chart (version 0.25.0) on our GKE cluster. I noticed that logs from my custom parser are parsed, but on my Grafana Dashboard it isn't displayed (but the custom parser is classified as ok parser on grafana)....

CloudPanel Dependency Issue: Lua Module for CrowdSec Nginx remediation component Installation

Hi everyone, I'm encountering a dependency issue while trying to install CrowdSec with its Nginx Lua remediation component. When I run: sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson...

can restore old blocked ip ?

Is it possible to reauthorize old ip addresses that have been blocked after a certain time, if so, how to proceed? regards...

Setting up captcha once per x time

Hello everyone, Until now I’ve been banning everything that triggers crowdsec for 24 hours. However I’ve come to the conclusion that http crawl and http non static get triggered a lot, most of the time false. Disabling them feels like something I shouldn’t do. But I also want to make sure my users don’t get banned from loading my webpages. (Tips are welcome) I was thinking of configuring crowdsec in such a way to utilise captchas via cloudflare for these specific filters, instead of issuing a ban. But, I want it to only trigger once per x time, I think…...

Question about notifications

Does crowdsec offer what domain is being targeted for its notifications? Using npmplus the logs are now combined into one access.log making it impossible to know what’s being targeted and causing the ban

bouncer testing access forbidden - wordpress

I set up a multi-server environment: Server A and Server B. On my Server B, I have a WordPress site. I added the CrowdSec plugin to WordPress and created the bouncer on Server A. I added the API key and the URL, but when I test it, I get this message: Technical error while testing bouncer connection: Unexpected response status code: 403. Body was: {"message":"access forbidden"} However, I do have access to the alerts and decisions on Server B. Has this happened to anyone else, or did I forget to do something?...

Cloudflare tunnel -> traefik -> crowdsec

Hi, would it be possible to obtain the true IP of the user if I'm using cloudflare tunnel? I've got a traefik setup with a cloudflare tunnel and noticed in the access.yml it saves the local IP of the cloudflare tunnel not the true IP of the user. Any recommendations or documentation regarding this?

Machine registration on a different @ip range.

Hello, is it possible to register a server on another server with a different @ip range? I am currently trying to register a server (public exposure) on another one, but I am getting this error:
user@srv01:/etc/crowdsec# cscli lapi register -u http://149.0.0.1:6666 --machine srv01
Error: api client register: api register (http://149.0.0.1:6666/): Post "http://149.0.0.1:6666/v1/watchers": dial tcp 149.0.0.1:6666: i/o timeout
...

help with the crowdsec unifi collection

Is there a way to get the collection to work for a UDM-SE? They have API access now.

Wrong Grok Pattern for Custom Parser

Hi! I created a custom parser that has to match 2 log templates: This one: 10.6.0.1 - - [28/Feb/2025:09:20:15 +0000] "GET /health HTTP/1.1" 200 3 "-" "kube-probe/1.30" "-" "10.6.0.1" 107 0.000 - - - - - - - "- -” ...

Console_management is disabled

What does this do and how do I enable it?