CrowdSec: IDS/IPS/WAF Community

false positive wordpress

Hello. I have a false positive on my WordPress site. I tried uploading images, but it banned me. When I check the logs, I see requests with status 404. Also, the upload happens in the wp-admin section. So far, this is normal and fits the "http-admin-interface-probing" scenario. However, I don't understand why it's returning a 404 error. I have a question: To avoid the ban happening again, is it better to whitelist the IP address or the event? Or is there something else I should do? I'm open to ideas. Has this happened to others as well? I’ll share the alert:
- ID : 153685 - Date : 2025-03-23T19:58:05Z...

CrowdSec NGINX Bouncer internal server error

After upgrading from 1.0.9 to 1.1.0 I started getting intermittent HTTP 500 errors. The bouncer worked fine for a few hours until I started to get intermittent notifications that some of my services were down (with an HTTP 500 error code).
2025/03/24 09:31:51 [error] 960177#960177: *12552450 lua entry thread aborted: runtime error: /usr/lib/crowdsec/lua/crowdsec.lua:305: Failed to create the timer: too many pending timers stack traceback:...

Error messages after updating to latest Crowdsec

error msg="Failed to bind json: json: cannot unmarshal object into Go struct field AllMetrics.remediation_components.feature_flags of type []string" func=UsageMetrics Please advise....

Nginx bouncer log spam

After upgrading to 1.0.9 I'm getting some very bad log spam with every single request in my error log:
2025/03/19 15:14:05 [info] 712618#712618: *44739 [lua] stream.lua:146: stream_query(): startup: false, context: ngx.timer, client: 0.0.0.0, server: 0.0.0.0:443
2025/03/19 15:14:04 [info] 712618#712618: *44723 [lua] crowdsec.lua:339: allowIp(): stream mode, client: 0.0.0.0, server: example.com, request: "GET / HTTP/1.1", host: "example.com"
...

JWT Auth timeout

Hello, I deployed CrowdSec using the helm chart (version 0.25.0) on our GKE cluster. I noticed that logs from my custom parser are parsed, but on my Grafana dashboard they aren't displayed (although the custom parser is classified as an OK parser in Grafana)....

CloudPanel Dependency Issue: Lua Module for CrowdSec Nginx remediation component Installation

Hi everyone, I'm encountering a dependency issue while trying to install CrowdSec with its Nginx Lua remediation component. When I run: sudo apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson...

Can I restore old blocked IPs?

Is it possible to reauthorize old IP addresses that have been blocked after a certain time? If so, how do I proceed? Regards...

Setting up captcha once per x time

Hello everyone, Until now I’ve been banning everything that triggers CrowdSec for 24 hours. However, I’ve come to the conclusion that http crawl and http non static get triggered a lot, most of the time falsely. Disabling them feels like something I shouldn’t do. But I also want to make sure my users don’t get banned from loading my webpages. (Tips are welcome.) I was thinking of configuring CrowdSec in such a way as to utilise captchas via Cloudflare for these specific filters, instead of issuing a ban. But I want it to only trigger once per x time, I think…...

Question about notifications

Does CrowdSec expose which domain is being targeted in its notifications? Using npmplus, the logs are now combined into one access.log, making it impossible to know what’s being targeted and causing the ban.

bouncer testing access forbidden - wordpress

I set up a multi-server environment: Server A and Server B. On my Server B, I have a WordPress site. I added the CrowdSec plugin to WordPress and created the bouncer on Server A. I added the API key and the URL, but when I test it, I get this message: Technical error while testing bouncer connection: Unexpected response status code: 403. Body was: {"message":"access forbidden"} However, I do have access to the alerts and decisions on Server B. Has this happened to anyone else, or did I forget to do something?...

Cloudflare tunnel -> traefik -> crowdsec

Hi, would it be possible to obtain the true IP of the user if I'm using a Cloudflare tunnel? I've got a Traefik setup with a Cloudflare tunnel and noticed that in the access.yml it saves the local IP of the Cloudflare tunnel, not the true IP of the user. Any recommendations or documentation regarding this?

Machine registration on a different @ip range.

Hello, is it possible to register a server on another server with a different @ip range? I am currently trying to register a server (public exposure) on another one, but I am getting this error:
user@srv01:/etc/crowdsec# cscli lapi register -u http://149.0.0.1:6666 --machine srv01
Error: api client register: api register (http://149.0.0.1:6666/): Post "http://149.0.0.1:6666/v1/watchers": dial tcp 149.0.0.1:6666: i/o timeout
...

help with the crowdsec unifi collection

Is there a way to get the collection to work for a UDM-SE? They have API access now.

Wrong Grok Pattern for Custom Parser

Hi! I created a custom parser that has to match 2 log templates. This one: 10.6.0.1 - - [28/Feb/2025:09:20:15 +0000] "GET /health HTTP/1.1" 200 3 "-" "kube-probe/1.30" "-" "10.6.0.1" 107 0.000 - - - - - - - "- -” ...

Console_management is disabled

What does this do and how do I enable it?

crowdsec-haproxy-bouncer is failing to spot attempted intrusions. Parser failures, maybe.

Hello. I installed the crowdsec-haproxy bouncer on OPNsense using both the docs and the blog post about it. I did adjust the instructions in the docs to the file locations for FreeBSD. It appears operational; sometimes, but rarely, bans appear. I have set it up for Turnstile captcha and bans, although I think it is only triggering bans. However, I see a lot of intrusion attempts in the HAProxy logs that seem NOT to have triggered any action from CrowdSec. Digging into it as far as I am able to, it appears to me that the included HAProxy parser is failing most of the time. I've run 'cscli explain --file /var/log/haproxy/latest.log --type haproxy'; please see the examples: line: <134>1 2025-02-21T19:26:40+00:00 OPNsense.moomooland haproxy 70406 - [meta sequenceId="1071"] 18.97.5.91:33064 [21/Feb/2025:19:26:40.414] 0_SNI_frontend SSL_backend/SSL_server 1/0/90 7 -- 2/2/1/1/0 0/0...

HAProxy bouncer tries to pull expired decisions from LAPI

Hello, I have a CrowdSec API error with the HAProxy bouncer. Here is the log:
time="2025-02-20T10:04:03+01:00" level=error msg="unable to query expired decision for 'node01-haproxy' : expired decisions: unable to query"
time="2025-02-20T10:04:09+01:00" level=warning msg="QueryExpiredDecisionsWithFilters : context canceled"
...

A little randomly, CrowdSec's main website is not reachable

My guess is that some component of "https://app.crowdsec.net/" is not able to load, possibly the first/primary part; according to Chrome's DevTools, nothing loads. Attached is a screenshot of my Uptime Kuma for CrowdSec behind my OPNsense, which is my multi-site LAPI. This tracks for my Chrome browser too. If I switch my phone to 5G, it loads with no problem. Is there anything we would need to do to prevent CDN/Cloud/CrowdSec IPs from getting on our/your lists? My guess is that it is CrowdSec blocking CrowdSec, but it might be my Pi-hole+Unbound config; AFAIK, though, your primary domain has never found itself on the adblock lists....

Openresty bouncer not working?

Since discovering yesterday that my bouncer wasn't working properly, I've completely reworked my reverse proxy setup. Now I'm using an Ubuntu 22.04 machine running OpenResty. Yet I can't seem to get the bouncer working with my LAPI (LAPI says the bouncer never pulled info from the API). I have the include line in the nginx.conf. This is my config:...