Setting up captcha once per x time
Hello everyone,
Until now I’ve been banning everything that triggers crowdsec for 24 hours. However I’ve come to the conclusion that http crawl and http non static get triggered a lot, most of the time false. Disabling them feels like something I shouldn’t do. But I also want to make sure my users don’t get banned from loading my webpages. (Tips are welcome)
I was thinking of configuring crowdsec in such a way to utilise captchas via cloudflare for these specific filters, instead of issuing a ban. But, I want it to only trigger once per x time, I think…...
Question about notifications
Does crowdsec offer what domain is being targeted for its notifications? Using npmplus the logs are now combined into one access.log making it impossible to know what’s being targeted and causing the ban
bouncer testing access forbidden - wordpress
I set up a multi-server environment: Server A and Server B. On my Server B, I have a WordPress site. I added the CrowdSec plugin to WordPress and created the bouncer on Server A. I added the API key and the URL, but when I test it, I get this message:
Technical error while testing bouncer connection: Unexpected response status code: 403. Body was: {"message":"access forbidden"}
However, I do have access to the alerts and decisions on Server B. Has this happened to anyone else, or did I forget to do something?...
Cloudflare tunnel -> traefik -> crowdsec
Hi, would it be possible to obtain the true IP of the user if I'm using cloudflare tunnel? I've got a traefik setup with a cloudflare tunnel and noticed in the access.yml it saves the local IP of the cloudflare tunnel not the true IP of the user. Any recommendations or documentation regarding this?
Machine registration on a different @ip range.
Hello, is it possible to register a server on another server with a different @ip range? I am currently trying to register a server (public exposure) on another one, but I am getting this error:
...
user@srv01:/etc/crowdsec# cscli lapi register -u http://149.0.0.1:6666 --machine srv01
Error: api client register: api register (http://149.0.0.1:6666/): Post "http://149.0.0.1:6666/v1/watchers": dial tcp 149.0.0.1:6666: i/o timeout
help with the crowdsec unifi collection
Is there a way to get the collection to work for a UDM-SE? They have API access now.
Wrong Grok Pattern for Custom Parser
Hi !
I created a custom parser that has to match 2 log templates:
This one:
10.6.0.1 - - [28/Feb/2025:09:20:15 +0000] "GET /health HTTP/1.1" 200 3 "-" "kube-probe/1.30" "-" "10.6.0.1" 107 0.000 - - - - - - - "- -"
...
crowdsec-haproxy-bouncer is failing to spot attempted intrusions. Parser failures maybe.
Hello. I installed the crowdsec-haproxy bouncer on OPNsense using both the docs and the blog about it. I did adjust the instructions on the docs to the file locations for FreeBSD. It appears operational; sometimes, but rarely, there are bans appearing. I have set up for turnstile captcha and bans, although I think it is only triggering bans.
I however see a lot of intrusion attempts on the haproxy logs that seem to NOT have triggered any action from crowdsec. Digging into it as far as I am able to, it appears to me that the included haproxy parser is failing most of the time.
I've done a 'cscli explain --file /var/log/haproxy/latest.log --type haproxy' and please see the examples:
line: <134>1 2025-02-21T19:26:40+00:00 OPNsense.moomooland haproxy 70406 - [meta sequenceId="1071"] 18.97.5.91:33064 [21/Feb/2025:19:26:40.414] 0_SNI_frontend SSL_backend/SSL_server 1/0/90 7 -- 2/2/1/1/0 0/0...
Haproxy bouncer try to pull expired decisions from LAPI
Hello, I have a crowdsec api error with the haproxy bouncer. Here is the log:
...
time="2025-02-20T10:04:03+01:00" level=error msg="unable to query expired decision for 'node01-haproxy' : expired decisions: unable to query"
time="2025-02-20T10:04:09+01:00" level=warning msg="QueryExpiredDecisionsWithFilters : context canceled"
A little randomly, Crowdsec's main website will not be reachable
My guess is, some component of the "https://app.crowdsec.net/" is not able to load, possibly the first/primary part and according to Chrome's DevTools, it is - nothing loads
Attached a screenshot of my Uptime - Kuma for Crowdsec behind my OPNSense that is my Multi-site LAPI - this tracks for my Chrome browser too - if I switch on my phone to 5G, it loads no problem
Is there anything we would need to do to prevent CDN/Cloud/Crowdsec IPs from getting on our/your lists? This is my guess that it is Crowdsec blocking Crowdsec, but it might be my Pihole+Unbound config, but, AFAIK your primary domain has never found itself on the Adblock lists....

Openresty bouncer not working?
Since discovering that my bouncer wasn't properly working yesterday, I've completely reworked my reverse proxy setup.
Now I'm using an Ubuntu 22.04 machine running openresty. Yet I can't seem to get the bouncer working with my LAPI (LAPI says bouncer never pulled info from API). I have the include line in the nginx.conf.
This is my config:...
whitelist from file
Hi all!
I have a custom script modifying a whitelist file that can be downloaded from a website.
I have set a whitelist up with the data attribute (source_url, dest_file, type) and I'm wondering if it automatically downloads the file periodically, or only whenever crowdsec restarts.
Any help is much appreciated....
Whitelist not working?
Hi all,
it seems like I've been getting my own IP banned even though I have a whitelist in place... My whitelist is placed in postoverflows; is that still ok? As I don't see it popping up in the metrics of my LAPI. I also have the whitelist installed on all servers in the distributed server setup; is that needed?
Thanks!...
Hardware Performance Guidance and Bottleneck Debugging
Background
I'm currently running CS in docker containers on a Raspberry Pi 5. Rough overview:
* CS primary container - CAPI, LAPI, used by nginx bouncer (remote on another machine)...
Import scenarios from files using helm chart
Hello !
I installed Crowdsec with the helm chart in version 0.14.1 in my GKE cluster. It is deployed through FluxCD.
I saw that we specify the yaml definition of the scenario in the values.yaml file under the scenarios field....
CrowdSec Hub "Show more" button broken
The "Show More" button at this page https://app.crowdsec.net/hub/author/crowdsecurity/collections/base-http-scenarios does nothing
Suricata scenario and slow scan
I just installed crowdsec on my homelab.
I just run some services for the family with traefik.
I don't send many alerts to crowdsec because I have some geoip protection, oisd unbound protection etc.
My goal is to send some alerts to crowdsec. I want to participate 🙂
I just installed crowdsec on my opnsense firewall. I enabled suricata on the wan...