CrowdSec

C

CrowdSec

CrowdSec: IDS/IPS/WAF Community

Join
Willpower
Willpower
View on Discord
2/25/2025

Console_management is disabled

What does this do and how do I enable it?
No description
cookiemonster5680
cookiemonster5680
View on Discord
2/21/2025

crowdsec-haproxy-bouncer is failing to spot attempted intrusions. Parser failures maybe.

Hello. I installed the crowdsec-haproxy bouncer on OPNSense using both the docs and the blog about it. I did adjust the instructions on the docs to the file locations for freeBSD. It appears operational, sometimes but rarely there are bans appearing. I have set up for turnstile captcha and bans although I think is only triggering bans. I however see a lot of intrusion attempts on the haproxy logs that seem to NOT have triggered any action from crowdsec. Digging into it as far as I am able to, it appears to me that the included haproxy parser is failing most of the time. I've done a 'cscli explain --file /var/log/haproxy/latest.log --type haproxy' and please see the examples: line: <134>1 2025-02-21T19:26:40+00:00 OPNsense.moomooland haproxy 70406 - [meta sequenceId="1071"] 18.97.5.91:33064 [21/Feb/2025:19:26:40.414] 0_SNI_frontend SSL_backend/SSL_server 1/0/90 7 -- 2/2/1/1/0 0/0...

failures

alendroit
alendroit
View on Discord
2/20/2025

Haproxy bouncer try to pull expired decisions from LAPI

Hello, I have crowdsec api error with haproxy bouncer. Here is the log 
time="2025-02-20T10:04:03+01:00" level=error msg="unable to query expired decision for 'node01-haproxy' : expired decisions: unable to query"
time="2025-02-20T10:04:09+01:00" level=warning msg="QueryExpiredDecisionsWithFilters : context canceled"
time="2025-02-20T10:04:03+01:00" level=error msg="unable to query expired decision for 'node01-haproxy' : expired decisions: unable to query"
time="2025-02-20T10:04:09+01:00" level=warning msg="QueryExpiredDecisionsWithFilters : context canceled"
...
j0nny54l1v3
j0nny54l1v3
View on Discord
2/19/2025

A little randomly, Crowdsec's main website will not be reachable

My guess is, some component of the "https://app.crowdsec.net/" is not able to load, possibly the first/primary part and according to Chrome's DevTools, it is - nothing loads Attached a screenshot of my Uptime - Kuma for Crowdsec behind my OPNSense that is my Multi-site LAPI - this tracks for my Chrome browser too - if I switch on my phone to 5G, it loads no problem Is there anything we would need to do to prevent CDN/Cloud/Crowdsec IPs from getting on our/your lists? This is my guess that it is Crowdsec blocking Crowdsec, but it might be my Pihole+Unbound config, but, AFAIK your primary domain has never found itself on the Adblock lists....
No description
PintjesBier
PintjesBier
View on Discord
2/19/2025

Openresty bouncer not working?

Since discovering that my bouncer wasn't properly working yesterday I've completly reworked my reverse proxy setup. Now I'm using an Ubuntu 22.04 machine running openresty. Yet I can't seem to get the bouncer working with my LAPI (LAPI says bouncer never pulled info from API). I have the include line in the nginx.conf. This is my config:...
alukas
alukas
View on Discord
2/18/2025

whitelist from file

Hi all! I have a custom script modifying a whitelist file that can be downloaded from a website. I have set a whitelist up with the data attribute (source_url, dest_file, type) and I'm wondering if it automatically downloads the file periodically, or only whenever crowdsec restarts. Any help is much appreciated....
PintjesBier
PintjesBier
View on Discord
2/18/2025

Whitelist not working?

Hi all, it seems like I've been getting my own IP banned even though I have a whitelist in place... My whitelist is placed in postoverflows is that still ok? As I don't see it popping up in the metrics of my LAPI. I also have the whitelist installed on all servers in the distributed server setup, is that needed? Thanks!...
FoxxMD
FoxxMD
View on Discord
2/17/2025

Hardware Performance Guidance and Bottleneck Debugging

Background I'm currently running CS in docker containers on a Raspberry Pi 5. Rough overview: * CS primary container - CAPI, LAPI, used by nginx bouncer (remote on another machine)...
Sich
Sich
View on Discord
2/17/2025

XML syntax error

Hi, Recently I have found thoses errors in my logi files : ```...
MTRYLA
MTRYLA
View on Discord
2/14/2025

Import scenarios from files using helm chart

Hello ! I installed Crowdsec with the helm chart in version 0.14.1 in my GKE cluster. It is deployed through FluxCD. I saw that we specify the yaml definition of the scenario in the values.yaml file under the scenarios field....
GNU Plus Windows User
GNU Plus Windows User
View on Discord
2/13/2025

CrowdSec Hub "Show more" button broken

The Show More button at this page https://app.crowdsec.net/hub/author/crowdsecurity/collections/base-http-scenarios does nothing
Revers
Revers
View on Discord
2/12/2025

Suricata scenario and slow scan

I just install crowdsec on my homelab. I just run some service for the family with traefik I don't send many alert to crowdsec because I have some geoip protection, oisd unboud protection etc. My goal is to send some alert to crowdsec. I want participate 🙂 I just install crowdsec on my opnsense firewall. I enable suricata on the wan...
b_d0n
b_d0n
View on Discord
2/11/2025

Crowdsec docker_host

How does one confirm crowdsec can see my containers via dockersocket? Do I still have to list them via acquis.yaml? For example I added the radarr-bf and radarr parser I can see it listed in metrics but it’s not parsing??
XTROIL
XTROIL
View on Discord
2/11/2025

Bouncer unknown version?

Hey, I'm getting unknown version for the firewall bouncer, any idea why?
No description
b_d0n
b_d0n
View on Discord
2/9/2025

npmplus parsing

i recently migrated from npm to npmplus and it appears the logs arent being parsed?
No description
MTRYLA
MTRYLA
View on Discord
2/6/2025

Custom scenario not triggering neither alert nor decision

Hello ! I installed Crowdsec with helm on my Google Kubernetes Cluster with this chart version : 0.14.1 I also deployed my custom parser, custom scenario (named crowdsecurity/compte_xxx_login_error) and custom profile....
vedtoto
vedtoto
View on Discord
2/6/2025

[appsec] - misleading error log

Hello, crowdsec version: 1.6.5~rc4 crowdsec-openresty-bouncer: 1.0.2 ...
vedtoto
vedtoto
View on Discord
2/5/2025

Crowdsec docker - alert notifications to STDOUT

Hello, I want to use filebeats docker input to ingest alerts from crowdsec. Is there anyway i can redirect alert notifications to stdout? https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-input-docker.html...
b_d0n
b_d0n
View on Discord
2/4/2025

Tracking nginx host not being banned

I’m trying too figure out why host 62 isn’t banning from failed login attempts this host does not fall under my Authentik. Here is the acquisition metrics
No description
pokeghost
pokeghost
View on Discord
2/3/2025

Chaining bouncer inside access_by_lua_block

Hi everyone! I'm setting up an OpenResty bouncer but I need it chain it before a different module (which is a custom DDoS protection script) so that the module that follows after the bouncer is the final one that completes the request. My access_by_lua_block is roughly as follows: ```lua -- snip local bouncer = require "lua/bouncer"...
PreviousNext