Openresty bouncer not working?
Since discovering that my bouncer wasn't properly working yesterday I've completly reworked my reverse proxy setup.
Now I'm using an Ubuntu 22.04 machine running openresty. Yet I can't seem to get the bouncer working with my LAPI (LAPI says bouncer never pulled info from API). I have the include line in the nginx.conf.
This is my config:...
whitelist from file
Hi all!
I have a custom script modifying a whitelist file that can be downloaded from a website.
I have set a whitelist up with the data attribute (source_url, dest_file, type) and I'm wondering if it automatically downloads the file periodically, or only whenever crowdsec restarts.
Any help is much appreciated....
Whitelist not working?
Hi all,
it seems like I've been getting my own IP banned even though I have a whitelist in place... My whitelist is placed in postoverflows is that still ok? As I don't see it popping up in the metrics of my LAPI. I also have the whitelist installed on all servers in the distributed server setup, is that needed?
Thanks!...
Hardware Performance Guidance and Bottleneck Debugging
Background
I'm currently running CS in docker containers on a Raspberry Pi 5. Rough overview:
* CS primary container - CAPI, LAPI, used by nginx bouncer (remote on another machine)...
Import scenarios from files using helm chart
Hello !
I installed Crowdsec with the helm chart in version 0.14.1 in my GKE cluster. It is deployed through FluxCD.
I saw that we specify the yaml definition of the scenario in the values.yaml file under the scenarios field....
CrowdSec Hub "Show more" button broken
The
Show More button at this page https://app.crowdsec.net/hub/author/crowdsecurity/collections/base-http-scenarios does nothingSuricata scenario and slow scan
I just install crowdsec on my homelab.
I just run some service for the family with traefik
I don't send many alert to crowdsec because I have some geoip protection, oisd unboud protection etc.
My goal is to send some alert to crowdsec. I want participate 🙂
I just install crowdsec on my opnsense firewall. I enable suricata on the wan...
Crowdsec docker_host
How does one confirm crowdsec can see my containers via dockersocket? Do I still have to list them via acquis.yaml? For example I added the radarr-bf and radarr parser I can see it listed in metrics but it’s not parsing??
Custom scenario not triggering neither alert nor decision
Hello !
I installed Crowdsec with helm on my Google Kubernetes Cluster with this chart version : 0.14.1
I also deployed my custom parser, custom scenario (named
crowdsecurity/compte_xxx_login_error) and custom profile....[appsec] - misleading error log
Hello,
crowdsec version: 1.6.5~rc4
crowdsec-openresty-bouncer: 1.0.2
...
Crowdsec docker - alert notifications to STDOUT
Hello,
I want to use filebeats docker input to ingest alerts from crowdsec. Is there anyway i can redirect alert notifications to stdout?
https://www.elastic.co/guide/en/beats/filebeat/7.17/filebeat-input-docker.html...
Tracking nginx host not being banned
I’m trying too figure out why host 62 isn’t banning from failed login attempts this host does not fall under my Authentik. Here is the acquisition metrics
Chaining bouncer inside access_by_lua_block
Hi everyone! I'm setting up an OpenResty bouncer but I need it chain it before a different module (which is a custom DDoS protection script) so that the module that follows after the bouncer is the final one that completes the request. My
access_by_lua_block is roughly as follows:
```lua
-- snip
local bouncer = require "lua/bouncer"...Active bans with Prometheus
Hi, I have set up crowdsec with Prometheus metrics and it is working fine.
I am trying to understand how to monitor active bans using the exposed Prometheus metrics.
From what I understand, I can use
cs_active_decisions which shows a gauge per scenario and cs_alerts which also is a gauge of the number of alerts (excluding CAPI). But I don't understand the values of these gauges, what do they represent ?
For example, I have this metrics exposed cs_active_decisions{action="ban",origin="CAPI",reason="crowdsecurity/http-admin-interface-probing"} 320 but using cscli decisions list there are only two bans actives for this scenario. How to interpret the number 320 ?
Thanks for your help !...appsec ip
maybe im confued but what does the ip for appsec need to be? i keep getting bind errors... im on unraid but localhost:port doesnt seem to work?
Injection of a banned IPv4
Hello,
We have more than 100,000 IPv4s in a list that we want to ban. At the moment I'm running a python script but it's very time-consuming. Is there any other way of injecting?
Script python made in chatgpt :...
CrowdSec Mikrotik Bouncer fails to add banned ip to address list
it mainly works but but every few hours some banned address is not added to address list, until I manually reboot the docker container, then it appears. What could be the culprit?
here's an example of failed add: the event was not logged at all in the mikrotik container, here's an extraction at ban's time
`crowdsec_mikrotik | {"level":"info","time":"2025-01-20T13:00:31Z","message":"removed decisions: IP: 164.163.25.225 | Scenario: crowdsecurity/netgear_rce | Duration: -11s | Scope : Ip"}...