CrowdSec: IDS/IPS/WAF Community

CrowdSec for CloudPanel/WordPress websites

Hi All - I am new to CrowdSec. I am running WordPress sites on CloudPanel (Ubuntu 24.04 LTS server). I have installed CrowdSec on it by following the installation guide https://docs.crowdsec.net/u/getting_started/installation/linux. I have also enrolled the engine to the CrowdSec console. Is this enough for the setup, or am I missing something else? Please guide. Further, in the community edition of CrowdSec, I can subscribe to 3 blocklists. Can you please suggest the relevant blocklists to subscribe to? Thank you for the support!...

NPMplus won’t connect to api

I have an Unraid server with a reverse proxy set up with NPMplus, a fork of NPM with a built-in bouncer. I have a custom Docker network set up, and I've generated an API key and put it in the crowdsec.conf file within the app data of NPMplus. It's also worth noting I'm using Cloudflare proxy with real IP passthrough set up in nginx. The ports are all right from what I can see, and so is the API key. Blocked IPs still connect and the bouncer metrics list never updates. Trying to curl from the NPMplus container to the CrowdSec container gives me a 401 error… I see a similar 401 error in the CrowdSec container log coming from the correct IP. I'm a bit stumped on what to try next...

how to get notification variables

I'm trying to wrap my head around the syntax of notification variables, please be patient. "title": "{{.Type }} {{ .Value }} for {{.Duration}}" I was reading this documentation, but I do not understand how to map the parsed values to the notification variables in order to create custom messages. Can someone please show me some example?...

Ban all IPs parsed from a specific acquisition

I'm trying to find the best way to create a trigger scenario where all detected IPs from aquis.d/myacquis.yaml, which collects nginx logs, are banned. What's the cleanest way to achieve that? Should I add a label in the acquisition file and create a scenario where I filter by that? I'm reading the documentation and watching academy videos, but I would appreciate a syntax kickstart, thank you...

Inactive bouncers

Hi, I opened my console yesterday and saw this. I didn't do anything to my setup. Somehow my CF and Traefik bouncers went inactive and active again. I also see the IP addresses now at the end of the bouncer names. What could be the cause, and how do I remove the inactive bouncers?...

Instant attack notification stays disabled

Hi all, on the Alerts page it's not possible to activate the Instant attack notification. It first says Enabled 'v', but when returning to the Alerts page it's off. Under Activity it says "Am I Under Attack? feature has been disabled."...

Max number of machines a LAPI can handle

Hi. Just wondering if there is an upper limit on the number of machines a single LAPI can handle? For example, if I'm reselling VPS WordPress hosting to clients, I could eventually end up with hundreds of machines. Ideally they'd all connect to a single LAPI so they can use a single shared DB. Could it handle that kind of load? Cheers...

Query local api for scenario containing http

Hi, I have read the documentation here: https://docs.crowdsec.net/docs/next/local_api/bouncers/ I see that we can query the LAPI for a specific IP, but not for a scenario containing something, like "http" or "appsec"....

Docker Compose Crowdsec Cloudflare Bouncer on Free Cloudflare account

Heh, overloaded my 10000 item lists and this isn't very well documented, but I had to:
docker compose exec crowdsec-cloudflare-bouncer crowdsec-cloudflare-bouncer -d
Then to re-set up my lists (as I had changed from challenge to block, this was especially necessary):
docker compose exec crowdsec-cloudflare-bouncer crowdsec-cloudflare-bouncer -s
...

Seafile Creating Http-probing

Hi, can anyone help me figure out what needs to be done so that Seafile doesn't trigger http-probing anymore? Thank you...

Enable appsec only for specific NGINX locations

Hi. Is there a way to only enable the WAF (appsec) for certain NGINX locations? I'm reverse proxying different locations to different backends and I don't want the WAF applied to all of them.

Multi-server setup, database, should we comment out the db config for all the nodes

When you set up a multi-server setup, with a main LAPI w/ DB backend, does each log processor/client need its own DB (otherwise it gives an error about the DB), or can you comment that out of the config.yaml for the clients (leaving it configured for the main LAPI/main server)?

Cloudflare Worker : error 1001

Hi, I am trying to set up the CrowdSec Cloudflare worker bouncer, but when I run the command generator I get this error: command: ...

Help me update my possibly outdated crowdsec setup.

Hello everyone, it has been a while since I last worked with CrowdSec; a lot seems to have changed, and I am lost. My personal setup has changed as well: I was using Authelia as my auth service, but I've moved over to Authentik. That's also where my first question lies. I used to have Authelia set up with the collection LePresidente/authelia ...

Bad IP lists in open source (free) version

Hi guys, I'm confused regarding the sources of bad IPs in the open source (free) version. Does everyone get access to the crowdsourced IP list (the list of bad IPs collected from all the other CrowdSec instances out there)? Or is that only available as a paid blocklist?...

cloudflare worker & pricing

Hi, I'm currently looking at the Cloudflare worker bouncer. The Cloudflare documentation says that requests to "static assets" are free. But it seems you have to set up some route for that....

Need an insight for cloudflare tunnels --->> Nginx ---->> Website

Everything is working perfectly, but alerts are not popping up. System OS: Ubuntu 24.04. Nginx version is 1.26.2...

Testing AppSec rules with POST body contents

I'm testing whether my AppSec component blocks in case one of the rules of the virtual patching collection is being hit. I'm using CVE-2024-29824 as an example: https://app.crowdsec.net/hub/author/crowdsecurity/appsec-rules/vpatch-CVE-2024-29824. According to the rule, a POST request to a URL ending in /wsstatusevents/eventhandler.asmx and containing xp_cmdshell should trigger the rule. When I'm simulating such a request, it's not blocked, though. As far as I know this is an in-band rule, so it should react immediately. I have successfully tested with GET /rpc2, so the AppSec component itself seems to be functioning. POST requests that only consider headers being set seem to result in the expected response too. When I check the (debug) logs I see this:...

file.yaml doesn't work

Hello, I noticed that the file.yaml file initially created for integration with a SIEM is not working. I am using Wazuh, and the logs are not being forwarded. I suggest modifying it as follows. Before: ```yaml Don't change this...

Permanent ban for IPs and ASNs

Is there an existing feature or pattern for proactively blocking IP blocks and ideally, IP blocks associated with an ASN? Was going to implement a cron job of sorts that manages a decision on the LAPI but was wondering if there's a builtin solution for this first.