CrowdSec

CrowdSec: IDS/IPS/WAF Community

Does the Appsec WAF component support Traefik or is it only for nginx?

Unfortunately your docs on this subject are confusing: there are multiple sets of setup docs for AppSec/WAF and only one of them mentions that it's currently only supported for Nginx, so can you please clarify before I put more work into Traefik? Thanks!...

Best way to add dynamic UptimeRobot IP whitelist in CrowdSec?

Hi all, I have a question about handling allowlists/whitelists in parsers. I’d like to whitelist the IPs from UptimeRobot (list here: https://cdn.uptimerobot.com/api/IPv4andIPv6.txt). I see in the docs that data: can be used in a parser definition like this:...

No alerts sent to central dashboard - lite community blocklist

Hi, I not-so-recently added CrowdSec to my Caddy reverse proxy, but at that time I had yet another thing in front of it so it never really saw the public IP addresses. I've since fixed this, and I'm trying to get it off of the lite blocklist. CAPI and LAPI look correct...

ingress nginx kubernetes + custom logs

The logs are being parsed, but no further events occur. Nginx has custom logs, but I created a parser. Could you please advise me on how to resolve this issue?...

database disk image is malformed

Looks like sqlite + unclean system shutdown corrupted the db

Difficulty Whitelisting AppSec CRS False Positives in Traefik Bouncer

Hi CrowdSec Team, I need help configuring a whitelist for the AppSec component in Traefik Bouncer. Despite testing multiple filter expressions, I can’t stop legitimate traffic from being blocked. Environment Traefik v3 (Docker) CrowdSec Agent: latest (Docker)...

problem timeout nginx + plugin lua

Hello! I'm getting LAPI timeouts in my Kubernetes setup. Error: live_query(): ... timeout Troubleshooting done: - Network is OK: curl from Nginx pod to LAPI's /health endpoint works fine....

Blocklist unsubscribe not working

Hey all, thanks for the great product! I wanted to swap out one of my subscribed blocklists. On one of my two in total security engines, this worked flawlessly with the next pull. However, on the other, even after 24 hours, the blocklist was still active, preventing me from enabling the other blocklist I want to activate. I then found a similar support request that had already been resolved: https://discord.com/channels/921520481163673640/1391559703724687390. I followed the recommendations there, e.g. looking up the blocklist name in the Local API Decisions when running cscli metrics and then running cscli decisions delete --scenario "firehol_cybercrime". The list disappeared from the metrics, so I waited for the next pull. After the next pull, I saw this in the logs: ``` time=2025-08-27T12:13:05+02:00 level=info msg=Starting community-blocklist update...

Scenario not working

Hello. Some time ago, I created a scenario designed to stop SQL attacks in the URL. It's actually a copy of your "http-sqli-probing" scenario. Unfortunately, my scenario doesn't work. First, I added the website log folders to acquis.xml:...

Crowdsec Blocking Large File Upload - Immich

Hello. I am running NPMPLUS with CrowdSec enabled and trying to use Immich. All the uploads are working fine except for videos over about 1 minute. I am getting the below error. I believe it is CrowdSec that is blocking it, but I have been unable to find any config file / setting for this. crowdsec | time="2025-08-27T09:25:47+02:00" level=warning msg="Disrupting transaction with body size above the configured limit (Action Reject)" 55 [lua] crowdsec.lua:642: Allow(): [Crowdsec] denied 'XXX' with 'ban' (by appsec), client: XXX, server: XXX request: "POST /api/assets HTTP/1.1", host: XXX ...

freebsd firewall bounce metrics missing

Hello, I have installed two bouncers for the FreeBSD pf firewall. Both have version 0.0.32. The LAPI has version 1.6.9. Alerts are sent to the CrowdSec console. However it does not show metrics....

Is it possible to set remediation to false for specific IP addresses?

I have several IPs and ranges that I want to continue monitoring, but which must not be banned. Only a notification should be sent for these IPs. I built my own threat intelligence system for this purpose. The whitelist parser prevents any notification for listed IPs. ...

Self-hosted Cloudflare Tunnel + CrowdSec?

Hi. Before Cloudflare Tunnel I was using CrowdSec alone, but I set up Cloudflare Tunnel to hide my public IP and filter requests with CF policies before they hit my server. I'm not an expert, but I have some self-hosted services that can be accessed on the web through Cloudflare Tunnel. It's working; I added some policies to authorize only IPs from my country....

Syslog not getting parsed...

Hi all, for some odd reason my syslog (and some others) are not getting parsed... The syslog is passed fine to the container (as I can cat the syslog file and see it being updated). acquis:...

firewall bouncer stops grabbing new decisions after a while

I've been having some intermittent issues with the CrowdSec iptables bouncer where it'll stop bouncing after a few days. When I restart the bouncer everything works fine, but after a while it just stops bouncing. I don't see any errors in the log files that give a hint as to what might be the problem and I can clearly see that it's querying the LAPI with no problem, so the issue has to be with the bouncer itself. this is my config file: ``` mode: iptables...

AlmaLinux 10: Update or Install fails

I wanted to run a simple "dnf update" which failed. I got this message: `[SKIPPED] crowdsec-1.6.11-1.el9.x86_64.rpm: Already downloaded
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>): 1. Certificiate 4C3D386C3CDF0DB4 invalid: certificate is not alive...

Installed on OPNsense and blocking unraid community store

Like it says in the title. I have crowdsec installed on OPNsense and have been running it for a while. Yesterday it began blocking the Community appstore and I could no longer check for updates on my dockers or plugins on my unraid server. I would like to fix this and the only way I have so far is disabling crowdsec. I could use some help. Thanks

ban disappeared before expiration

Yesterday, I manually added a decision about the IP 190.108.82.105 for 960h. I checked it was correctly displayed in CrowdSec decisions. Some minutes ago I got hit by my CEO because the hacker used that IP again today. I checked the Traefik bouncer was effective by banning myself for 15min with success. Why did the 960h ban disappear in less than 24h? Thank you....

ngx.timer error when loading decisions

Yesterday we updated the Nginx ingress controller and CrowdSec on AKS. Nginx ingress 12.1 by mmetc: https://github.com/crowdsecurity/cs-openresty-bouncer/issues/60 We had already tested this with a free account without issues on a low traffic staging site. ...

How to do without a service key and HTTP value?

Hello, I’m facing an issue: I have a LAMP server (Apache + PHP) on which I have two bouncers (PHP and iptables). I have CrowdSec installed with AppSec, and I also installed ModSecurity to strengthen detection, along with the ModSecurity collection to combine the two solutions. I configured the iptables bouncer with scenarios_not_containing: ["http"] so that only the PHP bouncer can handle HTTP blocking. However, this does not work when a ModSecurity scenario is triggered. After investigating, I found the reason: when I inspect the scenario in detail, I notice that the service key with the value http is missing (or something else, I’m not sure if it should be there). Consequently, I cannot make it so that this is handled by the PHP bouncer....