CrowdSec


CrowdSec: IDS/IPS/WAF Community


AppSec ignores X-Crowdsec-Appsec-Ip header from Caddy bouncer, uses connection source IP instead

Hi 👋 I'm trying to track down what's going on between Caddy and AppSec and could use a suggestion for where to look next. I've documented my issue and findings on hslatman/caddy-crowdsec-bouncer, and ruled out a plugin issue - https://github.com/hslatman/caddy-crowdsec-bouncer/issues/91 Let me know if anyone has a suggestion for where to dig next....

Collection Not Banning

I'm just getting into Crowdsec and installed on my Unraid server, with Traefik as my reverse proxy. I followed an Ibracorp tutorial for help. Multiple collections don't seem to be parsing the logs correctly. One example being LePresidente/overseerr-logs....

Same IP banned twice 2 hours apart?

I've seen the same IP getting banned twice 2 hours apart, not sure how it's possible? My default bans are for longer, so it shouldn't be possible, I do see the active decision for that IP, so I wonder if I'm missing something? Thanks....

Re: the 6 Aug announcement about updating

I ran the curl -s https://install.crowdsec.net/ | sh with sudo and got back "this script must be run as root." What am I missing? Thanks!

prevent notifications for manual add ip/range or use own custom blocklist

Hello, and apologies if this has already been asked and answered. I have a self-maintained blacklist that I would like to use with Crowdsec. My first approach was to use cscli to add the IPs and ranges, as well as a reason. However, this resulted in the reports being duplicated via notification....

Helm chart add allowlist

Is it possible to add IPs to an allowlist from the helm values? I saw that whitelist is deprecated and I've managed to create it using the documentation and cscli, but I'm running without persistent storage so on pod deletion the config is lost...

Openresty bouncer disconnects from CrowdSec

Hi team, need support hence joining the channel here, need to admit this is my first post here... Our setup: We are using the drop-in replacement of Nginx Proxy Manager (lepresidente/nginxproxymanager) running in Docker of course, CrowdSec is also running in Docker. ...

Docker based log parser not connecting to Opnsense running LAPI

I am working on setting up crowdsec on my second network and I'm running into issues getting another machine connected to the LAPI running on opnsense. My opnsense crowdsec config can be seen in the attached picture, as well as the firewall rule on the LAN interface that allows the docker machine (an unraid box) to connect to port 8080 on the router. When running the sudo cscli lapi register -u http://192.168.20.1:8080 command on my crowdsec docker it says it's successful and saves the creds into local_api_credentials.yaml. I then stopped the docker, edited config.yaml in the docker server and disabled the server api. On the Opnsense lapi I validated the machine. Now whenever trying to start the crowdsec docker it will not start successfully. It gets stuck in a loop of crashing over and over. This can be found in the logs: ...

About Hub collections

On https://app.crowdsec.net/hub/collections?filters=search%3Dwordpress we have two collections: cscli collections install crowdsecurity/wordpress cscli collections install crowdsecurity/appsec-wordpress...

cscli alerts list -i not showing all alerts

Maybe there is a misunderstanding on my side but it looks like cscli alerts list -i is not showing all alerts for the provided ip. `cscli alerts list │ ID │ value │ reason [...] ...

Ban immediately after scenario is triggered

I adapted one of the scenarios to immediately ban an IP when it requests files like .env or wp. It bans the IP after some time when the url was called, but always with a delay. How can I ban immediately? I don't want the requests to reach my server. Is that even possible? Because crowdsec would have to read the log, and by the time the log is written, it is probably too late. Additional info: When I call domain.tld/.env the alert and the decision are created right away, but I can still browse around on the website and open other pages for half a minute until I get banned, and when unbanning it always takes half a minute to be unbanned, if that is relevant. `name: http-sensitive-files-local...`

LAPI whitelist

Hi, I have at least 60 servers running CrowdSec, all connected to a single LAPI. They are trying to ban an IP that I want to whitelist. ...

No target_host in AppsecAlerts

I am running CrowdSec on a nginx reverse-proxy. So AppSec is running for a lot of vhosts. However in most (all?) of the AppSec-alerts I don't get a target_host in the context. So I can't really tell which vhost was hit by the alert. ...

Viewing / deleting decisions with cscli

When I check cscli decisions list I see one decision, related to my earlier testing. If I cscli decisions delete <id> it says the decision was deleted, then when I check the list again there's a new decision in the list with a decremented ID number. Seems like there were ~19 from one run with nikto. Is it normal to not see all decisions in the list? Is there a way to view / delete them all?

Remove allow list for local addresses?

It looks like by default Crowdsec has an allowlist for RFC1918 / private address ranges. I'm testing primarily within a local network on 10.0/8. Is there a way to temporarily disable this allow list? I don't see it under 'cscli allowlist list'.

Is my caddy setup missing anything?

Hey again, When running cscli metrics I can't see any scenario metrics, while on my other machines it works just fine. Is this normal behavior? I know that the caddy bouncer doesn't have metrics atm, is this why it's empty?...

Unmarshal JSON warnings

Just noticed these unmarshalJSON warnings/errors by executing docker logs -f crowdsec

```
time="2025-08-02T19:12:53+10:00" level=warning msg="failed to run filter : unexpected end of JSON input (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, "traefik") in ["", nil]\n | ^" id=falling-water name=child-crowdsecurity/traefik-logs stage=s01-parse
time="2025-08-02T19:12:53+10:00" level=error msg="UnmarshalJSON : invalid character 'u' looking for beginning of value" line="uestMethod":"POST","RequestPath":"/plugins/unassigned.devices.preclear/include/Preclear.php","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"apollo@file","ServiceAddr":"10.0.0.100:8088","ServiceName":"apollo@file","ServiceURL":"http://10.0.0.100:8088/\",\"StartLocal\":\"2025-08-02T19:12:53.673292055+10:00\",\"TLSCipher\":\"TLS_AES_128_GCM_SHA256\",\"TLSVersion\":\"1.3\",\"entryPointName\":\"https\",\"level\":\"info\",\"msg\":\"\",\"time\":\"2025-08-02T19:12:53+10:00\"}"
```
...

2FA authentication

Hello, I have lost my 2FA authentication and cannot remember when I last logged in.

Inconsistencies between web, cscli, and ipset

Hi there! Lately we've been getting a lot of complaints from customers that Microsoft tools can't reach their pages (bingbot). We've been hacking away at it for days now, and we've found the root of the issue (or at least we think so, nonetheless it is a problem). These are the IP ranges used by bingbot: https://www.bing.com/toolbox/bingbot.json...

Console-connection gets stalled when container is restarted

I've noticed that if I restart the crowdsec-container, I get issues with the connection to the console. It doesn't update anymore and I need to re-enroll. I've mounted /var/lib/crowdsec/data to my host and I have no issues with crowdsec in general surviving restarts of the container. It's just the console that resets and loses the connection to the console. It doesn't tell me that it lost the connection when I run cscli console status, but when I log into the console I see it's complaining and that I have no updates in the console where the LAPI has updates. From what I've read, the path above is the only one of interest to survive restarts, thus I'm unsure why this happens....