CrowdSec


CrowdSec: IDS/IPS/WAF Community


"crowdsec init: while initializing LAPIClient: authenticate watcher (docker1old): API error: missing

Hi, I am getting the following error when I try to start CrowdSec and have it connect to my LAPI: "crowdsec init: while initializing LAPIClient: authenticate watcher (docker1old): API error: missing: invalid character '\x1f' looking for beginning of value"...

How to prevent DDoS attacks

Hello, this morning we had an incident on one of our servers, a large DDoS attack. Their common point was that the user-agents corresponded to old UAs like Macintosh, Windows 95, etc. Also, there were suspicious dates like this one: Mozilla/5.0 (X11; Linux x86_64; rv:1.9.7.20) Gecko/6496-09-22 17:26:38.382965 Firefox/3.6.7. I quickly created a scenario to block all old UAs; the scenario worked and there were alerts/decisions everywhere, it was impressive. But the problem is that I felt CrowdSe...

duration_expr not working in profiles.yaml

Hello, I just installed crowdsec with apt and I want to enable increasing durations for ban decisions. In /etc/crowdsec/profiles.yaml, I tried uncommenting the included duration_expr string but it causes crowdsec to fail to start with this error ...

cscli decisions list -a and -i flag not working at the same time

Hi! Just a minor inconvenience, but we've found that when searching for IPs with the --ip flag, we cannot use -a at the same time. The IP search just gets ignored, and all decisions are listed. Is this by design? Of course we can get around it using grep, but it'd be much faster to filter in cscli. As far as I've tested, it works flawlessly with cscli alerts list though....

log acquisition

With the recent addition of https://docs.crowdsec.net/docs/log_processor/data_sources/docker/#swarm I wondered what would be the recommended way to acquire logs from traefik and the bouncer: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin . Questions: - Should I use bind mounts or use the new API to read logs directly from the Docker Data Source? - What are the tradeoffs? (pros/cons)...

probing or probbing ?

Hello, I’m French and not very good at English, but isn’t there a mistake in this scenario?

nginx lua bouncer crashes if it cannot reach out to LAPI even momentarily

This is not desirable especially when a remote LAPI reachable over https://crowdsec.local.example.com is involved that might go down momentarily while tinkering with proxy settings etc. I submitted a pull request - https://github.com/crowdsecurity/cs-nginx-bouncer/pull/94 that I've been testing in my setup that should mitigate this issue

question on issue reading logs from bunkerweb

Hi, currently we have configured BunkerWeb with CrowdSec, and it seems to be working when we manually add the IP address in the CrowdSec LAPI, but there seems to be an issue reading the logs. Not sure what the issue would be in the parsing. image: tag: "v1.6.11"...

Gotify shows me the ban, but crowdsec dashboard not

Hey community, I got a notification from Gotify that CrowdSec successfully banned 2 IPs, but I don't see it on my dashboard. At /decisions I don't see the banned IPs. Why?...

Get alerts linked to a fqdn

Hi everyone, I use Crowdsec on a NginX reverse proxy hosting around 2000 vhosts, and it works like a charm, thank you! The question I often get from customers is "my website blahblah.com is not online", with no IP address. To track false positives, I'm looking for a way to get Crowdsec's decisions related to this blahblah.com website. If there is only one IP I'm sure this is the customer's IP, otherwise I'm often able to tell which IP is the right one with the AS number. ...

Crowdsec FW bouncer with nftables configured but I think it's not working

Hello everyone, I have Caddy + Coraza + CrowdSec with docker compose working fine and reporting to the console. My OS is Raspbian, which is based on Debian 12 (bookworm)...

Newcomer's guide feedback

Hello! I'm looking at this through my eyes from a few months back, when I vaguely knew what Traefik is and before I had CrowdSec set up, to help give feedback. First off, thank you for making this guide! Things like this are always super helpful to help newbies (like myself) learn what the heck is going on! For context: I've got some websites hosted on local k3s, exposed by Cloudflare tunnels. Now, they're accessed via Traefik with a CrowdSec bouncer....

Use of nginx variables with AppSec

Hello, do you have any practical examples on how to utilize these? https://docs.crowdsec.net/u/bouncers/openresty#nginx-variables I tried setting, for example, `set $disable_appsec 1` within a specific location in my openresty config. But it does not disable appsec (still getting banned). Maybe I have gotten this wrong?...

Why is there no decision to this appsec alert

Shouldn't there be a decision / remediation for this alert? `cscli alert inspect 6844` ################################################################################################...

Appsec whitelist #2

I have a similar issue like @PerryCox007 from the latest post "AppSec whitelist? Ignoire vpatch-git-config when matching?" https://discord.com/channels/921520481163673640/1413237394647552121 I try to allow .env and .git files on my nextcloud instance. My ../crowdsec/acquis.d/appsec.yaml:...

Traefik, Bouncer plugin and firewall bouncer issues

Hi, I have been trying for a while and I cannot figure out where I am going wrong. I am running Traefik in a container with docker compose. I wanted to add CrowdSec to it; it was working when I fiddled with some options, but I am not 100% sure why and when. I cannot get the firewall bouncer to work at all, and I seem to have lost the ability to get the Traefik bouncer plugin to work now as well; I am getting 403s everywhere. I am attaching all my config files/logs. ...

Can't list allowlists?

I tried to list allowlists with `cscli allowlist list` and get the following error: `Error: Get "http://localhost:8080/v1/allowlists?with_content=true": API error: ent: machine not foun` I'm using cscli from the LAPI pod on 1.6.11. I was able to create and add IPs to an allowlist but can't list them. I also can't `cscli allowlist inspect <my list>`. Any ideas?...

How to allow bots access to some URLs but not others

I have a site behind haproxy / crowdsec-spoa-bouncer. I would like to ban known bad IP addresses across the board. For bots I would like to allow some URL paths but not others; for the resource-intensive URL paths I would like to present a captcha. Is it possible to configure behaviour by URL and, if so, where should this be configured / is there an example config?...

Update chocolatey packages

Hey, I just noticed that the Chocolatey packages of the cs windows firewall bouncer and crowdsec are outdated in the Chocolatey package repository. The updates are available through winget but not Chocolatey. Btw, crowdsec 1.7.0 is missing the detect.yaml on Windows (for cscli setup). Bouncer: Version: 0.0.3...

Priority tag before syslog line...

Hi, I'm in the process of setting up a syslog server and I chose Vector for this. However, it seems like they add a <priority> tag before every syslog line... Like so: `<86>Sep 8 09:50:30 Tower sshd-session[2240196]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)`...