CrowdSec


CrowdSec: IDS/IPS/WAF Community


Vaultwarden: `cscli explain` matches, but `metrics` disagree

I'm trying to integrate this collection: https://app.crowdsec.net/hub/author/Dominic-Wagner/collections/vaultwarden. I've hit the login endpoint with bad user info hundreds of times and see logs like the following. From `cscli explain --file /logs/vaultwarden.log --type Vaultwarden`: line: [TIMESTAMP][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 111.111.111.111. Username: user@example.com. ├ s00-raw...

No decisions and no alerts in the console

I have a problem with a server setup as it does not show any decisions made nor does it show any alerts on the console. Please see the attached text for a full description of the situation. Thanks in advance for any help offered.

Filtering specific URI in CrowdSec profile

Hi, I'm trying to fine-tune my CrowdSec profile to avoid false bans caused by Immich (self-hosted photo manager), which triggers http-crawl-non_statics due to many API calls like /api/album/. My current profile: ...

Debian apt install - How not to install discovered collections automatically

Hello, I install Crowdsec via apt package (https://docs.crowdsec.net/docs/getting_started/install_crowdsec/#install-the-security-engine) and everything is installed/configured via an Ansible role. When the installation is complete, I realize that some collections are automatically installed....

New to crowdsec: next steps

Hi! I'm new to crowdsec and I don't know what to do after the installation to start blocking IPs, lol can someone help me?...

A few questions about metrics

Hi there! A while ago we set up metrics collection using Prometheus and visualization using Grafana. We set the prometheus level to "full", and we've only just noticed - using a network monitoring tool - that some of our machines (the ones running ispconfig, and configured to read each and every log of all the websites) are basically constantly sending 5-10Mbps of traffic to our Prometheus server. Because we run well over a hundred machines, this means that the gigabit connection on our monitoring server gets overwhelmed. For example, on a machine that's been running for a while, the metrics are ~300MB....

postoverflows and 1.6.10

Have been trying to figure out why my custom postoverflow doesn't work on 1.6.10. It shows in the log as being loaded (as it does in 1.6.9) but doesn't have any effect or debug output. I've noticed that the 1.6.10 container by default includes CDN and SEO whitelist nodes but don't see how those could interfere....

problem enroll

Hello, I can't enroll with this command: "sudo cscli console enroll -e context cljr4jq2f0000la0877idaaaa", for example the yaml configuration files changed, and the cscli command too. I have this feedback: "alexandre@ubuntu:~$ sudo cscli console enroll -e context cljr4jq2f0000la0877idaaaa FATA[0000] unknown shorthand flag: 'e' in -e
alexandre@ubuntu:~$ sudo cscli console enroll FATA[19-07-2025 18:53:23] accepts 1 arg(s), received 0 ...

Transferring enterprise plan from personal to organization

Hi, I did subscribe to an enterprise plan (personal use / one person), then I did create an organization (personal use / one person). So now I'd like to transfer my enterprise plan to the organization plan, as this is the same "one person" behind. I did find how to transfer the security engine but not the plan...

Logs Not Being Parsed

Hi - I'm running CrowdSec on my CloudPanel VPS (Ubuntu 24.04 LTS) and noticed that none of my logs are being parsed, even though lines are being read. Screenshots are attached for reference. The CrowdSec engine and firewall bouncer are running fine. Following is the sample log format in /var/log/auth.log file: 2025-07-18T21:57:39.443985+05:00 MY-SERVER sudo: pam_unix(sudo:session): session opened for user root(uid=0) by USERNAME(uid=XXXX)...

Bouncers mixed up?

Hi all, I have 1 crowdsec LAPI, and 2 nginx (openresty) instances. However it seems like the names of the instances are getting mixed up... In the alerts, the last 700+ alerts were from nginx-2, when I look at the remediation components; it says nginx-2 has been inactive for 3 days (thus the alerts from today should be from nginx-1, no?...

NPMplus and Crowdsec as per the instructions posted by Zoey on the Crowdsec site

Hi, I am very much a newbie on this so if the question seems rather stupid, please do have patience with me. I have installed NPMplus and Crowdsec as per the instructions posted by Zoey on the Crowdsec site and it has all worked well, is up and running. Only thing I don't see is how I connect with the Crowdsec Console as both NPMplus and Crowdsec are in docker containers and I don't know where to issue the cscli command. Could anybody be of assistance on this. Thanks in advance. Paul

Discord Notification Not Sent

Anyone faced this issue before? Please help. time="2025-07-18T00:38:23+08:00" level=info msg="cti call for 178.128.33.253" type=crowdsec-cti time="2025-07-18T00:38:24+08:00" level=debug msg="request for 178.128.33.253 took 777.407736ms" type=crowdsec-cti time="2025-07-18T00:38:24+08:00" level=info msg="received signal for discord config" @module=http-plugin...

Crowdsec makes my server crash

I've set up Crowdsec and it works well until it randomly starts making my server crash. When it does, I need to reboot it, then simply not launch Crowdsec and it works. The moment I start the crowdsec container it crashes again. I've checked the logs of the container and couldn't find anything in them, maybe a bad config on my end?...

GPG key error on Debian 12 404 no key found. Trying to update

GPG key error on Debian 12 404 no key found. Trying to update

How to temporarily disable for a while?

I want to disable CrowdSec for a while to verify if other firewall setup is working correctly. Is it just as simple as executing this command? systemctl stop crowdsec...

Is there a way to disable emails for incremental bans?

Hi! I’m using OPNsense and Proxmox with CrowdSec (Proxmox being the one hosting the LAPI) and have the firewallservices/pf-scan-multi_ports scenario active. The issue is that a persistent IP keeps scanning, and each incremental ban triggers an email. Is there a way to suppress emails for incremental bans, so I only get notified the first time or if it got unbanned and then banned again? Any help would be greatly appreciated!...

Pfsense Blocked IPs Disappear from Alias/Table After a While

I'm currently using pfSense version 2.7.2 and have installed CrowdSec version 1.6.9. The integration is mostly working, I’ve successfully customized a scenario and can see IPs being banned using cscli decisions list. These IPs are reflected in the corresponding tables. (pfctl -t crowdsec6_blacklists -T show pfctl -t crowdsec_blacklists -T show) However, after some time, the IPs disappear from the pfSense tables, even though I didn’t manually unblock them. There are no relevant error logs, and CrowdSec appears to continue running without issues. By running cscli decisions list I can see the banned IPs, so I do not know why the tables are empty. Maybe a relevant log could be...

Traefik bouncer not connecting to LAPI

Hello everyone, I'm facing a very persistent issue with the Traefik bouncer in a Docker Compose setup and I'm running out of ideas after extensive debugging. For context, this whole setup is running on a mini-PC with Debian. ...