Traefik bouncer not connecting to LAPI
Hello everyone,
I'm facing a very persistent issue with the Traefik bouncer in a Docker Compose setup and I'm running out of ideas after extensive debugging.
For context, this whole setup is running on a mini-PC with Debian.
...
cscli allows decisions on CIDR ranges, but nftables sets do not have the `interval` flag
TLDR: nftables sets created/managed by cs-firewall-bouncer are missing the
interval flag, causing incorrect elements to be added for subnets.
Today I manually added a decision to ban an IPv6 subnet, which cscli reported as successful, but then I noticed that traffic from IPs in the subnet was still getting past the crowdsec6 table's chains. I dug deeper and realized that it's because the banned subnet wasn't added correctly to the crowdsec6-blacklists-cscli set; it appears to have been added as a single IP.
```...decisions list strange result
I recently noticed my firewall bouncer stopped adding ip flagged for ssh attack to the iptable.
I had set it up that way :
```
log_mode: stdout # file or stdout
log_level: info...
crowdsec-nginx-bouncer memory leak?
On a debian bookworm system with nginx (version 1.22.1-9+deb12u2) I try to install and run crowdsec-nginx-bouncer. As soon as the crowdsec-nginx-bouncer is configured, nginx gets regularly killed by oom.
The crowdsec lapi is running on a different machine.
As an example a "nginx -t" only takes 2 seconds to complete without crowdsec-nginx-bouncer and with installed/configured/enabled crowdsec-nginx-bouncer the command "nginx -t" takes at least 1 minute....
How to test than setup will block attack
Hi all,
I had some alerts and decisions, not much but few a day. I had old mikrotik router so I had only default blocklist and one CVE with few IPs, yet that was too much for router to process (almost all time it was 100% CPU). I bought new Mikrotik router. Now it takes few sec (CPU 25%) in peaks but works really wel. Now I have not any decision or alert for more then day.
Is it possible to test that my setup working correctly?
I know that mikrotik working ok, because there are blocked connections which are comming from address list wich is made by mikrotik bouncer.
What I do not understad is why I have no alert and no decision for more then day 😦 Am I lucky that bad ppl do not try my IP?...
Enable context using helm
In the documentation is says to check and enable using
And check status with...
cscli console enable context
cscli console enable context
Should Prometheus Work in Multi-Server Setup?
Really quick question that I couldn't find the answer to anywhere. I have a multi-server setup pushing all logs to my main machine/security engine. 3-4 machines are pushing into the Sec Engine.
On the main sec engine, prometheus is working without issue in the default
config.yml. On a secondary, but important machine, I have prometheus set up the same as default but it isn't working. I get a scrape config timeout from Prometheus and and error in docker logs that it couldn't mind to the address. I've exposed the 6060 port in my docker compose file.
My hunch is that prometheus metrics are dependent on the LAPI being up and running. Can anyone confirm or deny if this is the case? Should metrics be available on any machine regardless of the rest of the configuration? ...Console Signup KO
Hi,
First post here so please excuse myself if it's not the right place to ask this.
I'm trying to signup to the web console (https://app.crowdsec.net/signup) but I keep getting a 500 error.
Is there a planned maintenance on this page ?
Thanks in advance for your help....
Does whitelisting still lead to ban requests?
I have whitelisted the tailscale IP network range (in
/config/parsers/s02-enrich/tailscale.yaml):
```
whitelist:
cidr:
- "100.64.0.0/10"...Blocklists and decisions streaming
Question if the blocklists or decisions added are somewhat merged into a bigger CIDR ranges? Use case is to lower amount of addresses added to the the device, with over 20k addresses seems like that could be beneficial. I was thinking about using something like https://github.com/seancfoley/ipaddress-go but maybe you know something better?
( Also I think there should be separate #dev channel for such questions I guess?)...
High CPU load since restart haproxy bouncers
Hi, I have high CPU load since I restarted host with haproxy bouncers. I use a SQLITE database. The pprof result says slow request sqlite.
I tried to migrate to a mariadb database, and it doesn't solve the CPU load.
I have sometimes failed request with http code 500
```
time="2025-07-07T12:04:58+02:00" level=info msg="10.0.3.240 - [Mon, 07 Jul 2025 12:04:58 CEST] "GET /v1/decisions/stream?startup=true HTTP/1.1 500 2m0.001530468s "crowdsec-haproxy-bouncer/v1.0.0" ""...
Last fetched signals (on web console)
Hi all, how frequently Security Engine fetches security signals from CAPI? I see on web portal, that my engine fetched security signals 2025-07-06 21:03:57. Is there any configuration where to setup frequency? Or there were not new signals from that time?
Minecraft Server Collections?
Hey all! I'm starting my multi-server setup. Do any of you have any a collection or log parser for Minecraft servers? I wasn't able to find any on the Hub website. Thanks!
Blocklist unsubscribe
Hi all,
I unsubscribed blocklist 15 hours ago, but my bouncer is still downloading that blocklist. Is there any way to force stop using that blocklist?...
New issue: $LAPI_HOST resolves to the wrong service name
```
acheong@fishy ~/P/k/ingress (master) [1]> kubectl exec -it -n crowdsec pods/crowdsec-agent-k5nxj --container wait-for-lapi-and-register -- sh
/ # ps aux
PID USER TIME COMMAND
1 root 0:00 sh -c until nc "$LAPI_HOST" "$LAPI_PORT" -z; do echo waiting for lapi to start; sleep 5; done; ln -s /staging/etc/crowdsec /etc/...
CrowdSec Windows Exchange
Hi folks. I would like to secure my Exchange Server with Crowdsec. Crowdsec is already installed and configured.
I have a Sophos Firewall in front of my Exchange Server which acts as a WAF.
When I tested CrowdSec with a few failed logins, it blocked the IP from my Sophos (my internal IP from the gateway - 10.102.225.1) instead of the public IP from the “attacker” (94.237.100.231)....
how to handle redeployment?
I get the following message, upon redeploying my docker swarm (with a single node).
level=warning msg="Instance already enrolled. You can use '--overwrite' to force enroll"
Is it recommended to overwrite?...Crowdsec-haproxy-bouncer
Hello, the haproxy bouncer package is not available in the repos, I installed it manually but I can't connect to my remote LAPI, and there is no systemd to start it, is that normal?
JSON logging
Hi, does the agents / local API support JSON log output?
I could not find a parameter in the linux default configuration related to log format.
Thanks!...
Parser failure
Hello !
I am currently trying to use crowdsec on my Apache Guacamole server.
I used the corvese/apache-guacamole-logs collection, and edited the pattern of the parser.
Sadly, i always get a parser failure, but my pattern is supposed to work according to https://grokdebugger.com/
...
