CrowdSec

CrowdSec: IDS/IPS/WAF Community

Difficulty Whitelisting AppSec CRS False Positives in Traefik Bouncer

Hi CrowdSec Team, I need help configuring a whitelist for the AppSec component in Traefik Bouncer. Despite testing multiple filter expressions, I can’t stop legitimate traffic from being blocked. Environment Traefik v3 (Docker) CrowdSec Agent: latest (Docker)...

problem timeout nginx + plugin lua

Hello! I'm getting LAPI timeouts in my Kubernetes setup. Error: live_query(): ... timeout Troubleshooting done: - Network is OK: curl from Nginx pod to LAPI's /health endpoint works fine....

Blocklist unsubscribe not working

Hey all, thanks for the great product! I wanted to swap out one of my subscribed blocklists. On one of my two in total security engines, this worked flawlessly with the next pull. However, on the other, even after 24 hours, the blocklist was still active, preventing me from enabling the other blocklist I want to activate. I then found a similar support request that had already been resolved: https://discord.com/channels/921520481163673640/1391559703724687390. I followed the recommendations there, e.g. looking up the blocklist name in the Local API Decisions when running cscli metrics and then running cscli decisions delete --scenario "firehol_cybercrime". The list disappeared from the metrics, so I waited for the next pull. After the next pull, I saw this in the logs: ``` time=2025-08-27T12:13:05+02:00 level=info msg=Starting community-blocklist update...

Scenario not working

Hello. Some time ago, I created a scenario designed to stop SQL attacks in the URL. It's actually a copy of your "http-sqli-probing" scenario. Unfortunately, my scenario doesn't work. First, I added the website log folders to acquis.xml:...

Crowdsec Blocking Large File Upload - Immich

Hello. I am running NPMPLUS with CrowdSec enabled and trying to use Immich. All the uploads are working fine except for videos over about 1 minute. I am getting the below error. I believe it is crowdsec that is blocking it, but I have been unable to find any config file / setting for this. crowdsec | time="2025-08-27T09:25:47+02:00" level=warning msg="Disrupting transaction with body size above the configured limit (Action Reject)" 55 [lua] crowdsec.lua:642: Allow(): [Crowdsec] denied 'XXX' with 'ban' (by appsec), client: XXX, server: XXX request: "POST /api/assets HTTP/1.1", host: XXX ...

freebsd firewall bounce metrics missing

Hello, I have installed two bouncers for the FreeBSD pf firewall. Both have version 0.0.32. The LAPI has version 1.6.9. Alerts are sent to the CrowdSec console. However, it does not show metrics....

Is it possible to set remediation to false for specific IP addresses?

I have several IPs and ranges that I want to continue monitoring, but which must not be banned. Only a notification should be sent for these IPs. I built my own threat intelligence system for this purpose. The whitelist parser prevents any notification for listed IPs. ...

Self-hosted Cloudflare tunnel + CrowdSec?

Hi. Before the Cloudflare tunnel I was using CrowdSec alone, but I set up a Cloudflare tunnel to hide my public IP and filter requests before they hit my server with CF policies. I'm not an expert, but I have some self-hosted services that can be accessed on the web with the Cloudflare tunnel. It's working; I added some policies to authorize only IPs from my country....

Syslog not getting parsed...

Hi all, for some odd reason my syslog (and some others) are not getting parsed... The syslog is passed fine to the container (as I can cat the syslog file and see it being updated). acquis:...

firewall bouncer stops grabbing new decisions after a while

I've been having some intermittent issues with the CrowdSec iptables bouncer where it'll stop bouncing after a few days. When I restart the bouncer everything works fine, but after a while it just stops bouncing. I don't see any errors in the log files that give a hint as to what might be the problem and I can clearly see that it's querying the LAPI with no problem, so the issue has to be with the bouncer itself. this is my config file: ``` mode: iptables...

AlmaLinux 10: Update or Install fails

I wanted to run a simple "dnf update" which failed. I got this message: `[SKIPPED] crowdsec-1.6.11-1.el9.x86_64.rpm: Already downloaded
error: Verifying a signature using certificate 9082D8CACBBEB0DAB218BAB04C3D386C3CDF0DB4 (Crowdsec Rpm Archive <support@crowdsec.net>): 1. Certificiate 4C3D386C3CDF0DB4 invalid: certificate is not alive...

Installed on OPNsense and blocking unraid community store

Like it says in the title. I have crowdsec installed on OPNsense and have been running it for a while. Yesterday it began blocking the Community appstore and I could no longer check for updates on my dockers or plugins on my unraid server. I would like to fix this and the only way I have so far is disabling crowdsec. I could use some help. Thanks

ban disappeared before expiration

Yesterday, I manually added a decision about the IP 190.108.82.105 for 960h. I checked it was correctly displayed in CrowdSec decisions. Some minutes ago I got hit by my CEO because the hacker used that IP again today. I checked the Traefik bouncer was effective by banning myself for 15min with success. Why did the 960h ban disappear in less than 24h? Thank you....

ngx.timer error when loading decisions

Yesterday we've updated the Nginx ingress controller and Crowdsec on AKS. Nginx ingress 12.1 by mmetc: https://github.com/crowdsecurity/cs-openresty-bouncer/issues/60 We had already tested this with a free account without issues on a low traffic staging site. ...

How to do without a service key and HTTP value?

Hello, I’m facing an issue: I have a LAMP server (Apache + PHP) on which I have two bouncers (PHP and iptables). I have CrowdSec installed with AppSec, and I also installed ModSecurity to strengthen detection, along with the ModSecurity collection to combine the two solutions. I configured the iptables bouncer with scenarios_not_containing: ["http"] so that only the PHP bouncer can handle HTTP blocking. However, this does not work when a ModSecurity scenario is triggered. After investigating, I found the reason: when I inspect the scenario in detail, I notice that the service key with the value http is missing (or something else, I’m not sure if it should be there). Consequently, I cannot make it so that this is handled by the PHP bouncer....

Error while parsing logs - schiz0phr3ne/sonarr-logs

I'm encountering an issue with a log parser bundled as part of a collection. https://app.crowdsec.net/hub/author/schiz0phr3ne/collections/sonarr Specifically with this parser...

Can't connect to remote LAPI with agent

On my Nginx Proxy Manager VM I am running the crowdsec server. This works so far as I already have another service successfully using it. But I only provided the URL, machine name and API_KEY because the service handles everything itself and just required the lapi credentials. Now I have another service which I have to configure manually. I installed the crowdsec agent via docker. This is my config.yaml for my log processor (this is not running the LAPI server) ```yaml common:...

Updating Decisions List

Hello, I just set up CrowdSec for the first time. Is it normal for the `cscli decision list` to be different from `cscli decisions list --origin CAPI`? I'm using the container maintained by Zoey. docker.io/zoeyvid/npmplus:latest...

Traefik logs only showing internal docker IP address.

https://www.crowdsec.net/blog/securing-automated-app-deployment-crowdsec-and-coolify I followed this guide to set up CrowdSec, but I've tried pretty much everything and the Traefik logs only show the Docker IP, and in the cscli metrics I can see everything being whitelisted. This is a snippet from the logs....

Help with crowdsec plugin

I need help installing the CrowdSec plugin on WordPress