IP blocked despite whitelisting
Hi, I have an IP that keeps getting blocked despite being whitelisted.
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command `/resolve` or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Do you have the local alert of the IP being blocked? Here are the things to check:
- Has the IP address only been a local alert? E.g. if you run `cscli decisions list --all | grep IP`, you don't see it from the community blocklist.
- Since adding the whitelist, did you restart the container?
- Are you using a typical whitelist, e.g. a file under `/etc/crowdsec/parsers/s02-enrich`? Maybe you could use the Allowlist function instead: `cscli allowlist`
Yes it is a local alert. The IP is - 65.36.1.28
I deleted the block, so I can no longer see it with `cscli decisions list --all | grep IP` anymore!
Yes I did restart the container after whitelisting
Yes I am using typical whitelisting using the file in said directory. It is a file I call my_whitelists.yaml, with the following entry -
It has worked great so far with other IPs in the list. I will also add using the allowlist function. Does the allowlist store IPs in a file, or DB?
Here's a view of that IP block decision from the crowdsec online dashboard -
That type of whitelist does not interact with `appsec`; the new allowlist via `cscli allowlist` does. Also, I guess it is some sort of security scanner?
Hence why we made `allowlist`: since there are too many different kinds of whitelist and it is all over the place, allowlist is now the central place.
And the `cscli allowlist`, I believe, stores the values in the DB? Is there a way, e.g. a dashboard, to easily see the allowlist made through `cscli allowlist` without having to go through the CLI? E.g. I currently manage the allowlist.yaml through a git repo so others can collaborate.
The only dashboard we currently support is our own offering via https://app.crowdsec.net/
Understood. So there is no way to version manage similar to the .yaml whitelist file?
No, as, like you said, they are entries within the database. You can continue with the yaml file way, but this means you have to maintain multiple different files per appsec, log processor and capi.