C
CrowdSec3mo ago
neur0

Crowdsec makes my server crash

I've set up Crowdsec and it works well until it randomly starts making my server crash. When it does, I need to reboot it, then simply not launch Crowdsec and it works. The moment I start the crowdsec container it crashes again. I've checked the logs of the container and couldn't find anything in them, maybe a bad config on my end ?
6 Replies
CrowdSec
CrowdSec3mo ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
neur0
neur0OP3mo ago
My config is basic, I am running these collections : 
crowdsecurity/traefik
crowdsecurity/http-cve
crowdsecurity/base-http-scenarios
crowdsecurity/sshd crowdsecurity/linux
crowdsecurity/appsec-generic-rules
crowdsecurity/appsec-virtual-patching
crowdsecurity/appsec-crs
firix/authentik
crowdsecurity/traefik
crowdsecurity/http-cve
crowdsecurity/base-http-scenarios
crowdsecurity/sshd crowdsecurity/linux
crowdsecurity/appsec-generic-rules
crowdsecurity/appsec-virtual-patching
crowdsecurity/appsec-crs
firix/authentik
and this is my acquis 
filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/ufw.log
  - /var/log/mail.log
labels:
  type: syslog
---
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
---
source: docker
container_name:
 - authentik
labels:
  type: authentik
filenames:
  - /var/log/auth.log
  - /var/log/syslog
  - /var/log/kern.log
  - /var/log/ufw.log
  - /var/log/mail.log
labels:
  type: syslog
---
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
---
source: docker
container_name:
 - authentik
labels:
  type: authentik
Oh I think I actually got banned :kek_ahhh: 
- LePresidente/http-generic-401-bf (6 events over 4.896409193s)
- crowdsecurity/http-probing (13 events over 2m37.854117021s)
- LePresidente/http-generic-401-bf (6 events over 4.896409193s)
- crowdsecurity/http-probing (13 events over 2m37.854117021s)
This is what Crowdsec didn't like but i didn't do anything particular tho :Shrug:
iiamloz
iiamloz3mo ago
You can check via cscli alerts list and then cscli alerts inspect -d <alert_id> to see which service inparticular is triggering those scenarios
neur0
neur0OP3mo ago
- Date: 2025-07-17 10:02:40 +0000 UTC ╭─────────────────────┬─────────────────────────────╮ │ Key │ Value │ ├─────────────────────┼─────────────────────────────┤ │ ASNNumber │ 5410 │ │ IsInEU │ true │ │ IsoCode │ FR │ │ │ datasource_path │ /var/log/traefik/access.log │ │ datasource_type │ file │ │ http_args_len │ 0 │ │ http_path │ /read/GetCoreInfo │ │ http_status │ 401 │ │ http_user_agent │ - │ │ http_verb │ POST │ │ log_type │ http_access-log │ │ service │ http │ │ timestamp │ 2025-07-17T10:02:40Z │ │ traefik_router_name │ komodo@docker │ │ user │ - │ ╰─────────────────────┴─────────────────────────────╯
iiamloz
iiamloz3mo ago
the 401 is probably the side effects to the http-probing so check that one for the actual reason
neur0
neur0OP3mo ago
I will check in Komodo and Traefik's logs found it in the access logs of traefik 
- - [17/Jul/2025:10:02:39 +0000] "POST /read/GetCoreInfo HTTP/2.0" 401 106 "-" "-" 5245 "komodo@docker" 
- - [17/Jul/2025:10:02:39 +0000] "POST /read/GetCoreInfo HTTP/2.0" 401 106 "-" "-" 5245 "komodo@docker"
i just ended up whitelisting my own ip to avoid this in the future

Did you find this page helpful?