Remove allow list for local addresses?

It looks like by default Crowdsec has an allowlist for RFC1918 / private address ranges. I'm testing primarily within a local network on 10.0/8. Is there a way to temporarily disable this allow list? I don't see it under 'cscli allowlist list'.
iiamloz 3w ago
cscli parsers remove crowdsecurity/whitelists. As it's an s02 parser, it's a file instead of being held inside a DB (where allowlists are stored).
jjg23 (OP) 3w ago
I see, so there are both allowlists, and parsers named 'whitelist', '<etc>-allowlist' etc at another level? Is there a way to view their contents? Also, how do I properly uninstall a parser? I tried "cscli parsers remove crowdsecurity/whitelists" which seemed to work but said I may need to restart containers for it to take effect. After restarting the containers the parser was again installed. I'm basically just hoping to get a demo alert via nikto which seems to be commonly used for crowdsec demonstrations.
iiamloz 3w ago
If you're on k8s, you need to specify agent.env and add:
```yaml
agent:
  env:
    # Parsers listed here are not installed when the agent container starts
    - name: DISABLE_PARSERS
      value: "crowdsecurity/whitelists"
```
jjg23 (OP) 3w ago
Yep, k8s installed with helm. Thanks, I'll try this out. cscli still shows it as enabled after redeploying and restarting the agent and lapi containers.
iiamloz 3w ago
It doesn't matter if it's on the LAPI containers, it only matters for the agents. If you exec into the agent pods, do you see the env set if you run the env command?
jjg23 (OP) 3w ago
Yes. "DISABLE_PARSERS=crowdsecurity/whitelists" in the output of env. Still not seeing nikto blocked, or any decisions made.
iiamloz 3w ago
And cscli metrics on the agents show it picking up the log files?
jjg23 (OP) 3w ago
Hmm, ok, looks like it shows my traefik logs as all unparsed. Seems like this could be related to an issue I mentioned in a different support thread, but got no traction on. The agent logs the following. As far as I can tell the logs are correctly formatted JSON, but maybe some field is missing that is required since we currently only keep some portion of them.

```
time="2025-08-04T14:43:50Z" level=error msg="UnmarshalJSON : unexpected end of JSON input" line=
time="2025-08-04T14:43:50Z" level=warning msg="failed to run filter : unexpected end of JSON input (1:1)\n | UnmarshalJSON(evt.Parsed.message, evt.Unmarshaled, \"traefik\") in [\"\", nil]\n | ^" id=twilight-firefly name=child-crowdsecurity/traefik-logs stage=s01-parse
```

Tried with all log fields enabled, and same error. I did find this list which shows which ones should be required: https://app.crowdsec.net/hub/author/crowdsecurity/log-parsers/traefik-logs

Oh man, came across this thread: https://discourse.crowdsec.net/t/agent-fails-to-parse-logs-but-cscli-explain-works/1117/3 and realized the default container_runtime is docker, but we're on containerd. Logs are being parsed, successfully triggered a decision with nikto.
CrowdSec 3w ago
Resolving "Remove allow list for local addresses?" This has now been resolved.
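
An added example, not part of the thread or CrowdSec's own code: a small check for the mismatch that resolved this thread (container_runtime left at docker on a containerd cluster). It classifies pod log lines as Docker json-file or CRI format and flags lines that do not match the configured runtime; the `classify` and `check` names and the sample lines are constructed for illustration.

```python
import json
import re

# CRI (containerd / CRI-O) log line: "<RFC3339Nano time> <stream> <P|F> <message>"
CRI_LINE = re.compile(r"^(\S+) (stdout|stderr) ([PF]) (.*)$", re.DOTALL)


def classify(line):
    """Return (runtime_format, inner_message) for one container log line."""
    line = line.rstrip("\n")
    m = CRI_LINE.match(line)
    if m:
        return "containerd", m.group(4)
    try:
        obj = json.loads(line)
    except ValueError:
        return "unknown", None
    # Docker's json-file driver wraps each line as {"log": ..., "stream": ..., "time": ...}
    if isinstance(obj, dict) and obj.keys() >= {"log", "stream", "time"}:
        return "docker", obj["log"].rstrip("\n")
    return "unknown", None


def check(lines, configured_runtime):
    """Count lines per detected format and list findings for the configured runtime."""
    counts = {"docker": 0, "containerd": 0, "unknown": 0}
    findings = []
    for n, line in enumerate(lines, 1):
        fmt, msg = classify(line)
        counts[fmt] += 1
        if fmt != "unknown" and fmt != configured_runtime:
            findings.append(f"line {n}: {fmt} format, but container_runtime={configured_runtime}")
        elif fmt != "unknown":
            try:
                json.loads(msg)  # the Traefik parser expects a JSON access-log entry
            except ValueError:
                findings.append(f"line {n}: inner message is not valid JSON")
    return counts, findings


# Constructed sample lines (not taken from the thread): the same Traefik JSON
# access-log entry as each runtime would write it under /var/log/containers/.
TRAEFIK = '{"ClientHost":"10.0.0.5","RequestPath":"/","DownstreamStatus":404}'
SAMPLE_CRI = f"2025-08-04T14:43:50.123456789Z stdout F {TRAEFIK}"
SAMPLE_DOCKER = json.dumps({"log": TRAEFIK + "\n", "stream": "stdout",
                            "time": "2025-08-04T14:43:50.123456789Z"})

if __name__ == "__main__":
    for runtime in ("docker", "containerd"):
        print(runtime, check([SAMPLE_CRI, SAMPLE_DOCKER], runtime))
```

Run it over a few lines copied from a pod's log file on the node; any "format, but container_runtime=" finding means the runtime setting does not match what the node writes.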
