C
CrowdSec4mo ago
Devilkin

No alerts sent to central dashboard - lite community blocklist

Hi, I not-so-recently added crowsec to my caddy reverse proxy, but at that time I had yet another thing in front of it so it never really saw the public ip addresses. I've since fixed this, and i'm trying to get it off of the lite blocklist. CAPI and LAPI looks correct 
# cscli lapi status 
Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username xxx on http://127.0.0.1:8080/
You can successfully interact with Local API (LAPI)

# cscli capi status
Loaded credentials from /etc/crowdsec/online_api_credentials.yaml
Trying to authenticate with username xxx on https://api.crowdsec.net/
You can successfully interact with Central API (CAPI)
Your instance is enrolled in the console
Subscription type: COMMUNITY
Sharing signals is enabled
Pulling community blocklist is enabled
Pulling blocklists from the console is enabled
# cscli lapi status 
Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username xxx on http://127.0.0.1:8080/
You can successfully interact with Local API (LAPI)

# cscli capi status
Loaded credentials from /etc/crowdsec/online_api_credentials.yaml
Trying to authenticate with username xxx on https://api.crowdsec.net/
You can successfully interact with Central API (CAPI)
Your instance is enrolled in the console
Subscription type: COMMUNITY
Sharing signals is enabled
Pulling community blocklist is enabled
Pulling blocklists from the console is enabled
I've added caddy logs, and the metrics look ok to me (see attachment). What might i have missed? The web console says the last signal was sent 17 july, when I added crowdsec.

log.txt

20 Replies
CrowdSec
CrowdSec4mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
CrowdSec
CrowdSec4mo ago
Resolving No alerts sent to central dashboard - lite community blocklist This has now been resolved. If you think this is a mistake please run /unresolve Unresolving No alerts sent to central dashboard - lite community blocklist This has now been unresolved.
Devilkin
DevilkinOP4mo ago
No description
Loz
Loz4mo ago
CrowdSec running inside a container or on the host?
Devilkin
DevilkinOP4mo ago
It's running on the host. I'm wondering though why so much is being parsed by the whitelist parser?
Loz
Loz4mo ago
crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 132349 │ 3456 │
well out of the 130k lines only 3.4k was whitelisted
Devilkin
DevilkinOP4mo ago
ah, i was looking at
 | crowdsecurity/whitelists           │ 133.43k │ 133.43k │ -        │
 | crowdsecurity/whitelists           │ 133.43k │ 133.43k │ -        │
Loz
Loz4mo ago
Yeah that just means the parser didnt fail, but doesnt imply any whitelist status
Devilkin
DevilkinOP4mo ago
ah ok 🙂 I've even tried hammering one of my sites with nikto, and then i see that there are local api decisions but nothing goes to the dashboard
Loz
Loz4mo ago
Do you see any errors in /var/log/crowdsec.log?
Devilkin
DevilkinOP4mo ago
no, no errors. 
time="2025-09-02T10:13:39+02:00" level=info msg="Starting community-blocklist update"
time="2025-09-02T10:13:39+02:00" level=info msg="capi/community-blocklist : 0 explicit deletions"
time="2025-09-02T10:13:39+02:00" level=info msg="crowdsecurity/community-blocklist : added 3000 entries, deleted 3000 entries (alert:1145)"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cybercrime hasn't been modified since Tue, 02 Sep 2025 06:13:41 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cruzit_web_attacks hasn't been modified since Tue, 02 Sep 2025 06:13:40 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="lists:otx-webscanners : added 972 entries, deleted 972 entries (alert:1146)"
time="2025-09-02T10:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T10:30:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T10:36:10+02:00" level=info msg="flushed 2/198 alerts because they were created 168h0m0s ago or more"
time="2025-09-02T10:42:26+02:00" level=info msg="0 existing buckets"
time="2025-09-02T10:55:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:00:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:30:15+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:35:07+02:00" level=info msg="0 existing buckets"
time="2025-09-02T10:13:39+02:00" level=info msg="Starting community-blocklist update"
time="2025-09-02T10:13:39+02:00" level=info msg="capi/community-blocklist : 0 explicit deletions"
time="2025-09-02T10:13:39+02:00" level=info msg="crowdsecurity/community-blocklist : added 3000 entries, deleted 3000 entries (alert:1145)"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cybercrime hasn't been modified since Tue, 02 Sep 2025 06:13:41 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cruzit_web_attacks hasn't been modified since Tue, 02 Sep 2025 06:13:40 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="lists:otx-webscanners : added 972 entries, deleted 972 entries (alert:1146)"
time="2025-09-02T10:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T10:30:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T10:36:10+02:00" level=info msg="flushed 2/198 alerts because they were created 168h0m0s ago or more"
time="2025-09-02T10:42:26+02:00" level=info msg="0 existing buckets"
time="2025-09-02T10:55:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:00:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:30:15+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:35:07+02:00" level=info msg="0 existing buckets"
Loz
Loz4mo ago
and you have scenario via cscli scenarios list?
Devilkin
DevilkinOP4mo ago
The 5 default ones 
# cscli scenario list
───────────────────────────────────────────────────────────────────────────────────────────────────────
 SCENARIOS                                                                                             
───────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status    Version  Local Path                                     
───────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/ssh-bf             ✔  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml            
 crowdsecurity/ssh-cve-2024-6387  ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-cve-2024-6387.yaml 
 crowdsecurity/ssh-generic-test   ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-generic-test.yaml  
 crowdsecurity/ssh-refused-conn   ✔  enabled  0.1      /etc/crowdsec/scenarios/ssh-refused-conn.yaml  
 crowdsecurity/ssh-slow-bf        ✔  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml       
───────────────────────────────────────────────────────────────────────────────────────────────────────
# cscli scenario list
───────────────────────────────────────────────────────────────────────────────────────────────────────
 SCENARIOS                                                                                             
───────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status    Version  Local Path                                     
───────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/ssh-bf             ✔  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml            
 crowdsecurity/ssh-cve-2024-6387  ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-cve-2024-6387.yaml 
 crowdsecurity/ssh-generic-test   ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-generic-test.yaml  
 crowdsecurity/ssh-refused-conn   ✔  enabled  0.1      /etc/crowdsec/scenarios/ssh-refused-conn.yaml  
 crowdsecurity/ssh-slow-bf        ✔  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml       
───────────────────────────────────────────────────────────────────────────────────────────────────────
Loz
Loz4mo ago
Yeah so you have no http scenarios
Devilkin
DevilkinOP4mo ago
I see, ok, I had been poking around in the webconsole to find any others but that's just handled using the cli and then life intervened
Loz
Loz4mo ago
cscli collections install crowdsecurity/base-http-scenarios then run systemctl restart crowdsec then your nikto will be banned so be careful 😄
Devilkin
DevilkinOP4mo ago
let's see what that does. I had honestly never looked beyond the security engine 😒
Loz
Loz4mo ago
Devilkin
DevilkinOP4mo ago
Ok, so that now seems to work. I'll have a decent look at the available scenarios to see what is useful for my usecase. And then configure caddy to actually block 😉
CrowdSec
CrowdSec4mo ago
Resolving No alerts sent to central dashboard - lite community blocklist This has now been resolved. If you think this is a mistake please run /unresolve

Did you find this page helpful?