CrowdSec•2mo ago

No alerts sent to central dashboard - lite community blocklist

Hi, I not-so-recently added crowsec to my caddy reverse proxy, but at that time I had yet another thing in front of it so it never really saw the public ip addresses. I've since fixed this, and i'm trying to get it off of the lite blocklist. CAPI and LAPI looks correct

# cscli lapi status 
Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username xxx on http://127.0.0.1:8080/
You can successfully interact with Local API (LAPI)

# cscli capi status
Loaded credentials from /etc/crowdsec/online_api_credentials.yaml
Trying to authenticate with username xxx on https://api.crowdsec.net/
You can successfully interact with Central API (CAPI)
Your instance is enrolled in the console
Subscription type: COMMUNITY
Sharing signals is enabled
Pulling community blocklist is enabled
Pulling blocklists from the console is enabled

# cscli lapi status 
Loaded credentials from /etc/crowdsec/local_api_credentials.yaml
Trying to authenticate with username xxx on http://127.0.0.1:8080/
You can successfully interact with Local API (LAPI)

# cscli capi status
Loaded credentials from /etc/crowdsec/online_api_credentials.yaml
Trying to authenticate with username xxx on https://api.crowdsec.net/
You can successfully interact with Central API (CAPI)
Your instance is enrolled in the console
Subscription type: COMMUNITY
Sharing signals is enabled
Pulling community blocklist is enabled
Pulling blocklists from the console is enabled

I've added caddy logs, and the metrics look ok to me (see attachment). What might i have missed? The web console says the last signal was sent 17 july, when I added crowdsec.

log.txt

20 Replies

CrowdSec•2mo ago

Important Information

This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve

CrowdSec•2mo ago

Resolving No alerts sent to central dashboard - lite community blocklist This has now been resolved. If you think this is a mistake please run /unresolve Unresolving No alerts sent to central dashboard - lite community blocklist This has now been unresolved.

DevilkinOP•2mo ago

iiamloz•2mo ago

CrowdSec running inside a container or on the host?

DevilkinOP•2mo ago

It's running on the host. I'm wondering though why so much is being parsed by the whitelist parser?

iiamloz•2mo ago

crowdsecurity/whitelists │ private ipv4/ipv6 ip/ranges │ 132349 │ 3456 │

well out of the 130k lines only 3.4k was whitelisted

DevilkinOP•2mo ago

ah, i was looking at

 | crowdsecurity/whitelists           │ 133.43k │ 133.43k │ -        │

 | crowdsecurity/whitelists           │ 133.43k │ 133.43k │ -        │

iiamloz•2mo ago

Yeah that just means the parser didnt fail, but doesnt imply any whitelist status

DevilkinOP•2mo ago

ah ok 🙂 I've even tried hammering one of my sites with nikto, and then i see that there are local api decisions but nothing goes to the dashboard

iiamloz•2mo ago

Do you see any errors in /var/log/crowdsec.log?

DevilkinOP•2mo ago

no, no errors.

time="2025-09-02T10:13:39+02:00" level=info msg="Starting community-blocklist update"
time="2025-09-02T10:13:39+02:00" level=info msg="capi/community-blocklist : 0 explicit deletions"
time="2025-09-02T10:13:39+02:00" level=info msg="crowdsecurity/community-blocklist : added 3000 entries, deleted 3000 entries (alert:1145)"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cybercrime hasn't been modified since Tue, 02 Sep 2025 06:13:41 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cruzit_web_attacks hasn't been modified since Tue, 02 Sep 2025 06:13:40 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="lists:otx-webscanners : added 972 entries, deleted 972 entries (alert:1146)"
time="2025-09-02T10:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T10:30:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T10:36:10+02:00" level=info msg="flushed 2/198 alerts because they were created 168h0m0s ago or more"
time="2025-09-02T10:42:26+02:00" level=info msg="0 existing buckets"
time="2025-09-02T10:55:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:00:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:30:15+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:35:07+02:00" level=info msg="0 existing buckets"

time="2025-09-02T10:13:39+02:00" level=info msg="Starting community-blocklist update"
time="2025-09-02T10:13:39+02:00" level=info msg="capi/community-blocklist : 0 explicit deletions"
time="2025-09-02T10:13:39+02:00" level=info msg="crowdsecurity/community-blocklist : added 3000 entries, deleted 3000 entries (alert:1145)"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cybercrime hasn't been modified since Tue, 02 Sep 2025 06:13:41 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="blocklist firehol_cruzit_web_attacks hasn't been modified since Tue, 02 Sep 2025 06:13:40 GMT, skipping"
time="2025-09-02T10:13:40+02:00" level=info msg="lists:otx-webscanners : added 972 entries, deleted 972 entries (alert:1146)"
time="2025-09-02T10:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T10:30:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T10:36:10+02:00" level=info msg="flushed 2/198 alerts because they were created 168h0m0s ago or more"
time="2025-09-02T10:42:26+02:00" level=info msg="0 existing buckets"
time="2025-09-02T10:55:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:00:14+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:25:19+02:00" level=info msg="Sent 1 usage metrics"
time="2025-09-02T11:30:15+02:00" level=info msg="capi metrics: sending"
time="2025-09-02T11:35:07+02:00" level=info msg="0 existing buckets"

iiamloz•2mo ago

and you have scenario via cscli scenarios list?

DevilkinOP•2mo ago

The 5 default ones

# cscli scenario list
───────────────────────────────────────────────────────────────────────────────────────────────────────
 SCENARIOS                                                                                             
───────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status    Version  Local Path                                     
───────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/ssh-bf             ✔  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml            
 crowdsecurity/ssh-cve-2024-6387  ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-cve-2024-6387.yaml 
 crowdsecurity/ssh-generic-test   ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-generic-test.yaml  
 crowdsecurity/ssh-refused-conn   ✔  enabled  0.1      /etc/crowdsec/scenarios/ssh-refused-conn.yaml  
 crowdsecurity/ssh-slow-bf        ✔  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml       
───────────────────────────────────────────────────────────────────────────────────────────────────────

# cscli scenario list
───────────────────────────────────────────────────────────────────────────────────────────────────────
 SCENARIOS                                                                                             
───────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status    Version  Local Path                                     
───────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/ssh-bf             ✔  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml            
 crowdsecurity/ssh-cve-2024-6387  ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-cve-2024-6387.yaml 
 crowdsecurity/ssh-generic-test   ✔  enabled  0.2      /etc/crowdsec/scenarios/ssh-generic-test.yaml  
 crowdsecurity/ssh-refused-conn   ✔  enabled  0.1      /etc/crowdsec/scenarios/ssh-refused-conn.yaml  
 crowdsecurity/ssh-slow-bf        ✔  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml       
───────────────────────────────────────────────────────────────────────────────────────────────────────

iiamloz•2mo ago

Yeah so you have no http scenarios

DevilkinOP•2mo ago

I see, ok, I had been poking around in the webconsole to find any others but that's just handled using the cli and then life intervened

iiamloz•2mo ago

cscli collections install crowdsecurity/base-http-scenarios then run systemctl restart crowdsec then your nikto will be banned so be careful 😄

DevilkinOP•2mo ago

let's see what that does. I had honestly never looked beyond the security engine 😒

iiamloz•2mo ago

https://tenor.com/view/elmo-hell-yeah-destruction-chaos-gif-10254814210470709186

Tenor

DevilkinOP•2mo ago

Ok, so that now seems to work. I'll have a decent look at the available scenarios to see what is useful for my usecase. And then configure caddy to actually block 😉

CrowdSec•2mo ago

Resolving No alerts sent to central dashboard - lite community blocklist This has now been resolved. If you think this is a mistake please run /unresolve

Gaming

Programming

No alerts sent to central dashboard - lite community blocklist

Did you find this page helpful?