nftables IP ban based on appsec?
I've tried to search for support threads here on discord, but can't really find anything. I've also tried to read the docs and asked chatgpt (increadiably useless, but was worth a try) but I feel like I'm missing something fundamental here.
What I want:
- AppSec triggered from traefik to add an IP block on nftables.
My setup:
- Ubuntu server
- nftables in front of a traefik instance
- crowdsec installed, listening on port 8080, appsec running listening on port 7422
- crowdsec-bouncer-traefik-plugin installed and enabled (crowdsecMode: appsec)
- crowdsec-firewall-bouncer
When I manually add a decision
sudo cscli decisions add -i <client-up> -t ban -d 1m I'm locked out directly
When I run "curl -vk "https://<server domain>/?id=%27%20OR%201%3D1--" I can see the following in my traefik logs.
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 ServeHTTP ip:<client computer> isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2025/09/21 12:25:52 handleNextServeHTTP ip:<client computer> isWaf:true appsecQuery statusCode:403
10.0.0.169 - - [21/Sep/2025:12:25:52 +0000] "GET /?id=%27%20OR%201%3D1-- HTTP/2.0" 403 0 "-" "curl/8.11.1" 61 "next-router@file" "-" 67ms
cscli alert list shows:
So AppSec seems to do what I want. But decisions is empty.
My understanding of this is that there's an alert created based on the AppSec trigger, but no decision is matched. SO nftables will not block anything.5 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
My undestanding of this is that the
appsec.yaml controls what appsec_configs files are loaded. My config should load the custom/appsec-hybrid file. This should trigger an outofband alert when I trigger crowdsecurity/appsec-generic-test, i.e. curl <server-domain>/crowdsec-test-NtktlJHV4TfBSK3wvlhiOBnl. This in turn should trigger the scenarios/custom-appsec.yaml file that should trigger the nftable bouncer if the filter matches. But nothing of this seems to happen.
Is there any obvious misunderstandings I've made here? Am I just completely wrong here? If so, where can I read to a better understanding of this? I feel like I must be missing something truly obvious in the docs.
(Really sorry for the huge post. Not sure how to cut it down or if I'm missing something I should include)
After this I tried adding a scenarios/custom-appsec.yaml file looking something like this below. (I've played around with the filter a lot-)
As well as a appsec-configs/custom-appsec.yaml file. I've played aruond with what inbound and outofband rules I have.
And lastly my appsec.yaml file:
(also sorry for the jumbled post. I was over the 2000 char limit)
Not sure if it helps at all. But this is a big of my debug log that seems to show what's going on, and where it fails. I'm just not sure why it fails.
It seems like it's not running my scenario at all. But not sure whyThis would be unlikely just make sure if you run
cscli parsers list that you have the appsec parser so it does to the scenarios.Collections, AppSec Rules & Configurations | CrowdSec Hub
Manage collections, configurations, remediation components, and AppSec rules with CrowdSec Hub. Streamline security with tools and integrations for enhanced protection.
And I just got it working. I missed your response here 🙂 But YES. it was indeed a missed parser. I have no idea how I missed that 😐
The last logs I pasted made me realize I never had any logs from the scenario I was expecting, just the non-syslog once. That made me read up on parsers and realized I actually didn't have an appsec parser. Installed it, started seeing logs, tweaked my filter to something working again and I was locked out of my server 😄 Success
This was a some what frustrating debug session, but I learnt a lot
Didn't originally know what I was supposed to see in the logs, making it much harder
Time to deploy this thing and get some real world logs I Think 😄
Ok, as far as I can tell it's all working as expected now. Thanks for the push Loz 😄