[GH-ISSUE #770] Crowdsec Defaults to Captcha without Captcha set up and bypasses checks #1620

Closed
opened 2026-04-16 08:20:36 -05:00 by GiteaMirror · 5 comments

Originally created by @mellow65 on GitHub (May 22, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/770

I'm exploring an unknown world when it comes to Crowdsec, but have been stumbling through it, so bear with me.

After having Pangolin up for a few weeks, I opted to add Crowdsec and start the journey of getting that working. If nothing else it was an eye opening experience of the constant probing of things from the internet.

What I found not 5 mins after setting it up is I already had a couple IPs poking at my services. Crowdsec saw them, which was great, but they were flagged as Captcha, not ban. I get in a production kind of world captcha is probably safer, but in my case where I'm just trying to expose a couple small services to essentially myself, I would rather things default to ban, and then I can fix it after the fact.

The problem is I hadn't set up a captcha yet, yet they were still being flagged as captcha.

After much playing around and manually adding my phone's IP address flagged as captcha, I found that if an IP gets flagged as captcha and you don't have a captcha set up, that IP is freely able to get to your domain.

I believe at least in my case I've sorted everything to be flagged as ban if crowdsec decides the IP is no good, and I did that by commenting out the captcha section of the profile.yaml file.

But as I feel Pangolin has the chance to have a decent following with homelabbers, I would like to see ban be the default decision when it comes to what happens when crowdsec decides an IP is no good.

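For readers who want to see what "commenting out the captcha section" of the profile file actually changes, here is an added example of a CrowdSec profiles file (`profiles.yaml` in a stock CrowdSec install) in the layout CrowdSec documents. This is not the file Pangolin's installer ships, whose exact contents are not shown in this thread; the profile names, the filter expressions and the 4h durations are assumptions taken from CrowdSec's documented defaults.

```yaml
# Added example (not Pangolin's own file): a CrowdSec profiles.yaml.
# Profiles are evaluated top to bottom. The first profile whose filter
# matches an alert issues its decisions and, because of `on_success: break`,
# no later profile is consulted for that alert.
#
# Profile 1: the captcha profile. While this is present, every alert from an
# HTTP scenario becomes a "captcha" decision, regardless of whether a captcha
# provider has been configured on the bouncer side.
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
# Profile 2: the ban profile. To get a "ban" decision for every flagged IP
# (the behaviour the reporter wanted), delete or comment out profile 1 so
# that every IP alert falls through to this one.
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```

Because the first matching profile wins, the order of the documents in the file is what decides captcha versus ban; moving the ban profile above the captcha profile has the same effect as removing the captcha profile. After changing the file, restart the CrowdSec agent and confirm with `cscli decisions list` that newly created decisions show type `ban`, and remember that, as noted later in this thread, a bouncer only sees a decision after its next poll of the local API, so a freshly created decision takes a short while to be enforced.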

@TuncTaylan commented on GitHub (May 22, 2025):

Based on my experience, and I just tested this to be sure :) when CAPTCHA is not configured (which is the default with the Pangolin installer), IP addresses that get flagged for CAPTCHA are banned for four hours. The decision type is listed simply as "captcha," and those IPs receive an HTTP ERROR 403.

If an IP address is flagged and banned (decision type "ban"), it just results in a timeout (ERR_TIME_OUT).

For fun, I also tested this with my iPhone (using iCloud Private Relay, which uses Cloudflare IPs in my country). The IP was banned and flagged as "captcha," but I was still able to access the site.

So my question is: how did you test it? Is there any proxy / VPN involved?


@mellow65 commented on GitHub (May 22, 2025):

Well what the crap, I have no idea what the heck happened now, because now it's following what you're saying. I would have put money on what I was saying!! Because that's what triggered me to go down the rabbit hole to figure out how to not flag things as captcha.

But yeah, now my phone's IP, flagged as captcha, is hitting the HTTP ERROR 403 page. I've even made sure I went back in the profile.yaml and uncommented the captcha section. I even went to the point of adding a captcha just to make sure that was all working, which it does.

So disregard the concern. I'm still leaving my profile as ban first, as I've made it up in my head that it fits my needs better (as I'm essentially the only one that uses the services).

I do appreciate the sanity check. 😊


@TuncTaylan commented on GitHub (May 22, 2025):

There is some delay between parsing and decision taking by bouncers. :)


@mellow65 commented on GitHub (May 22, 2025):

Oh man, I think i figured it out, because it just happened to me again!!! I think my IP rolled in the middle of testing! Because that just happened to me!! 🤣


@TuncTaylan commented on GitHub (May 23, 2025):

> Oh man, I think i figured it out, because it just happened to me again!!! I think my IP rolled in the middle of testing! Because that just happened to me!! 🤣

Yes, that's also what was happening to my iPhone with private relay. Better safe than sorry 👍


Reference: github-starred/pangolin#1620