CrowdSec Bans Almost All Requests #210

Closed
opened 2025-11-13 11:53:10 -06:00 by GiteaMirror · 10 comments
Owner

Originally created by @LukeGus on GitHub (Apr 3, 2025).

Hello! So I set up Pangolin via Docker using the default installer, so nothing unusual. It was working great for a long time, using several Newt servers, and I was loving it. Until I decided to delete ~100 docker images off a server using Portainer (aka I made a lot of requests to a single resource), and since then, many of the resources I try to access simply just show this error when trying to access them.

Image

About 10% of my resources still work, and the ones that do work are very random, with nothing unusual about them. Looking at the logs for all Docker containers, they look good, except for CrowdSec, which appears to be banning almost all requests made to it for whatever reason. I believe this was caused by CrowdSec not liking it after I made many requests to that single agent, causing it to ban almost all requests to it. Here is a truncated version of the logs. These liens just get repeated every time I try to access my websites.

time="2025-04-03T04:07:22Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:07:22 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 262.609163ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \""
time="2025-04-03T04:07:43Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:07:43 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 246.485035ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \""
time="2025-04-03T04:08:03Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:08:03 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 233.115019ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \""

I tried remaking a few resources, and that did not work. I tried restarting containers individually and also the entire server running pangolin and it did not help. The only thing I have not tried was recreating an agent, but since this happens on all agents, I doubt that's the issue. Any help appreciated!!!

Edit:
I have noticed that if I disconnect from my VPN (the VPN is hosted on the same server as Pangolin) then I can no longer even access any resource including the default pangolin site. The error is "You don't have authorization to view this page." This same issue goes for all devices, not just the desktop.

Originally created by @LukeGus on GitHub (Apr 3, 2025). Hello! So I set up Pangolin via Docker using the default installer, so nothing unusual. It was working great for a long time, using several Newt servers, and I was loving it. Until I decided to delete ~100 docker images off a server using Portainer (aka I made a lot of requests to a single resource), and since then, many of the resources I try to access simply just show this error when trying to access them. ![Image](https://github.com/user-attachments/assets/31a1b38a-86bb-491b-84a0-3ee4f1a93c42) About 10% of my resources still work, and the ones that do work are very random, with nothing unusual about them. Looking at the logs for all Docker containers, they look good, except for CrowdSec, which appears to be banning almost all requests made to it for whatever reason. I believe this was caused by CrowdSec not liking it after I made many requests to that single agent, causing it to ban almost all requests to it. Here is a truncated version of the logs. These liens just get repeated every time I try to access my websites. ``` time="2025-04-03T04:07:22Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:07:22 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 262.609163ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \"" time="2025-04-03T04:07:43Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:07:43 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 246.485035ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \"" time="2025-04-03T04:08:03Z" level=info msg="172.18.0.4 - [Thu, 03 Apr 2025 04:08:03 UTC] \"GET /v1/decisions?ip=my-ip&banned=true HTTP/1.1 200 233.115019ms \"Crowdsec-Bouncer-Traefik-Plugin/1.X.X\" \"" ``` I tried remaking a few resources, and that did not work. I tried restarting containers individually and also the entire server running pangolin and it did not help. The only thing I have not tried was recreating an agent, but since this happens on all agents, I doubt that's the issue. Any help appreciated!!! Edit: I have noticed that if I disconnect from my VPN (the VPN is hosted on the same server as Pangolin) then I can no longer even access any resource including the default pangolin site. The error is "You don't have authorization to view this page." This same issue goes for all devices, not just the desktop.
Author
Owner

@tannkosten commented on GitHub (Apr 3, 2025):

Hello

You can go into the docker container for crowdsec with this command
docker exec -it crowdsec sh

When you're "inside" the container, run this command
cscli decisions list
You can then see if your IP is listed there. You can delete it with this command:
cscli alerts delete --ip x.x.x.x

To avoid your IP getting banned, you can add this to your volumes for crowdsec in docker-compose.yml

./config/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml
Make "whitelists.yaml"
The default looks like this:

name: crowdsecurity/whitelists
description: "Whitelist events from private ipv4 addresses"
whitelist:
  reason: "private ipv4/ipv6 ip/ranges"
  ip:
    - "::1"
  cidr:
    - "127.0.0.0/8"
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
  # expression:
  #   - "'foo.com' in evt.Meta.source_ip.reverse"

Feel free to add your IP here, under ip:

Hope this helps :)

@tannkosten commented on GitHub (Apr 3, 2025): Hello You can go into the docker container for crowdsec with this command `docker exec -it crowdsec sh` When you're "inside" the container, run this command `cscli decisions list` You can then see if your IP is listed there. You can delete it with this command: `cscli alerts delete --ip x.x.x.x` To avoid your IP getting banned, you can add this to your volumes for crowdsec in docker-compose.yml `./config/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml` Make "whitelists.yaml" The default looks like this: ``` name: crowdsecurity/whitelists description: "Whitelist events from private ipv4 addresses" whitelist: reason: "private ipv4/ipv6 ip/ranges" ip: - "::1" cidr: - "127.0.0.0/8" - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" # expression: # - "'foo.com' in evt.Meta.source_ip.reverse" ``` Feel free to add your IP here, under ip: Hope this helps :)
Author
Owner

@Maxklos commented on GitHub (Apr 4, 2025):

THANK YOU! I had the same problem and went nearly insane.... I got blocked because my IP was whitelisted, just IDK..... But thanks to @tannkosten i got my whole setup working again.

@Maxklos commented on GitHub (Apr 4, 2025): THANK YOU! I had the same problem and went nearly insane.... I got blocked because my IP was whitelisted, just IDK..... But thanks to @tannkosten i got my whole setup working again.
Author
Owner

@AttaInsularis commented on GitHub (Sep 23, 2025):

Hello

You can go into the docker container for crowdsec with this command docker exec -it crowdsec sh

When you're "inside" the container, run this command cscli decisions list You can then see if your IP is listed there. You can delete it with this command: cscli alerts delete --ip x.x.x.x

To avoid your IP getting banned, you can add this to your volumes for crowdsec in docker-compose.yml

./config/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml Make "whitelists.yaml" The default looks like this:

Can't figure out what I'm doing wrong. Installed Pangolin + CrowdSec (+ community guide)

Added the whitelist-someservice.yaml file in the server (./config/my-whitelist.yaml:):

In docker-compose:

volumes:
      - ./config/crowdsec:/etc/crowdsec
      - ./config/crowdsec/db:/var/lib/crowdsec/data
      - ./config/traefik/logs:/var/log/traefik
      - /var/log/journal:/var/log/host:ro
      - ./config/my-whitelist.yaml:/etc/crowdsec/parsers/s02-enrich/my-whitelist.yaml

But after docker compose down and up -d the docker exec crowdsec cscli parsers list | grep white return only:
crowdsecurity/whitelists ✔️ enabled 0.3 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml

This is some list from CrowdSec itself, not present in the server FS.
(Possibly because of enrollment with the CS console service.)

Is this only for one whitelist and the name must be exactly 'whitelist'?

@AttaInsularis commented on GitHub (Sep 23, 2025): > Hello > > You can go into the docker container for crowdsec with this command `docker exec -it crowdsec sh` > > When you're "inside" the container, run this command `cscli decisions list` You can then see if your IP is listed there. You can delete it with this command: `cscli alerts delete --ip x.x.x.x` > > To avoid your IP getting banned, you can add this to your volumes for crowdsec in docker-compose.yml > > `./config/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yaml` Make "whitelists.yaml" The default looks like this: > Can't figure out what I'm doing wrong. Installed Pangolin + CrowdSec (+ community [guide](https://docs.digpangolin.com/self-host/community-guides/crowdsec)) Added the whitelist-someservice.yaml file in the server (./config/my-whitelist.yaml:): In docker-compose: ``` volumes: - ./config/crowdsec:/etc/crowdsec - ./config/crowdsec/db:/var/lib/crowdsec/data - ./config/traefik/logs:/var/log/traefik - /var/log/journal:/var/log/host:ro - ./config/my-whitelist.yaml:/etc/crowdsec/parsers/s02-enrich/my-whitelist.yaml ``` But after docker `compose down` and `up -d` the `docker exec crowdsec cscli parsers list | grep white` return only: ` crowdsecurity/whitelists ✔️ enabled 0.3 /etc/crowdsec/parsers/s02-enrich/whitelists.yaml` This is some list from CrowdSec itself, not present in the server FS. (Possibly because of enrollment with the CS console service.) Is this only for one whitelist and the name must be exactly 'whitelist'?
Author
Owner

@tannkosten commented on GitHub (Sep 24, 2025):

My example enables you to edit the "whitelists.yaml" file that crowdsec uses. Not to add a new whitelist file to crowdsec.

So in my example, you would create a "whitelists.yaml" file in your pangolin config directory, and add the info you wanted. Then start your containers. If you needed to whitelist more, add that to the whitelists.yaml file in the config directory and restart your containers.

@tannkosten commented on GitHub (Sep 24, 2025): My example enables you to edit the "whitelists.yaml" file that crowdsec uses. Not to add a new whitelist file to crowdsec. So in my example, you would create a "whitelists.yaml" file in your pangolin config directory, and add the info you wanted. Then start your containers. If you needed to whitelist more, add that to the whitelists.yaml file in the config directory and restart your containers.
Author
Owner

@AttaInsularis commented on GitHub (Sep 24, 2025):

Didn't know the name must be 1:1 (not whitelists.yaml vs my-whitelist.yaml) as here in CS documentation is no info regarding this.
Just would like to have them separated by service so it's quicker to find.

Will look into that, thx.

@AttaInsularis commented on GitHub (Sep 24, 2025): Didn't know the name must be 1:1 (not whitelists.yaml vs my-whitelist.yaml) as here in [CS documentation](https://doc.crowdsec.net/docs/next/log_processor/whitelist/intro) is no info regarding this. Just would like to have them separated by service so it's quicker to find. Will look into that, thx.
Author
Owner

@v1rusnl commented on GitHub (Sep 24, 2025):

Whitelists will be deprecated in the future. Use allowlists instead.

https://docs.crowdsec.net/docs/next/local_api/centralized_allowlists

@v1rusnl commented on GitHub (Sep 24, 2025): Whitelists will be deprecated in the future. Use allowlists instead. https://docs.crowdsec.net/docs/next/local_api/centralized_allowlists
Author
Owner

@AttaInsularis commented on GitHub (Sep 24, 2025):

Whitelists will be deprecated in the future. Use allowlists instead.

https://docs.crowdsec.net/docs/next/local_api/centralized_allowlists

There is written:

AllowLists are limited to IP/Range based rules. If you need rules that rely on log elements such as URL and so on, Parser Whitelists or Profile Rules might more relevant.

And mine is parser for path such as:

whitelist: reason: "False positive from serviceX-api" expression:# /api/assets/ - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '400' && evt.Parsed.request contains '/api/assets/'

So thinking that this is still needed.

@AttaInsularis commented on GitHub (Sep 24, 2025): > Whitelists will be deprecated in the future. Use allowlists instead. > > https://docs.crowdsec.net/docs/next/local_api/centralized_allowlists There is written: > AllowLists are limited to IP/Range based rules. If you need rules that rely on log elements such as URL and so on, [Parser Whitelists](https://docs.crowdsec.net/docs/next/log_processor/whitelist/intro) or [Profile Rules](https://docs.crowdsec.net/docs/next/local_api/profiles/format) might more relevant. And mine is parser for path such as: `whitelist: reason: "False positive from serviceX-api" expression:# /api/assets/ - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '400' && evt.Parsed.request contains '/api/assets/'` So thinking that this is still needed.
Author
Owner

@v1rusnl commented on GitHub (Sep 25, 2025):

No, just set up your home Public IP in an allowlist and you're good. Except you dont want your home address to be excluded completely.

@v1rusnl commented on GitHub (Sep 25, 2025): No, just set up your home Public IP in an allowlist and you're good. Except you dont want your home address to be excluded completely.
Author
Owner

@AttaInsularis commented on GitHub (Sep 25, 2025):

Why? Have no static IP I'm connecting from (nor my peers) so it's good to let the CS know those are assets that providing legit traffic that could be excluded.

Just in this thread because not knowing how to add manually the whitelist so its persistent.

@AttaInsularis commented on GitHub (Sep 25, 2025): Why? Have no static IP I'm connecting from (nor my peers) so it's good to let the CS know those are assets that providing legit traffic that could be excluded. Just in this thread because not knowing how to add manually the whitelist so its persistent.
Author
Owner

@v1rusnl commented on GitHub (Sep 25, 2025):

Ok thought you are the typical usecase trying to whitelist his home public IP in Crowdsec (btw I also have a dynamic IP and I use a script to update the CS allowlist when my IP changes automatically within 60secs). How does CS distinguish between trustful clients and bad actors in your case and why you gut bad requests on the API?

@v1rusnl commented on GitHub (Sep 25, 2025): Ok thought you are the typical usecase trying to whitelist his home public IP in Crowdsec (btw I also have a dynamic IP and I use a script to update the CS allowlist when my IP changes automatically within 60secs). How does CS distinguish between trustful clients and bad actors in your case and why you gut bad requests on the API?
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#210