mirror of
https://github.com/fosrl/pangolin.git
synced 2026-07-16 22:55:14 -05:00
CrowdSec Bans Almost All Requests #210
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @LukeGus on GitHub (Apr 3, 2025).
Hello! So I set up Pangolin via Docker using the default installer, so nothing unusual. It was working great for a long time, using several Newt servers, and I was loving it. Until I decided to delete ~100 docker images off a server using Portainer (aka I made a lot of requests to a single resource), and since then, many of the resources I try to access simply just show this error when trying to access them.
About 10% of my resources still work, and the ones that do work are very random, with nothing unusual about them. Looking at the logs for all Docker containers, they look good, except for CrowdSec, which appears to be banning almost all requests made to it for whatever reason. I believe this was caused by CrowdSec not liking it after I made many requests to that single agent, causing it to ban almost all requests to it. Here is a truncated version of the logs. These liens just get repeated every time I try to access my websites.
I tried remaking a few resources, and that did not work. I tried restarting containers individually and also the entire server running pangolin and it did not help. The only thing I have not tried was recreating an agent, but since this happens on all agents, I doubt that's the issue. Any help appreciated!!!
Edit:
I have noticed that if I disconnect from my VPN (the VPN is hosted on the same server as Pangolin) then I can no longer even access any resource including the default pangolin site. The error is "You don't have authorization to view this page." This same issue goes for all devices, not just the desktop.
@tannkosten commented on GitHub (Apr 3, 2025):
Hello
You can go into the docker container for crowdsec with this command
docker exec -it crowdsec shWhen you're "inside" the container, run this command
cscli decisions listYou can then see if your IP is listed there. You can delete it with this command:
cscli alerts delete --ip x.x.x.xTo avoid your IP getting banned, you can add this to your volumes for crowdsec in docker-compose.yml
./config/whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/whitelists.yamlMake "whitelists.yaml"
The default looks like this:
Feel free to add your IP here, under ip:
Hope this helps :)
@Maxklos commented on GitHub (Apr 4, 2025):
THANK YOU! I had the same problem and went nearly insane.... I got blocked because my IP was whitelisted, just IDK..... But thanks to @tannkosten i got my whole setup working again.
@AttaInsularis commented on GitHub (Sep 23, 2025):
Can't figure out what I'm doing wrong. Installed Pangolin + CrowdSec (+ community guide)
Added the whitelist-someservice.yaml file in the server (./config/my-whitelist.yaml:):
In docker-compose:
But after docker
compose downandup -dthedocker exec crowdsec cscli parsers list | grep whitereturn only:crowdsecurity/whitelists ✔️ enabled 0.3 /etc/crowdsec/parsers/s02-enrich/whitelists.yamlThis is some list from CrowdSec itself, not present in the server FS.
(Possibly because of enrollment with the CS console service.)
Is this only for one whitelist and the name must be exactly 'whitelist'?
@tannkosten commented on GitHub (Sep 24, 2025):
My example enables you to edit the "whitelists.yaml" file that crowdsec uses. Not to add a new whitelist file to crowdsec.
So in my example, you would create a "whitelists.yaml" file in your pangolin config directory, and add the info you wanted. Then start your containers. If you needed to whitelist more, add that to the whitelists.yaml file in the config directory and restart your containers.
@AttaInsularis commented on GitHub (Sep 24, 2025):
Didn't know the name must be 1:1 (not whitelists.yaml vs my-whitelist.yaml) as here in CS documentation is no info regarding this.
Just would like to have them separated by service so it's quicker to find.
Will look into that, thx.
@v1rusnl commented on GitHub (Sep 24, 2025):
Whitelists will be deprecated in the future. Use allowlists instead.
https://docs.crowdsec.net/docs/next/local_api/centralized_allowlists
@AttaInsularis commented on GitHub (Sep 24, 2025):
There is written:
And mine is parser for path such as:
whitelist: reason: "False positive from serviceX-api" expression:# /api/assets/ - evt.Meta.http_verb == 'GET' && evt.Meta.http_status == '400' && evt.Parsed.request contains '/api/assets/'So thinking that this is still needed.
@v1rusnl commented on GitHub (Sep 25, 2025):
No, just set up your home Public IP in an allowlist and you're good. Except you dont want your home address to be excluded completely.
@AttaInsularis commented on GitHub (Sep 25, 2025):
Why? Have no static IP I'm connecting from (nor my peers) so it's good to let the CS know those are assets that providing legit traffic that could be excluded.
Just in this thread because not knowing how to add manually the whitelist so its persistent.
@v1rusnl commented on GitHub (Sep 25, 2025):
Ok thought you are the typical usecase trying to whitelist his home public IP in Crowdsec (btw I also have a dynamic IP and I use a script to update the CS allowlist when my IP changes automatically within 60secs). How does CS distinguish between trustful clients and bad actors in your case and why you gut bad requests on the API?