r/CrowdSec

Securing a publicly exposed mailserver with crowdsec

I have been doing this for some time, but this weekend I decided to add more relevant logs to block more logs from my Xeams mail gateway appliance.

My log list now contains

  • authTerminate — bad AUTH attempts
  • helloTerminate — bad EHLO/HELO
  • invalidRecipients — directory harvesting
  • rcptTerminate — invalid RCPT
  • timeoutTerminate — connection timeouts
  • GreyListing — persistent greylisted senders
  • ForgedSenders — forged sender addresses

This feels almost like a honeypot due to the number of "attacks" - just during this afternoon 105 decisions were made to block traffic, to my mail server alone ✌️

All decisions are fed into a blocklist that my TWO Juniper vSRX firewalls subscribe to, and it is part of the global deny rules in the firewall.

It does not matter if an IP tried to perform a WordPress attack or connect over SMTP - you shall not pass.... ❤️‍🔥

This might end up on GitHub soon..
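As an added illustration of the "decisions feed a firewall blocklist" step (my own example, not the poster's code or CrowdSec's): it turns ban decisions into Junos prefix-list statements, deduplicating repeated IPs and skipping non-ban or malformed entries. It assumes decisions in the shape the LAPI /v1/decisions endpoint returns (id, origin, scope, value, type, duration, scenario); the sample data and scenario names are constructed.

```python
import ipaddress

# Constructed sample decisions (assumed LAPI /v1/decisions field names).
# Addresses are documentation ranges, made up for this example.
SAMPLE_DECISIONS = [
    {"id": 1, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
     "type": "ban", "duration": "3h59m", "scenario": "authTerminate"},
    {"id": 2, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
     "type": "ban", "duration": "2h", "scenario": "rcptTerminate"},       # duplicate IP
    {"id": 3, "origin": "CAPI", "scope": "Range", "value": "198.51.100.0/24",
     "type": "ban", "duration": "23h", "scenario": "invalidRecipients"},
    {"id": 4, "origin": "crowdsec", "scope": "Ip", "value": "2001:db8::10",
     "type": "ban", "duration": "1h", "scenario": "helloTerminate"},
    {"id": 5, "origin": "crowdsec", "scope": "Ip", "value": "192.0.2.9",
     "type": "captcha", "duration": "1h", "scenario": "http-probing"},    # not a ban
    {"id": 6, "origin": "crowdsec", "scope": "Ip", "value": "not-an-ip",
     "type": "ban", "duration": "1h", "scenario": "authTerminate"},       # malformed
]


def ban_prefixes(decisions):
    """Deduplicated, sorted networks for every 'ban' decision with Ip/Range scope.
    A malformed value is skipped instead of aborting the whole blocklist."""
    nets = set()
    for d in decisions:
        if d.get("type") != "ban" or d.get("scope") not in ("Ip", "Range"):
            continue
        try:
            nets.add(ipaddress.ip_network(d["value"], strict=False))
        except ValueError:
            continue
    # Sort by IP version first so v4 and v6 networks are never compared directly.
    return sorted(nets, key=lambda n: (n.version, n))


def junos_prefix_list(decisions, name="crowdsec-deny"):
    """Render Junos 'set policy-options prefix-list' lines; IPv6 goes to a
    separate list so a deny term can reference each family explicitly."""
    lines = []
    for net in ban_prefixes(decisions):
        suffix = "" if net.version == 4 else "-v6"
        lines.append(f"set policy-options prefix-list {name}{suffix} {net.with_prefixlen}")
    return lines


if __name__ == "__main__":
    print("\n".join(junos_prefix_list(SAMPLE_DECISIONS)))
```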

u/kY2iB3yH0mN8wI2h — 5 days ago

I think the http-probing scenario needs to go...

I'm just on a holiday and got banned again left and right (wifi, mobile, mobile + vpns) for using my services.

My internet is so slow right now that I'm struggling to find out why. I added my IPs to my allowlist and then it worked briefly. But I also ran into weird issues that made me reboot my VPS and ultimately led to a backup restore of my Pangolin setup. Briefly, even my whitelisted home IP didn't work, no idea why.

I'm sorry I can't produce enough details as I had to fix my whole setup using an iphone and it was painful enough believe me...

What I realised is that the http-probing scenario - which I'd disabled months prior - was re-enabled. Probably through a CS upgrade, I guess?

What's the point of this crap if it repeatedly blocks me and my other users from accessing simple services on my homelab?

Is there no way to disable this thing for good??

u/-ThreeHeadedMonkey- — 8 days ago

Request to bouncer IP forbidden despite allowlist

I use an additional tool which can inject blocklists into crowdsec. Recently it got blocked by crowdsec despite me having an allowlist for all private ranges.

Any ideas what is going on?

The error:

crowdsec-monitor-api  | Deleting 26 alert(s) for blocklist "Abuse.ch" from CrowdSec...
crowdsec-monitor-api  | Error deleting alert 14609: 403 - {"message":"access forbidden from this IP (172.16.0.165)"}
crowdsec-monitor-api  | Background CrowdSec sync failed for blocklist "Abuse.ch": Failed to delete blocklist decisions from CrowdSec

The allowlist:

docker exec -ti crowdsec bash
root@crowdsec:/# cscli allowlist inspect PrivateRanges
──────────────────────────────────────────────
 Allowlist: PrivateRanges                     
──────────────────────────────────────────────
 Name                PrivateRanges            
 Description         Private IP Ranges        
 Created at          2026-04-22T10:32:54.492Z 
 Updated at          2026-04-30T07:26:02.981Z 
 Managed by Console  no                       
──────────────────────────────────────────────

───────────────────────────────────────────────────────────────────────────────────────────────
 Value           Comment                                      Expiration  Created at           
───────────────────────────────────────────────────────────────────────────────────────────────
 ::1                                                          never       2026-04-22T10:33:36Z 
 127.0.0.0/8                                                  never       2026-04-22T10:33:42Z 
 192.168.0.0/16                                               never       2026-04-22T10:33:50Z 
 10.0.0.0/8                                                   never       2026-04-22T10:33:59Z 
 172.16.0.0/12                                                never       2026-04-22T10:34:06Z 
 100.64.0.0/10   CGNAT range, used by Tailscale and Pangolin  never       2026-04-30T07:26:02Z 
───────────────────────────────────────────────────────────────────────────────────────────────
root@crowdsec:/# 
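To check whether an address such as the one in the 403 message falls inside the ranges that `cscli allowlist inspect` printed, here is an added Python example (mine, not the poster's or CrowdSec's) that parses the Value column of that table and tests coverage with the ipaddress module. The table text is a constructed copy of the output above.

```python
import ipaddress

# Constructed copy of the value table printed by `cscli allowlist inspect`
# (same box-drawing layout as the post); only the Value column is used.
SAMPLE_TABLE = """\
───────────────────────────────────────────────
 Value           Comment                                      Expiration  Created at
───────────────────────────────────────────────
 ::1                                                          never       2026-04-22T10:33:36Z
 127.0.0.0/8                                                  never       2026-04-22T10:33:42Z
 192.168.0.0/16                                               never       2026-04-22T10:33:50Z
 10.0.0.0/8                                                   never       2026-04-22T10:33:59Z
 172.16.0.0/12                                                never       2026-04-22T10:34:06Z
 100.64.0.0/10   CGNAT range, used by Tailscale and Pangolin  never       2026-04-30T07:26:02Z
───────────────────────────────────────────────
"""


def parse_allowlist_values(table_text):
    """Extract the Value column: skip rule lines and the header row, take the
    first token of each data row, keep only tokens that parse as an address
    or CIDR (a bare address becomes a /32 or /128 network)."""
    nets = []
    for line in table_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("─") or stripped.startswith("Value"):
            continue
        token = stripped.split()[0]
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # e.g. a stray shell prompt captured with the output
    return nets


def covering_entries(ip_text, nets):
    """Allowlist entries that contain ip_text; an empty list means the address
    is not covered by any entry."""
    ip = ipaddress.ip_address(ip_text)
    return [n for n in nets if ip.version == n.version and ip in n]


if __name__ == "__main__":
    entries = parse_allowlist_values(SAMPLE_TABLE)
    print("172.16.0.165 covered by:", [str(n) for n in covering_entries("172.16.0.165", entries)])
```

Run against the table above it reports 172.16.0.165 as covered by 172.16.0.0/12, so a gap in the allowlist entries themselves is not what this check would find.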
u/ovizii — 11 days ago

Crowdsec Dashboard install on Unraid

Hey guys - quick question.

Edit/Update: I'm leaving my original post/question below as-is, but in a moment of clarity, I realized what the directions were probably saying was that 99:99 wasn't key:variable but was <crowdsec_value>:<crowdsec-dashboard value>.
I had gotten it working earlier by manually changing permissions with chmod on the crowdsec.db file, but after a restart of my containers a few days later the permissions returned to what they were before and the dashboard was no longer able to read crowdsec.db.
Resolution:
In the crowdsec container I set key:variable to UID:99, GID:98.
The crowdsec-dashboard container has MUID:99, MGID:98 so it looks like these variables map between the containers like:
crowdsec UID = crowdsec-dashboard MUID, value is 99 for both.
crowdsec GID = crowdsec-dashboard MGID, value is 98 for both.

Once I updated crowdsec with UID:99, GID:98, crowdsec-dashboard can now read crowdsec.db again.

Original Post where my understanding of the directions wasn't correct:
I'm new to crowdsec and just got it up and running on Unraid. Now I'm following up with the metabase crowdsec-dashboard container install on Unraid.

Under "Additional Requirements" it states:

>Add the following to your Crowdsec container as environment variables to give the dashboard appropriate permissions to read data:
UID: 99:99
GID: 98:98

Is that format in <variable name>: <key>:<value> ?

So I would go back to the crowdsec config and add this variable as shown in my screenshot and repeat for GID: 98:98, right? It just seemed a bit strange adding a numeric key so just wanted to double-check.

u/3WolfTShirt — 13 days ago