Messages - philippe_crowdsec

#1
@cookiemonster: I'm interested in the discussion about CrowdSec.

The product is free (security engine, scenarios, vpatch, WAF rules, Claude skill, etc.) and is MIT-licensed.
A blocklist is shared amongst users who share signals, for free, and many more are also free of charge.
There is 0 cost on the OPNsense integration.

So I'd be interested to understand your feelings better (or maybe it's about the SaaS console)?
If you have time and the will to discuss this, please PM me.
#2
General Discussion / Re: Crowdsec Observations
June 10, 2026, 11:25:20 AM
@dan786: Don't hesitate to discuss those points on our discourse.

The tables populated by CrowdSec are entirely dynamic. TL;DR: they contain the IPs your local machine blocks and a part of what the others in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.

The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).

CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OPNsense integration issue. So step 1: stack health or check the config with Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.
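
The ban behaviour described above (a 4h local ban that is refreshed when the same IP is caught again, then expires on its own), as an added example that is not CrowdSec's own code. It models the local decision table with epoch-second timestamps so it runs offline; the class and function names, the sample IPs and the timeline are constructed for illustration, and the scenario names are only sample labels.

```python
# Added example, not CrowdSec's own code: a small model of the local decision
# table described in the post. Times are epoch seconds so the example runs
# offline; the 4h duration is the default ban length the post mentions.

BAN_SECONDS = 4 * 3600  # default local ban length (4h)


class LocalDecisions:
    """Maps an offending IP to (expiry_epoch, scenario). Hypothetical helper."""

    def __init__(self):
        self._bans = {}

    def record_hit(self, ip, scenario, now):
        """Ban `ip` for 4h from `now`. A repeat hit while the ban is still
        active refreshes the expiry instead of stacking a second ban, so an IP
        that keeps knocking stays blocked while a one-off visitor ages out."""
        self._bans[ip] = (now + BAN_SECONDS, scenario)
        # What is shared with the network for this decision: only the
        # timestamp, the IP and the scenario it triggered (the November 2020
        # post in this thread lists exactly these three fields).
        return {"timestamp": now, "ip": ip, "scenario": scenario}

    def sweep(self, now):
        """Remove expired bans; returns the IPs released so the firewall set
        can be updated to match."""
        released = sorted(ip for ip, (exp, _) in self._bans.items() if exp <= now)
        for ip in released:
            del self._bans[ip]
        return released

    def active(self, now):
        """IPs that should currently be in the firewall's drop set."""
        return sorted(ip for ip, (exp, _) in self._bans.items() if exp > now)

    def expires_at(self, ip):
        return self._bans[ip][0]


def demo(t0=1_780_000_000):
    """Constructed timeline: 203.0.113.7 hits at t0 and again at t0+3h,
    198.51.100.9 hits once. Returns (expiry of the repeat offender,
    IPs still active at t0+5h, IPs active at t0+7h)."""
    table = LocalDecisions()
    table.record_hit("203.0.113.7", "crowdsecurity/ssh-bf", t0)              # first hit
    table.record_hit("198.51.100.9", "crowdsecurity/http-probing", t0)       # one-off visitor
    table.record_hit("203.0.113.7", "crowdsecurity/ssh-bf", t0 + 3 * 3600)   # repeat: ban refreshed
    expiry = table.expires_at("203.0.113.7")                                 # t0 + 7h, not t0 + 4h
    table.sweep(t0 + 5 * 3600)       # the one-off visitor expired at t0+4h and is released
    at_5h = table.active(t0 + 5 * 3600)
    table.sweep(t0 + 7 * 3600)       # the repeat offender's refreshed ban now lapses too
    at_7h = table.active(t0 + 7 * 3600)
    return expiry, at_5h, at_7h


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that refreshing rather than stacking keeps the firewall set bounded: an IP is present at most once, with a single expiry, and the set shrinks automatically when the noise stops.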

#3
General Discussion / Re: Crowdsec Observations
June 09, 2026, 04:47:30 PM
yup, sorry, OPNsense, obviously my bad, but the observation remains correct.
The firewall is dropping the table CrowdSec is populating, hence the feeling the firewall is doing the job all alone :-)

@ruzamai: Can you check how many times the rule that drops this table has been triggered?
#4
General Discussion / Re: Crowdsec Observations
June 09, 2026, 03:02:36 PM
Hi there, I'm allowing myself just a few observations:

> [...] There's constant pressure to upsell.

On the FOSS product, there is zero upsell. The security engines, scenarios, virtual patches, and OWASP CRS ruleset are all 100% free.
One place you may see an upsell is in the SaaS console's free tier. The reason is that this product is not free, not for you or for us, since we store the attacks your servers are receiving. There is a free tier, which is entirely optional for the use of CrowdSec by homelab users. For professionals, if you need supervision, alerts, provisioning, QoL, etc., this is where the SaaS product is useful and where you get upsell CTAs.

> [...] I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

It's then likely that you use only the IDS module (the one reading logs), with a few scenarios, and probably not exposed over the Internet. Because usually, firewalls don't filter some ports that need to be opened (like HTTP or VPN, sometimes SSH, etc.) and those are scanned several thousand times a day, which is where CrowdSec WAF & IDS are helpful. Also, maybe check the SaaS console to see the health of your instance and whether you have log parsing, the scenarios installed, etc. The logic is dynamic blocking based on behavior, rather than static filtering via firewall rules.

> [...] Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall

Normally, if a packet is dropped by your firewall, the related request should never reach the security engine for treatment.
CrowdSec Bouncer installs an IPset on your Linux firewall, and your firewall drops it, making it seem like it's your firewall dropping, but in fact, it's CrowdSec populating an IPset that your firewall is dropping.


Bests,

Philippe.
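
The mechanism described in the two posts above (CrowdSec fills a set, the firewall's own DROP rule consumes it) means the firewall rule's hit counter is the place to look when asking how often that rule fired. The following is an added example, not the CrowdSec firewall bouncer's code: it parses the counters of the DROP rule matching the set. The set name crowdsec-blacklists is assumed to be the IPv4 set the Linux bouncer manages, and the listing is constructed in the shape of `iptables -L INPUT -v -n -x` output with made-up counters.

```python
# Added example, not the CrowdSec firewall bouncer's code. It reads the packet
# counter of the iptables rule that drops the set the bouncer fills, which is
# the "how many times has the drop rule been triggered" check asked for in the
# thread. The set name crowdsec-blacklists is assumed; the listing below is
# constructed in the shape of `iptables -L INPUT -v -n -x`.
import re
import subprocess

SET_NAME = "crowdsec-blacklists"  # assumed: the IPv4 set the Linux bouncer manages

# Constructed sample listing (counters are made up)
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 102 packets, 8160 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     483      28980 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
   12034    9220341 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      17       1020 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec6-blacklists src
"""

_MATCH_SET = re.compile(r"\bmatch-set\s+(\S+)\s+(src|dst)\b")


def rule_hits(listing, set_name=SET_NAME):
    """Sum the packet/byte counters of every DROP rule that matches `set_name`.
    Returns {"packets": n, "bytes": n}, or None when no such rule exists: a
    populated set that nothing drops is exactly the misconfiguration to look for."""
    found = None
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # skips the chain header and the column header
        pkts, nbytes, target = int(fields[0]), int(fields[1]), fields[2]
        m = _MATCH_SET.search(line)
        if target == "DROP" and m and m.group(1) == set_name:
            if found is None:
                found = {"packets": 0, "bytes": 0}
            found["packets"] += pkts
            found["bytes"] += nbytes
    return found


def live_hits(chain="INPUT", set_name=SET_NAME):
    """Run iptables (needs root) and parse its output. -x prints exact counters
    instead of K/M-abbreviated ones, which keeps the parser simple."""
    out = subprocess.run(
        ["iptables", "-L", chain, "-v", "-n", "-x"],
        check=True, capture_output=True, text=True,
    ).stdout
    return rule_hits(out, set_name)


if __name__ == "__main__":
    print(rule_hits(SAMPLE_LISTING))
```

A nonzero packet count on that rule is the evidence that the blocks attributed to "the firewall" are really the set CrowdSec keeps populated; a rule that is missing or stuck at zero while the set is non-empty points at the integration rather than at the detection. On OPNsense the same question is answered by the pf rule counters (for example via `pfctl -vsr`), since there the bouncer feeds an alias table rather than an ipset.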
#5
> Quote from: Patrick M. Hausen on November 28, 2024, 01:23:34 PM
> > Quote from: Seimus on November 28, 2024, 01:12:52 PM
> > > I have also been running (and still do) Crowdsec which I like a lot. If only they had a hobbyist license tier for e.g. 100€ per year. Now it's free edition with quite some limitations or something around 90€ per month - prohibitive, unfortunately.

Thanks for the kind words.

Just to be clear, the IDS, IPS, WAF, and all rulesets and scenarios have absolutely no limitations.
The only limited features are in the SaaS and the ones for corporations (auto-enrolment, alert context, AI-driven list, etc.) and the ones that are costly for us (like storing 1Y of incident history).

You even get a large and frequently updated blocklist in the free tier.
Premium, AI and Platinum blocklists are our paid products indeed.
#6
General Discussion / Re: CrowdSec
November 25, 2020, 04:00:27 PM
Hi guys, Philippe from the CrowdSec team.
We're glad you show interest in the product.
Currently, we are finalizing the v1.0 and packaging for Debian.
A container will also soon be available, as well as a CentOS package.

As you can guess, we had queries for ports on a lot of OSes & distros, and we will have a hard time producing them all in a timely manner. What we can offer, though, is a repo on our site or GitHub to provide community-compiled packages or ports, and we'll be more than happy to. If the team needs to support a community build, it will do so to the best of its time and capacities. That being said, we chose Golang also because of its very high portability.

As for privacy, we are based in France. To put it mildly, we are under one of the strictest data privacy regulations on earth. We are currently feeding the paperwork beast with all the proper processes, forms, applications, tools, declarations and all that jazz. Takes a bit of time and a lot of money for the lawyers, but be sure that we are working on it.

To put it short, we don't export your logs or any data of yours. To benefit from the network reputation system for free, you have to share your own findings. When you block one IP because of bad behavior, 3 things and only those 3 are sent back to us: 1/ the timestamp, 2/ the offending IP, 3/ the scenario it triggered.

Hope this brings some answers to your legitimate concerns.