Crowdsec whitelist

Started by xpking, October 01, 2023, 06:55:03 AM

October 01, 2023, 06:55:03 AM Last Edit: October 01, 2023, 07:07:51 AM by xpking
Dear all,

May I know if there is a whitelist in CrowdSec on OPNsense?

I followed this page: https://docs.crowdsec.net/docs/whitelist/create/
and created the file /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
with the content below.

name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:
    - "192.168.2.254"


I removed the Decision, and restarted Crowdsec.
I can see the file loaded in Parsers tab.
But it doesn't work.
I checked the Decision tab and the IP is banned again.

Parsers tab

mywhitelists.yaml enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml


Decision tab:

3051281 crowdsec Ip:192.168.2.254 firewallservices/pf-scan-multi_ports ban 16 an hour 990


Does anyone have ideas on how to add the IP to the whitelist?
Thank you.



November 04, 2023, 06:14:10 AM #3 Last Edit: November 04, 2023, 09:17:50 PM by ApeDogg
In my case the IP was on the CAPI list, so I had to follow those instructions, but it didn't work until I ran the CLI command cscli decisions delete --ip 1.2.3.4 from the shell.

(Update) It was blocked again today, probably after updating with the API, so it seems the whitelist procedure isn't working.

November 29, 2023, 04:40:21 PM #4 Last Edit: November 29, 2023, 05:02:39 PM by MastrBlastr25
I've never used Crowdsec before, so this may not be the best solution, but what I did was run
cscli parsers install crowdsecurity/whitelists
which creates a whitelist.yaml file in
/usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity
Then I edited that file to whatever I desire. After restarting Crowdsec it shows as 'enabled,tainted', but I guess 'tainted' just means the default auto-generated config was updated. It seems to be working.

Adding whitelists as parsers seems to work at first glance, but they are not taken into account:
my/homelan-whitelist                      🏠  enabled,local            /usr/local/etc/crowdsec/parsers/s02-enrich/my-homelan-whitelist.yaml
my/whitelist                              🏠  enabled,local            /usr/local/etc/crowdsec/parsers/s02-enrich/public-whitelist.yaml
and I still got my local desktop PC banned:
root@opn:~ # cscli alerts list -i 192.168.11.69 -a
╭────────┬───────────────────────────────────────────────┬──────────────────────────────────────┬─────────┬────┬───────────┬─────────────────────────────────────────╮
│  ID  │                    value                    │                reason                │ country │ as │ decisions │                created_at              │
├────────┼───────────────────────────────────────────────┼──────────────────────────────────────┼─────────┼────┼───────────┼─────────────────────────────────────────┤
│ 312440 │ lists:otx-webscanners (1035 Ips)              │ update : +1035/-0 IPs                │        │    │ ban:1035  │ 2025-08-19 06:19:49 +0000 UTC          │
│ 311787 │ Ip:192.168.11.69                              │ firewallservices/pf-scan-multi_ports │        │    │ ban:1    │ 2025-08-18 09:37:24.421109652 +0000 UTC │
The only working solution was:
cscli allowlists create my_allowlist -d "Trusted Home LAN"
cscli allowlists add my_allowlist 192.168.11.0/24 -d "Home LAN"


root@opn:/usr/local/etc/crowdsec/conf.d # cscli allowlist inspect my_allowlist
──────────────────────────────────────────────
 Allowlist: my_allowlist
──────────────────────────────────────────────
 Name                my_allowlist
 Description        Trusted Home LAN
 Created at          2025-08-19T07:43:22.504Z
 Updated at          2025-08-19T07:43:29.430Z
 Managed by Console  no
──────────────────────────────────────────────

─────────────────────────────────────────────────────────────
 Value            Comment  Expiration  Created at
─────────────────────────────────────────────────────────────
 192.168.11.0/24  Home LAN  never      2025-08-19T07:43:29Z
─────────────────────────────────────────────────────────────
root@opn:/usr/local/etc/crowdsec/conf.d #