Crowdsec Observations

Started by ruzamai, June 09, 2026, 03:09:49 AM

Quote from: philippe_crowdsec on June 10, 2026, 11:25:20 AM
@dan786: Don't hesitate to discuss those points on our discourse.

The tables populated by CrowdSec are entirely dynamic. <TL/DR> They contain the IPs your local machine blocks and a part of what the others in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.

The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).

CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OPNsense integration issue. So step 1: stack health or check the config with Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.

I'm not disputing it's stable Philippe - I'm saying it's completely unnecessary with proper use of the firewall and rules. It's good for people who don't want to address either, and massively oversold.
S

Quote from: philippe_crowdsec on June 09, 2026, 03:02:36 PM
Hi there, I'm allowing myself just a few observations:

> [...] There's constant pressure to upsell.

On the FOSS product, there is zero upsell. The security engines, scenarios, virtual patches, and OWASP CRS ruleset are all 100% free.
One place you may see an upsell is in the SaaS console's free tier. The reason is that this product is not free, not for you or for us, since we store the attacks your servers are receiving. There is a free tier, which is entirely optional for the use of CrowdSec as Homelab users. For professionals, if you need supervision, alerts, provisioning, QoL, etc., this is where the SaaS product is useful and where you get upsell CTAs.

[...] I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

It's then likely that you use only the IDS module (the one reading logs), with a few scenarios, and probably not exposed over the Internet. Because usually, firewalls don't filter some ports that need to be opened (like HTTP or VPN, sometimes SSH, etc.) and those are scanned several thousand times a day, which is where CrowdSec WAF & IDS are helpful. Also, maybe check the SaaS console to see the health of your instance and whether you have log parsing, the scenario installed, etc. The logic is dynamic blocking based on behavior, rather than static filtering via firewall rules.

[...] Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall

Normally, if a packet is dropped by your firewall, the related request should never reach the security engine for treatment.
CrowdSec Bouncer installs an IPset on your Linux firewall, and your firewall drops it, making it seem like it's your firewall dropping, but in fact, it's CrowdSec populating an IPset that your firewall is dropping.


Bests,

Philippe.


Fully open to the internet - forgot to mention.

S
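The mechanism Philippe describes (the bouncer filling an ipset that the firewall then drops) means a packet counter alone cannot tell you whether a drop came from CrowdSec or from your own static rules. The script below is an added example, not code from the forum post or from the CrowdSec project: it parses a constructed `ipset list` dump for the set the bouncer populates (the set name `crowdsec-blacklists` is an assumption that depends on bouncer configuration), compares it against an admin-maintained static blocklist, and reports for each observed source IP whether it would have been dropped by CrowdSec only, by the static rules only, by both, or by neither, which is the overlap the thread is arguing about.

```python
import ipaddress

# Constructed sample of `ipset list` output for the set the CrowdSec
# firewall bouncer populates (set name is an assumption, see lead-in).
IPSET_OUTPUT = """\
Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 14400
Size in memory: 456
References: 1
Number of entries: 3
Members:
203.0.113.7 timeout 13245
198.51.100.0/24 timeout 9001
192.0.2.44 timeout 14399
"""

# Constructed static blocklist, standing in for admin-written firewall rules.
STATIC_BLOCKS = ["198.51.100.0/24", "192.0.2.0/28"]


def parse_ipset_members(text):
    """Return the networks listed under 'Members:' in an ipset dump.

    Per-entry timeouts are ignored; a bare address becomes a /32."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.strip() == "Members:":
            in_members = True
            continue
        if in_members and line.strip():
            members.append(ipaddress.ip_network(line.split()[0], strict=False))
    return members


def classify(ip, crowdsec_nets, static_nets):
    """Attribute a drop of `ip` to the CrowdSec set, static rules, both or neither."""
    addr = ipaddress.ip_address(ip)
    by_cs = any(addr in net for net in crowdsec_nets)
    by_fw = any(addr in net for net in static_nets)
    labels = {(True, True): "both", (True, False): "crowdsec-only",
              (False, True): "firewall-only", (False, False): "neither"}
    return labels[(by_cs, by_fw)]


def overlap_report(ipset_text, static_blocks, seen_ips):
    """Map each observed source IP to which mechanism would have dropped it."""
    cs_nets = parse_ipset_members(ipset_text)
    fw_nets = [ipaddress.ip_network(n) for n in static_blocks]
    return {ip: classify(ip, cs_nets, fw_nets) for ip in seen_ips}
```

A real run would feed it the live `ipset list <set>` output and the source addresses from the firewall's drop log; only the "crowdsec-only" bucket represents blocks the static rules would have missed.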

Quote from: philippe_crowdsec on June 10, 2026, 11:25:20 AM
@dan786: Don't hesitate to discuss those points on our discourse.

The tables populated by CrowdSec are entirely dynamic. <TL/DR> They contain the IPs your local machine blocks and a part of what the others in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.

The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).

CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OPNsense integration issue. So step 1: stack health or check the config with Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.

Also - are you seriously suggesting I use Claude to prove you wrong or right? I craft my rules manually, have never needed AI as a crutch.
It's pretty hard to take you seriously when you suggest this.

Samuel