Problem
CrowdSec false-positive bans are blocking legitimate admin and user traffic. Scenarios like http-probing and http-generic-403-bf trigger on normal browsing patterns when enough 403/404/400 responses accumulate (10 distinct paths within 10 seconds on the same FQDN). This creates a feedback loop: the ban generates more 403s, which re-trigger the ban after the 5-minute blackhole expires — effectively an infinite ban until the container is rebuilt.
There is currently no mechanism to whitelist trusted IPs from CrowdSec analysis. The existing Cerberus admin_whitelist only bypasses ACL/WAF/Rate Limiting middleware — it does not protect against CrowdSec bans.
Impact
- Admin loses access to all proxied services
- Any user whose browsing pattern triggers enough error responses gets banned
- Only fix today is rebuilding the container image (wipes CrowdSec DB)
- ISP changes require manual CLI intervention to update whitelists
Current State
| Component |
Status |
crowdsecurity/whitelists parser |
Not installed by default |
| Custom whitelist YAML |
None shipped with image |
| Whitelist API endpoints |
None |
| Whitelist UI |
None |
Cerberus admin_whitelist → CrowdSec sync |
None |
Proposed Solution
1. Default Whitelist Parser Installation
- Add
crowdsecurity/whitelists to configs/crowdsec/install_hub_items.sh so it ships with every new build
- This automatically whitelists RFC1918 private ranges (already handled by the parser)
2. Custom Whitelist File Generation
- Generate
/etc/crowdsec/parsers/s02-enrich/custom-whitelists.yaml at container startup from:
- An environment variable (e.g.,
CROWDSEC_TRUSTED_IPS)
- AND/OR the existing Cerberus
admin_whitelist CIDRs from the database
3. API Endpoints
Add CRUD endpoints under /admin/crowdsec/whitelist:
GET /admin/crowdsec/whitelist — List whitelisted IPs/CIDRs
POST /admin/crowdsec/whitelist — Add IP/CIDR to whitelist
DELETE /admin/crowdsec/whitelist/:entry — Remove IP/CIDR from whitelist
Backend should write changes to the persistent custom whitelist YAML and reload CrowdSec.
4. Frontend UI
Add a "Trusted IPs" section to the CrowdSec Config page (CrowdSecConfig.tsx):
- Table showing whitelisted IPs/CIDRs with reason
- Add/Remove controls
- Option to sync from Cerberus
admin_whitelist
- Detect and display the user's current public IP for easy self-whitelisting
5. Cerberus ↔ CrowdSec Sync (Optional Enhancement)
- When IPs are added to the Cerberus
admin_whitelist, automatically propagate them to the CrowdSec whitelist
- This ensures a single "trusted IPs" concept protects against both middleware AND CrowdSec bans
Temporary Workaround Applied
A manual custom-whitelists.yaml has been created in the running production container at /app/data/crowdsec/config/parsers/s02-enrich/custom-whitelists.yaml. This survives container restarts but will be lost on image rebuild if not baked into the build process.
Acceptance Criteria
Problem
CrowdSec false-positive bans are blocking legitimate admin and user traffic. Scenarios like
http-probingandhttp-generic-403-bftrigger on normal browsing patterns when enough 403/404/400 responses accumulate (10 distinct paths within 10 seconds on the same FQDN). This creates a feedback loop: the ban generates more 403s, which re-trigger the ban after the 5-minute blackhole expires — effectively an infinite ban until the container is rebuilt.There is currently no mechanism to whitelist trusted IPs from CrowdSec analysis. The existing Cerberus
admin_whitelistonly bypasses ACL/WAF/Rate Limiting middleware — it does not protect against CrowdSec bans.Impact
Current State
crowdsecurity/whitelistsparseradmin_whitelist→ CrowdSec syncProposed Solution
1. Default Whitelist Parser Installation
crowdsecurity/whiteliststoconfigs/crowdsec/install_hub_items.shso it ships with every new build2. Custom Whitelist File Generation
/etc/crowdsec/parsers/s02-enrich/custom-whitelists.yamlat container startup from:CROWDSEC_TRUSTED_IPS)admin_whitelistCIDRs from the database3. API Endpoints
Add CRUD endpoints under
/admin/crowdsec/whitelist:GET /admin/crowdsec/whitelist— List whitelisted IPs/CIDRsPOST /admin/crowdsec/whitelist— Add IP/CIDR to whitelistDELETE /admin/crowdsec/whitelist/:entry— Remove IP/CIDR from whitelistBackend should write changes to the persistent custom whitelist YAML and reload CrowdSec.
4. Frontend UI
Add a "Trusted IPs" section to the CrowdSec Config page (
CrowdSecConfig.tsx):admin_whitelist5. Cerberus ↔ CrowdSec Sync (Optional Enhancement)
admin_whitelist, automatically propagate them to the CrowdSec whitelistTemporary Workaround Applied
A manual
custom-whitelists.yamlhas been created in the running production container at/app/data/crowdsec/config/parsers/s02-enrich/custom-whitelists.yaml. This survives container restarts but will be lost on image rebuild if not baked into the build process.Acceptance Criteria
crowdsecurity/whitelistsparser installed by default on new builds