I’ve been running CrowdSec on my OPNsense VM for a while now, and today, after an OPNsense upgrade that included an update to the CrowdSec agent, it randomly decided to block my internal webserver from accessing the internet. No idea why.
Turns out CrowdSec has an allow list module (the crowdsecurity/whitelists parser) you can install that prevents this kinda thing from happening. It’s not included by default.
To find out if you’re suffering from the same issue as me, log in to your OPNsense WebUI and go to Services -> CrowdSec -> Overview.
Click the ‘Alerts’ tab and if you’re having the same problem as me you’ll see an internal IP listed.
Click the ‘Decisions’ tab and click the small trashcan icon next to the entry for your internal IP.
This is probably all you need to do, but if you want to prevent this from happening again, follow these steps:
- SSH into your OPNsense box
- Press ‘8’ to get a shell
- Run the following command:
    cscli parsers install crowdsecurity/whitelists
- Restart the CrowdSec agent by running:
    sudo service crowdsec reload
That’s it. That should remove any blocks currently in place and prevent future ones.
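If you’d rather do the Alerts/Decisions check from the shell instead of the WebUI, here is a small helper that pulls any private (RFC 1918) IPv4 addresses out of the decision list. This is an added example, not part of the original post or the CrowdSec project; the function names are made up and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find private IPv4 addresses
# in CrowdSec decision output. Function names here are made up.

# Return 0 if $1 is an RFC 1918 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            if [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ]; then
                return 0
            fi ;;
    esac
    return 1
}

# Read any text on stdin and print each distinct private IPv4 address in it.
internal_ips() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u | while read -r ip; do
        if is_private_ipv4 "$ip"; then
            echo "$ip"
        fi
    done
}

# Constructed sample lines (not real cscli output) for trying it offline.
SAMPLE='ban Ip:192.168.1.50 crowdsecurity/http-probing
ban Ip:203.0.113.7 crowdsecurity/ssh-bf
ban Ip:172.20.4.9 crowdsecurity/http-probing
ban Ip:172.32.0.1 crowdsecurity/ssh-bf'

# On the firewall itself:
#   cscli decisions list | internal_ips      # internal hosts currently blocked
#   cscli decisions delete --ip 192.168.1.50 # same as the trashcan icon
#   cscli parsers list                       # whitelists should now be listed
```

An empty result after the reload means no internal host is currently banned.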
Thank you,
This works like a charm – My Windows VM suddenly got blocked when I asked ESET to do a scan of my network.
Regards
Haha, glad it wasn’t just me.
Didn’t work for me, whenever I enable IPS my server loses WAN access until IPS is turned off.
This solution is specifically for the CrowdSec module and not the built-in IPS on OPNsense.