OPNsense and CrowdSec blocking internal IPs

I’ve been running CrowdSec on my OPNsense VM for a while now, and today, after an OPNsense upgrade that included an update to the CrowdSec agent, it randomly decided to block my internal webserver from accessing the internet. No idea why.

Turns out CrowdSec has an allow list module you can install that prevents this kinda thing from happening. It’s not included by default.

To find out if you’re suffering from the same issue as me, log in to your OPNsense WebUI and go to Services -> CrowdSec -> Overview.

Click the ‘Alerts’ tab, and if you’re having the same problem as me you’ll see an internal IP listed.

Click the ‘Decisions’ tab and click the small trashcan icon next to the entry for your internal IP.

This is probably all you need to do, but if you want to prevent this from happening again, follow these steps:

  1. SSH into your OPNsense box
  2. Press ‘8’ to get a shell
  3. Run the following command: cscli parsers install crowdsecurity/whitelists
  4. Restart the crowdsec agent by running: sudo service crowdsec reload

That’s it. That should remove any blocks currently in place and prevent future ones.
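
To check from the shell which active decisions target internal addresses, here is an added example (not part of the original post) that parses the output of `cscli decisions list -o json` and prints the matching `cscli decisions delete` commands. The JSON shape (a list of alerts, each with a `decisions` array), the function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import json

# RFC 1918 ranges treated as "internal" here; adjust to your own LAN.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, shaped like `cscli decisions list -o json` output
# (assumed: a list of alerts, each carrying a "decisions" array).
SAMPLE = """
[
  {"id": 41, "decisions": [{"id": 9001, "origin": "crowdsec", "scope": "Ip",
    "type": "ban", "value": "192.168.1.20", "scenario": "crowdsecurity/http-probing"}]},
  {"id": 42, "decisions": [{"id": 9002, "origin": "crowdsec", "scope": "Ip",
    "type": "ban", "value": "203.0.113.7", "scenario": "crowdsecurity/ssh-bf"}]},
  {"id": 43, "decisions": [{"id": 9003, "origin": "cscli", "scope": "Range",
    "type": "ban", "value": "10.0.5.0/24", "scenario": "manual ban"}]}
]
"""

def internal_decisions(raw_json):
    """Return the decisions whose target IP or range lies inside INTERNAL."""
    hits = []
    for alert in json.loads(raw_json) or []:   # cscli prints null when empty
        for d in alert.get("decisions") or []:
            if str(d.get("scope", "")).lower() not in ("ip", "range"):
                continue
            try:
                net = ipaddress.ip_network(d["value"], strict=False)
            except (KeyError, ValueError):
                continue                        # skip malformed entries
            if net.version == 4 and any(net.subnet_of(n) for n in INTERNAL):
                hits.append(d)
    return hits

def delete_commands(decisions):
    """Build the cscli command that removes each decision."""
    cmds = []
    for d in decisions:
        flag = "--range" if "/" in d["value"] else "--ip"
        cmds.append(f"cscli decisions delete {flag} {d['value']}")
    return cmds

if __name__ == "__main__":
    for cmd in delete_commands(internal_decisions(SAMPLE)):
        print(cmd)
```

On the firewall, feed it real data by replacing `SAMPLE` with the captured output of `cscli decisions list -o json`.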

4 thoughts on “OPNsense and CrowdSec blocking internal IPs”

  1. Thank you,

    This works like a charm – My Windows VM suddenly got blocked when I asked ESET to do a scan of my network.

    Regards

