Crowdsec and Virtualmin (on Ubuntu 24.04)

Hi,

I installed crowdsec together with firewall and apache2 bouncers, enabling some collections (apache2, http-cve, postfix, dovecot, and others).

I also set the apache logs acquisition to the virtualmin vhosts apache files, and they are parsed.

Thing is: I only see alerts (and decisions) triggered by the postfix parser, not from apache2, and it seems very strange to me, as I had another installation, with traefik in front of virtualmin/apache, and crowdsec parsing traefik logs, and it triggered a lot of alerts/decisions.

From cscli:

sudo cscli collection list
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
COLLECTIONS
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Name 📦 Status Version Local Path
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────
andreasbrett/webmin ✔️ enabled 0.1 /etc/crowdsec/collections/webmin.yml
crowdsecurity/apache2 ✔️ enabled 0.1 /etc/crowdsec/collections/apache2.yaml
crowdsecurity/base-http-scenarios ✔️ enabled 1.2 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/dovecot ✔️ enabled 0.1 /etc/crowdsec/collections/dovecot.yaml
crowdsecurity/http-cve ✔️ enabled 2.9 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/http-dos ✔️ enabled 0.2 /etc/crowdsec/collections/http-dos.yaml
crowdsecurity/linux ✔️ enabled 0.3 /etc/crowdsec/collections/linux.yaml
crowdsecurity/mariadb ✔️ enabled 0.1 /etc/crowdsec/collections/mariadb.yaml
crowdsecurity/mysql ✔️ enabled 0.1 /etc/crowdsec/collections/mysql.yaml
crowdsecurity/pgsql ✔️ enabled 0.1 /etc/crowdsec/collections/pgsql.yaml
crowdsecurity/postfix ✔️ enabled 0.4 /etc/crowdsec/collections/postfix.yaml
crowdsecurity/sshd ✔️ enabled 0.7 /etc/crowdsec/collections/sshd.yaml
crowdsecurity/whitelist-good-actors ✔️ enabled 0.2 /etc/crowdsec/collections/whitelist-good-actors.yaml
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────

From the logs:

time=“2025-09-26T14:36:17+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:18+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:18+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:18+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:20+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:21+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:22+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:36+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:44+02:00” level=info msg=“Sent 3 usage metrics”
time=“2025-09-26T14:36:45+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:46+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:48+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:48+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:50+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:50+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:36:51+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:00+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:07+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:07+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:10+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:11+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:13+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:13+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:15+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:16+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:16+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:18+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:19+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:19+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:19+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:20+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:23+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:24+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:27+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:29+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:38+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:45+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:37:49+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:38:00+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:38:03+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075
time=“2025-09-26T14:38:26+02:00” level=warning msg=“bad user agent ‘Apache/2.4.58 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.13’” ip=127.0.0.1 name=cs-apache2-bouncer-1758885075

Is there something I can do to debug?

Thank you.

Hi, probably solved (being behind Cloudflare is tricky with the real IP).
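
A quick check for the Cloudflare real-IP issue mentioned in the last post, as an added example that is not part of the thread: it counts how many Apache access-log entries are attributed to Cloudflare edge addresses rather than to clients. The range list is a snapshot of Cloudflare's published IPv4 ranges, the log lines are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh it
# from https://www.cloudflare.com/ips-v4 before relying on the result).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

# Constructed access-log lines (combined and vhost_combined layouts).
SAMPLE = """\
172.70.1.10 - - [26/Sep/2025:14:36:17 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
162.158.90.5 - - [26/Sep/2025:14:36:18 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
example.test:443 104.23.1.1 - - [26/Sep/2025:14:36:20 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Sep/2025:14:36:21 +0200] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
not a log line
""".splitlines()

def source_ip(line):
    """Return the logged client address, checking the first two fields so a
    leading vhost:port column is tolerated; None if no address is found."""
    for field in line.split(None, 2)[:2]:
        try:
            return ipaddress.ip_address(field)
        except ValueError:
            continue
    return None

def summarize(lines):
    """Count entries per origin: 'cloudflare', 'other' or 'unparsed'."""
    counts = Counter()
    for line in lines:
        ip = source_ip(line)
        if ip is None:
            counts["unparsed"] += 1
        elif ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4):
            counts["cloudflare"] += 1
        else:
            counts["other"] += 1
    return counts

def real_ip_missing(counts, threshold=0.5):
    """True when at least `threshold` of parsed entries carry a proxy address."""
    parsed = counts["cloudflare"] + counts["other"]
    return parsed > 0 and counts["cloudflare"] / parsed >= threshold

if __name__ == "__main__":
    c = summarize(SAMPLE)
    print(dict(c), "real client IP missing:", real_ip_missing(c))
```

When most entries fall inside Cloudflare ranges, Apache is logging the proxy address; restoring the client address (for example with mod_remoteip and the CF-Connecting-IP header) lets per-IP scenarios see the real source.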