Crowdsec Whitelist won't work

crowdsec
1

Hello,

I have actual a problem with a IP from my Webhoster.
Crowdsec banned the IP, but I don’t know why?
But my problem is a other problem.
I have created a whitelist “/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml” and added the following

name: crowdsecurity/whitelists
description: "Whitelist for me"
whitelist:
  reason: "Whitelist for working"
  ip:
    - "IP" # Webhosting

After this I restarted crowdsec and check, if the mywhitelists.yaml will be parsed.
I checked it with “cscli parsers list” and the list will be parsed:

crowdsecurity/whitelists                🏠  enabled,local           /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml

I unban the IP and it works. But after 2 hours the IP is on the banlist again and I have no access to my Webhosting.

Is there a problem with my whitelist or something else?
How can I whitelist my IP?

Thanks,
Robert

2

my suggestion as per our whitelist documentation is name the name key something different

name: my/whitelists
description: "Whitelist for me"
whitelist:
  reason: "Whitelist for working"
  ip:
    - "IP" # Webhosting

Getting started whitelist documentation

this will stop any conflict with our official crowdsecurity/whitelists parser.

You can test this by running

grep <IP> /var/log/<your_log_file> | tail -n1 | cscli explain -f- --type <log_type>

this will show you if the whitelist is passing.

documentation on testing

Once you have confirmed this you need to restart CrowdSec by running systemctl restart crowdsec

Edit: What I said above only applies to log parsers, it seem from this comment

But after 2 hours the IP is on the banlist again and I have no access to my Webhosting.

That the IP address you want to whitelist is in fact in the “Community Blocklist”, because the Security Engine pulls updates every 2 hours.

If this is the case then you can use this guide here to whitelist decisions that come from the Community Blocklist.

3

The problem is bigger.
The Mailsupport has helped me.

The IP ist on a blacklist from Crowdsec and they don’t want delete it.
The solution was a CAPI-Whitelist. CAPI | CrowdSec
It works for me.

4

It was myself on the mail support, its not that we don’t want to delete it. It more we are still seeing malicious signals, so we have to weigh up releasing the IP for the context it is a hosting company but also noting that their is still active attacking users of our network.

5

It’s OK.
I meant no harm. You helped me with the CAPI-Whitelist.
On this Webhosting-IP, there are 81 Domains and I own 2 of it.