My IP is in the decisions list

Hi,

I’m just running CrowdSec for the first time. I combined it with Suricata for the logs (added to acquis.yaml under the syslog paragraph). I’m coming from fail2ban, and I’m letting fail2ban run while I fully understand how to control CrowdSec, which means configuring it properly, banishment time, and how to know which IPs are already banned and how to unban an IP.
(I actually don’t know if the syslogs are parsed then or just omitted.)
And I ran cscli decisions list, and the IP of my VPS where CrowdSec is installed is in the decision list (IPv4 and IPv6).
Is that normal? Should I do something?

Create a whitelist:
cd /etc/crowdsec/parsers/s02-enrich/
sudo nano personal-whitelist.yaml

name: crowdsecurity/whitelists
description: "Whitelist events from my personal ips"
whitelist:
  reason: "internal traffic from my personal ips"
  # ranges in CIDR notation go under "cidr"; single addresses go under "ip"
  cidr:
    - "192.168.178.0/24"

The /24 means all IPs in this range are whitelisted.
But you have a VPS on the Internet, so you must put in your static IP, without the /24.
Then:

sudo systemctl restart crowdsec.service
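As an added example (not part of the posts in this thread): a Python check of which addresses a whitelist would cover, showing the difference between a single address and a /24 range for both IPv4 and IPv6. The addresses are constructed from documentation ranges, the `WHITELIST` dict and the `lint` and `is_whitelisted` helpers are hypothetical names, and treating a range listed under `ip` as never matching is an assumption of this sketch.

```python
import ipaddress

# Constructed sample: the "whitelist" section of a parser file, already loaded
# into a dict. Addresses come from documentation ranges, not real hosts.
WHITELIST = {
    "ip": ["203.0.113.10", "2001:db8::10", "192.168.178.0/24"],  # last entry is misplaced
    "cidr": ["10.0.0.0/8"],
}

def lint(whitelist):
    """Return (key, entry) pairs that cannot be parsed for the key they sit under."""
    problems = []
    for entry in whitelist.get("ip", []):
        try:
            ipaddress.ip_address(entry)  # a range such as x.x.x.0/24 is rejected here
        except ValueError:
            problems.append(("ip", entry))
    for entry in whitelist.get("cidr", []):
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(("cidr", entry))
    return problems

def is_whitelisted(addr, whitelist):
    """True if addr equals a valid 'ip' entry or falls inside a valid 'cidr' range."""
    addr = ipaddress.ip_address(addr)
    bad = set(lint(whitelist))
    for entry in whitelist.get("ip", []):
        if ("ip", entry) not in bad and ipaddress.ip_address(entry) == addr:
            return True
    for entry in whitelist.get("cidr", []):
        if ("cidr", entry) in bad:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        # compare only within the same address family (IPv4 vs IPv6)
        if addr.version == net.version and addr in net:
            return True
    return False

if __name__ == "__main__":
    print("unparseable entries:", lint(WHITELIST))
    for host in ("203.0.113.10", "2001:db8::10", "192.168.178.25", "10.1.2.3"):
        print(host, is_whitelisted(host, WHITELIST))
```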

Okay, thank you for that.
Any leads you might think of as to why Suricata would not put the IP of the host itself into major security?

Sorry, you must edit the whitelist.yaml.


That does not totally answer my question, but yes, sure, thanks, will do that. I would prefer to also know the underlying condition behind it.

You can view the context around the alert via

cscli alerts list

Find the ID in the previous command then run:

cscli alerts inspect <id> -d

Thanks, I’m going to check it by installing it on another VPS, but an Ubuntu one this time, and see if there is a difference. Maybe it is just with Fedora, but I’m going to follow the same kind of tutorial just to check.