Good day. First of all, I apologize for the machine translation; English is not my native language.
Recently, something strange has been happening with the program. Let me explain step by step.
We have Crowdsec installed on a mail server, and I wrote all the parsers myself. We chose Crowdsec because our mail server is multi-node — authentication happens on one machine, but blocking needs to happen on another. Additionally, the server hosting the database and LAPI is separate. Plus, we have alerts set up in Zulip for any triggered decisions.
So, I recently noticed that alerts are coming in, but in reality, no blocking is happening. I started investigating and saw something odd.
```
cscli bouncers list
```

| Name | IP Address | Valid | Last API pull | Type | Version | Auth Type |
|---|---|---|---|---|---|---|
| post2 | 192.168.79.3 | ✔️ | 2026-02-10T17:55:28+03:00 | crowdsec-firewall-bouncer | v0.0.34-debian-pragmatic-amd64-4144555453620958398aee64253dfd90bbc1f698 | api-key |
| post2@192.168.114.63 | 192.168.114.63 | ✔️ | 2026-02-04T21:10:33+03:00 | | N/A | api-key |
| post2@192.168.102.63 | 192.168.102.63 | ✔️ | 2026-02-10T17:55:16+03:00 | | N/A | api-key |
post2 is the active server with the bouncer installed. The other two are Zabbix servers; moreover, 114.63 is actually a clone of the main one (102.63). We set up the clone for testing, and after cloning, we removed all monitoring hosts from it. However, before we removed the hosts on the clone, it managed to “knock on” the mail server and register itself in the bouncer.
```
cscli bouncers inspect post2
───────────────────────────────────────────────────────────────────────────────────────
Bouncer: post2
───────────────────────────────────────────────────────────────────────────────────────
Created At    2025-04-01 13:51:59.562137 +0300 MSK
Last Update   2026-02-11 11:07:08.926924 +0300 MSK
Revoked?      false
IP Address    192.168.79.3
Type          crowdsec-firewall-bouncer
Version       v0.0.34-debian-pragmatic-amd64-4144555453620958398aee64253dfd90bbc1f698
Last Pull     2026-02-11 11:07:08.925039 +0300 MSK
Auth type     api-key
OS            Ubuntu/22.04
Auto Created  false
───────────────────────────────────────────────────────────────────────────────────────
```

```
cscli bouncers inspect post2@192.168.114.63
────────────────────────────────────────────────────
Bouncer: post2@192.168.114.63
────────────────────────────────────────────────────
Created At    2026-02-04 17:54:14.55811 +0300 MSK
Last Update   2026-02-04 21:10:33.894864 +0300 MSK
Revoked?      false
IP Address    192.168.114.63
Type
Version       N/A
Last Pull     2026-02-04 21:10:33.89486 +0300 MSK
Auth type     api-key
OS            ?
Auto Created  true
────────────────────────────────────────────────────
```

```
cscli bouncers inspect post2@192.168.102.63
────────────────────────────────────────────────────
Bouncer: post2@192.168.102.63
────────────────────────────────────────────────────
Created At    2025-10-13 16:02:59.030518 +0300 MSK
Last Update   2026-02-11 11:07:09.121255 +0300 MSK
Revoked?      false
IP Address    192.168.102.63
Type
Version       N/A
Last Pull     2026-02-11 11:07:09.12125 +0300 MSK
Auth type     api-key
OS            ?
Auto Created  true
────────────────────────────────────────────────────
```
It’s clear that the clone is not being updated.
How could Zabbix possibly end up in the bouncer?
Here’s part of the config from the server:

```yaml
server:
  log_level: info
  listen_uri: 192.168.102.161:9090
  profiles_path: /etc/crowdsec/profiles.yaml
  console_path: /etc/crowdsec/console.yaml
  # online_client: # Central API credentials (to push signals and receive bad IPs)
  #   credentials_path: /etc/crowdsec/online_api_credentials.yaml
  trusted_ips: # IP ranges, or IPs which can have admin API access
    - 192.168.0.0/16
    - 127.0.0.1
    - ::1
  # tls:
  #   cert_file: /etc/crowdsec/ssl/cert.pem
  #   key_file: /etc/crowdsec/ssl/key.pem
```
I can’t remove the fake bouncers because:
```
cscli bouncers delete post2@192.168.114.63
WARNING bouncer 'post2@192.168.114.63' is auto-created and cannot be deleted, delete parent bouncer post2 instead
```
But even if I re-added post2, the Zabbix server would appear again. How can I prevent this?
The documentation (https://docs.crowdsec.net/docs/local_api/tls_auth/) says that automatic bouncer enrollment can only happen via TLS, but I have it completely disabled. Yet the description says:

```
Auth type     api-key
Auto Created  true
```

This shouldn’t be possible, but then how?
```
cscli version
version: v1.7.0-debian-pragmatic-amd64-c3036e21
Codename: alphaga
BuildDate: 2025-09-02_12:39:35
GoVersion: 1.24.6
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.0-debian-pragmatic-amd64-c3036e21-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
```
Can anyone help? What should I do in this situation to get the program back to a working state?
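An added example (not from the post above or from the CrowdSec project): a small Python check over the kind of data the `cscli bouncers list` table shows, which would have surfaced both symptoms described above early, an auto-created `name@ip` child whose last pull has gone stale, and bouncer-credential use from IPs other than the known bouncer host. The JSON field names are an assumption about the `-o json` output of `cscli bouncers list`; the sample records are constructed from the post's table.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the post's table. Field names are an
# assumption about `cscli bouncers list -o json`; adjust if yours differ.
SAMPLE = json.dumps([
    {"name": "post2", "ip_address": "192.168.79.3", "auto_created": False,
     "last_pull": "2026-02-10T17:55:28+03:00", "auth_type": "api-key"},
    {"name": "post2@192.168.114.63", "ip_address": "192.168.114.63", "auto_created": True,
     "last_pull": "2026-02-04T21:10:33+03:00", "auth_type": "api-key"},
    {"name": "post2@192.168.102.63", "ip_address": "192.168.102.63", "auto_created": True,
     "last_pull": "2026-02-10T17:55:16+03:00", "auth_type": "api-key"},
])


def load_bouncers(text):
    return json.loads(text)


def parent_of(name):
    # Auto-created entries are named "<parent>@<ip>"; the part before '@' is the parent.
    return name.split("@", 1)[0]


def stale_bouncers(bouncers, now, max_age):
    # Names whose last pull is older than max_age (or missing): decisions are not reaching them.
    stale = []
    for b in bouncers:
        last = b.get("last_pull")
        if not last or now - datetime.fromisoformat(last) > max_age:
            stale.append(b["name"])
    return stale


def children_by_parent(bouncers):
    # Map each parent credential to the IPs that auto-registered under it.
    groups = {}
    for b in bouncers:
        if b.get("auto_created"):
            groups.setdefault(parent_of(b["name"]), []).append(b["ip_address"])
    return groups


def unexpected_clients(bouncers, allowed_ips):
    # IPs presenting a bouncer credential that are not on the expected host list.
    return sorted(b["ip_address"] for b in bouncers if b["ip_address"] not in allowed_ips)


if __name__ == "__main__":
    data = load_bouncers(SAMPLE)
    now = datetime(2026, 2, 11, 11, 0, tzinfo=timezone(timedelta(hours=3)))
    print("stale:", stale_bouncers(data, now, timedelta(days=1)))
    print("children:", children_by_parent(data))
    print("unexpected:", unexpected_clients(data, {"192.168.79.3"}))
```

Run it against real output with `cscli bouncers list -o json > bouncers.json` and replace `SAMPLE` with the file contents; any name in `stale` or IP in `unexpected` is worth an alert of its own.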