Where is the crowdsec-blacklists ipset data originating from on Ubuntu 22.04?

Hi. I’m integrating crowdsec and crowdsec-firewall-bouncer-iptables on a system that is running hestia-cp on Ubuntu 22.04.

Hestia uses it’s own iptables process and removes the crowdsec iptables entry if it’s not added directly to hestia. Hestia needs the actual data source in the form of a url or file, but I can’t find the crowdsec-blacklists location on my system, nor do I see it in the crowdsec docs. Maybe it populates the ipset directly from an api? crowdsec seems to work fine in general and running the command: ipset list crowdsec-blacklists reveals data in the ipset.

Does anyone know the data source location for the ipset: crowdsec-blacklists?


The ipset is filled via crowdsec-firewall-bouncer-iptables binary which calls the LAPI which is a http api that is running on the crowdsec binary.


You can call the API directly but there are some caveats depending on how hestia works.

You could instead use our custom bouncer which then calls a script to write to a file which then hestia monitors?

Thanks! I’m working a workaround and will post the results in case it’s helpful to anyone.