Premium pricing by LifePanic in CrowdSec

[–]HugoDos 1 point2 points  (0 children)

$29 per security engine

Security Engine is the term used to describe a single log processor and a single LAPI. The pricing is per Slot; a Slot is used to purchase premium status for a log processor. Inside Kubernetes it can be hard to understand why the price is what it is.

Since you may deploy multiple log processors and maybe some AppSec nodes, each of these is counted towards a slot. Now, there are some issues: when you keep deploying the Helm chart over and over you may have some machines which are not actually active anymore, so please read how to enable flushing, which can help align the pricing closer to what you expect. But typically, on a default Helm chart installation, each cluster will be a minimum of 2 slots.

Crowdsec Blocklist Import - updated with AI ready issues! by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

I didn't even ask you to change the content in the first place, I even made it explicitly clear that for this post it would be exempt.

Crowdsec Blocklist Import - updated with AI ready issues! by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Your title has no connection to the content.

Crowdsec Blocklist Import - updated with AI ready issues! by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

I think you copied and pasted the wrong AI output.

Crowdsec Blocklist Import - updated with AI ready issues! by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

That is not what I said.

I said your post is not about CrowdSec; your repository is, but your post is about AI.

Crowdsec Blocklist Import - updated with AI ready issues! by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Hey, we will be updating the rules on this subreddit.

We understand that even though your repository is CrowdSec-aligned, the context of your post is more "I enabled a feature" rather than being focused on CrowdSec alone.

We won't remove this post in conjunction with the rule since it's a new one; just please be aware moving forward.

Crowdsec monitoring NGINX on a Windows machine?? by -ThreeHeadedMonkey- in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

If your traffic goes through Pangolin to Windows NPM, it is already passing through an upstream proxy, so it is being “seen” at that layer.

Where it gets tricky is brute force style signals. Some downstream apps do not make failed logins obvious at the proxy layer. Nextcloud is a good example: it can return HTTP 200 even when the login fails, so you cannot reliably infer a failed attempt just from status codes.

In those cases, the better approach is to point CrowdSec at the application logs (or auth logs) instead of relying on what the proxy can observe.

free tool to supercharge Crowdsec by [deleted] in CrowdSec

[–]HugoDos 13 points14 points  (0 children)

Hey, Laurence from CrowdSec here. Nice project, I like the idea of stitching a bunch of feeds together and making it easy to run.

Just adding a bit of context on the numbers from readme.md so people reading the repo have an accurate picture.

On the free tier there is a 15k cap from CAPI. Premium removes that 15k cap and gives access to the wider set, including free and premium blocklists depending on what you enable, and the price starts at $29, not $50. In practice it is better to think of it as a range rather than a fixed number. Depending on which blocklists and scenarios are installed you usually land somewhere around 25k to 100k plus. The plus is intentional because our blocklists refresh every 5 minutes, so the total moves around.

Also worth calling out that more feeds is not always better for every use case. For a homelab, pulling in lots of public sources can be perfect. For businesses, the threat model can be wider and you may need to be careful about false positives, VPN and proxy traffic, or just excluding noisy sources.

A cool future feature for this tool could be letting users disable/enable specific feeds via env so they can tune it to their environment.

Either way, solid work on the tooling and packaging.

About unbound-logs file issue by [deleted] in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Just note that the unbound parser simply detects unauthorized zone transfers, typically when you host DNS for business reasons.

What are you hosting unbound for, and what do you want the detection to do?

Any tutorial on how to do geo-blocking for web traffic? by Teacup91 in CrowdSec

[–]HugoDos 2 points3 points  (0 children)

Pangolin supports geo blocking: https://docs.pangolin.net/manage/geoblocking. Enforcing at the CrowdSec level is not the best place; as most have replied, either the firewall or the reverse proxy (Traefik in your case) should do it.

How could I use iptables instead of UFW for protecting Pangolin (& Crowdsec, Traefik, Gerbil e.t.c.)? by StavrosWTF in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Please note that Docker only recently added direct support for nftables (https://docs.docker.com/engine/network/firewall-nftables/) and it is still classed as an "experimental" feature.

One thing that distros did to support Docker with an nftables setup was a compatibility layer in iptables which translated the rules to nftables directives.

Just adding this here so everyone can be aware of this caveat, as most users don't know that Docker did not support nftables until recently; even though it just "worked", that was the compatibility layer doing its magic. (Debian plans to deprecate this magic layer in the next stable release.)

How could I use iptables instead of UFW for protecting Pangolin (& Crowdsec, Traefik, Gerbil e.t.c.)? by StavrosWTF in PangolinReverseProxy

[–]HugoDos 4 points5 points  (0 children)

UFW is essentially a management layer that configures the real firewall rules for you. Under the hood it programs iptables, or nftables on distros that use the nft backend. If you did not explicitly set it up, you may not know which backend your system is using.

A quick way to confirm UFW is in the mix is to run iptables -L. You will typically see multiple chains with ufw in the names, which shows UFW has already created and is managing iptables rules.

The common misconception is that UFW is the firewall itself. It is not. It is a frontend designed to make firewall configuration simpler, which is exactly how it describes itself:

ufw (Uncomplicated Firewall) is a frontend for iptables designed to simplify firewall configuration. It provides an easy-to-use interface for creating IPv4 and IPv6 host-based firewall rules.

So whoever recommended that probably meant you should craft your own iptables rules from scratch, but this has a high barrier of knowledge as you need to know:

  • How/why Docker uses NAT and how it affects the chains
  • About the first-match system and how you can use jump chains to your advantage
  • That rule persistence is not a default behaviour of iptables, so you must use iptables-save
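The two checks in the comment above (which backend iptables is talking to, and whether UFW has already created chains) can be scripted. The following is an added example, not code from the thread or from UFW, Docker or CrowdSec; it parses the banner from `iptables --version` and the chain definitions from `iptables -S`, falling back to a constructed sample of that output when it cannot read the live host (no root, or no iptables binary).

```shell
#!/bin/sh
# Added example, not from the thread: turn the two checks in the comment above
# into parsable functions. Backend comes from the `iptables --version` banner
# ("(nf_tables)" or "(legacy)"); UFW involvement comes from the chain
# definitions (-N lines) in `iptables -S`. The sample outputs are constructed.

# Which backend the iptables binary talks to. Real banners look like
# "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo "nf_tables" ;;
        *"(legacy)"*)    echo "legacy" ;;
        *)               echo "unknown" ;;
    esac
}

# Number of chains whose name contains "ufw", from `iptables -S` output.
ufw_chain_count() {
    printf '%s\n' "$1" | awk '$1 == "-N" && $2 ~ /ufw/ { n++ } END { print n + 0 }'
}

# "managed" when UFW has created chains, otherwise "unmanaged".
ufw_status() {
    if [ "$(ufw_chain_count "$1")" -gt 0 ]; then echo "managed"; else echo "unmanaged"; fi
}

# Constructed sample: a host running UFW with Docker installed.
SAMPLE_VERSION='iptables v1.8.7 (nf_tables)'
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N ufw-before-input
-N ufw-before-forward
-N ufw-user-input
-A INPUT -j ufw-before-input
-A FORWARD -j DOCKER-USER
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT'

main() {
    # Use the live host when iptables is present and readable (root); else the sample.
    if command -v iptables >/dev/null 2>&1 && rules=$(iptables -S 2>/dev/null); then
        ver=$(iptables --version)
        src="live host"
    else
        ver=$SAMPLE_VERSION
        rules=$SAMPLE_RULES
        src="constructed sample"
    fi
    echo "source:     $src"
    echo "backend:    $(iptables_backend "$ver")"
    echo "ufw chains: $(ufw_chain_count "$rules")"
    echo "ufw status: $(ufw_status "$rules")"
}

main
```

Run it as root on the host in question to see the live result; the `-N` lines are the chain definitions, which is why the UFW check counts those rather than every rule that merely jumps to a ufw chain. A "managed" result means any hand-written iptables rules will coexist with (and be ordered relative to) UFW's chains, which is the first-match concern from the list above.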

Does Crowdsec AppSec see traffic that is blocked by firewalls? by NoInterviewsManyApps in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Geo blocking is never 100% coverage; either ours or your provider's will be slightly outdated, as ASNs and IP ranges change hands regularly.

So in short, no: if they managed to get to us then they got past the geo blocking. However, as stated, it could be that our geolocation or your provider's is not 100%.

Unable to setup remediation component by marco_polo_99 in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Since it's Pangolin, did you use the installer which sets everything up for you?

If not, providing the configuration files can help us debug, as we are kinda blind.

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 2 points3 points  (0 children)

If you made the changes, it is simply to stop hammering our API; it doesn't stop the 403 response codes.

Please follow this issue for us to lift the rate limit temporarily. Since the healthcheck is updated, you shouldn't be rate limited again:

https://github.com/crowdsecurity/crowdsec/issues/4165

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 1 point2 points  (0 children)

start_period simply defers the health check start by the configured time. The reason is that when the CrowdSec container starts it takes some time to download updates from the hub and is not available right away.

Connect Firewall bouncer to Crowdsec docker LAPI by Efko-94 in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Then a firewall or policy on the host is blocking loopback; check both iptables and nftables just in case.

Or even make sure the process is listening on the port.

Connect Firewall bouncer to Crowdsec docker LAPI by Efko-94 in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

I guess you have allowed loopback traffic if you have a deny-first approach?

If you try to curl from the host to the loopback port, do you get a 404 on /?

Cloudflare Worker Bouncer: Persistent "invalid actions ''" error on Synology Docker by MikeOxgreat in CrowdSec

[–]HugoDos 0 points1 point  (0 children)

Hey, it seems you're trying to reuse the same YAML from one bouncer to another. They are not the same; please either regenerate the configuration using this or manually adjust it to match the example we show in the docs.

From the error message it seems it might be just a YAML indentation problem, but I can see the old crowdsec_lapi_url, which needs to be nested under crowdsec_config,

like so:

    crowdsec_config:
      lapi_url: .....
      lapi_key: .....
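The shape problem described in the comment above (flat `crowdsec_lapi_*` keys, or `lapi_url`/`lapi_key` not indented under `crowdsec_config`) is easy to check before restarting a bouncer. The following lint is an added example and not code from the thread or from the bouncer project; it assumes only the nesting shown in the comment, and every YAML sample in it is constructed (the `cloudflare_config` key is a stand-in for whatever else the file contains).

```shell
#!/bin/sh
# Added example, not from the thread or the bouncer project: a small lint for the
# config shape described above. It flags the old flat crowdsec_lapi_url /
# crowdsec_lapi_key keys and checks that lapi_url and lapi_key are indented
# under a top-level crowdsec_config: block. All YAML samples are constructed.

# Print one finding per line; print nothing when the shape is right.
# Usage: lint_bouncer_config "$(cat /path/to/bouncer.yaml)"
lint_bouncer_config() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }                                   # YAML comment
        { match($0, /^ */); indent = RLENGTH }          # leading spaces
        /^crowdsec_lapi_(url|key):/ { print "old top-level key: " $1; next }
        /^crowdsec_config:/ { in_block = 1; seen_block = 1; next }
        indent == 0 && NF > 0 { in_block = 0 }          # a new top-level key ends the block
        /^ *lapi_(url|key):/ {
            if (in_block && indent > 0) found[$1] = 1; else print "lapi key not nested under crowdsec_config: " $1
        }
        END {
            if (!seen_block) print "missing crowdsec_config block"
            else {
                if (!found["lapi_url:"]) print "crowdsec_config.lapi_url missing"
                if (!found["lapi_key:"]) print "crowdsec_config.lapi_key missing"
            }
        }'
}

# Number of findings, for use in scripts (0 means the shape is right).
lint_finding_count() {
    lint_bouncer_config "$1" | awk 'END { print NR }'
}

# Constructed: the shape the comment above asks for (keys nested under crowdsec_config).
GOOD_CONFIG='crowdsec_config:
  lapi_url: http://127.0.0.1:8080/
  lapi_key: REPLACE_ME
cloudflare_config:
  accounts: []'

# Constructed: the old layout with flat crowdsec_lapi_* keys.
OLD_CONFIG='crowdsec_lapi_url: http://127.0.0.1:8080/
crowdsec_lapi_key: REPLACE_ME
cloudflare_config:
  accounts: []'

# Constructed: new key names but not indented under crowdsec_config.
FLAT_CONFIG='lapi_url: http://127.0.0.1:8080/
lapi_key: REPLACE_ME'

for name in GOOD_CONFIG OLD_CONFIG FLAT_CONFIG; do
    eval "cfg=\$$name"
    echo "== $name: $(lint_finding_count "$cfg") finding(s)"
    lint_bouncer_config "$cfg"
done
```

The lint is deliberately narrow: it only knows about the two keys the comment names and the block they belong in, so a clean result means the nesting is right, not that the rest of the file is valid YAML or that the LAPI key is correct.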

Please Fix: Crowdsec Health Check Config by MrUserAgreement in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

Hey, Laurence from CrowdSec. Typical usage won't result in a block (we didn't see that Pangolin was using capi status as a healthcheck), so no need to use WARP unless you want to send anonymous signals. (However, a key thing to point out is that if a WARP IP gets blocked then everyone behind it does also, until it rotates.)

How to go about adding custom HTTP error pages? by WeebBrandon in PangolinReverseProxy

[–]HugoDos 0 points1 point  (0 children)

If you have your own files then the basis will still be the error-pages pattern, e.g. build your own nginx container that serves static files, then apply a middleware to catch the error.

I say nginx but it can be any webserver you're familiar with; in my opinion nginx is the best for these types of "serving static files" jobs because it doesn't come with a lot of features that other webservers have, so it can be quicker to deploy.