CrowdSec Troubleshooting
Incident runbook for CrowdSec and nftables.
Am I banned?
Symptoms
Site unreachable from home, Caddy returns no connection, Tailscale still works.
Command to check your IP:
$ sudo cscli decisions list
Command to unban yourself:
$ sudo cscli decisions delete --ip <YOUR_IP>
Note: Use Hetzner web console if SSH is also blocked.
Why was I banned?
Known triggers:
- Ente Photos bulk API calls → triggers http-crawl-non-statics scenario
- Aggressive Navidrome/Subsonic client polling
Check logs to see what caused it:
$ sudo tail -100 /var/log/caddy/access.log | grep <YOUR_IP>
$ sudo cscli alerts list
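To see which service produced the burst, the grep output can be grouped per host and path. The script below is an added example, not part of the original runbook: it assumes Caddy writes its default JSON access log, and the sample lines, hostnames and static-extension list are constructed. It is a rough triage aid, not the scenario's own detection logic.

```python
import json
from collections import Counter

# Assumed list of extensions treated as static assets (constructed, adjust as needed).
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico", ".woff2", ".webp")

# Constructed sample lines in Caddy's JSON access-log shape (IPs are documentation ranges).
SAMPLE_LOG = """\
{"ts":1700000000.1,"request":{"remote_ip":"203.0.113.7","method":"GET","host":"photos.example.org","uri":"/api/files/1001"},"status":200}
{"ts":1700000000.2,"request":{"remote_ip":"203.0.113.7","method":"GET","host":"photos.example.org","uri":"/api/files/1002"},"status":200}
{"ts":1700000000.3,"request":{"remote_ip":"203.0.113.7","method":"GET","host":"photos.example.org","uri":"/api/files/1002?token=x"},"status":200}
{"ts":1700000000.4,"request":{"remote_ip":"203.0.113.7","method":"GET","host":"photos.example.org","uri":"/static/app.js"},"status":200}
{"ts":1700000000.5,"request":{"remote_ip":"203.0.113.7","method":"GET","host":"music.example.org","uri":"/rest/ping.view"},"status":200}
{"ts":1700000000.6,"request":{"remote_ip":"198.51.100.9","method":"GET","host":"photos.example.org","uri":"/api/files/1003"},"status":200}
"""

def summarize(lines, ip):
    """Group one client's non-static requests by (host, first path segment)."""
    hits = Counter()
    distinct = {}
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or non-JSON lines
        if not isinstance(entry, dict):
            continue
        req = entry.get("request") or {}
        if ip not in (req.get("remote_ip"), req.get("client_ip")):
            continue
        path = req.get("uri", "/").split("?", 1)[0]  # drop the query string
        if path.lower().endswith(STATIC_EXT):
            continue  # static assets are not what a non-static crawl scenario counts
        key = (req.get("host", "-"), "/" + path.lstrip("/").split("/", 1)[0])
        hits[key] += 1
        distinct.setdefault(key, set()).add(path)
    # Busiest group first: (host, path prefix, total requests, distinct paths)
    return [(h, p, n, len(distinct[(h, p)])) for (h, p), n in hits.most_common()]

if __name__ == "__main__":
    for host, prefix, total, uniq in summarize(SAMPLE_LOG.splitlines(), "203.0.113.7"):
        print(f"{host}{prefix}: {total} requests, {uniq} distinct paths")
```

To run it against the real log, pass the lines of /var/log/caddy/access.log to summarize() together with your IP; a group with a high distinct-path count is the likely trigger.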
Permanent Whitelist
Edit the whitelist file:
$ sudo nano /etc/crowdsec/parsers/s02-enrich/my-whitelist.yaml
Structure:
name: my/whitelist
description: "Whitelist home IPs"
whitelist:
  reason: "home IP"
  ip:
    - "1.2.3.4"
  cidr:
    - "1.2.3.0/24"
After editing, reload CrowdSec:
$ sudo systemctl reload crowdsec
Whitelist via allowlist (mynetworks)
Command to add an IP or CIDR to the allowlist:
$ sudo cscli allowlists add mynetworks <IP_OR_CIDR> --reason "home IP"
Command to list:
$ sudo cscli allowlists list mynetworks
Hetzner Web Console Emergency Access
Emergency Access
Use when SSH is unreachable because your home IP is banned by CrowdSec/nftables.
- URL: console.hetzner.cloud
- Select VPS → Console tab
- Login: user thomas, system password (stored in Bitwarden SSH vault)
Common Scenarios
| Scenario | Cause | Fix |
|---|---|---|
| Banned after Ente photo sync | http-crawl-non-statics | cscli decisions delete + add CIDR to allowlist |
| Banned after Subsonic API | Aggressive polling | Same as above |
| Banned home + mobile | Multiple IPs / CGNAT shift | Add full /24 CIDR |
| SSH blocked | nftables bouncer active | Hetzner console → unban |