canasta crowdsec
canasta > crowdsec
canasta crowdsec
Manage CrowdSec threat detection
Synopsis
Manage the optional CrowdSec security feature on a Compose or Kubernetes instance. Enable or disable CrowdSec itself with canasta config set CANASTA_ENABLE_CROWDSEC=true|false (the same pattern as the other optional features). The subcommands below allow further configuration and monitoring once CrowdSec is enabled:
bouncer-enrollregisters the Caddy bouncer with the CrowdSec engine, captures the generated API key, stores it asCROWDSEC_BOUNCER_API_KEY, and restarts so the bouncer starts enforcing decisions. This now happens automatically the first time the instance starts after CrowdSec is enabled; run it by hand only to force a fresh key (--force).console-enrollconnects the engine to the CrowdSec Console (app.crowdsec.net) for the full community blocklist. Optional — the engine already pulls the smaller "Lite" community blocklist via the Central API by default.reloadrestarts just the engine to apply changes (an accepted console enrollment, whitelist edits) without restarting the whole instance.statusshows the registered bouncers and the currently active IP decisions.scenarioslists the loaded collections and scenarios so you can confirm behavioral detection is active.alertsshows the attacks CrowdSec has detected (the detection history), complementingstatus(the bans in force right now).metricsshows engine throughput — the quickest check that the Caddy access log is actually being read.ban/unbanadd or remove a manual decision for an IP, independent of CrowdSec's automatic detection.
Durable detection tuning (whitelisting trusted IPs, custom rules) is done by editing config/crowdsec/whitelists.yaml in the instance directory — a version-controlled file, like Caddyfile.global.
On Kubernetes the engine runs as a sidecar in the Caddy pod and the same subcommands work via kubectl exec. Because Caddy always sits behind the in-cluster ingress there, CrowdSec auto-trusts the cluster pod CIDRs (override with CADDY_TRUSTED_PROXY_CIDRS) so it attributes decisions to the real client IP rather than the ingress.
Subcommands
This command requires a subcommand:
- alerts — Show recent CrowdSec alerts (detected attacks)
- ban — Block an IP via a manual CrowdSec decision
- bouncer-enroll — Register the Caddy bouncer with the CrowdSec engine
- console-enroll — Connect CrowdSec to the Console for the full community blocklist
- metrics — Show CrowdSec engine throughput metrics
- reload — Restart the CrowdSec engine to apply changes
- scenarios — List the loaded CrowdSec detection (collections and scenarios)
- status — Show CrowdSec bouncers and active decisions
- unban — Remove a manual CrowdSec decision for an IP
Global flags
| Flag | Shorthand | Description | Default | Required | Orchestrator |
|---|---|---|---|---|---|
--help |
-h |
Show help message and exit | Both | ||
--verbose |
-v |
Enable verbose output | Both |