IP / CIDR
IP whitelists are best suited for the Parser whitelists stage: once a log line is parsed, CrowdSec already knows the IP and can discard it early to save resources.
Create mywhitelist.yaml in your parser whitelist directory (see introduction for OS-specific paths):
name: "my/whitelist" ## Must be unique
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:
    - "192.168.1.1" # Replace with your public IP
  cidr:
    - "192.168.1.0/24" # Replace with your public IP range
Reload CrowdSec
sudo systemctl reload crowdsec
Test the whitelist
Use a security tool such as nikto to test the whitelist:
nikto -host myfqdn.com
sudo cscli decisions list --ip <your_whitelisted_ip>
The expected result is No active decisions.
I still see an old decision?
Whitelisting only prevents new decisions. Remove old decisions with:
sudo cscli decisions delete --ip <your_whitelisted_ip>
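
An offline pre-check for the ip and cidr entries of mywhitelist.yaml, run before reloading CrowdSec, is sketched below. It is an added example, not CrowdSec code and not how CrowdSec evaluates whitelists. The function names, the sample lists (constructed to mirror the file above) and the MIN_PREFIX review thresholds are assumptions.

```python
import ipaddress

# Constructed sample entries mirroring the ip: and cidr: lists in mywhitelist.yaml.
WHITELIST_IPS = ["192.168.1.1"]
WHITELIST_CIDRS = ["192.168.1.0/24"]

# Assumed review thresholds (shortest prefix accepted without a warning).
# These are a local policy choice, not limits enforced by CrowdSec.
MIN_PREFIX = {4: 16, 6: 48}


def lint(ips, cidrs):
    """Return a list of problems found in the whitelist entries."""
    problems = []
    for entry in ips:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"ip: {entry!r} is not a single address")
    for entry in cidrs:
        try:
            iface = ipaddress.ip_interface(entry)
        except ValueError:
            problems.append(f"cidr: {entry!r} is not a valid range")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append(f"cidr: {entry!r} has host bits set, covers {net}")
        if net.prefixlen < MIN_PREFIX[net.version]:
            problems.append(f"cidr: {entry!r} exempts {net.num_addresses} addresses")
    return problems


def match(source_ip, ips, cidrs):
    """Return the whitelist entry that covers source_ip, or None."""
    addr = ipaddress.ip_address(source_ip)
    for entry in ips:
        try:
            if ipaddress.ip_address(entry) == addr:
                return entry
        except ValueError:
            continue  # malformed entry, already reported by lint()
    for entry in cidrs:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return entry
        except ValueError:
            continue
    return None
```

An empty result from `lint()` and the expected entry from `match()` for your own address are what you want to see before running the nikto test.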