How-to

Install premium blocklists

This guide shows you how to install and manage premium blocklists after enrolling with the Community Console. Install one blocklist per 24 hours so you can attribute any false-positive wave to a specific source.

Prerequisites

The engine must be enrolled — see enroll-community-console.

List available blocklists

Show all blocklists offered to your account:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli blocklists list

The output shows name, description, size in IPs, and update frequency.

Blocklists to avoid initially

Do not install these without per-app analysis:

  • crowdsecurity/firehol_anonymous — may block Tor exit nodes and VPN providers, which is a privacy anti-pattern for public-facing sites

  • Aggressive catch-all lists without a clear scope

These can be revisited in Phase 4 for specific endpoints (admin panels, login pages) where Tor/VPN access has no legitimate use.

Disable a blocklist after a false-positive wave

If a blocklist causes user complaints or 4xx spikes:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli blocklists disable crowdsecurity/firehol_voipbl

The plugin stops applying decisions from this blocklist within 60 seconds. Existing decisions from this source remain in the cache until their TTL expires (typically 7 days).

To force-remove all decisions from a specific blocklist:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli decisions delete \
  --origin "lists:crowdsecurity/firehol_voipbl"

Inspect a blocklist

To see metadata and sample IPs:

kubectl exec -n crowdsec deploy/crowdsec-lapi -- cscli blocklists inspect crowdsecurity/firehol_proxies

Re-evaluate after seven days

After seven days running with the selected blocklists:

  • Lists with many hits and no complaints — keep.

  • Lists with few hits and no complaints — keep (no harm done).

  • Lists that triggered user complaints — disable and document.

Record the decision and any disabled blocklists in the memory file project_kup6s_waf_phase2_live.md.