CrowdSec decisions: list, add, delete (cscli + panel UI)
Last updated
A CrowdSec decision is a live ban, CAPTCHA challenge, or allowlist entry currently in force on the panel host. Decisions are produced automatically by CrowdSec scenarios watching your logs, pushed from the CrowdSec Console (community blocklists), or added manually. This page shows both the cscli commands and the Jabali Panel UI at /jabali-admin/security/crowdsec-decisions.
TL;DR — common cscli commands
# List every active decision on the host
cscli decisions list
# List only bans for a specific IP
cscli decisions list --ip 203.0.113.42
# Add a manual 4-hour ban for an IP
cscli decisions add --ip 203.0.113.42 --duration 4h --reason "manual block"
# Delete a decision by IP (removes every active decision for that IP)
cscli decisions delete --ip 203.0.113.42
# Delete a decision by ID (from `cscli decisions list`)
cscli decisions delete --id 12345
All three actions are also available in the panel UI, one click per row. Both surfaces write to the same LAPI, so a change made in the panel is visible immediately in cscli decisions list, and vice-versa.
cscli decisions list — filter cheat sheet
cscli decisions list prints every active decision by default. The panel calls the same API under the hood and passes the same filters:
| Filter | cscli flag | Panel UI |
|---|---|---|
| Type (ban/captcha/allowlist) | --type ban | ”Decision type” dropdown |
| Scenario | --scenario crowdsecurity/ssh-bf | ”Scenario” dropdown |
| IP or CIDR | --ip 203.0.113.42 / --range 203.0.113.0/24 | ”IP range (CIDR)” search |
| Origin (local/console/manual) | --origin console | ”Origin” dropdown |
| Include expired | --all | ”Show expired” toggle |
Example — list only bans from the CrowdSec Console:
cscli decisions list --type ban --origin console
Delete a CrowdSec decision by IP
Two options:
-
By IP — removes every active decision for that IP (typical when a user is unblocked by mistake):
cscli decisions delete --ip 203.0.113.42 -
By decision ID — targets a single decision when an IP has multiple:
cscli decisions delete --id 12345The ID column comes from
cscli decisions list --output raw.
In the panel: open the row’s action menu and pick Remove. The panel calls cscli decisions delete --id <id> on the host over the agent socket. No manual SSH.
Add a manual decision (block or allow an IP)
cscli decisions add creates a manual decision. Duration accepts s|m|h|d suffixes; scope defaults to Ip.
# 24-hour manual ban with reason
cscli decisions add --ip 203.0.113.42 --duration 24h --reason "manual block"
# 30-day CIDR ban
cscli decisions add --range 203.0.113.0/24 --duration 30d --type ban
For allowlists — persistent, survive CrowdSec restarts, and take precedence over bans — use the Allowlist tab in the panel or see the Allowlists guide. The single-command form is:
cscli allowlists add my-office --range 203.0.113.0/24
Where do decisions come from?
Decisions are produced by CrowdSec scenarios — YAML rules that match patterns in log streams:
nginxaccess log → HTTP probing, scanner detection, abusive paths.sshdjournal → SSH bruteforce.stalwart-mailjournal → IMAP / SMTP authentication flood.bulwarkjournal → panel-side authentication flood.crowdsec-appseclog → WAF rule trips.
Each scenario has a configurable severity, leakspeed (decay rate), and capacity (threshold). Adjust them under the Per-Scenario Override tab.
The origin column tells you how a decision landed on this host:
| Origin | Meaning |
|---|---|
crowdsec | Local scenario tripped by log activity on this host. |
console | Pushed from the CrowdSec Console (community blocklists). |
cscli | Manually added via cscli decisions add. |
lapi | Added via LAPI (panel UI, third-party tool). |
Panel UI: columns, filters, per-row actions
The /jabali-admin/security/crowdsec-decisions page displays every active decision with:
- IP (IPv4 or IPv6)
- Decision type (
ban,captcha,allowlist) - Scenario that triggered it (e.g.
crowdsecurity/ssh-bf,crowdsecurity/http-probing) - Origin (
crowdsec,console,cscli,lapi) - Duration remaining
- First seen, last seen
Per-row actions:
- Extend duration — bump time on an existing decision.
- Remove — same effect as
cscli decisions delete --id <id>. - Add to allowlist — promote the IP to a persistent allowlist entry; the current decision is removed in the same operation.
The list refreshes every 30 seconds; filters are query-string-driven and shareable.
How decisions are enforced
Decisions themselves are just database rows in LAPI. The actual blocking is done by bouncers subscribing to LAPI:
cs-nginx-bouncer— drops HTTP requests from banned IPs at the nginx layer; renders the configured CAPTCHA HTML forcaptchadecisions.cs-firewall-bouncer— installs nftables drop rules for non-HTTP traffic (SSH, ICMP, arbitrary ports).cs-stalwart-bouncer— rejects IMAP / SMTP connections at the mail-server layer.
cscli decisions delete invalidates the decision in LAPI; bouncers pick up the change on their next poll (default 10 s).
CrowdSec Console sync
If the panel host is enrolled with the central CrowdSec Console (Server Settings → Security → CrowdSec enrollment), decisions sync bidirectionally:
- Local decisions appear in the Console alerts feed.
- Console-pushed community blocklists appear in
cscli decisions listmarkedorigin=console.
Local decisions are never overridden by Console pushes, and vice-versa.
Related
- CrowdSec allowlists — persistent IP/CIDR whitelists.
- Bouncers — what each bouncer enforces, how to add a new one.
- Server Settings → Security — CrowdSec Console enrollment, per-scenario overrides.