Skip to content

Remove whitelist-good-actors from linux.yaml#1623

Open
daikoz wants to merge 1 commit intocrowdsecurity:masterfrom
daikoz:patch-3
Open

Remove whitelist-good-actors from linux.yaml#1623
daikoz wants to merge 1 commit intocrowdsecurity:masterfrom
daikoz:patch-3

Conversation

@daikoz
Copy link
Contributor

@daikoz daikoz commented Jan 2, 2026

linux is a core collection: "core linux support : syslog+geoip+ssh". It should not contain crowdsecurity/whitelist-good-actors !!!

Moreover, whitelist-good-actors contain wrong actor which don't respect robots.txt.
And it added recently.

All whitelist should be add manually by server's administrator, not in core collection.

Description

Checklist

  • [ X] I have read the contributing guide
  • [ X] I have tested my changes locally
  • [ X] For new parsers or scenarios, tests have been added
  • [ X] I have run the hub linter and no issues were reported (see contributing guide)
  • [ X] Automated tests are passing
  • [ X] AI was used to generate any/all content of this PR

@daikoz
Remove whitelist-good-actors from linux.yaml
e4ffacb 
linux is a core collection: core linux support : syslog+geoip+ssh
It should not contain crowdsecurity/whitelist-good-actors !!!

Moreover, whitelist-good-actors contain wrong actor which don't respect robots.txt.

All whitelist should be add manually by server's administrator, not in core collection.
@LaurenceJJones
Copy link
Member

LaurenceJJones commented Jan 5, 2026

Hey @daikoz thank you for opening a PR, i'll give some background on why we decided to make it within the standard linux collection.

Before hand we was getting about 100 - 200k signals per day based on these ranges, IPs. Because unfortunately users just install CrowdSec, go out to find other collection to install other than ones they need cause they dont really understand they are banning ranges they can ultimately bring down their sites (cloudflare CDN gets banned, your site is unreachable for users going through cloudflare cdn).

Before we added this change we only had 600 instances that actively installed this VS the 200k instances that are out their.

Moreover, whitelist-good-actors contain wrong actor which don't respect robots.txt.

If you can provide more content on who, what they did then we come be come around, but blanketing saying "administrators should install it" when we have the stats on our end to prove users just dont.

@daikoz
Copy link
Contributor Author

daikoz commented Jan 18, 2026

For example, as highlighted in this Datadome research on Facebook being used as a proxy by web scraping bots: How Facebook Was Used as a Proxy by Web Scraping Bots.

Applying a default whitelist to all users is inherently risky. It unnecessarily expands the attack surface for websites that do not rely on these third-party services, exposing them to potential threats such as DDoS or scraping attacks... A security tool should never enable such broad allowlists by default, as it compromises the principle of least privilege.

For this reason, we have removed this collection for all ours clients.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daikoz @LaurenceJJones