Jellyfin Forum
Remote access with Caddy, Duckdns vs Tailscale for security? - Printable Version



RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Duvel - 2025-04-10

(2025-04-10, 12:34 PM)Balinus Wrote: On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?

To check if the firewall bouncer is active, first check your iptables with sudo iptables -L
You should find something like this:

Code:
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       
DROP      all  --  anywhere            anywhere            match-set crowdsec-blacklists src

So your LAPI is maintaining a list of blacklisted IPs that are sourced from the CrowdSec servers and also get fed by your LAPI decisions.
And that rule on your firewall tells it to DROP all traffic from all the IPs in that list.

To see the IPs in that crowdsec-blacklists set, use:
Code:
sudo ipset list crowdsec-blacklists


To see if it gets correctly fed by your LAPI, you should have decisions and alerts triggered by your Caddy bouncer.

To list the decisions, use the command: cscli decisions list

Code:
tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli decisions list
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
|    ID    |  Source  |  Scope:Value  |          Reason          | Action | Country |            AS            | Events | expiration | Alert ID |
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
| 35622305 | crowdsec | Ip:45.148.10.90 | crowdsecurity/http-probing | ban    | NL      | 48090 Techoff Srv Limited | 11    | 2h21m25s  | 5108    |
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
1 duplicated entries skipped

To list the alerts, use the command: cscli alerts list

Code:
+------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
|  ID  |      value      |                reason                | country |            as            | decisions |                created_at              |
+------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
| 5108 | Ip:45.148.10.90  | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 13:02:36.862627355 +0000 UTC |
| 5107 | Ip:45.148.10.90  | crowdsecurity/http-sensitive-files    | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 13:02:36.912274326 +0000 UTC |
| 5098 | Ip:45.148.10.35  | crowdsecurity/http-crawl-non_statics  | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 07:34:41.401018012 +0000 UTC |
| 5097 | Ip:45.148.10.35  | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 07:34:41.40102972 +0000 UTC  |

If everything works, you should see the alerted IPs in the crowdsec-blacklists set.
You can quickly check that using
Code:
sudo ipset list crowdsec-blacklists | grep <the_ip_address_to_check>

Note that if you don't have any ongoing alerts, you can also trigger one yourself, it's always funny :-)
An easy way to test is to trigger the http-probing detection. That scenario should already be installed; otherwise install it: https://app.crowdsec.net/hub/author/crowdsecurity/scenarios/http-probing
And then, using your smartphone, and preferably behind a VPN, visit in a row URLs of your domain that don't exist:
https://your-domain.tld/thatdoesntexist1
https://your-domain.tld/thatdoesntexist2
https://your-domain.tld/thatdoesntexist3
https://your-domain.tld/thatdoesntexist4
https://your-domain.tld/thatdoesntexist5

The bouncer should block you after a dozen attempts.
If you got blocked without using a VPN, you will have to learn how to remove the alerted IP using cscli commands ;-)
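The three checks walked through above (DROP rule present, IP in the ipset, decisions actually applied by the bouncer) gathered into a small script so they can be tested offline first. This is an added example, not code from the thread or from CrowdSec; the sample outputs are constructed after the ones quoted above, and the 192.0.2.77 row is invented to show a decision that has not reached the ipset.

```shell
#!/bin/sh
# Added example: offline-testable version of the checks in the post above.
# Each function reads command output on stdin, so it works on the constructed
# samples below or on live output, e.g.:
#   sudo iptables -L INPUT -n | has_crowdsec_drop_rule
#   sudo ipset list crowdsec-blacklists | ip_in_set 45.148.10.90

# 1. Does the INPUT chain carry a DROP rule keyed on the crowdsec-blacklists ipset?
has_crowdsec_drop_rule() {
    grep -Eq '^DROP[[:space:]].*match-set[[:space:]]+crowdsec-blacklists[[:space:]]+src'
}

# 2. Is the given address a member of the ipset listing on stdin?
#    Members appear one per line after "Members:", often as "<ip> timeout N";
#    the address is anchored so 10.0.0.1 does not match 10.0.0.10.
ip_in_set() {
    grep -Eq "^$1([[:space:]]|$)"
}

# 3. Which IPs banned in `cscli decisions list` (table on stdin) are missing
#    from the ipset listing passed as $1? Prints them; returns 1 if any are.
decisions_not_in_set() {
    missing=$(awk -F'|' '$4 ~ /^ *Ip:/ { gsub(/^ *Ip:|[ \t]+$/, "", $4); print $4 }' |
        while IFS= read -r ip; do
            printf '%s\n' "$1" | ip_in_set "$ip" || echo "$ip"
        done)
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Constructed samples modelled on the output quoted in the thread; the
# 192.0.2.77 row (TEST-NET address) is invented to show an unapplied decision.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT)
target    prot opt source              destination
DROP      all  --  anywhere            anywhere            match-set crowdsec-blacklists src'
SAMPLE_IPSET='Name: crowdsec-blacklists
Type: hash:net
Members:
45.148.10.90 timeout 8485
45.148.10.35 timeout 27281'
SAMPLE_DECISIONS='| 35622305 | crowdsec | Ip:45.148.10.90 | crowdsecurity/http-probing           | ban | NL |
| 35622306 | crowdsec | Ip:45.148.10.35 | crowdsecurity/http-crawl-non_statics | ban | NL |
| 35622307 | cscli    | Ip:192.0.2.77   | manual ban (constructed)             | ban | -- |'

# Demo run on the samples; swap in live command output when checking a server.
printf '%s\n' "$SAMPLE_IPTABLES" | has_crowdsec_drop_rule && echo "OK: DROP rule on crowdsec-blacklists"
printf '%s\n' "$SAMPLE_DECISIONS" | decisions_not_in_set "$SAMPLE_IPSET" || echo "^ banned but not in ipset"
```

On a live host, `sudo ipset test crowdsec-blacklists <ip>` answers the single-address question directly; the functions above are only needed when you want to compare whole listings.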


RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-10

(2025-04-10, 02:15 PM)Duvel Wrote: Looks like the default firewall bouncer of crowdsec: https://github.com/crowdsecurity/cs-firewall-bouncer

Unsure if you got it installed by default or if you installed it manually...

So basically that one acts like fail2ban and modifies the iptables of your Linux to block the alerted IPs. That's a nice addition that would prevent a blocked IP from reaching the whole Linux server.
This is only a little plus, depending on your architecture.
If the only way to reach your web-facing server is through Caddy, then it's mostly useless because the Caddy bouncer will block all those IPs.
Now if you have other ports opened, it might become useful.

For my architecture it is useless, because I have a crowdsec bouncer on my main gate, which is the pfSense router, and both the router and Caddy bouncer are connected to my Crowdsec LAPI. So whenever something is detected by the Caddy bouncer, the LAPI will propagate it to the pfSense bouncer, which will block the IP on the firewall.
On top of this, your LAPI also propagates your detected IPs to the central servers and everyone can benefit from it.

That's the beauty of the Crowdsec approach.

Ah, I think I installed it by following the Crowdsec documentation. In my case, there is only 1 port opened and the server, as far as I understand it, is only reachable through Caddy. Thanks for your supplementary details, it is much clearer in my head now.

For Nginx, there is a tutorial that might be useful: https://www.crowdsec.net/blog/crowdsec-with-nginx-proxy-manager
Not sure if it's useful though.


RE: Remote access with Caddy, Duckdns vs Tailscale for security? - Balinus - 2025-04-10

(2025-04-10, 03:14 PM)Duvel Wrote: To check if the firewall bouncer is active, first check your iptables with sudo iptables -L

Thanks! So, I haven't been able to trigger a blocking event manually, probably because of my config (or being too slow between attempts?). However, I found the package "Nikto" that is designed to probe servers and provoke a ban.... and it worked! I connected my desktop to my cellphone data, ran nikto on my https://domain and it provoked a ban! Tried from 2-3 IP addresses on VPN and without VPN. They all got banned, blocking access to the Jellyfin server. I reverted the decisions from crowdsec and within ~1 minute, I got back access to the Jellyfin server.

In terms of a guide, you already have all the material in this thread with the help you provided; I encourage you to publish it!

I am very happy with the outcome and the design of Crowdsec, thanks again!