2025-04-10, 02:15 PM
(This post was last modified: 2025-04-21, 07:49 AM by Duvel. Edited 2 times in total.)
(2025-04-10, 12:34 PM)Balinus Wrote: Wow, THANKS! It worked! I'm very happy with it.
Looks like the default firewall bouncer of crowdsec: https://github.com/crowdsecurity/cs-firewall-bouncer
We should sticky your post really, it's mostly "Guide" ready imho.
On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?
Code:
sudo cscli bouncers list
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            IP Address  Valid  Last API pull         Type                       Version                                                                  Auth Type
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cs-firewall-bouncer-1744226856  127.0.0.1   ✔️     2025-04-10T12:29:06Z  crowdsec-firewall-bouncer  v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87  api-key
 caddy-bouncer                   127.0.0.1   ✔️     2025-04-10T12:28:32Z  caddy-cs-bouncer           v0.8.1                                                                   api-key
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Unsure if you got it installed by default or if you installed it manually...
So basically that one acts like fail2ban and modifies the iptables of your Linux to block the alerted IPs. That's a nice addition that would prevent a blocked IP from reaching the whole Linux server.
This is only a little plus depending on your architecture.
If the only way to reach your webfacing server is through Caddy, then it's mostly useless because the caddy bouncer will block all those IPs.
Now if you have other ports opened, not using http(s), it might become useful.
For my architecture it is useless, because I have a crowdsec bouncer on my main gate, which is the pfsense router, and both the router bouncer and caddy bouncer are connected to my Crowdsec LAPI. So whenever something is detected on any of my machines running Crowdsec, the LAPI will propagate it to the pfsense bouncer, which will block the IP on its firewall, and will thus prevent access from that IP to my whole network.
On top of this, your LAPI also propagates your detected IPs to the central servers and everyone can benefit from it.
That's the beauty of Crowdsec approach: CROWD security.
@TheDreadPirate not considering myself as a guru but I am using Crowdsec for like 2 years on several different machines so I understand how it works.
Yes there's an nginx bouncer. Unsure for Apache
I might do a guide if it becomes necessary
