    Remote access with Caddy, Duckdns vs Tailscale for security?

    Duvel
    #21
    2025-04-10, 03:14 PM (This post was last modified: 2025-04-10, 03:19 PM by Duvel. Edited 2 times in total.)
    (2025-04-10, 12:34 PM)Balinus Wrote: On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?

    To check if the firewall bouncer is active, first check your iptables with sudo iptables -L
    You should find something like this:

    Code:
    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination       
    DROP      all  --  anywhere            anywhere            match-set crowdsec-blacklists src

    So your LAPI is maintaining a list of blacklisted IPs that are sourced from CrowdSec servers and also get fed by your LAPI decisions.
    And that rule on your firewall says to DROP all traffic from all the IPs in that list.

    To see the IPs in that crowdsec-blacklist, use:
    Code:
    sudo ipset list crowdsec-blacklists


    To see if it gets correctly fed by your LAPI, you should have decisions and alerts triggered by your Caddy Bouncer.

    To list the decisions, use the command: cscli decisions list

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli decisions list
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    |    ID    |  Source  |  Scope:Value  |          Reason          | Action | Country |            AS            | Events | expiration | Alert ID |
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    | 35622305 | crowdsec | Ip:45.148.10.90 | crowdsecurity/http-probing | ban    | NL      | 48090 Techoff Srv Limited | 11    | 2h21m25s  | 5108    |
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    1 duplicated entries skipped

    To list the alerts, use the command: cscli alerts list

    Code:
    +------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
    |  ID  |      value      |                reason                | country |            as            | decisions |                created_at              |
    +------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
    | 5108 | Ip:45.148.10.90  | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 13:02:36.862627355 +0000 UTC |
    | 5107 | Ip:45.148.10.90  | crowdsecurity/http-sensitive-files    | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 13:02:36.912274326 +0000 UTC |
    | 5098 | Ip:45.148.10.35  | crowdsecurity/http-crawl-non_statics  | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 07:34:41.401018012 +0000 UTC |
    | 5097 | Ip:45.148.10.35  | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1    | 2025-04-10 07:34:41.40102972 +0000 UTC  |

    If everything works, you should see the alerted IPs in the crowdsec-blacklists.
    You can quickly check that using:
    Code:
    sudo ipset list crowdsec-blacklists | grep <the_ip_address_to_check>

    Note that if you don't have any ongoing alerts, you can also trigger one yourself, it's always funny :-)
    An easy way to test is to trigger the http probing detection. That scenario should be installed, otherwise install it: https://app.crowdsec.net/hub/author/crow...tp-probing
    And then, using your smartphone, and preferably behind a VPN, visit several URLs of your domain in a row that don't exist:
    https://your-domain.tld/thatdoesntexist1
    https://your-domain.tld/thatdoesntexist2
    https://your-domain.tld/thatdoesntexist3
    https://your-domain.tld/thatdoesntexist4
    https://your-domain.tld/thatdoesntexist5

    The bouncer should block you after a dozen attempts.
    If you got blocked without using a VPN, you will have to learn how to remove the alerted IP using cscli commands ;-)
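
    The cross-check described in the post above, automated as an added example that is not part of the original post: it lists every IP with a ban decision that has no entry in the bouncer's ipset. The function names and the sample data (documentation-range IPs) are constructed for illustration; the table layout and the two commands in the usage comment are the ones shown in the post.

```shell
#!/bin/sh
# Added example: cross-check CrowdSec ban decisions against the firewall
# bouncer's ipset, reading the same text the two commands in the post print.

# Print the IP of every "ban" row in a `cscli decisions list` table (stdin).
decision_ips() {
    awk -F'|' '
        NF > 6 {
            scope = $4; action = $6
            gsub(/[ \t]/, "", scope); gsub(/[ \t]/, "", action)
            if (action == "ban" && scope ~ /^Ip:/) print substr(scope, 4)
        }' | LC_ALL=C sort -u
}

# Print the entries listed after "Members:" in `ipset list <set>` output (stdin).
set_members() {
    awk 'seen && NF { print $1 } /^Members:/ { seen = 1 }' | LC_ALL=C sort -u
}

# missing_from_set DECISIONS_TEXT IPSET_TEXT
# Prints banned IPs that have no exact entry in the set. An IP covered only by
# a range entry (hash:net sets can hold CIDRs) is reported too; confirm those
# with `ipset test crowdsec-blacklists <ip>`.
missing_from_set() {
    d=$(mktemp) && s=$(mktemp) || return 1
    printf '%s\n' "$1" | decision_ips > "$d"
    printf '%s\n' "$2" | set_members > "$s"
    LC_ALL=C comm -23 "$d" "$s"
    rm -f "$d" "$s"
}

# Constructed sample input (not real decisions), so the script runs offline.
SAMPLE_DECISIONS='| ID | Source | Scope:Value | Reason | Action | Country |
| 1 | crowdsec | Ip:203.0.113.10 | crowdsecurity/http-probing | ban | NL |
| 2 | crowdsec | Ip:198.51.100.7 | crowdsecurity/http-probing | ban | NL |
| 3 | cscli | Ip:192.0.2.44 | manual | captcha | BE |'
SAMPLE_IPSET='Name: crowdsec-blacklists
Type: hash:net
Members:
203.0.113.10 timeout 8400
192.0.2.0/24 timeout 600'

# Live use (commands from the post):
#   missing_from_set "$(sudo docker exec crowdsec cscli decisions list)" \
#                    "$(sudo ipset list crowdsec-blacklists)"
missing_from_set "$SAMPLE_DECISIONS" "$SAMPLE_IPSET"
```

    An empty result means every banned IP is in the set; an IP that stays listed after the bouncer's next refresh suggests the bouncer is not pulling decisions from the LAPI.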