2025-04-10, 05:46 PM
(This post was last modified: 2025-04-10, 06:28 PM by Balinus. Edited 1 time in total.)
(2025-04-10, 03:14 PM)Duvel Wrote: To check if the firewall bouncer is active, first check your iptables with sudo iptables -L
You should find something like this:
Code:Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere match-set crowdsec-blacklists src
So your LAPI is maintaining a list of blacklisted IPs, that are sourced from Crowdec servers, and also get feed by your LAPI decisions.
And that rules on your firewall tells to DROP all traffic from all the IPs in that list
to see the IPs in that crowdsec-blacklist, use :
Code:sudo ipset list crowdsec-blacklists
To see if it get correctly fed by your LAPI, you should have decisions and alerts triggered by your Caddy Bouncer
To list the decisions use the command : cscli decisions list
Code:tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli decisions list
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
| ID | Source | Scope:Value | Reason | Action | Country | AS | Events | expiration | Alert ID |
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
| 35622305 | crowdsec | Ip:45.148.10.90 | crowdsecurity/http-probing | ban | NL | 48090 Techoff Srv Limited | 11 | 2h21m25s | 5108 |
+----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
1 duplicated entries skipped
To list the alerts use the command : cscli alerts list
Code:+------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
| ID | value | reason | country | as | decisions | created_at |
+------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
| 5108 | Ip:45.148.10.90 | crowdsecurity/http-probing | NL | 48090 Techoff Srv Limited | ban:1 | 2025-04-10 13:02:36.862627355 +0000 UTC |
| 5107 | Ip:45.148.10.90 | crowdsecurity/http-sensitive-files | NL | 48090 Techoff Srv Limited | ban:1 | 2025-04-10 13:02:36.912274326 +0000 UTC |
| 5098 | Ip:45.148.10.35 | crowdsecurity/http-crawl-non_statics | NL | 48090 Techoff Srv Limited | ban:1 | 2025-04-10 07:34:41.401018012 +0000 UTC |
| 5097 | Ip:45.148.10.35 | crowdsecurity/http-probing | NL | 48090 Techoff Srv Limited | ban:1 | 2025-04-10 07:34:41.40102972 +0000 UTC |
If everything works you should see the IPs alerted in the crowdsec-blacklists.
You can quickly check that using
Code:sudo ipset list crowdsec-blacklists | grep <the_ip_adress_tocheck>
Note that if you dont have any ongoing alerts, you can also trigger one yourself, its always funny :-)
An easy way to test is to trigger the http probing detection. That scenario should be installed, otherwise install it : https://app.crowdsec.net/hub/author/crow...tp-probing
And then, using your smartphone, and preferably behind a VPN, visit in a row URL of your domain that doesnt exists :
https://your-domain.tld/thatdoesntexist1
https://your-domain.tld/thatdoesntexist2
https://your-domain.tld/thatdoesntexist3
https://your-domain.tld/thatdoesntexist4
https://your-domain.tld/thatdoesntexist5
The bouncer should block you after a dozen of attempts.
If you got blocked without using a VPN, you will have to learn how to remove the alerted IP using cscli commands ;-)
Thanks! So, I haven't been able to trigger manually a blocking event, probably because of my config (or being too slow between attempts?). However, I found the package "Nikto" that is designed to probe server and provoke a ban.... and it worked! I connected my desktop to my cellphone data, ran nikto on my https://domain and it provoked a ban! Tried from 2-3 IP address on VPN and without VPN. They all got banned, blocking access to Jellyfin server. I reverted back the decisions from crowdsec and within ~1 minute, I got back access to Jellyfin server.
In terms of guide, you already have all the material in this thread with the help you provided, I encourage you to publish it!
I am very happy with the outcome and the design of Crowdsec, thanks again!
