
    Remote access with Caddy, Duckdns vs Tailscale for security?

    Duvel
    #21
    2025-04-10, 03:14 PM (This post was last modified: 2025-04-10, 03:19 PM by Duvel. Edited 2 times in total.)
    (2025-04-10, 12:34 PM)Balinus Wrote: On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?

    To check if the firewall bouncer is active, first check your iptables with sudo iptables -L
    You should find something like this:

    Code:
    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination       
    DROP      all  --  anywhere            anywhere            match-set crowdsec-blacklists src

    So your LAPI is maintaining a list of blacklisted IPs that are sourced from CrowdSec servers and also get fed by your LAPI decisions.
    And that rule on your firewall tells it to DROP all traffic from all the IPs in that list.

    To see the IPs in that crowdsec-blacklists set, use:
    Code:
    sudo ipset list crowdsec-blacklists


    To see if it gets correctly fed by your LAPI, you should have decisions and alerts triggered by your Caddy Bouncer.

    To list the decisions use the command : cscli decisions list

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli decisions list
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    |    ID    |  Source  |   Scope:Value   |           Reason           | Action | Country |            AS             | Events | expiration | Alert ID |
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    | 35622305 | crowdsec | Ip:45.148.10.90 | crowdsecurity/http-probing | ban    | NL      | 48090 Techoff Srv Limited | 11     | 2h21m25s   | 5108     |
    +----------+----------+-----------------+----------------------------+--------+---------+---------------------------+--------+------------+----------+
    1 duplicated entries skipped

    To list the alerts use the command : cscli alerts list

    Code:
    +------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
    |  ID  |       value       |                reason                 | country |            as             | decisions |               created_at                |
    +------+-------------------+---------------------------------------+---------+---------------------------+-----------+-----------------------------------------+
    | 5108 | Ip:45.148.10.90   | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1     | 2025-04-10 13:02:36.862627355 +0000 UTC |
    | 5107 | Ip:45.148.10.90   | crowdsecurity/http-sensitive-files    | NL      | 48090 Techoff Srv Limited | ban:1     | 2025-04-10 13:02:36.912274326 +0000 UTC |
    | 5098 | Ip:45.148.10.35   | crowdsecurity/http-crawl-non_statics  | NL      | 48090 Techoff Srv Limited | ban:1     | 2025-04-10 07:34:41.401018012 +0000 UTC |
    | 5097 | Ip:45.148.10.35   | crowdsecurity/http-probing            | NL      | 48090 Techoff Srv Limited | ban:1     | 2025-04-10 07:34:41.40102972 +0000 UTC  |

    If everything works you should see the IPs alerted in the crowdsec-blacklists.
    You can quickly check that using
    Code:
    sudo ipset list crowdsec-blacklists | grep -wF <the_ip_address_to_check>

    Note that if you don't have any ongoing alerts, you can also trigger one yourself, it's always funny :-)
    An easy way to test is to trigger the http probing detection. That scenario should be installed, otherwise install it: https://app.crowdsec.net/hub/author/crow...tp-probing
    And then, using your smartphone, and preferably behind a VPN, visit in a row URLs on your domain that don't exist:
    https://your-domain.tld/thatdoesntexist1
    https://your-domain.tld/thatdoesntexist2
    https://your-domain.tld/thatdoesntexist3
    https://your-domain.tld/thatdoesntexist4
    https://your-domain.tld/thatdoesntexist5

    The bouncer should block you after a dozen attempts.
    If you got blocked without using a VPN, you will have to learn how to remove the alerted IP using cscli commands ;-)
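
The cross-check described in the post above (every banned IP should show up in the crowdsec-blacklists set), as an added example that is not part of the original post. The function names and the sample data are assumptions constructed for illustration; the parsers expect the table and `ipset list` layouts shown in the post.

```sh
#!/bin/sh
# Added example: list banned IPs that are missing from the firewall set.

# IPs of "ban" decisions in a `cscli decisions list` table read from stdin.
banned_ips() {
  awk -F'|' 'NF > 5 {
    value = $4; action = $6
    gsub(/ /, "", value); gsub(/ /, "", action)
    if (action == "ban" && value ~ /^Ip:/) print substr(value, 4)
  }' | sort -u
}

# Entries listed after "Members:" in `ipset list <set>` output on stdin.
set_members() {
  awk 'seen && NF { print $1 } /^Members:/ { seen = 1 }' | sort -u
}

# stdin: decisions table; $1: file holding the ipset listing.
# Whole-line match (-x), so 192.0.2.10 is not satisfied by 192.0.2.100.
# Exact entries only: an IP covered by a CIDR entry is reported as missing.
missing_from_set() {
  members=$(set_members < "$1")
  banned_ips | while read -r ip; do
    printf '%s\n' "$members" | grep -qxF -- "$ip" || printf '%s\n' "$ip"
  done
}

# Constructed sample data (documentation-range IPs, not from the thread).
sample_decisions() {
  cat <<'EOF'
| 11 | crowdsec | Ip:192.0.2.10   | crowdsecurity/http-probing | ban     |
| 12 | crowdsec | Ip:198.51.100.7 | crowdsecurity/http-probing | ban     |
| 13 | cscli    | Ip:203.0.113.5  | manual test                | captcha |
EOF
}
sample_ipset() {
  cat <<'EOF'
Name: crowdsec-blacklists
Type: hash:net
Members:
192.0.2.10 timeout 8400
192.0.2.100 timeout 8400
EOF
}

demo() {
  tmp=$(mktemp) || return 1
  sample_ipset > "$tmp"
  sample_decisions | missing_from_set "$tmp"
  rm -f "$tmp"
}
demo
```

On a live host, save `sudo ipset list crowdsec-blacklists` to a file and pipe the `cscli decisions list` output into `missing_from_set <file>`; `sudo ipset test crowdsec-blacklists <ip>` additionally matches IPs covered by a range entry.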
    Balinus
    #22
    2025-04-10, 03:19 PM
    (2025-04-10, 02:15 PM)Duvel Wrote: Looks like the default firewall bouncer of crowdsec: https://github.com/crowdsecurity/cs-firewall-bouncer

    Unsure if you got it installed by default or if you installed it manually...

    So basically that one acts like fail2ban and modifies the iptables of your Linux to block the alerted IPs. That's a nice addition that would prevent a blocked IP from reaching the whole Linux server.
    This is only a little plus depending on your architecture.
    If the only way to reach your webfacing server is through Caddy, then it's mostly useless because the caddy bouncer will block all those IPs.
    Now if you have other ports opened, it might become useful.

    For my architecture it is useless, because I have a crowdsec bouncer on my main gate, which is the pfsense router, and both the router and caddy bouncer are connected to my Crowdsec LAPI. So whenever something is detected by the Caddy bouncer, the LAPI will propagate it to the pfsense bouncer, which will block the IP on the firewall.
    On top of this your LAPI also propagates your detected IPs to the central servers and everyone can benefit from it.

    That's the beauty of Crowdsec approach.

    Ah, I think I installed iptables  it by following Crowdsec documentation. For my case, there is only 1 port opened and the server, as far as I understand it, is only reachable through Caddy. Thanks for your supplementary details, it is much clearer in my head now.

    For Nginx, there is a tutorial that might be useful : https://www.crowdsec.net/blog/crowdsec-w...xy-manager
    Not sure if it's useful though.
    Balinus
    #23
    2025-04-10, 05:46 PM (This post was last modified: 2025-04-10, 06:28 PM by Balinus. Edited 1 time in total.)
    (2025-04-10, 03:14 PM)Duvel Wrote: To check if the firewall bouncer is active, first check your iptables with sudo iptables -L

    Thanks! So, I haven't been able to manually trigger a blocking event, probably because of my config (or being too slow between attempts?). However, I found the package "Nikto" that is designed to probe servers and provoke a ban.... and it worked! I connected my desktop to my cellphone data, ran nikto on my https://domain and it provoked a ban! Tried from 2-3 IP addresses on VPN and without VPN. They all got banned, blocking access to the Jellyfin server. I reverted the decisions from crowdsec and within ~1 minute, I got back access to the Jellyfin server.

    In terms of guide, you already have all the material in this thread with the help you provided, I encourage you to publish it! 

    I am very happy with the outcome and the design of Crowdsec, thanks again!