From a4faca0eefb405b912d7d7383ea87fe47b54ba71 Mon Sep 17 00:00:00 2001
From: Imran Remtulla
Date: Sat, 15 Nov 2025 04:27:20 -0500
Subject: [PATCH] Use CrowdSec to block malicious IPs
---
 crowdsec_config/acquis.yaml | 4 +++
 crowdsec_config/profiles.yaml | 14 +++++++++
 server.docker-compose.yaml | 58 +++++++++++++++++++++++++++++++++++
 traefik_dynamic_config.yaml | 6 ++++
 4 files changed, 82 insertions(+)
 create mode 100755 crowdsec_config/acquis.yaml
 create mode 100755 crowdsec_config/profiles.yaml
 create mode 100644 traefik_dynamic_config.yaml
diff --git a/crowdsec_config/acquis.yaml b/crowdsec_config/acquis.yaml
new file mode 100755
index 0000000..866ab5b
--- /dev/null
+++ b/crowdsec_config/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+ - /var/log/traefik/*
+labels:
+ type: traefik
\ No newline at end of file
diff --git a/crowdsec_config/profiles.yaml b/crowdsec_config/profiles.yaml
new file mode 100755
index 0000000..91c3d46
--- /dev/null
+++ b/crowdsec_config/profiles.yaml
@@ -0,0 +1,14 @@
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+ duration: 672h
+#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+# notifications:
+# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
\ No newline at end of file
diff --git a/server.docker-compose.yaml b/server.docker-compose.yaml
index cd2d4bc..45d5f56 100644
--- a/server.docker-compose.yaml
+++ b/server.docker-compose.yaml
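Review bot: acquis.yaml is created with mode 100755 and without a trailing newline; an acquisition file is data that CrowdSec reads, not a script, so it should be committed as 100644 (`chmod 644 crowdsec_config/acquis.yaml`) — profiles.yaml in this patch has the same mode and newline issue, and traefik_dynamic_config.yaml also lacks the final newline. The glob `/var/log/traefik/*` will ingest every file that later appears under that directory (rotated copies, anything else written there), which is fine if access.log is the only file but is worth narrowing to `- /var/log/traefik/access.log*` if Traefik's own log is ever pointed at the same directory.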
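Review bot: `duration: 672h` is a fixed four-week ban, with the escalating `duration_expr` and every notification channel left commented out, so a false positive (a shared NAT egress, an uptime probe, or the operator's own address after a misconfigured deploy) is locked out silently for 28 days with nothing to alert anyone. A shorter base such as `duration: 4h` combined with the commented `duration_expr` gives repeat offenders the long ban while keeping first-hit mistakes recoverable; the operator's own ranges should also be allowlisted (for example via the `crowdsecurity/whitelists` parser) before this sits in front of the Traefik and Authelia dashboards. Enabling at least one notification is the cheap way to notice a mistaken ban before the `cscli decisions delete` step is needed.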
@@ -60,6 +60,56 @@ services:
 - 6379
 restart: unless-stopped
+ crowdsec: # https://github.com/crowdsecurity/crowdsec
+ image: crowdsecurity/crowdsec:latest
+ container_name: crowdsec
+ environment:
+ GID: "${GID-1000}"
+ COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
+ depends_on:
+ - traefik
+ volumes:
+ - ./crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+ - ./crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
+ - crowdsec_db:/var/lib/crowdsec/data/
+ - traefik_access_logs:/var/log/traefik/:ro
+ networks:
+ - traefik
+ restart: unless-stopped
+ crowdsec-bouncer:
+ image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
+ container_name: crowdsec-bouncer
+ environment:
+ CROWDSEC_BOUNCER_API_KEY: "yRoByFyKf8q/mRg/gedtxE4XqJn+QdTBcSRsGLVx9b8" # cscli bouncers add crowdsecBouncer
+ CROWDSEC_AGENT_HOST: crowdsec:8080
+ networks:
+ - traefik
+ depends_on:
+ - crowdsec
+ restart: unless-stopped
+ crowdsec-dashboard:
+ image: metabase/metabase # crowdsec@crowdsec.net !!Cr0wdS3c_M3t4b4s3??
+ container_name: crowdsec-dashboard
+ depends_on:
+ - crowdsec
+ restart: unless-stopped
+ environment:
+ MB_DB_FILE: /data/metabase.db
+ MGID: "${GID-1000}"
+ networks:
+ - traefik
+ volumes:
+ - ./crowdsec_dash_db:/data # Bootstrap dashboard DB from https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip
+ - crowdsec_db:/metabase-data/
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.crowdsec-dashboard.rule=Host(`crowdsec.imranr.cloud`)"
+ - "traefik.http.routers.crowdsec-dashboard.entrypoints=websecure"
+ - "traefik.http.routers.crowdsec-dashboard.tls.certresolver=le"
+ - "traefik.http.routers.crowdsec-dashboard.tls=true"
+ - "traefik.http.routers.crowdsec-dashboard.middlewares=authelia@docker"
+ - "traefik.http.services.crowdsec-dashboard.loadbalancer.server.port=3000"
+
 traefik: # https://github.com/traefik/traefik
 image: traefik:latest
 container_name: traefik
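Review bot: `CROWDSEC_BOUNCER_API_KEY: "yRoByFy…"` commits a live bouncer credential to the repository, and the comment on the `metabase/metabase` image records the dashboard's bootstrap login next to it; both have to be treated as disclosed now that they are in history. Rotate the key (`cscli bouncers delete crowdsecBouncer` then `cscli bouncers add crowdsecBouncer`) and read it from the same untracked env file that already supplies `GID`, e.g. `CROWDSEC_BOUNCER_API_KEY: "${CROWDSEC_BOUNCER_API_KEY:?set in .env}"`, and change the Metabase admin password on first login instead of documenting it in the compose file — the `authelia@docker` middleware on the dashboard router limits exposure but does not replace that. The `crowdsec_db` mount into the dashboard container only needs read access, so `- crowdsec_db:/metabase-data/:ro` keeps Metabase from writing into the CrowdSec database. All three images are pulled untagged or at `:latest`; pinning at least the bouncer image is advisable, since that third-party image appears to be no longer maintained upstream and the maintained route is the Traefik CrowdSec plugin.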
@@ -85,12 +135,18 @@ services:
 - "--certificatesresolvers.le.acme.storage=./acme/acme.json"
 - "--certificatesresolvers.le.acme.tlschallenge=true"
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.19.0.1/32"
+ - "--accesslog=true"
+ - "--accesslog.filePath=/var/log/traefik/access.log"
+ - "--providers.file.filename=/etc/traefik/dynamic-configuration.yaml"
+ - "--entryPoints.websecure.http.middlewares=crowdsec-bouncer@file"
 ports:
 - "80:80"
 - "443:443"
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
 - traefik_acme:/acme
+ - traefik_access_logs:/var/log/traefik/
+ - ./traefik_dynamic_config.yaml:/etc/traefik/dynamic-configuration.yaml:ro
 labels:
 - "traefik.enable=true"
 - "traefik.http.routers.api.rule=Host(`traefik.imranr.cloud`)"
@@ -128,6 +184,8 @@ volumes:
 filebrowser_db:
 traefik_acme:
 authelia_db:
+ crowdsec_db:
+ traefik_access_logs:
 networks:
 traefik:
diff --git a/traefik_dynamic_config.yaml b/traefik_dynamic_config.yaml
new file mode 100644
index 0000000..6e8ec8f
--- /dev/null
+++ b/traefik_dynamic_config.yaml
@@ -0,0 +1,6 @@
+http:
+ middlewares:
+ crowdsec-bouncer:
+ forwardauth:
+ address: http://crowdsec-bouncer:8080/api/v1/forwardAuth
+ trustForwardHeader: true
\ No newline at end of file
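Review bot: `--entryPoints.websecure.http.middlewares=crowdsec-bouncer@file` attaches the bouncer to `websecure` only, while `"80:80"` is still published; unless the entrypoint bound to :80 (defined outside this hunk) redirects everything to HTTPS, plain-HTTP routers are served without consulting the ban list, so either confirm the redirect or add `--entryPoints.<http-entrypoint>.http.middlewares=crowdsec-bouncer@file` as well. The access log now lands in the `traefik_access_logs` named volume with no rotation, and Traefik only closes and reopens its log files on SIGUSR1, so on a long-running host the volume grows without bound; a logrotate rule that sends that signal (or an equivalent size cap) should accompany `--accesslog.filePath`. The traefik service definition continues outside this hunk.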
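Review bot: `trustForwardHeader: true` makes Traefik pass the `X-Forwarded-*` headers on to the bouncer as it received them, so the address the bouncer decides on is only as trustworthy as the entrypoint's `forwardedHeaders.trustedIPs` handling, which this patch does not show; with proxy protocol trusted from `172.19.0.1/32` in the compose file, verify in the bouncer's logs that the reported client address is the PROXY-protocol source rather than a header value the requester supplied. The key is spelled `forwardauth` while Traefik documents `forwardAuth`; matching the documented casing avoids depending on the file provider's case-insensitive key matching. The file should also end with a newline.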