Use CrowdSec to block malicious IPs

2026-04-24 06:38:36 -04:00 · 2025-11-15 04:27:20 -05:00
parent 43118ca1ae
commit a4faca0eef
4 changed files with 82 additions and 0 deletions
--- a/crowdsec_config/acquis.yaml
+++ b/crowdsec_config/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/traefik/*
+labels:
+  type: traefik
--- a/crowdsec_config/profiles.yaml
+++ b/crowdsec_config/profiles.yaml
@@ -0,0 +1,14 @@
+name: default_ip_remediation
+#debug: true
+filters:
+    - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+    - type: ban
+      duration: 672h
+#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
+# notifications:
+#   - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
--- a/server.docker-compose.yaml
+++ b/server.docker-compose.yaml
@@ -60,6 +60,56 @@ services:
            - 6379
        restart: unless-stopped

+    crowdsec: # https://github.com/crowdsecurity/crowdsec
+        image: crowdsecurity/crowdsec:latest
+        container_name: crowdsec
+        environment:
+            GID: "${GID-1000}"
+            COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
+        depends_on:
+            - traefik
+        volumes:
+            - ./crowdsec_config/acquis.yaml:/etc/crowdsec/acquis.yaml:ro
+            - ./crowdsec_config/profiles.yaml:/etc/crowdsec/profiles.yaml:ro
+            - crowdsec_db:/var/lib/crowdsec/data/
+            - traefik_access_logs:/var/log/traefik/:ro
+        networks:
+            - traefik
+        restart: unless-stopped
+    crowdsec-bouncer:
+        image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
+        container_name: crowdsec-bouncer
+        environment:
+            CROWDSEC_BOUNCER_API_KEY: "yRoByFyKf8q/mRg/gedtxE4XqJn+QdTBcSRsGLVx9b8" # cscli bouncers add crowdsecBouncer
+            CROWDSEC_AGENT_HOST: crowdsec:8080
+        networks:
+            - traefik
+        depends_on:
+            - crowdsec
+        restart: unless-stopped
+    crowdsec-dashboard:
+        image: metabase/metabase # crowdsec@crowdsec.net !!Cr0wdS3c_M3t4b4s3??
+        container_name: crowdsec-dashboard
+        depends_on:
+            - crowdsec
+        restart: unless-stopped
+        environment:
+            MB_DB_FILE: /data/metabase.db
+            MGID: "${GID-1000}"
+        networks:
+            - traefik
+        volumes:
+            - ./crowdsec_dash_db:/data # Bootstrap dashboard DB from https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip
+            - crowdsec_db:/metabase-data/
+        labels:
+            - "traefik.enable=true"
+            - "traefik.http.routers.crowdsec-dashboard.rule=Host(`crowdsec.imranr.cloud`)"
+            - "traefik.http.routers.crowdsec-dashboard.entrypoints=websecure"
+            - "traefik.http.routers.crowdsec-dashboard.tls.certresolver=le"
+            - "traefik.http.routers.crowdsec-dashboard.tls=true"
+            - "traefik.http.routers.crowdsec-dashboard.middlewares=authelia@docker"
+            - "traefik.http.services.crowdsec-dashboard.loadbalancer.server.port=3000"
+
    traefik: # https://github.com/traefik/traefik
        image: traefik:latest
        container_name: traefik
@@ -85,12 +135,18 @@ services:
            - "--certificatesresolvers.le.acme.storage=./acme/acme.json"
            - "--certificatesresolvers.le.acme.tlschallenge=true"
            - "--entryPoints.websecure.proxyProtocol.trustedIPs=172.19.0.1/32"
+            - "--accesslog=true"
+            - "--accesslog.filePath=/var/log/traefik/access.log"
+            - "--providers.file.filename=/etc/traefik/dynamic-configuration.yaml"
+            - "--entryPoints.websecure.http.middlewares=crowdsec-bouncer@file"
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock
            - traefik_acme:/acme
+            - traefik_access_logs:/var/log/traefik/
+            - ./traefik_dynamic_config.yaml:/etc/traefik/dynamic-configuration.yaml:ro
        labels:
            - "traefik.enable=true"
            - "traefik.http.routers.api.rule=Host(`traefik.imranr.cloud`)"
@@ -128,6 +184,8 @@ volumes:
    filebrowser_db:
    traefik_acme:
    authelia_db:
+    crowdsec_db:
+    traefik_access_logs:

 networks:
    traefik:
--- a/traefik_dynamic_config.yaml
+++ b/traefik_dynamic_config.yaml
@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    crowdsec-bouncer:
+      forwardauth:
+        address: http://crowdsec-bouncer:8080/api/v1/forwardAuth
+        trustForwardHeader: true