I am new to CrowdSec and over this past weekend, I set up CrowdSec on my homelab running Caddy and Authelia. It seems to be working well, detecting a few alerts a day and banning the IPs (I have it set for the default 4h). I have also manually added an IP and confirmed that IPs are being banned properly.
When I do get an alert, I have been looking them up in the CrowdSec Threat Intelligence area of the website. When I do so, I see this:
On the “Blocklists containing this IP” section, I also see that it belongs to the ‘Firehol greensnow.co’ list which I subscribe to as part of one of my 3 free tier allowances. So far, every alert I have received says the IP belongs to the community blocklist.
The confusion may arise because when you join the CrowdSec network you get IPs based on the scenarios you are reporting; however, to make it fair to users that have been a part of the network for a long time, new joiners receive a limited list and will download the bigger list over time as long as they are actively reporting and contributing to the network.
No, you should get all IPs in a third-party list. Depending on your remediation (if only Caddy), it is not 100% blocking the IP address: it still responds with a 403 response code, meaning it will end up in the logs again, meaning it can re-trigger scenarios.
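To illustrate the point in the reply above about a Caddy-only remediation, here is a small added example (not part of the thread, and not CrowdSec's or Caddy's own code). It parses a few constructed Caddy JSON access-log lines, in the shape of Caddy's default JSON encoder (`request.remote_ip`, `request.uri`, `status`), and shows that requests from an already-banned IP are still written to the log as 403 responses, so a log-based parser keeps counting them per IP. The `BANNED` set and the log lines are constructed sample data; the counting here is a simplified stand-in for CrowdSec's own parsers and scenarios, not a reimplementation of them.

```python
import json
from collections import Counter

# Constructed Caddy JSON access-log lines (example data, not from the thread).
# 198.51.100.7 is the IP that already holds a CrowdSec decision; the Caddy
# bouncer answers its requests with 403, but each request is still logged.
SAMPLE_LOG = """
{"level":"info","ts":1700000000.1,"msg":"handled request","request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/wp-login.php"},"status":403}
{"level":"info","ts":1700000000.2,"msg":"handled request","request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/.env"},"status":403}
{"level":"info","ts":1700000000.3,"msg":"handled request","request":{"remote_ip":"198.51.100.7","method":"GET","uri":"/xmlrpc.php"},"status":403}
{"level":"info","ts":1700000000.4,"msg":"handled request","request":{"remote_ip":"203.0.113.9","method":"GET","uri":"/"},"status":200}
{"level":"info","ts":1700000000.5,"msg":"handled request","request":{"remote_ip":"203.0.113.9","method":"GET","uri":"/api/verify"},"status":401}
"""

# IPs currently banned by a CrowdSec decision (constructed for the example).
BANNED = {"198.51.100.7"}


def parse_caddy_log(text):
    """Turn Caddy JSON access-log lines into a list of small event dicts."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "ip": rec["request"]["remote_ip"],
            "uri": rec["request"]["uri"],
            "status": rec["status"],
        })
    return events


def requests_per_ip(events):
    """Count log entries per source IP, regardless of status code.
    A log-based detector sees banned and unbanned clients alike."""
    return Counter(e["ip"] for e in events)


def blocked_but_still_logged(events, banned):
    """Entries from banned IPs that the bouncer answered with 403.
    These reached the access log, so they can feed scenarios again."""
    return [e for e in events if e["ip"] in banned and e["status"] == 403]


if __name__ == "__main__":
    evs = parse_caddy_log(SAMPLE_LOG)
    print("requests per IP:", dict(requests_per_ip(evs)))
    for e in blocked_but_still_logged(evs, BANNED):
        print(f"banned IP {e['ip']} still logged: {e['status']} {e['uri']}")
```

Run against a real Caddy access log, the same logic makes the reply's observation visible: an IP with an active decision keeps producing 403 entries for as long as it keeps sending requests, and every one of those entries is input for the log parser.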