Hey,
I would like to escalate a captcha ban to a “full” ban if the banned IP keeps appearing in the logs.
Does anyone have an idea or suggestion on how to do that?
Yes, this can be achieved by inserting a profile above the one where you are enabling captchas (only use this approach if you would like to extend the ban timer beyond the default; if you do not, see option 2).
Option 1
```yaml
## Deal with persistent offenders: an IP that already has 3 or more decisions gets a full ban
name: anti_captcha_flood
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && GetDecisionsCount(Alert.GetValue()) > 2
decisions:
  - type: ban
    duration: 4h
on_success: break
---
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```
Or (this is the cleaner approach) you can extend the filter with a maximum decision count. I haven't tried this, but it should work.
Option 2
```yaml
name: captcha_remediation
filters:
  ## Only captcha if the scenario is http-based and the IP has fewer than 2 existing decisions;
  ## an IP with 2 or more decisions falls through to the default remediation below.
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http" && GetDecisionsCount(Alert.GetValue()) < 2
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```
You may want to improve this by only counting decisions since a date (see Helpers | CrowdSec), since if your retention policy is long it may result in an IP being instantly banned on returning after a couple of days or so.
E.g. a user has had 3 decisions in the last 2 hours, so they are just a bad actor, so ban instead.
Hope this helps!
Laurence
CrowdSec Support
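The "count only recent decisions" refinement from the answer above, written out as a complete profiles.yaml in the shape of option 2. This is an added example, not configuration from the original post or from the CrowdSec project; it uses the GetDecisionsSinceCount(value, since) helper from the CrowdSec expr helpers page the answer links to, and the 2h window and the threshold of 3 are assumptions taken from the answer's own example figures, so tune them to your traffic.

```yaml
## Added example (not from the original post): captcha an http scenario only while the
## IP has fewer than 3 decisions in the last 2 hours; once it reaches 3 in that window
## the first profile no longer matches and the alert falls through to the ban below.
## GetDecisionsSinceCount(value, since) counts decisions for `value` created within
## the duration `since`, so an offender returning days later starts from a clean count.
## The "2h" window and the threshold of 3 are assumed values.
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http" && GetDecisionsSinceCount(Alert.GetValue(), "2h") < 3
decisions:
  - type: captcha
    duration: 4h
## break: a captcha'd alert must not also reach the ban profile below
on_success: break
---
## Everything else: non-http scenarios, and http offenders with 3+ recent decisions
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break
```

Profile order matters: profiles are evaluated top to bottom and `on_success: break` stops at the first match, so the narrower captcha profile has to sit above the catch-all ban. To see what the helper will count for a given address before relying on it, list that address's decisions with `cscli decisions list --ip <address>` and compare the creation times against your chosen window.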