How to make it work?

Hi, I was looking for a way to protect my self-hosted computer from DDoS attacks (mainly ping and a lot of visits to my site) and I found out about CrowdSec, but I'm not sure how it works. I installed the Debian package with the nginx bouncer, with parsers and scenarios (SSH, HTTP and others), but each time I try to use ping or ping stress it just keeps working and I do not see any blocking message or anything; the only thing I saw was it blocking my bad user agent (using curl) and Tor connections. So I'm not sure if I even installed it right, or how to make it block DDoS attacks and not just bad user agents, and if there is a file to edit, as my home connection is bad and the least DDoS attack will affect it for sure, because I think you guys made the files generic and for better connections.

Also, yes, I read the wiki, but not all of it because I'm still testing CrowdSec; I do not want to waste my time reading about an application that I'm not even sure I will use long term. Hope that's fine with you.

Thanks for your post.

I have a question before I start providing suggestions on how to fix it: do you plan to protect the SSH service as well as nginx?
In that case you would also need the firewall bouncer, as described in the installation guide at Install CrowdSec | CrowdSec. I assume the agent and bouncer you have installed were installed using these instructions. If not, removing what is already installed and reinstalling using those instructions would be the first part of the debugging process.

Assuming that part already works, we should start by finding out whether the agent works correctly and whether bouncers are installed. For that we'll use cscli. That command has to be run as root, so use your favorite method for that.
cscli alerts list (Has the agent seen anything it wants to alert on?)
cscli decisions list (Has it seen anything that it would want to block?)
cscli bouncers list (Are bouncers installed and added correctly?)

Let me know the results.

Thanks!

I do not even use SSH, so no.

Yes, I followed the guides there, so the first step is good.

I will post in the same order as your commands:

+----+------------------------------+-----------------------------------+---------+----+-----------+--------------------------------+
| ID |            VALUE             |              REASON               | COUNTRY | AS | DECISIONS |           CREATED AT           |
+----+------------------------------+-----------------------------------+---------+----+-----------+--------------------------------+
|  9 | crowdsec/community-blocklist | update : +662/-0 IPs              |         |    | ban:662   | 2021-11-14 13:51:21 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  8 | Ip:161.156.29.33             | crowdsecurity/http-bad-user-agent | US      |    | ban:1     | 2021-11-12 15:59:49.270138362  |
|    |                              |                                   |         |    |           | -0800 -0800                    |
|  7 | crowdsec/community-blocklist | update : +664/-0 IPs              |         |    | ban:57    | 2021-11-12 14:51:14 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  6 | crowdsec/community-blocklist | update : +666/-0 IPs              |         |    | ban:3     | 2021-11-12 12:51:14 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  5 | crowdsec/community-blocklist | update : +667/-0 IPs              |         |    | ban:2     | 2021-11-12 10:51:14 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  4 | crowdsec/community-blocklist | update : +668/-0 IPs              |         |    | ban:3     | 2021-11-12 08:51:09 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  3 | crowdsec/community-blocklist | update : +665/-0 IPs              |         |    |           | 2021-11-12 07:12:10 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
|  2 | Ip:167.94.138.42             | crowdsecurity/http-bad-user-agent | US      |    | ban:1     | 2021-11-11 22:29:55.949794573  |
|    |                              |                                   |         |    |           | -0800 -0800                    |
|  1 | crowdsec/community-blocklist | update : +578/-0 IPs              |         |    | ban:8     | 2021-11-11 22:24:31 -0800      |
|    |                              |                                   |         |    |           |                          -0800 |
+----+------------------------------+-----------------------------------+---------+----+-----------+--------------------------------+
No active decisions
-------------------------------------------------------------------------------------------------
 NAME              IP ADDRESS  VALID  LAST API PULL              TYPE                    VERSION 
-------------------------------------------------------------------------------------------------
 nginx-1636731563  127.0.0.1   ✔️      2021-11-12T07:39:24-08:00  crowdsec-nginx-bouncer  v0.0.7  
-------------------------------------------------------------------------------------------------
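The three cscli checks above answer "is anything detected?" and "is a bouncer registered?", but the bouncers table also tells you whether the bouncer is still fetching decisions: a bouncer polls the local API, so a stale LAST API PULL means it is installed but not enforcing anything. The following script is an added example, not part of the thread or of CrowdSec itself; it parses the human-readable table in the layout shown above (an assumption about the format), and the five-minute staleness threshold is a chosen value, not a CrowdSec default.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `cscli bouncers list` prints above;
# the name, type and timestamp are copied from the table in the thread.
SAMPLE_BOUNCERS = """\
-------------------------------------------------------------------------------------------------
 NAME              IP ADDRESS  VALID  LAST API PULL              TYPE                    VERSION
-------------------------------------------------------------------------------------------------
 nginx-1636731563  127.0.0.1   ✔️      2021-11-12T07:39:24-08:00  crowdsec-nginx-bouncer  v0.0.7
-------------------------------------------------------------------------------------------------
"""

# One data row: name, ip, validity mark, RFC 3339 pull time, bouncer type.
# Header and rule lines never carry a timestamp in column four, so they fail to match.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<valid>\S+)\s+"
    r"(?P<pull>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d)\s+(?P<type>\S+)"
)


def parse_bouncers(text):
    """Return one dict per bouncer row of `cscli bouncers list` output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "name": m["name"],
                "type": m["type"],
                # cscli prints a check mark when the bouncer's API key is still valid
                "valid": m["valid"].startswith("\u2714"),
                "last_pull": datetime.fromisoformat(m["pull"]),
            })
    return rows


def bouncer_problems(text, now, max_age=timedelta(minutes=5)):
    """List reasons why no bouncer can be enforcing decisions at time `now`."""
    bouncers = parse_bouncers(text)
    if not bouncers:
        return ["no bouncer registered: nothing can enforce decisions"]
    problems = []
    for b in bouncers:
        if not b["valid"]:
            problems.append(f"{b['name']}: API key revoked or invalid")
        age = now - b["last_pull"]
        if age > max_age:  # assumed threshold; bouncers normally poll every few seconds
            problems.append(f"{b['name']}: last pull {age} ago, bouncer not polling")
    return problems


if __name__ == "__main__":  # live check; cscli must run as root on the CrowdSec host
    out = subprocess.run(["cscli", "bouncers", "list"], capture_output=True,
                         text=True, check=True).stdout
    print("\n".join(bouncer_problems(out, datetime.now(timezone.utc))) or "bouncer healthy")
```

Run against the sample with a "now" of 2021-11-14 (the date of the newest alert in the thread) it reports the nginx bouncer's last pull as more than two days old, which is the kind of gap worth investigating before tuning any scenario.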

Thanks a lot. Everything seems to be in order, at least in terms of CrowdSec configuration. Also, from the looks of it, two IPs are already banned based on locally detected attacks.

To be honest, using nginx and the bouncer like this is not really the best way to protect against L7 DDoS attacks, since everything is on the same network you're trying to protect. Also, the nginx bouncer is a bit limited in that it can't block attackers by country (but we have created an issue on our GitHub to implement this, as it would help in cases like yours). Instead I would suggest looking at two other approaches:

I hope that helps you. If not, you're welcome to write again :)


Well, first of all, thanks to you too.

Oh, that seems lovely, please let me know when that happens (on Reddit).

Yeah, this idea seems more reasonable to me, I mean I will pay extra fees for a VPS…

Wait a minute, ddos - Config of nginx to filter http flood - Stack Overflow!

Happy to hear my replies make sense to you.

Regarding the Stack Overflow link: it works differently when doing filtering by country with CrowdSec. First of all, it's dynamic, so it cuts off a country only when a certain amount of attacks occur from that country. But that being said, this method could work to blacklist certain countries where there's no need to allow access from, like China (just to pick on one).
Also, a block is not necessarily a block. Both the Cloudflare and our WordPress/PHP bouncer do what we call flex bouncing, where we force users through a CAPTCHA so that human users are never cut off. Unfortunately the nginx bouncer doesn't support this.

Sorry, but that won't be possible. Instead I would advise you to watch or star the issue on GitHub so you will be automatically notified as the work progresses. The issue is available at Add support for country ban · Issue #20 · crowdsecurity/cs-nginx-bouncer · GitHub.