Isolate client machines

unknown404 · April 10, 2025, 1:49pm

Hello,

I’ve configured several CrowdSec machines (server 1, server 2…), and they are linked together via the API.

However, when I run the following command on server 1:

cscli decisions list --machine

I see the decisions of all the servers. I want this to be impossible and for it to return only the decisions of server 1 and not the others. The idea is to ensure the confidentiality of each client.

Thanks

iiAmLoz · April 11, 2025, 11:47am

The --machine flag just adds the machine ID to the output table it does not do any filtering you can do this by running cscli decisions list --machine | grep <machineid>

unknown404 · April 11, 2025, 12:08pm

In fact, I have several customers connected to my central API. I would not like my customer 1 to be able to execute commands that can see the decision of neighboring machines; I want to have some segmentation.

iiAmLoz · April 11, 2025, 5:43pm

cscli can only be ran as root / sudo privileges so you can restrict access to user accounts.

Unfortunately there is no client side segmentation unless you put a reverse proxy infront of the LAPI and match on the decisions route to block the access. (You can only just allow or deny)

unknown404 · April 23, 2025, 11:37am

Okay, thanks for the information

Topic		Replies	Views
Multiple blacklist/decision groups crowdsec	0	506	September 23, 2021
Decision not listed crowdsec	9	430	November 11, 2024
Using "Machines" crowdsec	11	1648	May 6, 2021
No decisions in `cscli decisions list` output crowdsec	2	170	August 30, 2024
My ip is in the decisions list	6	658	February 20, 2024

Isolate client machines

Related topics