I’m just running CrowdSec for the first time. I combined it with Suricata for the logs (added to acquis.yaml under the syslog paragraph). I’m coming from fail2ban, and I’m letting fail2ban run while I fully understand how to control CrowdSec, which means configuring it properly, the ban time, how to know which IPs are already banned, and how to unban an IP.
(I actually don’t know if the syslogs are parsed then or just omitted.)
And I ran cscli decisions list, and the IP of my VPS where CrowdSec is installed is in the decision list (IPv4 and IPv6).
Is that normal? Should I do something?
Create a whitelist:
cd /etc/crowdsec/parsers/s02-enrich/
sudo nano personal-whitelist.yaml
name: crowdsecurity/whitelists
description: "Whitelist events from my personal ips"
whitelist:
  reason: "internal traffic from my personal ips"
  # ranges (with a /prefix) go under cidr:, single addresses go under ip:
  cidr:
    - "192.168.178.0/24"
The /24 means all IPs in this range are whitelisted.
But you have a VPS on the Internet, so you must put in your static IP, without the /24!
then
Thanks, I’m going to check it by installing it on another VPS, but an Ubuntu one this time, and see if there is a difference. Maybe it is just with Fedora, but I’m going to follow the same kind of tutorial just to check.
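
A way to sanity-check a whitelist like the one in the answer before reloading CrowdSec, as an added example that is not part of the thread or CrowdSec's own code. It assumes the documented layout where single addresses go under ip and ranges under cidr; the dictionary stands in for the parsed YAML, and the addresses are constructed placeholders from documentation ranges.

```python
import ipaddress

# Constructed sample mirroring the "whitelist:" section of the file above.
# 203.0.113.10 and 2001:db8::10 are placeholders for a VPS's static addresses.
WHITELIST = {
    "ip": ["203.0.113.10", "2001:db8::10", "192.168.178.0/24"],  # last entry is misplaced
    "cidr": ["192.168.178.0/24"],
}

def lint(whitelist):
    """Return a list of problems: ranges under 'ip', invalid networks under 'cidr'."""
    problems = []
    for entry in whitelist.get("ip", []):
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"ip: {entry!r} is not a single address (move ranges to cidr)")
    for entry in whitelist.get("cidr", []):
        try:
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append(f"cidr: {entry!r} is not a valid network")
    return problems

def is_whitelisted(addr, whitelist):
    """True if addr equals a valid 'ip' entry or falls inside a valid 'cidr' entry."""
    target = ipaddress.ip_address(addr)
    for entry in whitelist.get("ip", []):
        try:
            if ipaddress.ip_address(entry) == target:
                return True
        except ValueError:
            continue  # unparseable entry matches nothing
    for entry in whitelist.get("cidr", []):
        try:
            if target in ipaddress.ip_network(entry, strict=True):
                return True
        except ValueError:
            continue
    return False

if __name__ == "__main__":
    for problem in lint(WHITELIST):
        print(problem)
    for addr in ("203.0.113.10", "2001:db8::10", "192.168.178.55", "203.0.113.11"):
        print(addr, "whitelisted" if is_whitelisted(addr, WHITELIST) else "not whitelisted")
```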