I hope someone can help me out here. I'm new to CrowdSec and just have a basic webserver.
I want to protect SSH from failed logins, as well as block IPs producing repeated HTTP 400-599 errors.
On fail2ban I use a simple regex on the nginx access logs: ^.*"(GET|HEAD|POST|PUT|DELETE|CONNECT|OPTIONS|TRACE|PATCH).*" (4[0-9][0-9]|5[0-9][0-9]) .*$
Hi, I'm sorry, I'm honestly absolutely new to this. Do I just create that YAML file? How would I activate it or assign it to the actual nginx logs?
P.S. It's not just for crawlers, but people actively trying to download stuff from my site using HTTP headers that are not verified by my backend, and I'm sending them a 401. But there are thousands of these log lines.
It actually works like that! That's awesome, thank you so much.
Just one question, though: I don't quite understand leakspeed, capacity and cache size,
as well as how to define the 'punishment'.
Leakspeed, in simple terms, is like… the timeframe in which the amount of 'logs' (capacity) is needed for this scenario to be triggered and ban the source.
What do cache_size and blackhole do? And how do I define the 'punishment'?
I'd like to put it like… max. 5 occurrences in the last 5 minutes, and ban for 10 hours.
Also, after removing the ban once (using cscli decisions delete -i <IP>), is the scenario no longer triggered for this IP?
Remediation time is handled by profiles. See the scenario Format page in the CrowdSec docs. Setting it to anything but true in the scenario will cause no bans to happen.
cache_size
Cache size limits the number of "in memory" objects; it means that at any point it will only ever hold the last 5, to reduce RAM allocation. This is useful for a high-capacity bucket, e.g. 1000 capacity but only 10 in memory at once.
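A worked example, added here and not taken from any post in this thread or from the CrowdSec hub, covering both the earlier question (how to point a custom scenario at the nginx logs) and the tuning discussed above (leakspeed, capacity, blackhole, cache_size, and the ban duration). It is three separate files shown in one fence, each introduced by a comment giving the path it would live at. Assumptions: the log paths and the scenario name local/http-4xx-5xx-burst are placeholders; the fields evt.Meta.service, evt.Meta.log_type, evt.Meta.http_status and evt.Meta.source_ip are those populated by the hub's crowdsecurity/nginx-logs parser (installed with the crowdsecurity/nginx collection), so the scenario does nothing without that parser; the profile is the stock default_ip_remediation profile with only the duration changed.

```yaml
# --- /etc/crowdsec/acquis.yaml -------------------------------------------
# Tells the agent which files to read and which parser family applies.
# "type: nginx" routes lines to the hub nginx parser; "type: syslog" routes
# auth.log to the syslog parser that the crowdsecurity/sshd collection builds on.
filenames:
  - /var/log/nginx/access.log        # assumed path
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log                # assumed path (Debian/Ubuntu style)
labels:
  type: syslog
---
# --- /etc/crowdsec/scenarios/local-http-4xx-5xx-burst.yaml ----------------
# Leaky bucket: one bucket per source IP (groupby). Each matching line adds
# one event; the bucket leaks one event per leakspeed. It overflows, and
# raises an alert, when it holds more than `capacity` events, so with
# capacity 5 and leakspeed 1m a sixth 4xx/5xx response within roughly five
# minutes triggers it, which is the "5 in 5 minutes" asked for above.
type: leaky
name: local/http-4xx-5xx-burst        # hypothetical name
description: "Many HTTP 4xx/5xx responses from a single IP on nginx"
filter: "evt.Meta.service == 'http' && evt.Meta.log_type == 'http_access-log' && evt.Meta.http_status matches '^[45][0-9]{2}$'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "1m"
# After an overflow, further events from the same IP are ignored for this
# long, so one noisy client does not produce an alert per request.
blackhole: 10m
# Only the last N events are kept in memory per bucket; they are what the
# alert carries as evidence. Keep it <= capacity unless you need more context.
cache_size: 5
labels:
  service: http
  type: scan
  # The default profile only turns an alert into a ban when the scenario
  # carries remediation: true; any other value means an alert but no decision.
  remediation: true
---
# --- /etc/crowdsec/profiles.yaml -----------------------------------------
# Profiles decide the "punishment". This is the stock default profile with
# the ban length raised from 4h to the 10h asked for in the thread.
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 10h
on_success: break
```

Usage: install the hub pieces first (cscli collections install crowdsecurity/nginx and cscli collections install crowdsecurity/sshd, the latter already covering the failed-SSH-login case), drop the scenario file into /etc/crowdsec/scenarios/, then restart the crowdsec service and watch cscli metrics to confirm the nginx lines are being parsed and the scenario is receiving events. Two practical notes: cscli decisions delete -i <IP> removes only the decision, it does not touch the in-memory bucket, so the same IP is banned again as soon as it overflows after the blackhole period; and a scenario whose labels lack remediation: true still raises alerts (visible in cscli alerts list and the console) but never produces a ban under the default profile.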
I'm new to this too.
Do we see the alert compiled right away on the online dashboard at the CrowdSec website, or does it refresh only every few hours?
I've combined Suricata and CrowdSec on one of my setups for the moment.
Also, is it okay to let fail2ban run alongside CrowdSec?