Question about bouncers

I haven’t installed a bouncer yet but after a few times trying out nikto against my system cscli ban list shows my IP on the ban list which is absolutely correct but I can’t see any connection to any bouncer since I haven’t got one so I was just wondering where I should be able to see what “bouncing” action had been triggered once I have one isntalled.

cscli ban list
1 local decisions:
| SOURCE |       IP       |        REASON        | BANS | ACTION | COUNTRY |            AS            | EVENTS | EXPIRATION |
| local  | | crowdsecurity/ssh-bf |    1 | ban    | DE      | 3320 Deutsche Telekom AG |      6 | 1h2m39s    |
And 100 records from API, 34 distinct AS, 19 distinct countries

Hello !

You can find a list of bouncers here:
The bouncers will consume the database that is fed by crowdsec and take actions.
In the current version, crowdsec is not aware of which and what bouncers exist or are reading the database (it’s going to change in the coming version but that’s another topic ^^).

The idea is that if you install the netfilter bouncer (which is the bouncer for linux firewall), whenever a new IP will be banned by crowdsec, it will be made aware of it and can add said IP or range to your iptables/ipset configuration to ban it.

On the other hand, if you are using the nginx bouncer, it will behave a bit differently : whenever it sees an IP it doesn’t know (within nginx), it is going to query the local database to check if the IP needs to be blocked.

Hoped I answered your question,

1 Like

Regarding the netfilter bouncer, Is there a way to get bouncer for Shorewall ?


The netfilter bouncer uses ipset so according to this document it should already “just work”

Yes I know that, I already use them :slight_smile:
But, it’s necessary to manually add the IPSETs to Shorewall…Currently, I populate to IPSETs chain (myAllowedIP and myBlockedIP) with a list of @IPs from countries I authorize or not.

If I install NetFilter Bouncer, how it works ?
It creates NetFilter IPSETs and it’ up to me to add them to shorewall ? or it creates them and add them automatically to iptables, somwhere ?

Thanks :wink:

AFAIK ipset generates 2 blacklists


These should be blocked/filtered/rejected/whatever on your Shorewall.

Thanks @thibault that was exactly the missing link in my understanding.