Question about bouncers

I haven’t installed a bouncer yet, but after a few times trying out nikto against my system, cscli ban list shows my IP on the ban list, which is absolutely correct. But I can’t see any connection to any bouncer since I haven’t got one, so I was just wondering where I should be able to see what “bouncing” action had been triggered once I have one installed.

cscli ban list
1 local decisions:
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
| SOURCE |       IP       |        REASON        | BANS | ACTION | COUNTRY |            AS            | EVENTS | EXPIRATION |
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
| local  | 80.142.111.111 | crowdsecurity/ssh-bf |    1 | ban    | DE      | 3320 Deutsche Telekom AG |      6 | 1h2m39s    |
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
And 100 records from API, 34 distinct AS, 19 distinct countries

Hello!

You can find a list of bouncers here: https://hub.crowdsec.net/browse/#bouncers
The bouncers will consume the database that is fed by crowdsec and take actions.
In the current version, crowdsec is not aware of which and what bouncers exist or are reading the database (it’s going to change in the coming version but that’s another topic ^^).

The idea is that if you install the netfilter bouncer (which is the bouncer for the linux firewall), whenever a new IP is banned by crowdsec, it will be made aware of it and can add said IP or range to your iptables/ipset configuration to ban it.

On the other hand, if you are using the nginx bouncer, it will behave a bit differently: whenever it sees an IP it doesn’t know (within nginx), it is going to query the local database to check if the IP needs to be blocked.

Hope I answered your question,

1 Like

Hi
Regarding the netfilter bouncer, is there a way to get a bouncer for Shorewall?

Rgds

The netfilter bouncer uses ipset so according to this document it should already “just work” https://shorewall.org/ipsets.html

Yes I know that, I already use them :slight_smile:
But it’s necessary to manually add the IPSETs to Shorewall. Currently, I populate two IPSET chains (myAllowedIP and myBlockedIP) with a list of IP addresses from countries I authorize or not.

If I install the NetFilter Bouncer, how does it work?
Does it create NetFilter IPSETs and leave it up to me to add them to Shorewall? Or does it create them and add them automatically to iptables, somewhere?

Thanks :wink:
Rgds

AFAIK ipset generates 2 blacklists

crowdsec-blacklists
crowdsec6-blacklists

These should be blocked/filtered/rejected/whatever on your Shorewall.
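As an added illustration (not code from the thread or from the CrowdSec project) of what the netfilter bouncer described earlier does with decisions and of the two ipset names just mentioned, here is a dry-run model in Python: it takes ban decisions, sorts each IP or range into the IPv4 or IPv6 set, and emits the ipset commands with a timeout equal to the decision's remaining lifetime. The decision field names (type/scope/value/duration) are an assumption about the record shape, and the sample decisions are constructed.

```python
"""Dry-run model of a netfilter-style bouncer: take CrowdSec ban decisions,
sort each value into the IPv4 or IPv6 ipset, and emit ipset commands whose
timeout matches the decision's remaining lifetime. The field names
(type/scope/value/duration) are an assumption about the decision record
shape; the sample decisions below are constructed, not real data."""
import ipaddress
import re

IPSET_V4 = "crowdsec-blacklists"   # set names quoted in the thread
IPSET_V6 = "crowdsec6-blacklists"

_DUR = re.compile(r"(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?")


def parse_duration(text):
    """Convert a Go-style duration such as '1h2m39s' (or '-5s' for an
    already expired decision) into whole seconds."""
    text = text.strip()
    sign = -1 if text.startswith("-") else 1
    m = _DUR.fullmatch(text.lstrip("-"))
    if not m or not any(m.groups()):
        raise ValueError(f"bad duration: {text!r}")
    h, mi, s = (float(x) if x else 0.0 for x in m.groups())
    return sign * int(h * 3600 + mi * 60 + s)


def ipset_for(value):
    """Pick the v4 or v6 set; single IPs and CIDR ranges are both accepted."""
    return IPSET_V4 if ipaddress.ip_network(value, strict=False).version == 4 else IPSET_V6


def decisions_to_commands(decisions):
    """Return the ipset commands for 'ban' decisions on IPs or ranges.
    Other decision types (e.g. captcha) and expired entries are skipped."""
    cmds = []
    for d in decisions:
        if d.get("type") != "ban" or d.get("scope", "").lower() not in ("ip", "range"):
            continue
        ttl = parse_duration(d["duration"])
        if ttl <= 0:
            continue  # expiration already passed, nothing to add
        cmds.append(f"ipset add {ipset_for(d['value'])} {d['value']} timeout {ttl} -exist")
    return cmds


# Constructed sample: the first entry mirrors the cscli ban list output above.
SAMPLE_DECISIONS = [
    {"type": "ban", "scope": "Ip", "value": "80.142.111.111", "duration": "1h2m39s"},
    {"type": "ban", "scope": "Range", "value": "2001:db8::/32", "duration": "30m0s"},
    {"type": "captcha", "scope": "Ip", "value": "198.51.100.7", "duration": "5m"},
    {"type": "ban", "scope": "Ip", "value": "203.0.113.9", "duration": "-5s"},
]

if __name__ == "__main__":
    print("\n".join(decisions_to_commands(SAMPLE_DECISIONS)))
```

Pointing a Shorewall blacklist rule at the two set names is then the only remaining step, which is what the reply above describes.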

Thanks @thibault that was exactly the missing link in my understanding.