Question about bouncers

ovizii · November 2, 2020, 3:53pm

I haven’t installed a bouncer yet but after a few times trying out nikto against my system cscli ban list shows my IP on the ban list which is absolutely correct but I can’t see any connection to any bouncer since I haven’t got one so I was just wondering where I should be able to see what “bouncing” action had been triggered once I have one isntalled.

cscli ban list
1 local decisions:
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
| SOURCE |       IP       |        REASON        | BANS | ACTION | COUNTRY |            AS            | EVENTS | EXPIRATION |
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
| local  | 80.142.111.111 | crowdsecurity/ssh-bf |    1 | ban    | DE      | 3320 Deutsche Telekom AG |      6 | 1h2m39s    |
+--------+----------------+----------------------+------+--------+---------+--------------------------+--------+------------+
And 100 records from API, 34 distinct AS, 19 distinct countries

thibault · November 3, 2020, 8:11am

Hello !

You can find a list of bouncers here: https://hub.crowdsec.net/browse/#bouncers
The bouncers will consume the database that is fed by crowdsec and take actions.
In the current version, crowdsec is not aware of which and what bouncers exist or are reading the database (it’s going to change in the coming version but that’s another topic ^^).

The idea is that if you install the netfilter bouncer (which is the bouncer for linux firewall), whenever a new IP will be banned by crowdsec, it will be made aware of it and can add said IP or range to your iptables/ipset configuration to ban it.

On the other hand, if you are using the nginx bouncer, it will behave a bit differently : whenever it sees an IP it doesn’t know (within nginx), it is going to query the local database to check if the IP needs to be blocked.

Hoped I answered your question,

sonix · November 3, 2020, 9:24am

Hi
Regarding the netfilter bouncer, Is there a way to get bouncer for Shorewall ?

Rgds

grant-veepshosting · November 4, 2020, 7:14am

The netfilter bouncer uses ipset so according to this document it should already “just work” https://shorewall.org/ipsets.html

sonix · November 4, 2020, 8:29am

Yes I know that, I already use them
But, it’s necessary to manually add the IPSETs to Shorewall…Currently, I populate to IPSETs chain (myAllowedIP and myBlockedIP) with a list of @IPs from countries I authorize or not.

If I install NetFilter Bouncer, how it works ?
It creates NetFilter IPSETs and it’ up to me to add them to shorewall ? or it creates them and add them automatically to iptables, somwhere ?

Thanks
Rgds

grant-veepshosting · November 5, 2020, 6:21am

AFAIK ipset generates 2 blacklists

crowdsec-blacklists
crowdsec6-blacklists

These should be blocked/filtered/rejected/whatever on your Shorewall.

ovizii · November 6, 2020, 8:48am

Thanks @thibault that was exactly the missing link in my understanding.

Topic		Replies	Views
[docker setup] local bouncer on host doesn't ban IPs	3	1155	September 30, 2023
Wrong ban decision with haproxy bouncer crowdsec	1	18	November 8, 2024
Cs-nginx-bouncer doesn't ban IPs crowdsec	0	29	January 14, 2025
Same IP keeps getting banned, CTI says it's in community blocklist - firewall rule issue? crowdsec	2	80	November 26, 2024
Crowdsec-blacklists empty	10	2045	November 28, 2020

Question about bouncers

Related topics