I’m fairly new to CrowdSec but have decided to go all in with it, so I started by installing it on my OPNsense firewall a few months back. I then decided to set up the SWAG reverse proxy to access several services at home from outside, saw that I could also add CrowdSec to SWAG, and so I did. I was a bit surprised by the results: in a couple of hours I had more alerts and scenarios with the bouncer on the reverse proxy than the instance running on the firewall had in several months, as you can see below (left is the reverse proxy instance running in Docker inside Portainer; on the right is OPNsense running bare metal):
That made me question myself about the whole setup:
1- Should all the bouncers and agents be under the same instance or not?
2- If not, I assume that I can leave the setup the way it is and it will be fine?
My next step is to install the Cloudflare bouncer and, to be honest, I’m a bit lost on how to go about it, first of all due to my questions above and secondly because I’m unable to settle on the best way to proceed. That being said, a Docker Compose stack has my preference, so my question would be: should this run standalone, or should it be added to my current SWAG reverse proxy stack that already has SWAG, Authelia and the current bouncer you can see on the left of the image?
Additional questions:
3- Can I easily remove a bouncer from an instance to either move it to a different instance or delete it completely?
4- I see on the app.crowdsec.net page that the OPNsense instance is using agent version v1.4.1 and that v1.4.3 is available, but despite having tried to run an update of the different elements from the OPNsense UI, which didn’t work, I haven’t found a way to get this updated. So what’s the best way to do this, should I just remove it altogether and restart from scratch?
I’d appreciate any help/advice you guys and gals can provide me so that I can move forward in my CrowdSec journey.
You don’t necessarily have to. If it’s various “layers” protecting the same component, having separate instances works too. The good point of using one instance w/ all your bouncers and agents is that they all share the same decisions.
Yes
Not sure I figured out your exact setup, but I guess having the CF bouncer attached to the instances that process your web logs makes sense.
Yes, you can use cscli bouncers to add / remove API keys. When changing which LAPI a bouncer is attached to, remember that you need to edit its config file too!
We’re waiting for 1.4.3 to be merged into OPNsense too.
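The answer above covers moving a bouncer between LAPI instances in two steps: re-issue its key with cscli bouncers, then point the bouncer’s own config at the new LAPI. The POSIX shell helper below, as an added example that is not part of this thread or of CrowdSec’s own tooling, does both in one call. It assumes the LAPI runs in a Docker Compose service named "crowdsec" (a hypothetical name for this example), that cscli bouncers add NAME -o raw prints only the new key, and that the bouncer config holds the key and URL as one line each, either env-style (API_URL=, API_KEY=, as the nginx bouncer used by SWAG does) or YAML-style (crowdsec_lapi_url:, crowdsec_lapi_key:, as the Cloudflare bouncer does); the key names are passed as parameters so they can be corrected if a bouncer uses different ones. Note that cscli is part of the agent/LAPI install, so a bouncer-only container will not have it; run cscli where LAPI lives.

```shell
#!/bin/sh
# Added example: re-key a CrowdSec bouncer and rewrite its config to follow a LAPI.
# Assumes (hypothetical for this example) a Docker Compose service named "crowdsec"
# that holds the LAPI and therefore cscli. Bouncer-only containers have no cscli.

# Run cscli inside the LAPI container.
cscli_in_lapi() {
    docker compose exec -T crowdsec cscli "$@"
}

# Set KEY to VALUE in FILE. SEP is "=" for env-style files or ": " for YAML.
# Replaces an existing line or appends one. A temp file is used because
# "sed -i" differs between GNU and BSD sed.
set_config_value() {
    file=$1; key=$2; sep=$3; value=$4
    if grep -q "^${key}${sep}" "$file"; then
        sed "s|^${key}${sep}.*|${key}${sep}${value}|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# Print the current value of KEY in FILE (empty if absent).
get_config_value() {
    sed -n "s|^${2}${3}||p" "$1"
}

# Revoke the bouncer's old key in LAPI, issue a fresh one, write it into the
# bouncer's config and print it. Deleting an unknown name is not an error here,
# so this also works for a bouncer that was never registered on this LAPI.
rekey_bouncer() {
    name=$1; cfg=$2; key_name=$3; sep=$4
    cscli_in_lapi bouncers delete "$name" >/dev/null 2>&1 || true
    new_key=$(cscli_in_lapi bouncers add "$name" -o raw) || return 1
    set_config_value "$cfg" "$key_name" "$sep" "$new_key"
    printf '%s\n' "$new_key"
}

# Point a bouncer at another LAPI: rewrite the URL, then re-key it there.
move_bouncer() {
    name=$1; cfg=$2; url_key=$3; key_key=$4; sep=$5; new_url=$6
    set_config_value "$cfg" "$url_key" "$sep" "$new_url"
    rekey_bouncer "$name" "$cfg" "$key_key" "$sep"
}

# Usage (env-style nginx bouncer config, assumed key names):
#   move_bouncer swag-nginx /config/crowdsec/crowdsec-nginx-bouncer.conf \
#       API_URL API_KEY "=" http://crowdsec:8080
# Usage (YAML Cloudflare bouncer config, assumed key names):
#   move_bouncer cloudflare /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml \
#       crowdsec_lapi_url crowdsec_lapi_key ": " http://crowdsec:8080
# Afterwards restart the bouncer so it re-reads its config, and check with:
#   cscli_in_lapi bouncers list
```

Running the bouncer with a key that LAPI no longer knows is the usual cause of a bouncer showing up as inactive after a move, so checking the bouncer list after the restart confirms that the new key is actually in use.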
Many thanks for taking the time to answer my questions, things are clearer to me now. I still don’t understand why I have more alerts on the reverse proxy after a few hours than after months on the firewall.
Ideally, and FWIW, I would prefer to have all instances sharing the decisions, so I will need to see how I go about that.
Concerning the CF bouncer, as my CrowdSec service depends on SWAG (they’re all on the same stack), can I just add the CF bouncer at the end of the stack, or should I install it in a different stack/container altogether?
One last thing, how can I modify the ban period if that’s possible?
OK, so I managed to install the Cloudflare bouncer on my Docker stack, but following that I’ve noticed that, as you can see below, the SWAG bouncer is showing as inactive (2 days). It was showing fine prior to me adding the Cloudflare bouncer; not sure if it’s normal, but it doesn’t look normal to me.
The previous bouncer I added never had any additional information like the IP or version, but the Cloudflare one does, so again not sure if that’s normal or not, but it doesn’t look normal to me.
Also, I’m seeing 1 agent despite having 2 bouncers, and was expecting to see 2 agents and 2 bouncers; is this maybe explained by the fact that this is a Docker stack?
One last thing is that I wanted to try to do a cscli decisions list from the Cloudflare container, but when I want to connect to the console, it fails.
If anyone could help me see clearer on this, I would be very grateful.