I’ve been running CrowdSec for a month or so now and the same IP keeps triggering alerts, gets banned for some time, then alerts again. When I look up that IP in CTI, it says it’s in the community blocklist. I’m using the firewall bouncer on Ubuntu.
I am using Docker to host my services and Docker bypasses the iptables input chain… So I think that is why this IP wasn’t blocked in the first place (and many more apparently).
In /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml I had to uncomment the DOCKER-USER chain like so:
Dear @riley, thanks so much for this post! Took me half a day to figure out how to filter Docker traffic with the iptables bouncer. My pushover was flooded with notifications.
Appreciate that you shared this with the community.
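An added example, not part of the original thread: a check for the gap described above, where the firewall bouncer's chain list leaves DOCKER-USER commented out on a Docker host. The `iptables_chains` key and the sample configs are assumptions constructed for illustration, and the parser is a minimal line reader rather than a YAML library.

```python
import re

# Constructed sample resembling a firewall bouncer config (assumption, not from the thread).
SAMPLE_BEFORE = """\
mode: iptables
iptables_chains:
  - INPUT
#  - FORWARD
#  - DOCKER-USER
deny_action: DROP
"""
# Same file with the DOCKER-USER entry uncommented, as the post describes.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("#  - DOCKER-USER", "  - DOCKER-USER")


def active_chains(config_text, key="iptables_chains"):
    """Return the uncommented list entries under `key`."""
    chains, in_list = [], False
    for line in config_text.splitlines():
        stripped = line.strip()
        if not in_list:
            # Look for the top-level key that opens the chain list.
            in_list = re.match(rf"^{re.escape(key)}\s*:\s*(#.*)?$", line) is not None
            continue
        if not stripped or stripped.startswith("#"):
            continue  # blank line or commented-out entry: not active
        if stripped.startswith("-"):
            value = stripped[1:].split("#", 1)[0].strip()
            chains.append(value.strip("\"'"))
            continue
        break  # any other line is the next key, so the list has ended
    return chains


def docker_gap(config_text, docker_in_use=True):
    """True when Docker is in use but DOCKER-USER is not an active bouncer chain."""
    return docker_in_use and "DOCKER-USER" not in active_chains(config_text)


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, active_chains(text), "gap" if docker_gap(text) else "ok")
```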