Hello there,
We’ve implemented a POC, where we defined a custom scenarios, based on specific nginx log patterns. This is only been in staging so far, but we’re prepping to introduce it to our production environment.
I’ve tested the behavior of CrowdSec by ingesting logs and crowdsec was able to detect that activity and post alerts and ban IPs. I’ve only created scenario files, without adding bouncers to the config. My question is, would just a scenario will be enough to ban malicious IPs without a bouncer’s presence? My concern is that, I’ve only tested it via ingesting fake logs, so I’m wondering if it goes to prod and we get real malicious activity, will it take action and block those IPs or do we still need to add a bouncer piece to that?
Hope that I was able to explain my thought here, please let me know if the paragraph does not make sense.
Thank you.
So just having scenarios will allow CrowdSec Security Engine to detect malicious activities.
Without a bouncer there is no way for you to enforce these decisions as a bad actor can just keep exploiting the same thing over and over again.
We made these separate as you may want to enforce decision away from when the Security Engine is running.
2 Likes
So if you want to be sure, I would personally push just CrowdSec Security Engine to production. Allow some time to pass to ensure your custom scenarios do not generate false positives. Once you are happy that is when you should think about adding a bouncer.
2 Likes
Does it mean that the IPs listed as banned in the output of “cscli decisions list” are not truly banned unless I implement a bouncer component?
Thank you for your quick responses.
Does it mean that the IPs listed as banned in the output of “cscli decisions list” are not truly banned unless I implement a bouncer component?
Yes they are not truly banned as they are detected but you need the other component to enforce the decisions
1 Like
Just note that this is covered in our FAQ
1 Like
Thank you for the clarification. 
