This is incorrect, it does work with the jc21 image. However, since the jc21 image does not ship with a remediation component installed, there is no way within that image to enforce the decisions that CrowdSec makes (we can still parse the logs and make decisions, just no enforcement on that side, hence the paragraph below). Hence lepresidente has a fork of the image to do this; I see a lot of people are also turning to NPMPlus, maintained by another user.
Now you can use the Linux firewall remediation to enforce decisions, but this only works if you do not use an upstream proxy like Cloudflare, as when the proxy is enabled, at layer 3/4 all the firewall can see is the Cloudflare IP address, not the proxied IP that is at layer 7.
Sorry, I don't understand your answer. What is possible with the JC21 one which is not possible, or possible, with the one of lepresidente? What are the advantages of lepresidente?
As mentioned, I already use CrowdSec with the Firewall Bouncer for the SSH service. No Cloudflare involved.
You can block requests within Nginx itself rather than relying on the firewall; this is only useful if you want to use captcha remediation.
If you already use the firewall bouncer, then you can enable the DOCKER_USER chain within the configuration file; this will then start blocking requests that are proxied by Docker. As Docker uses NAT to expose services, you must enable this chain.
Sorry, I still do not get what the difference between the JC21 and the Lepresidente image should be.
As mentioned, I use the JC21 image, with CrowdSec already installed on the machine, securing e.g. the SSH service.
Firewall bouncer enabled. UFW + ufw-docker enabled on the host.
The difference is the jc21 image does not have this remediation component installed within it, as Lepresidente's fork does.
If you don't use an upstream proxy like Cloudflare, then you can just use the jc21 image, point CrowdSec towards the logs, enable the DOCKER_USER chain within the firewall bouncer configuration, and that's it.
You don't have to use Lepresidente's fork; it's just there as an option if you do use an upstream proxy like Cloudflare.
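Why the Docker chain matters in practice: traffic for a port published by Docker is DNATed and traverses FORWARD and DOCKER-USER, so a bouncer rule that lives only in INPUT never sees it. The script below is an added example (not code from the thread, the jc21 image or the CrowdSec project) that checks the output of `iptables -S` for the bouncer's drop rule in each chain. It assumes the rule shape the firewall bouncer uses in iptables mode (`-m set --match-set crowdsec-blacklists src -j DROP`, or `crowdsec6-blacklists` for IPv6); the rule listing itself is constructed for the example.

```python
import re

# Constructed sample of `iptables -S` on a Docker host where the
# crowdsec-firewall-bouncer was configured with only the INPUT chain.
# Other rules are typical Docker/UFW entries, abbreviated.
SAMPLE_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-USER
-N ufw-user-input
-A INPUT -m set --match-set crowdsec-blacklists src -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j ufw-user-input
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
-A DOCKER -d 172.17.0.2/32 -p tcp -m tcp --dport 443 -j ACCEPT
"""

# Matches the bouncer's match-set rule and captures the chain it sits in.
# Assumption: ipset names crowdsec-blacklists / crowdsec6-blacklists.
CROWDSEC_RULE = re.compile(
    r"^-A (?P<chain>\S+) .*--match-set crowdsec6?-blacklists src -j (?:DROP|REJECT)"
)


def chains_with_crowdsec_rule(rules_text):
    """Return the set of chains that carry the bouncer's drop rule."""
    chains = set()
    for line in rules_text.splitlines():
        m = CROWDSEC_RULE.match(line.strip())
        if m:
            chains.add(m.group("chain"))
    return chains


def missing_chains(rules_text, required=("INPUT", "DOCKER-USER")):
    """Chains the bouncer should hook on a Docker host but does not.

    INPUT covers services bound directly on the host (e.g. sshd);
    DOCKER-USER covers ports published by Docker, which bypass INPUT.
    """
    present = chains_with_crowdsec_rule(rules_text)
    return [c for c in required if c not in present]


def diagnose(rules_text):
    """Human-readable summary for an admin checking a host."""
    missing = missing_chains(rules_text)
    if not missing:
        return "bouncer rule present in all required chains"
    return "bouncer rule missing in: " + ", ".join(missing)


if __name__ == "__main__":
    # On a real host: diagnose(subprocess.check_output(["iptables", "-S"], text=True))
    print(diagnose(SAMPLE_RULES))
```

On a real host, feed the function the live listing (`iptables -S`, and `ip6tables -S` for the IPv6 set). If DOCKER-USER is reported missing, add it to the bouncer's `iptables_chains` list in its configuration and restart the bouncer; the check should then report all chains present.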
I am using Cloudflare Tunnel. I have the below questions.
Lepresidente's fork seems to have been last updated several months ago. When will this be updated again?
Is Captcha the only option it provides?
I am using Vaultwarden and I am afraid it may not support captcha-based revalidation? Also, I want to stay with the original jc21 image as I will get updates immediately. In that case, will CrowdSec be useful? I tried to ban an IP, but I am still able to connect to my Vaultwarden. Is this due to Cloudflare? Any workaround or suggestion?
Don't know, we are not LePresidente; best to open an issue on the GitHub fork.
Is Captcha the only option it provides?
No, it provides ban and captcha.
I am using Vaultwarden and I am afraid it may not support captcha-based revalidation? Also, I want to stay with the original jc21 image as I will get updates immediately. In that case, will CrowdSec be useful? I tried to ban an IP, but I am still able to connect to my Vaultwarden. Is this due to Cloudflare? Any workaround or suggestion?
Well, the issue here is you cannot just use the firewall remediation, as when using Cloudflare with proxy enabled, the firewall can only see the Cloudflare IP address connecting at layer 3/4. The only other suggestion is either to use the Cloudflare remediation, but that comes with various limits if you are on the free plan, OR to use another fork which is updated regularly, like NPMPlus by ZoeyVid.
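To make the layer 3/4 versus layer 7 point concrete: the following is an added example (not code from the thread, CrowdSec or any of the NPM images) that models both checks against the same ban list. At the firewall, the only address available is the TCP peer, which behind a proxy is the edge address; inside the web server the real client address arrives in the `CF-Connecting-IP` header, and a bouncer running there can match it. The example also handles the edge case that makes this safe: the header is only trusted when the connection really comes from a trusted proxy range, otherwise anyone connecting directly could forge it. The ban list, the addresses and the "edge range" (a documentation prefix standing in for Cloudflare's published ranges) are constructed for the example; with Cloudflare Tunnel the layer 3 peer is the local cloudflared connector rather than an edge address, which makes the firewall-side check even less useful.

```python
import ipaddress

# Constructed: a stand-in for the trusted proxy (edge) ranges. In a real
# deployment this list is loaded from Cloudflare's published IP ranges.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed: CrowdSec "ban" decisions as a bouncer would hold them.
BANNED = {ipaddress.ip_address("203.0.113.7")}


def firewall_sees_banned(src_ip, banned=BANNED):
    """Layer 3/4 check: all the firewall bouncer can compare is the
    TCP source address. Behind a proxy that is the edge, not the client."""
    return ipaddress.ip_address(src_ip) in banned


def client_ip_from_request(src_ip, headers, trusted=TRUSTED_PROXY_RANGES):
    """Layer 7 check: recover the real client address from CF-Connecting-IP,
    but only if the peer is a trusted proxy. From any other peer the header
    is attacker-controlled, so the peer address is used instead."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in trusted):
        hdr = headers.get("CF-Connecting-IP")
        if hdr:
            try:
                return ipaddress.ip_address(hdr)
            except ValueError:
                return src  # malformed header: fall back to the peer
    return src


def nginx_sees_banned(src_ip, headers, banned=BANNED, trusted=TRUSTED_PROXY_RANGES):
    """What a bouncer running inside the web server can decide."""
    return client_ip_from_request(src_ip, headers, trusted) in banned


# Constructed requests.
# 1) Proxied: TCP peer is the edge, the banned client is in the header.
PROXIED = ("198.51.100.10", {"CF-Connecting-IP": "203.0.113.7"})
# 2) Direct connection from an untrusted peer forging the same header.
FORGED = ("192.0.2.50", {"CF-Connecting-IP": "203.0.113.7"})


if __name__ == "__main__":
    src, hdrs = PROXIED
    print("firewall blocks proxied request:", firewall_sees_banned(src))
    print("nginx blocks proxied request:   ", nginx_sees_banned(src, hdrs))
    src, hdrs = FORGED
    print("nginx blocks forged request:    ", nginx_sees_banned(src, hdrs))
```

The proxied request passes the firewall check (the edge address is not banned) but is caught at layer 7; the forged request is not treated as the banned client because its peer is outside the trusted ranges. In nginx-based images the equivalent of `client_ip_from_request` is the `real_ip` module (`set_real_ip_from` for the trusted ranges, `real_ip_header CF-Connecting-IP`), which a layer 7 remediation component then relies on.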
I am on the free plan and it started throwing limit notifications every day. Is there a way to run a custom command for the firewall bouncer whenever it detects bad IPs?
I configured fail2ban to block an IP via its Cloudflare functionality. But I am afraid it uses a very basic method (log parsing using regex to find bad IPs). Instead, if I can combine it with the firewall bouncer offered by CrowdSec, then I won't run into the limit issue, as Fail2ban uses some API to directly ban bad IPs that try to connect to my server instead of trying to add the entire community list.