Working with two bouncers

mwalol · July 6, 2022, 6:46pm

hi,

i have installed two bouncer, nginx and firewall-iptable one

the current behavor is when i block an ip, it’s blocked on both bouncers, it’s add on iptable and to a 403 forbidden page, i would like to be able to block ssh brute force attack (ssh-bf) or all syslogs with the iptable bouncer, and for the http/nginx collection i want to use only the nginx bouncer and not ban them on the iptable bouncer firewall.

i can’t see a way for now to do it, i was digging on how to write a profile to take action like :
filters:

Alert.Remediation == true && Alert.GetScope() == “Ip” && Alert.GetScenario() in [“crowdsecurity/ssh-bf”]
decisions:
type: ban

but type ban is used on both bouncer’s…

any work around this or maybe any way to define a new type?

klausagnoletti · September 7, 2022, 11:02am

Hi and sorry for the very late reply. You’re right in the sense that you need to edit profies.yaml. An example of doing more or less what you want is in the article we did on the nginx bouncer at The NGINX Bouncer v1.0 is out! - The open-source & collaborative IPS.

On a different note I would recommend you to join our Discord at CrowdSec for a faster reply another time.

Topic		Replies	Views
IP is not blocked after banning by hand crowdsec	3	1134	June 4, 2022
Newbie with CrowdSec crowdsec	2	705	April 30, 2021
The bouncer decision would overwrite the manual decision? crowdsec	7	173	January 13, 2024
Sshd scenario test	1	561	October 5, 2020
SSHD detection not working? crowdsec	27	1867	December 9, 2021

Working with two bouncers

Related Topics