Working with two bouncers

mwalol · July 6, 2022, 6:46pm

hi,

i have installed two bouncer, nginx and firewall-iptable one

the current behavor is when i block an ip, it’s blocked on both bouncers, it’s add on iptable and to a 403 forbidden page, i would like to be able to block ssh brute force attack (ssh-bf) or all syslogs with the iptable bouncer, and for the http/nginx collection i want to use only the nginx bouncer and not ban them on the iptable bouncer firewall.

i can’t see a way for now to do it, i was digging on how to write a profile to take action like :
filters:

Alert.Remediation == true && Alert.GetScope() == “Ip” && Alert.GetScenario() in [“crowdsecurity/ssh-bf”]
decisions:
type: ban

but type ban is used on both bouncer’s…

any work around this or maybe any way to define a new type?

klausagnoletti · September 7, 2022, 11:02am

Hi and sorry for the very late reply. You’re right in the sense that you need to edit profies.yaml. An example of doing more or less what you want is in the article we did on the nginx bouncer at The NGINX Bouncer v1.0 is out! - The open-source & collaborative IPS.

On a different note I would recommend you to join our Discord at CrowdSec for a faster reply another time.

Topic		Replies	Views
IP is not blocked after banning by hand crowdsec	3	1497	June 4, 2022
Newbie with CrowdSec crowdsec	2	780	April 30, 2021
Nubie need some assistant crowdsec	2	629	November 26, 2021
The bouncer decision would overwrite the manual decision? crowdsec	7	359	January 13, 2024
Sshd scenario test	1	620	October 5, 2020

Working with two bouncers

Related topics