Working with two bouncers


I have installed two bouncers: nginx and the firewall-iptables one.

The current behavior is that when I block an IP, it’s blocked on both bouncers: it’s added to iptables and to a 403 forbidden page. I would like to be able to block SSH brute force attacks (ssh-bf) or all syslogs with the iptables bouncer, and for the http/nginx collection I want to use only the nginx bouncer and not ban them on the iptables bouncer firewall.

I can’t see a way to do it for now. I was digging into how to write a profile to take an action like:

  • Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() in ["crowdsecurity/ssh-bf"]
  • type: ban

But type ban is used on both bouncers…

Is there any workaround for this, or maybe any way to define a new type?

Hi, and sorry for the very late reply. You’re right in the sense that you need to edit profiles.yaml. An example of doing more or less what you want is in the article we did on the nginx bouncer at The NGINX Bouncer v1.0 is out! - The open-source & collaborative IPS.

On a different note, I would recommend that you join our Discord at CrowdSec for a faster reply another time.