Increase crowdsec ban time exponentially for repeat offenders
Increase crowdsec ban time exponentially for repeated offenders, by simply updating profiles.yaml
This example shows you how to increment ban time for repeated offenders with crowdsec for nginx. It features a captcha wall, then a classic IP ban.
Pre-requisites
- Docker – I use community edition, version 20.10.25
- docker-compose – I use the latest version v2.22.0
- frontend docker network:
docker network create frontend
- A working swag nginx instance with some proxified apps and sites
- Swag nginx and Crowdsec to be in the same docker network 😉
- A working crowdsec bouncer attached to your swag instance
How To Apply Incremental Ban Time
To apply incremental ban time, simply modify /docker/crowdsec/config/profiles.yaml:
```yaml
name: ip_remediation_captcha
# debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains 'http' && GetDecisionsCount(Alert.GetValue()) < 2
decisions:
  - type: captcha # https://doc.crowdsec.net/docs/bouncers/php-lib/#ban-and-captcha-walls
    duration: 40h
# optional: activate notifications
notifications:
  # - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
  # - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
  # - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
  # - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
  - discord # Set the required discord parameters in /etc/crowdsec/notifications/discord.yaml before enabling this.
on_success: break
---
name: ip_remediation_ban
# debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 40h
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 100)
notifications:
  - discord # Set the required discord parameters in /etc/crowdsec/notifications/discord.yaml before enabling this.
on_success: break
```
This example uses a captcha as the first crowdsec remediation, for 40h, on the first offense only.
Every repeat offender then triggers the second filter, which is an IP ban, for (nb.alerts x 100 x 40h) more each time. Adapt to your needs!
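To check what a given offense will get before deploying the file, the two profiles can be modelled offline. This is an added example, not code from the original post or from CrowdSec: the function names are hypothetical, the scenario names are sample values, `Alert.Remediation` is taken to be true, and it assumes each alert leaves exactly one decision in the database for that IP and none are flushed.

```python
"""Offline model of the two profiles in profiles.yaml above (added example)."""

def captcha_filter(scope, scenario, prior_decisions):
    # Alert.GetScope() == "Ip" && Alert.GetScenario() contains 'http'
    #   && GetDecisionsCount(Alert.GetValue()) < 2
    return scope == "Ip" and "http" in scenario and prior_decisions < 2

def ban_filter(scope, scenario, prior_decisions):
    # Alert.GetScope() == "Ip"
    return scope == "Ip"

def ban_duration(prior_decisions):
    # duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 100)
    # When duration_expr is set, it is used instead of the static "duration: 40h".
    return "%dh" % ((prior_decisions + 1) * 100)

# Profiles are evaluated in file order: (name, filter, decision type, duration).
PROFILES = [
    ("ip_remediation_captcha", captcha_filter, "captcha", lambda n: "40h"),
    ("ip_remediation_ban", ban_filter, "ban", ban_duration),
]

def decide(scope, scenario, prior_decisions):
    """Return (profile, type, duration) for the first matching profile, or None."""
    for name, matches, decision_type, duration in PROFILES:
        if matches(scope, scenario, prior_decisions):
            # on_success: break -> stop at the first profile that applies
            return name, decision_type, duration(prior_decisions)
    return None

def schedule(scenario, offenses):
    """(type, duration) for successive alerts from one IP.

    Assumption: prior_decisions grows by one per alert.
    """
    return [decide("Ip", scenario, n)[1:] for n in range(offenses)]

if __name__ == "__main__":
    # Constructed inputs: one http scenario, one non-http scenario.
    for scenario in ("crowdsecurity/http-probing", "crowdsecurity/ssh-bf"):
        print(scenario, schedule(scenario, 5))
```

Non-http scenarios never match the captcha profile, so they go straight to the ban profile.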
To go further: