IT Cooking

Success is just one script away

Increase crowdsec ban time exponentially for repeat offenders


Increase the crowdsec ban time for repeat offenders with every new offense, simply by updating profiles.yaml! This example shows how to increment the ban time for repeat offenders with crowdsec in front of nginx: a captcha wall first, then a classic IP ban.

Pre-requisites

How To Apply Incremental Ban Time

To apply an incremental ban time, modify profiles.yaml (in this Docker setup it lives at /docker/crowdsec/config/profiles.yaml) and restart crowdsec afterwards, since the local API only reads the profiles at startup:

name: ip_remediation_captcha
# debug: true
filters:
 # IP-scoped alerts from http scenarios only, and only while the local API database
 # holds fewer than two decisions for this IP (the alert being evaluated is not stored yet, so it is not counted)
 - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains 'http' && GetDecisionsCount(Alert.GetValue()) < 2
decisions:
 - type: captcha     # needs a bouncer that supports captcha, like the nginx bouncer: https://doc.crowdsec.net/docs/bouncers/php-lib/#ban-and-captcha-walls
   duration: 40h
# optional: activate notifications
notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
  - discord        # Set the required discord parameters in /etc/crowdsec/notifications/discord.yaml before enabling this.
on_success: break   # a match here ends the evaluation, the ban profile below is not reached

---
name: ip_remediation_ban
# debug: true
filters:
 # catches every remaining IP-scoped alert: repeat offenders and non-http scenarios
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 40h   # fallback only, used when duration_expr is absent or fails to evaluate
# (decisions already on record for this IP + 1) * 100 hours, i.e. 100h more for every earlier decision
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 100)
notifications:
  - discord        # Set the required discord parameters in /etc/crowdsec/notifications/discord.yaml before enabling this.
on_success: break

The first profile hands out a 40h captcha instead of a ban, but only for alerts from http scenarios and only while the IP has fewer than two decisions on record (GetDecisionsCount(Alert.GetValue()) < 2). Because of on_success: break, a match there stops the evaluation, so the ban profile is never reached for that alert.

Once that threshold is passed (or for non-http scenarios, which never match the first filter), the second profile bans the IP. Its duration_expr takes precedence over the static duration: 40h and yields (decisions already on record + 1) x 100 hours, so 300h on the third offense, 400h on the fourth, and so on. Two things to keep in mind: the growth is linear (100h more per earlier decision) rather than exponential, and the count is whatever GetDecisionsCount finds in the local API database for that IP; if only recent decisions should matter, GetDecisionsSinceCount(Alert.GetValue(), "7d") is the helper for that. Lower the captcha threshold to < 1 if the captcha should apply to the very first offense only, and adapt the multipliers to your needs!
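To see what these two profiles actually do to a repeat offender, here is a small Python model of the profile walk, added for this page and not crowdsec's own code. The expr filters are replaced by Python callables, `on_record` stands in for GetDecisionsCount(Alert.GetValue()), the scenario names are constructed sample input, and the model assumes every decision handed out stays in that count for the next alert.

```python
"""Toy model of how the CrowdSec local API walks the two profiles above.

Added example for this page, not CrowdSec's own code: the expr filters are
replaced by Python callables and `on_record` stands in for
GetDecisionsCount(Alert.GetValue()), i.e. the number of decisions the LAPI
database already holds for the IP when the new alert is evaluated (the alert
being processed has not been stored yet, so it is not counted). Assumption:
every decision handed out stays in that count for later alerts.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Profile:
    name: str
    # matches(scope, scenario, on_record) -> bool, standing in for the expr filter
    matches: Callable[[str, str, int], bool]
    decision_type: str
    duration_hours: int                                    # static `duration:`
    duration_expr: Optional[Callable[[int], int]] = None   # `duration_expr:` override
    on_success_break: bool = True                          # `on_success: break`


def make_profiles(captcha_threshold: int = 2) -> List[Profile]:
    """Build the page's two profiles; captcha_threshold is the `< 2` in the captcha filter."""
    captcha = Profile(
        "ip_remediation_captcha",
        lambda scope, scenario, n: scope == "Ip" and "http" in scenario and n < captcha_threshold,
        "captcha", 40,
    )
    ban = Profile(
        "ip_remediation_ban",
        lambda scope, scenario, n: scope == "Ip",
        "ban", 40,
        duration_expr=lambda n: (n + 1) * 100,   # Sprintf('%dh', (GetDecisionsCount(...) + 1) * 100)
    )
    return [captcha, ban]


def evaluate(profiles: List[Profile], scope: str, scenario: str, on_record: int) -> List[Tuple[str, int]]:
    """Decisions one alert produces: (type, hours) per matching profile, stopping at `on_success: break`."""
    decisions = []
    for p in profiles:
        if not p.matches(scope, scenario, on_record):
            continue
        hours = p.duration_expr(on_record) if p.duration_expr else p.duration_hours
        decisions.append((p.decision_type, hours))
        if p.on_success_break:
            break
    return decisions


def simulate(profiles: List[Profile], scenario: str, offenses: int) -> List[Tuple[str, int]]:
    """Replay `offenses` consecutive alerts from one IP and return the decision taken each time."""
    on_record = 0
    history = []
    for _ in range(offenses):
        made = evaluate(profiles, "Ip", scenario, on_record)
        history.extend(made)
        on_record += len(made)   # each stored decision raises GetDecisionsCount for the next alert
    return history


if __name__ == "__main__":
    # constructed sample scenarios: one http scenario, one that never matches the captcha filter
    for threshold in (2, 1):
        print(f"captcha while GetDecisionsCount < {threshold}:",
              simulate(make_profiles(threshold), "crowdsecurity/http-probing", 4))
    print("non-http scenario:", simulate(make_profiles(), "crowdsecurity/ssh-bf", 2))
```

With the page's `< 2` threshold an http offender gets captcha 40h, captcha 40h, then bans of 300h and 400h; with `< 1` it gets one captcha and then 200h, 300h, and so on; an ssh brute-forcer skips the captcha entirely and starts at 100h. Run `python3` on the file to print these sequences.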
