
Warning: There is no coherence to this yet, it's just me taking notes.
This article was originally written May 21, 2023. It is being updated in May 2024.
Start here: CrowdSec Multi Server Setup
The TL;DR is:
On the "edge" machine:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
sudo cscli lapi register -u http://10.0.0.1:8080
On the LAPI server:
sudo cscli machines list
sudo cscli machines validate <machine hash>
Start first on a VM or something low-importance.
You can install the LAPI (Local API) on any machine, it does not need to be anything that does anything important, and you don't even need to install bouncers or scenarios on it. Do, however, install the dashboard(*).
*: 12 months on from the original date of this article, I don't use the dashboard; the CLI tools / UI in OPNsense are more than enough.
nginx-proxy-manager
Good news! There's a collection for it now!
Centralised Whitelisting
It's totally not a thing.
But, you can fake it!
Something like the following at the top of profiles.yaml on your LAPI Server should do the trick:
name: whitelist
debug: true
filters:
  - IpInRange(Alert.GetValue(), "1.128.0.0/11") # Telstra
  - IpInRange(Alert.GetValue(), "14.200.0.0/14") # TPG
  - IpInRange(Alert.GetValue(), "149.167.0.0/16") # Telstra
  - IpInRange(Alert.GetValue(), "180.150.36.0/24") # AussieBB
  - IpInRange(Alert.GetValue(), "206.83.96.0/19") # SpaceX
  - IpInRange(Alert.GetValue(), "106.68.0.0/15") # iiNet
  - IpInRange(Alert.GetValue(), "61.68.0.0/15") # iiNet
  - IpInRange(Alert.GetValue(), "124.176.0.0/11") # Telstra Internet
on_success: break
---
This will not actually "whitelist" the IP / subnet, but it will tell the LAPI not to act on any reports it receives for it: the profile matches, has no decisions, and on_success: break stops the remaining profiles from running.
The upshot is the LAPI will still log that it received the alert:
(id) alert : crowdsecurity/windows-bf by ip xxx.xxx.xxx.xxx
As opposed to something it acts on:
(id/crowdsec) crowdsecurity/http-bad-user-agent by ip xxx.xxx.xxx.xxx : 4h ban on Ip xxx.xxx.xxx.xxx
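To see why a matching "whitelist" profile still shows up as a logged alert but never as a ban, here is an added example (not CrowdSec's own code) that walks a profile list top-down the way the LAPI does: a profile applies if any of its filters is true, its decisions are collected, and on_success: break stops evaluation. It assumes a stock-style ban profile named default_ip_remediation below the whitelist, with a 4h duration, and only understands the two filter shapes used here.

```python
import ipaddress
import re

# Constructed profiles mirroring the profiles.yaml above: the "whitelist"
# profile (no decisions, on_success: break) sits above an assumed ban
# profile like the one a stock CrowdSec install ships (name/duration assumed).
PROFILES = [
    {
        "name": "whitelist",
        "filters": [
            'IpInRange(Alert.GetValue(), "1.128.0.0/11")',    # Telstra
            'IpInRange(Alert.GetValue(), "14.200.0.0/14")',   # TPG
            'IpInRange(Alert.GetValue(), "180.150.36.0/24")', # AussieBB
        ],
        "decisions": [],
        "on_success": "break",
    },
    {
        "name": "default_ip_remediation",
        "filters": ['Alert.Remediation == true && Alert.GetScope() == "Ip"'],
        "decisions": [{"type": "ban", "duration": "4h"}],
        "on_success": "break",
    },
]

IP_IN_RANGE = re.compile(r'IpInRange\(Alert\.GetValue\(\),\s*"([^"]+)"\)')
DEFAULT_FILTER = 'Alert.Remediation == true && Alert.GetScope() == "Ip"'


def filter_matches(expr, alert):
    """Evaluate the two filter shapes used above (a tiny subset of expr)."""
    expr = expr.strip()
    m = IP_IN_RANGE.fullmatch(expr)
    if m:
        net = ipaddress.ip_network(m.group(1), strict=False)
        try:
            return ipaddress.ip_address(alert["value"]) in net
        except ValueError:  # Range-scoped alerts carry a CIDR, not one IP
            return False
    if expr == DEFAULT_FILTER:
        return bool(alert.get("remediation")) and alert.get("scope") == "Ip"
    raise ValueError(f"unsupported filter: {expr}")


def evaluate(alert, profiles=PROFILES):
    """Walk profiles top-down like the LAPI; any true filter applies a profile."""
    matched, decisions = [], []
    for profile in profiles:
        if any(filter_matches(f, alert) for f in profile["filters"]):
            matched.append(profile["name"])
            for d in profile["decisions"]:
                decisions.append(dict(d, scope="Ip", value=alert["value"]))
            if profile.get("on_success") == "break":
                break  # nothing below (including the ban profile) runs
    return {"matched": matched, "decisions": decisions}
```

An alert from a listed ISP range comes back with matched == ["whitelist"] and no decisions, which is the "alert : ... by ip" log line above; any other IP falls through to the ban profile and produces the "4h ban on Ip" line.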
Run "cscli capi status" and "cscli lapi status" on both to verify they're talking to what you expect. It will also make sure both machines check in with the crowdsec UI.
"cscli machines list" will only work on the actual LAPI server; the other one will just show the last time it was an LAPI (probably when you set up multi-server mode). In fact, lots of things will stop working on the non-LAPI server.
"cscli decisions list" on each will tell you if you're getting decisions passed from the LAPI to the machines.
"cscli metrics show acquisition" will show you the parsing activity for each endpoint.