Crowdsec whitelist

Started by xpking, October 01, 2023, 06:55:03 AM

October 01, 2023, 06:55:03 AM Last Edit: October 01, 2023, 07:07:51 AM by xpking
Dear all,

May I know if there is a whitelist in crowdsec opnsense?

I followed this page: https://docs.crowdsec.net/docs/whitelist/create/
and created the file /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
with the content below.

name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:
    - "192.168.2.254"

~


I removed the Decision, and restarted Crowdsec.
I can see the file loaded in Parsers tab.
But it doesn't work.
I checked the Decision tab and the IP is banned again.

Parsers tab

mywhitelists.yaml enabled,local /usr/local/etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml


Decision tab:

3051281 crowdsec Ip:192.168.2.254 firewallservices/pf-scan-multi_ports ban 16 an hour 990


Does anyone have ideas on how to add the IP to the whitelist?
Thank you.



November 04, 2023, 06:14:10 AM #3 Last Edit: November 04, 2023, 09:17:50 PM by ApeDogg
In my case the IP was on the CAPI list, so I had to follow those instructions, but it didn't work until I ran the CLI command cscli decisions delete --ip 1.2.3.4 from the shell.

(Update) It was blocked again today, probably after updating with the API, so it seems the whitelist procedure isn't working.

November 29, 2023, 04:40:21 PM #4 Last Edit: November 29, 2023, 05:02:39 PM by MastrBlastr25
I've never used Crowdsec before so this may not be the best solution, but what I did was run
cscli parsers install crowdsecurity/whitelists
which creates a whitelist.yaml file in
/usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity
then I edited that file to whatever I desire. After restarting Crowdsec it shows as 'enabled,tainted' but I guess 'tainted' just means the default auto-generated config was updated. It seems to be working.