CrowdSec IP Blocklist

[andrewoliv]

I have CrowdSec up and running on my OpnSense instance. My understanding is that CrowdSec is protecting my WebGUi service from Brute Force Attacks.

I had heard CrowdSec was going to release an IP blocklist of their own that OpnSense users could build an Alias for (ie Spamhaus). Ran into this on the CrowdSec website:

sudo apt install crowdsec-blocklist-mirror

Was wondering if I could Somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.

[andrewoliv]

Totally wrong about this it appears the CrowdSec plug in I installed also blocks at the FW level

[Georges]

I have CrowdSec up and running on my OpnSense instance. My understanding is that CrowdSec is protecting my WebGUi service from Brute Force Attacks.

I had heard CrowdSec was going to release an IP blocklist of their own that OpnSense users could build an Alias for (ie Spamhaus). Ran into this on the CrowdSec website:

sudo apt install crowdsec-blocklist-mirror

Was wondering if I could Somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.

Hello

https://github.com/crowdsecurity/opnsense-plugin-crowdsec

v0.0.6

crowdsec update 1.3.1.r1
bouncer update to 0.0.23.r1
automated creation of Alias and Rule objects

They already have alias.

[klausagnoletti]

I had heard CrowdSec was going to release an IP blocklist of their own that OpnSense users could build an Alias for (ie Spamhaus). Ran into this on the CrowdSec website:

sudo apt install crowdsec-blocklist-mirror

Was wondering if I could Somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.

You accidently bumped into our new blocklist mirror bouncer :-) The basic idea is that it sets up a basic webserver that exposes a blocklist that can be exported into any firewall. Here's an article on how to use it with pfSense: https://blog.vacum.se/updated-blocklist-export-for-crowdsec/.

The downside to using this approach with pfSense at least (I assume it would be the same with OPNsense) is that connections that are already established won't be cut off. I am under the impression that can be fixed using pfBlockerNG somehow (without knowing the details).

Being an OPNsense user I would advice you to use the OPNsense port whenever possible as that will give you the best experience - if nothing else just use the pf bouncer package.

Did that answer your question? If not, feel free to ask again

[spyware-avoidance]

Hello

So CrowdSec is basically a bit like the good old fail2ban with extensible and modular sources? is that it or I'm misunderstanding something?
I would just not open the WebUI to internet at all. Is this to protect against attempts coming from the LAN side or the management interface?

[klausagnoletti]

So CrowdSec is basically a bit like the good old fail2ban with extensible and modular sources? is that it or I'm misunderstanding something?

Excellent question. The short answer is yes. And no. Read this article I wrote a couple of weeks ago for an elaboration: https://crowdsec.net/blog/crowdsec-not-your-typical-fail2ban-clone/

Let me know if you have further questions.