Custom
📚 Documentation 💠Hub 💬 Discourse
CrowdSec Remediation Component written to invoke custom scripts.
The crowdsec-custom-bouncer will periodically fetch new, expired and removed decisions from the CrowdSec Local API and will pass them as arguments to a custom user script.
Installation​
Repository​
- Debian/Ubuntu
- RHEL/Centos/Fedora
sudo apt install crowdsec-custom-bouncer
sudo yum install crowdsec-custom-bouncer
Manual​
Assisted​
Download the latest crowdsec-custom-bouncer
release
tar xzvf crowdsec-custom-bouncer.tgz
cd crowdsec-custom-bouncer*
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
From source​
Clone the repository:
git clone https://github.com/crowdsecurity/cs-custom-bouncer && cd cs-custom-bouncer
Build the binary:
make release && cd crowdsec-custom-bouncer-v*
Install the build release:
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
Default configuration​
$ vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
bin_path: <absolute_path_to_binary>
bin_args: []
feed_via_stdin: false # Invokes binary once and feeds incoming decisions to it's stdin.
total_retries: 0
scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
scenarios_not_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
scopes: [] # scopes of the decisions to filter on
origins: [] # origins of the decisions to filter on
piddir: /var/run/
update_frequency: 10s
cache_retention_duration: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: <API_URL>
api_key: <API_KEY>
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
cache_retention_duration
: The bouncer keeps track of all custom script invocations from the last cache_retention_duration
interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. The keys for hashing a decision is it's Type
(eg ban
, captcha
etc) and Value
(eg 1.2.3.4
, CH
etc).
You can then start the service:
sudo systemctl start crowdsec-custom-bouncer
If you need to make changes to the configuration file and be sure they will never be modified or reverted
by package upgrades, starting from v0.0.12 you can write them in a crowdsec-custom-bouncer.yaml.local
file as described in
Overriding values.
Package upgrades may have good reasons to modify the configuration, so be careful if you use a .local
file.
Logs​
By default you can find the log file /var/log/crowdsec-custom-bouncer.log
, however, this can change if you have changed the configuration.
Best pratices​
We recommend using the scopes configuration to filter the scope your script is interested in. This will ensure you get the expected values in your script.
This is only applicable if you have configured your profiles to make use of scopes but is general best pratice to set it to ["Ip"]
by default if that is the script aim.
The above will ensure you get values from LAPI to the script, however, you should double check the values in your script to ensure they are as expected.
Usage​
The custom binary will be called with the following arguments :
<my_custom_binary> add <value> <duration> <reason> <json_object> # to add an IP address
<my_custom_binary> del <value> <duration> <reason> <json_object> # to del an IP address
value
: The value will be the decision scope value (eg192.168.1.1
for IP)duration
: duration of the remediation in secondsreason
: reason of the decisionjson_object
: the serialized decision
Remember to set execution permissions for your binary or script. If it's a script, include a shebang on the first line (e.g., #!/bin/sh
).
Examples​
custom_binary.sh add 1.2.3.4/32 3600 "test blacklist" <json_object>
custom_binary.sh del 1.2.3.4/32 3600 "test blacklist" <json_object>
Configuration Reference​
bin_path
​
string
Absolute path to the binary that will be invoked
bin_args
​
[ ]string
Array of argument to give to the script that will be invoked
feed_via_stdin
​
boolean
Indicate weither or not the script will will be feed via STDIN or via its arguments
total_retries
​
int
Number of times to restart binary. relevant if feed_via_stdin=true
.
Set to -1 for infinite retries.
scenarios_containing
​
[ ]string
Get only IPs banned for triggering scenarios containing either of provided word.
scenarios_containing: ["ssh", "http"]
scenarios_not_containing
​
[ ]string
Ignore IPs banned for triggering scenarios containing either of provided word.
scenarios_not_containing: ["ssh", "http"]
scopes
​
[ ]string
Decisions will be filtered on the provided scopes.
scopes: ["Ip"]
origins
​
[ ]string
Decisions will be filtered on the provided origins.
origins: ["cscli", "crowdsec"]
cache_retention_duration
​
string
The component keeps track of all custom script invocations from the last cache_retention_duration
interval.
If a decision is identical to some decision already present in the cache, then the custom script is not invoked.
The keys for hashing a decision is it's Type
(eg ban
, captcha
etc) and Value
(eg 1.2.3.4
, CH
etc).
piddir
​
string
This field has been depreacted and is ignored by the component
Directory to drop the PID file
update_frequency
​
string (That is parseable by time.ParseDuration)
controls how often the component is going to query the local API
daemonize
​
boolean
To run the component as a service
This field has now been deprecated and is ignored within the component
log_mode
​
file
|stdout
Where the log contents are written (With file
it will be written to log_dir
with the name crowdsec-custom-bouncer.log
)
log_dir
​
string
Relevant if log_mode
is file
. This determines where to create log file.
log_level
​
trace
|debug
|info
|error
Log level: can be trace
, debug
, info
, or error
log_compression
​
boolean
Compress logs on rotation, true
or false
log_max_size
​
int
Maximum file size before rotation
log_max_backups
​
int
How many backup log files to keep
log_max_age
​
int
Log file max age before deletion
api_url
​
string
URL of the CrowdSec Local API
api_key
​
string
API Key to communicate with the CrowdSec Local API
insecure_skip_verify
​
boolean
Skip verification of the LAPI certificate, usually used for self-signed certificates
prometheus
​
Prometheus configuration
enabled
​
boolean
Enable or not the prometheus server
Example:
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
listen_addr
​
string
IP Address to listen on for the prometheus server
listen_port
​
int
Port to listen on for the prometheus server