Skip to content

Ban Management

Info

Please see your local help ban for up-to-date documentation.

List bans

 ban list
example 
bui@sd:~$ cli ban list
4 local decisions:
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
| SOURCE |       IP       |        REASON        | BANS | ACTION | COUNTRY |               AS               | EVENTS | EXPIRATION |
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
| cli    | 1.1.1.1        | spammer              |    1 | ban    |         |                                |      0 | 23h59m58s  |
| local  | 2.2.2.2        | crowdsecurity/ssh-bf |    1 | ban    | FR      | 3215 Orange                    |      6 | 3h7m30s    |
| local  | 3.3.3.3        | crowdsecurity/ssh-bf |    1 | ban    | US      | 3266 Joao Carlos de Almeida    |      6 | 57m17s     |
|        |                |                      |      |        |         | Silveira trading as Bitcanal   |        |            |
| local  | 4.4.4.4        | crowdsecurity/ssh-bf |    1 | ban    | FR      | 15557 SFR SA                   |      6 | 5m11s      |
+--------+----------------+----------------------+------+--------+---------+--------------------------------+--------+------------+
And 64 records from API, 32 distinct AS, 19 distinct countries
  • SOURCE is the source of the decision :
    • "local" : the decision has been taken by Crowdsec
    • "cli" : the decision has been made with cscli (ie. cscli ban ip 1.2.3.4 24h "because")
    • "api" : the decision has been pushed to you by the API (because there is a consensus about this ip)
  • IP is the IP or the IP range impacted by the decision
  • REASON is the scenario that was triggered (or human-supplied reason)
  • BANS is the number of "active" remediation against this IP
  • COUNTRY and AS are provided by GeoIP enrichment if present
  • EXPIRATION is the time left on remediation

Check command usage for additional filtering and output control flags.

Delete a ban

delete the ban on IP 1.2.3.4

 ban del ip 1.2.3.4

delete the ban on range 1.2.3.0/24

 ban del range 1.2.3.0/24

Add a ban manually

Add a ban on IP 1.2.3.4 for 24 hours, with reason 'web bruteforce'

 ban add ip 1.2.3.4 24h "web bruteforce"

Add a ban on range 1.2.3.0/24 for 24 hours, with reason 'web bruteforce'

 ban add range 1.2.3.0/24 "web bruteforce"

Flush all existing bans

Flush all the existing bans

 ban flush

Warning

This will as well remove any existing ban