This bouncer exposes CrowdSec's active decisions via provided HTTP endpoints in pre-defined formats. It can be used by network appliances which support consumption of blocklists via HTTP.
Installation from packages
$ sudo apt install crowdsec-blocklist-mirror
$ sudo yum install crowdsec-blocklist-mirror
Installation using docker:
Refer to docker hub docs
Manual installation via script
First, download the latest
$ tar xzvf crowdsec-blocklist-mirror.tgz
$ sudo ./install.sh
Run the following commands:
$ git clone https://github.com/crowdsecurity/cs-blocklist-mirror.git
$ cd cs-blocklist-mirror/
$ make release
$ cd crowdsec-blocklist-mirror-v*/
$ sudo ./install.sh
Before starting the
crowdsec-blocklist-mirror service, please edit the configuration file to add your API URL and key.
The default configuration file is located under :
$ vim /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
- format: plain_text # Supported formats are either of "plain_text"
type: none # Supported types are either of "none", "ip_based", "basic"
trusted_ips: # IP ranges, or IPs which don't require auth to access this blocklist
The URL of CrowdSec LAPI. It should be accessible from whichever network the bouncer has access.
It can be obtained by running the following on the machine CrowdSec LAPI is deployed on.
sudo cscli -oraw bouncers add blocklistMirror # -oraw flag can discarded for human friendly output.
The bouncer will poll the CrowdSec every
Ignore IPs banned for triggering scenarios not containing either of provided word.
Ignore IPs banned for triggering scenarios containing either of provided word.
Only include IPs banned due to decisions orginating from provided sources. eg value ["cscli", "crowdsec"]
Set to true to skip verifying certificate.
Location where the mirror will start server.
Path to certificate to use if TLS is to be enabled on the mirror server.
Path to certificate key file.
Boolean (true|false). Set to true to enable serving and collecting metrics.
Endpoint to serve the metrics on.
List of blocklists to serve. Each blocklist has the following configuration.
Format of the blocklist. Currently only
mikrotik are supported.
Endpoint to serve the blocklist on.
Authentication related config.
Currently "basic" and "ip_based" authentication is supported. You can disable authentication completely by setting this to 'none'.
basic: It's Basic HTTP Authentication. Only requests with valid
passwordas specified in below config would pass through
ip_based: Only requests originating from
trusted_ipswould be allowed.
Valid username if using
Password for the provided user and using
List of valid IPv4 and IPv6 IPs and ranges which have access to blocklist. It's only applicable when authentication
Global RunTime Query Parameters
?ipv4only - Only return IPv4 addresses
?ipv6only - Only return IPv6 addresses
?nosort - Do not sort IP's
Only use if you do not care about the sorting of the list, can result in average 1ms improvement
?origin= - Only return IP's by origin
You can then start the service via:
sudo systemctl start crowdsec-blocklist-mirror
If you need to make changes to the configuration file and be sure they will never be modified or reverted
by package upgrades, starting from v0.0.2 you can write them in a
crowdsec-blocklist-mirror.yaml.local file as described in
Package upgrades may have good reasons to modify the configuration, so be careful if you use a
The bouncer can expose the blocklist in the following formats. You can configure the format of the blocklist by setting it's
format parameter to any of the supported formats described below.
If your mikrotik router does not support ipv6, then you can use the global query parameters to only return ipv4 addresses.
/ip firewall address-list remove [find list=CrowdSec]
/ipv6 firewall address-list remove [find list=CrowdSec]
/ip firewall address-list add list=CrowdSec address=126.96.36.199 comment="crowdsecurity/ssh-bf for 152h40m24.308868973s"
/ip firewall address-list add list=CrowdSec address=188.8.131.52 comment="crowdsecurity/postfix-spam for 166h40m25.280338424s"/ipv6 firewall address-list add list=CrowdSec address=2001:470:1:c84::17 comment="crowdsecurity/ssh-bf for 165h13m42.405449876s"
mikrotik query parameters
?listname=foo - Set the list name to
foo, by default
listname is set to
/ip firewall address-list remove [find list=foo]
/ipv6 firewall address-list remove [find list=foo]
/ip firewall address-list add list=foo address=184.108.40.206 comment="crowdsecurity/ssh-bf for 152h40m24.308868973s"
/ip firewall address-list add list=foo address=220.127.116.11 comment="crowdsecurity/postfix-spam for 166h40m25.280338424s"/ipv6 firewall address-list add list=foo address=2001:470:1:c84::17 comment="crowdsecurity/ssh-bf for 165h13m42.405449876s"