Version: v1.2


```bash
$ sudo cscli simulation status
INFO[0000] global simulation: disabled
INFO[0000] Scenarios in simulation mode :
INFO[0000]   - crowdsecurity/ssh-bf
```

cscli simulation manages a list of scenarios whose remediation is "simulated": their decisions are not enforced, but they are still shown by cscli decisions list. This configuration is stored in /etc/crowdsec/simulation.yaml and is handled by the agent.

You can add scenarios to the simulation list and remove them from it:

```bash
$ sudo cscli simulation enable crowdsecurity/ssh-bf
INFO[0000] simulation mode for 'crowdsecurity/ssh-bf' enabled
INFO[0000] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
$ sudo systemctl reload crowdsec
$ sudo tail -f /var/log/crowdsec.log
  ....
time="01-11-2020 14:08:58" level=info msg="Ip performed 'crowdsecurity/ssh-bf' (6 events over 986.769µs) at 2020-11-01 14:08:58.575885389 +0100 CET m=+437.524832750"
time="01-11-2020 14:08:58" level=info msg="Ip decision : 1h (simulation) ban"
  ....
$ cscli decisions list
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
| ID |  SOURCE  | SCOPE:VALUE  |              REASON               |   ACTION   | COUNTRY | AS | EVENTS |    EXPIRATION    |
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
|  4 | crowdsec | Ip:   | crowdsecurity/ssh-bf              | (simul)ban | US      |    |      6 | 59m38.293036072s |
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
```

You can also turn on "global simulation": in this case, only scenarios in the exclusion list will have their decisions applied.

Decisions coming from the CAPI (Central API) are not simulated. These are blocked directly.
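Before taking a scenario out of simulation, it helps to review what it would have banned, using the (simul) prefix in the ACTION column of the cscli decisions list table shown above. The script below is an added example, not part of the CrowdSec documentation: the function names are hypothetical, and the sample rows (addresses, countries, and the CAPI source value) are constructed.

```shell
# Added example: split simulated from enforced decisions per scenario, using
# the table layout of `cscli decisions list` (REASON = col 4, ACTION = col 5).

# Constructed sample rows; addresses are documentation ranges, and the
# "CAPI" SOURCE value is an assumption used to show a non-simulated decision.
sample_decisions() {
cat <<'EOF'
+----+----------+-----------------+----------------------------+------------+---------+----+--------+------------+
| ID |  SOURCE  |   SCOPE:VALUE   |           REASON           |   ACTION   | COUNTRY | AS | EVENTS | EXPIRATION |
+----+----------+-----------------+----------------------------+------------+---------+----+--------+------------+
|  4 | crowdsec | Ip:192.0.2.10   | crowdsecurity/ssh-bf       | (simul)ban | US      |    |      6 | 59m38s     |
|  5 | crowdsec | Ip:192.0.2.11   | crowdsecurity/ssh-bf       | (simul)ban | US      |    |      7 | 58m02s     |
|  6 | crowdsec | Ip:192.0.2.12   | crowdsecurity/http-probing | ban        | FR      |    |     11 | 3h12m      |
|  7 | CAPI     | Ip:198.51.100.7 | crowdsecurity/ssh-bf       | ban        |         |    |      0 | 23h40m     |
+----+----------+-----------------+----------------------------+------------+---------+----+--------+------------+
EOF
}

# Reads the table on stdin; prints "<scenario> simulated=<n> enforced=<n>".
simulation_summary() {
  awk -F'|' '
    # Data rows only: the ID field is numeric (skips borders and the header).
    $2 ~ /^ *[0-9]+ *$/ {
      reason = $5; action = $6
      gsub(/^ +| +$/, "", reason); gsub(/^ +| +$/, "", action)
      if (action ~ /^\(simul\)/) sim[reason]++; else live[reason]++
      seen[reason] = 1
    }
    END {
      for (r in seen) printf "%s simulated=%d enforced=%d\n", r, sim[r], live[r]
    }' | sort
}

# Prints the SCOPE:VALUE of every simulated decision for scenario $1.
simulated_targets() {
  awk -F'|' -v want="$1" '
    $2 ~ /^ *[0-9]+ *$/ {
      target = $4; reason = $5; action = $6
      gsub(/ /, "", target); gsub(/^ +| +$/, "", reason); gsub(/^ +| +$/, "", action)
      if (reason == want && action ~ /^\(simul\)/) print target
    }'
}

sample_decisions | simulation_summary
```

On a live host, pipe the output of cscli decisions list into either function in place of sample_decisions.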