Custom
📚 Documentation 💠Hub 💬 Discourse
CrowdSec Remediation Component written to invoke custom scripts.
The crowdsec-custom-bouncer will periodically fetch new, expired and removed decisions from the CrowdSec Local API and will pass them as arguments to a custom user script.
Installation​
Repository​
- Debian/Ubuntu
- RHEL/Centos/Fedora
sudo apt install crowdsec-custom-bouncer
sudo yum install crowdsec-custom-bouncer
Manual​
Assisted​
Download the latest crowdsec-custom-bouncer release
tar xzvf crowdsec-custom-bouncer.tgz
cd crowdsec-custom-bouncer*
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
From source​
Clone the repository:
git clone https://github.com/crowdsecurity/cs-custom-bouncer && cd cs-custom-bouncer
Build the binary:
make release && cd crowdsec-custom-bouncer-v*
Install the build release:
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
Default configuration​
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
bin_path: <absolute_path_to_binary>
bin_args: []
feed_via_stdin: false # Invokes binary once and feeds incoming decisions to it's stdin.
total_retries: 0
scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
scenarios_not_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
scopes: [] # scopes of the decisions to filter on
origins: [] # origins of the decisions to filter on
piddir: /var/run/
update_frequency: 10s
cache_retention_duration: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: <API_URL>
api_key: <API_KEY>
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
cache_retention_duration : The bouncer keeps track of all custom script invocations from the last cache_retention_duration interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. The keys for hashing a decision is it's Type (eg ban, captcha etc) and Value (eg 192.168.1.1, CH etc).
You can then start the service:
sudo systemctl start crowdsec-custom-bouncer
If you need to make changes to the configuration file and be sure they will never be modified or reverted
by package upgrades, starting from v0.0.12 you can write them in a crowdsec-custom-bouncer.yaml.local file as described in
Overriding values.
Package upgrades may have good reasons to modify the configuration, so be careful if you use a .local file.
Logs​
By default you can find the log file /var/log/crowdsec-custom-bouncer.log, however, this can change if you have changed the configuration.
Best pratices​
We recommend using the scopes configuration to filter the scope your script is interested in. This will ensure you get the expected values in your script.
This is only applicable if you have configured your profiles to make use of scopes but is general best pratice to set it to ["Ip"] by default if that is the script aim.
The above will ensure you get values from LAPI to the script, however, you should double check the values in your script to ensure they are as expected.
Usage​
Invoke mode​
The custom binary will be called with the following arguments :
<my_custom_binary> add <value> <duration> <reason> <json_object> # to add an IP address
<my_custom_binary> del <value> <duration> <reason> <json_object> # to del an IP address
value: The value will be the decision scope value (eg192.168.1.1for IP)duration: duration of the remediation in secondsreason: reason of the decisionjson_object: the serialized decision (see the next section for more details)
Examples​
custom_binary.sh add 192.168.1.1/32 3600 "test blacklist" <json_object>
custom_binary.sh del 192.168.1.1/32 3600 "test blacklist" <json_object>
Stdin mode​
In this mode, the custom binary will be executed when the bouncer starts and is expected to read data from stdin.
If the binary exits for any reason, it will be reinvoked up to max_retries times. If the maximum number of retries is exhausted, the bouncer will quit.
For each decision, the custom binary will be fed the serialized JSON object on stdin, one object per line.
The JSON object is:
{
"duration": "143h58m15s",
"origin": "CAPI",
"scenario": "ssh:bruteforce",
"scope": "Ip",
"type": "ban",
"value": "160.187.109.6",
"id": 83676344,
"action": "add"
}
duration: duration of the decision, in the go time.Duration format. Can be negative for delete decisions.origin: origin the decision. Can becrowdsec,cscli,cscli-import,CAPI,lists.scenario: scenario that triggered the decision.scope: Scope of the decision. Most likelyIporRangewith the default config, but can be any value set in your scenarios.type: Type of the decision. Most likelybanorcaptchawith the default config, but can be any value set in your profiles.value: Target of the decision.id: id of the decision in the crowdsec database.action: Eitheraddordel.
Configuration Reference​
bin_path​
string
Absolute path to the binary that will be invoked
bin_args​
[ ]string
Array of argument to give to the script that will be invoked.
This option is only supported if feed_via_stdin is set to true.
feed_via_stdin​
boolean
Indicate weither or not the script will will be feed via STDIN or via its arguments
total_retries​
int
Number of times to restart binary. relevant if feed_via_stdin=true.
Set to -1 for infinite retries.
scenarios_containing​
[ ]string
Get only IPs banned for triggering scenarios containing either of provided word.
scenarios_containing: ["ssh", "http"]
scenarios_not_containing​
[ ]string
Ignore IPs banned for triggering scenarios containing either of provided word.
scenarios_not_containing: ["ssh", "http"]
scopes​
[ ]string
Decisions will be filtered on the provided scopes.
scopes: ["Ip"]
origins​
[ ]string
Decisions will be filtered on the provided origins.
origins: ["cscli", "crowdsec"]
cache_retention_duration​
string
The component keeps track of all custom script invocations from the last cache_retention_duration interval.
If a decision is identical to some decision already present in the cache, then the custom script is not invoked.
The keys for hashing a decision is it's Type (eg ban, captcha etc) and Value (eg 192.168.1.1, CH etc).
piddir​
string
Directory to drop the PID file
update_frequency​
string (That is parseable by time.ParseDuration)
controls how often the component is going to query the local API
daemonize​
boolean
To run the component as a service
log_mode​
file|stdout
Where the log contents are written (With file it will be written to log_dir with the name crowdsec-custom-bouncer.log)
log_dir​
string
Relevant if log_mode is file. This determines where to create log file.
log_level​
trace|debug|info|error
Log level: can be trace, debug, info, or error
log_compression​
boolean
Compress logs on rotation, true or false
log_max_size​
int
Maximum file size before rotation
log_max_backups​
int
How many backup log files to keep
log_max_age​
int
Log file max age before deletion
api_url​
string
URL of the CrowdSec Local API
api_key​
string
API Key to communicate with the CrowdSec Local API
insecure_skip_verify​
boolean
Skip verification of the LAPI certificate, usually used for self-signed certificates
prometheus​
Prometheus configuration
enabled​
boolean
Enable or not the prometheus server
Example:
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
listen_addr​
string
IP Address to listen on for the prometheus server
listen_port​
int
Port to listen on for the prometheus server
