Custom
๐ Documentation ๐ Hub ๐ฌ Discourse
CrowdSec Remediation Component written to invoke custom scripts.
The crowdsec-custom-bouncer will periodically fetch new, expired and removed decisions from the CrowdSec Local API and will pass them as arguments to a custom user script.
Installationโ
Repositoryโ
- Debian/Ubuntu
- RHEL/Centos/Fedora
sudo apt install crowdsec-custom-bouncer
sudo yum install crowdsec-custom-bouncer
Manualโ
Assistedโ
Download the latest crowdsec-custom-bouncer release
tar xzvf crowdsec-custom-bouncer.tgz
cd crowdsec-custom-bouncer*
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
From sourceโ
Clone the repository:
git clone https://github.com/crowdsecurity/cs-custom-bouncer && cd cs-custom-bouncer
Build the binary:
make release && cd crowdsec-custom-bouncer-v*
Install the build release:
sudo ./install.sh
Edit the configuration file to your desired settings:
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
Then enable the service:
sudo systemctl enable --now crowdsec-custom-bouncer
Default configurationโ
sudo vim /etc/crowdsec/bouncers/crowdsec-custom-bouncer.yaml
bin_path: <absolute_path_to_binary>
bin_args: []
feed_via_stdin: false # Invokes binary once and feeds incoming decisions to it's stdin.
total_retries: 0
scenarios_containing: [] # ignore IPs banned for triggering scenarios not containing either of provided word, eg ["ssh", "http"]
scenarios_not_containing: [] # ignore IPs banned for triggering scenarios containing either of provided word
scopes: [] # scopes of the decisions to filter on
origins: [] # origins of the decisions to filter on
piddir: /var/run/
update_frequency: 10s
cache_retention_duration: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: <API_URL>
api_key: <API_KEY>
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
cache_retention_duration : The bouncer keeps track of all custom script invocations from the last cache_retention_duration interval. If a decision is identical to some decision already present in the cache, then the custom script is not invoked. The keys for hashing a decision is it's Type (eg ban, captcha etc) and Value (eg 192.168.1.1, CH etc).
You can then start the service:
sudo systemctl start crowdsec-custom-bouncer
If you need to make changes to the configuration file and be sure they will never be modified or reverted
by package upgrades, starting from v0.0.12 you can write them in a crowdsec-custom-bouncer.yaml.local file as described in
Overriding values.
Package upgrades may have good reasons to modify the configuration, so be careful if you use a .local file.
Logsโ
By default you can find the log file /var/log/crowdsec-custom-bouncer.log, however, this can change if you have changed the configuration.
Best praticesโ
We recommend using the scopes configuration to filter the scope your script is interested in. This will ensure you get the expected values in your script.
This is only applicable if you have configured your profiles to make use of scopes but is general best pratice to set it to ["Ip"] by default if that is the script aim.
The above will ensure you get values from LAPI to the script, however, you should double check the values in your script to ensure they are as expected.
Usageโ
Remember to set execution permissions for your binary or script. If it's a script, include a shebang on the first line (e.g., #!/bin/sh).
Invoke modeโ
While the default mode, it is not recommended to use it, as calling a binary for each decision can be very costly when a lot are present.
The custom binary will be called with the following arguments :
<my_custom_binary> add <value> <duration> <reason> <json_object> # to add an IP address
<my_custom_binary> del <value> <duration> <reason> <json_object> # to del an IP address
value: The value will be the decision scope value (eg192.168.1.1for IP)duration: duration of the remediation in secondsreason: reason of the decisionjson_object: the serialized decision (see the next section for more details)
Examplesโ
custom_binary.sh add 192.168.1.1/32 3600 "test blacklist" <json_object>
custom_binary.sh del 192.168.1.1/32 3600 "test blacklist" <json_object>
Stdin modeโ
In this mode, the custom binary will be executed when the bouncer starts and is expected to read data from stdin.
If the binary exits for any reason, it will be reinvoked up to max_retries times. If the maximum number of retries is exhausted, the bouncer will quit.
For each decision, the custom binary will be fed the serialized JSON object on stdin, one object per line.
The JSON object is:
{
"duration": "143h58m15s",
"origin": "CAPI",
"scenario": "ssh:bruteforce",
"scope": "Ip",
"type": "ban",
"value": "160.187.109.6",
"id": 83676344,
"action": "add"
}
duration: duration of the decision, in the go time.Duration format. Can be negative for delete decisions.origin: origin the decision. Can becrowdsec,cscli,cscli-import,CAPI,lists.scenario: scenario that triggered the decision.scope: Scope of the decision. Most likelyIporRangewith the default config, but can be any value set in your scenarios.type: Type of the decision. Most likelybanorcaptchawith the default config, but can be any value set in your profiles.value: Target of the decision.id: id of the decision in the crowdsec database.action: Eitheraddordel.
Configuration Referenceโ
bin_pathโ
string
Absolute path to the binary that will be invoked
bin_argsโ
[ ]string
Array of argument to give to the script that will be invoked.
This option is only supported if feed_via_stdin is set to true.
feed_via_stdinโ
boolean
Indicate weither or not the script will will be feed via STDIN or via its arguments
total_retriesโ
int
Number of times to restart binary. relevant if feed_via_stdin=true.
Set to -1 for infinite retries.
scenarios_containingโ
[ ]string
Get only IPs banned for triggering scenarios containing either of provided word.
scenarios_containing: ["ssh", "http"]
scenarios_not_containingโ
[ ]string
Ignore IPs banned for triggering scenarios containing either of provided word.
scenarios_not_containing: ["ssh", "http"]
scopesโ
[ ]string
Decisions will be filtered on the provided scopes.
scopes: ["Ip"]
originsโ
[ ]string
Decisions will be filtered on the provided origins.
origins: ["cscli", "crowdsec"]
cache_retention_durationโ
string
The component keeps track of all custom script invocations from the last cache_retention_duration interval.
If a decision is identical to some decision already present in the cache, then the custom script is not invoked.
The keys for hashing a decision is it's Type (eg ban, captcha etc) and Value (eg 192.168.1.1, CH etc).
piddirโ
string
This field has been depreacted and is ignored by the component
Directory to drop the PID file
update_frequencyโ
string (That is parseable by time.ParseDuration)
controls how often the component is going to query the local API
daemonizeโ
boolean
To run the component as a service
This field has now been deprecated and is ignored within the component
log_modeโ
file|stdout
Where the log contents are written (With file it will be written to log_dir with the name crowdsec-custom-bouncer.log)
log_dirโ
string
Relevant if log_mode is file. This determines where to create log file.
log_levelโ
trace|debug|info|error
Log level: can be trace, debug, info, or error
log_compressionโ
boolean
Compress logs on rotation, true or false
log_max_sizeโ
int
Maximum file size before rotation
log_max_backupsโ
int
How many backup log files to keep
log_max_ageโ
int
Log file max age before deletion
api_urlโ
string
URL of the CrowdSec Local API
api_keyโ
string
API Key to communicate with the CrowdSec Local API
insecure_skip_verifyโ
boolean
Skip verification of the LAPI certificate, usually used for self-signed certificates
prometheusโ
Prometheus configuration
enabledโ
boolean
Enable or not the prometheus server
Example:
prometheus:
enabled: true
listen_addr: 127.0.0.1
listen_port: 60602
listen_addrโ
string
IP Address to listen on for the prometheus server
listen_portโ
int
Port to listen on for the prometheus server