Global whitelist on LAPI for all agents.
What would you like to be added?
I'm using crowdsec on my machines in a multi-server setup (currently 28 agents and 1 LAPI), but it is proving impossible to maintain my "parser whitelist" on all my agents. When some IP changes, I have to manually update the whitelist on all agents, and this takes a lot of time.
If I can make the decision to unban on LAPI, why can't I prevent the IP from being banned again?
So the idea is to create a "global whitelist", managed by LAPI, and which is checked before accepting a ban decision generated by some agent. (the "parser whitelist" will continue to work as well, but final decisions are up to LAPI)
something like
cscli whitelist add -i 1.2.3.4
cscli whitelist add -r 1.2.3.0/24
cscli whitelist delete -i 4.3.2.1
And when a ban decision comes from some agent, LAPI checks if this IP is on the whitelist and doesn't apply this decision...
It would be much easier to manage.
Why is this needed?
My structure has a lot of machines and is very dynamic; I often need to add/remove IPs from the whitelist on all machines.
More information here, but duplicate of #1239.
Hello,
For now the "best" you can do to have whitelists at the Local API level is via profiles:
name: whitelist
debug: true
filters:
  - Alert.GetValue() in ["2.2.2.2", "3.3.3.3"]
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
This will effectively whitelist decisions from agents that are targeting IP 2.2.2.2 or 3.3.3.3.
We are looking to improve this in the upcoming releases, stay tuned, and thanks for the report!
upcoming releases
@buixor when will the next release date be?
Hello, that's a better method than the original one, but how can we whitelist IP range/CIDR using this method? Thanks
Yes, you can use the range helpers.
Here is an example:
name: whitelist
debug: true
filters:
  - IpInRange(Alert.GetValue(), '192.168.1.0/24')
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
#duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
Are the filters an AND or an OR? So, does this work?
name: whitelist
debug: true
filters:
  - Alert.GetValue() in ["109.237.xxx.xxx", "159.xxx.xxx.xxx"]
  - IpInRange(Alert.GetValue(), '192.168.0.0/16')
  - IpInRange(Alert.GetValue(), '10.0.0.0/8')
  - IpInRange(Alert.GetValue(), '172.16.0.0/12')
on_success: break
---
The filters are OR.
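To make the two points made in this thread concrete (the "whitelist" profile in the maintainer's first answer and the "filters are OR" answer just above), here is an added example that is not part of the issue and not CrowdSec's own code: a deliberately simplified Python model of how the LAPI walks profiles.yaml. It assumes only what the thread states: profiles are evaluated in file order, a profile matches when any one of its filters is true, and `on_success: break` stops evaluation so a matching "whitelist" profile with no decisions swallows the alert before `default_ip_remediation` is reached. `ip_in_range` is a stand-in for the real `IpInRange()` helper, the alerts are constructed, and the profile and field names mirror the thread's YAML.

```python
"""Simplified model of CrowdSec LAPI profile evaluation (hypothetical, not CrowdSec code)."""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed alerts, shaped like what an agent pushes to LAPI: scope, value, remediation flag.
SAMPLE_ALERTS: List[Dict] = [
    {"scope": "Ip", "value": "2.2.2.2", "remediation": True},       # listed explicitly
    {"scope": "Ip", "value": "192.168.1.42", "remediation": True},  # inside 192.168.0.0/16
    {"scope": "Ip", "value": "198.51.100.7", "remediation": True},  # not whitelisted (TEST-NET-2)
]


def ip_in_range(value: str, cidr: str) -> bool:
    """Stand-in for the IpInRange() expr helper: True if value is an address inside cidr.

    Non-address values (e.g. the CIDR carried by a Range-scoped alert) never match here;
    how the real helper treats such input is not verified by this model.
    """
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


Filter = Callable[[Dict], bool]

# Profiles in file order, mirroring the thread's whitelist + default_ip_remediation.
PROFILES: List[Dict] = [
    {
        "name": "whitelist",
        "filters": [  # several filters: the profile matches if ANY of them is true (OR)
            lambda a: a["value"] in {"2.2.2.2", "3.3.3.3"},
            lambda a: ip_in_range(a["value"], "192.168.0.0/16"),
            lambda a: ip_in_range(a["value"], "10.0.0.0/8"),
            lambda a: ip_in_range(a["value"], "172.16.0.0/12"),
        ],
        "decisions": [],  # no decisions: matching here only consumes the alert
        "on_success": "break",
    },
    {
        "name": "default_ip_remediation",
        "filters": [lambda a: a["remediation"] and a["scope"] == "Ip"],
        "decisions": [{"type": "ban", "duration": "4h"}],
        "on_success": "break",
    },
]


def evaluate(alert: Dict, profiles: List[Dict] = PROFILES) -> Tuple[List[str], List[Dict]]:
    """Walk profiles in order; return (names of matched profiles, decisions produced)."""
    matched: List[str] = []
    decisions: List[Dict] = []
    for profile in profiles:
        if any(f(alert) for f in profile["filters"]):
            matched.append(profile["name"])
            decisions.extend(dict(d, value=alert["value"]) for d in profile["decisions"])
            if profile["on_success"] == "break":
                break  # later profiles are never consulted for this alert
    return matched, decisions


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(alert["value"], "->", evaluate(alert))
    # Same profiles, wrong order: the whitelisted IP is banned because remediation runs first.
    print("reversed order, 2.2.2.2 ->", evaluate(SAMPLE_ALERTS[0], list(reversed(PROFILES))))
```

Running it shows 2.2.2.2 and 192.168.1.42 matching only "whitelist" with no decision, while 198.51.100.7 falls through to "default_ip_remediation" and gets a 4h ban. The reversed-order run is the check worth remembering when editing profiles.yaml: the whitelist only protects an IP because it sits above the remediation profile and breaks; placed below it, the ban is already issued before the whitelist is ever evaluated.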