Allowlist for multiple IP ranges published as JSON

Open arthurzenika opened this issue 3 months ago • 1 comments

We are trying to develop an allowlist that uses multiple IP ranges published as JSON. The use case is as follows: we have HTTP requests served by CloudFront, which in turn are served by ALB. So the ALB sees the CloudFront IPs (e.g. 130.176.186.238) as the originating IP. Both ALB & CloudFront logs are being processed by CrowdSec, so the problematic behaviors are processed with the public IP. We want to avoid banning CloudFront IPs.

The file is https://ip-ranges.amazonaws.com/ip-ranges.json

{
  "syncToken": "1757120305",
  "createDate": "2025-09-06-00-58-25",
  "prefixes": [
    {
      "ip_prefix": "3.4.12.4/32",
      "region": "eu-west-1",
      "service": "AMAZON",
      "network_border_group": "eu-west-1"
    },
    {
      "ip_prefix": "3.5.140.0/22",
      "region": "ap-northeast-2",
      "service": "AMAZON",
      "network_border_group": "ap-northeast-2"
    },
[snip]
}

From our understanding, this is done in the enrich parsers.

arthurzenika, Sep 08 '25 15:09

Related work in progress: https://github.com/crowdsecurity/hub/pull/1465

arthurzenika, Sep 08 '25 15:09

As said, we're not going to allow all AWS IPs. Use the console's allowlists feature to do this.

buixor, Dec 02 '25 09:12
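
An added example, not part of the thread and not CrowdSec project code: it narrows a document in the ip-ranges.json layout to its CloudFront entries only, rather than every AWS range, and collapses them into a short CIDR list that an allowlist can take. `CLOUDFRONT` is the service label AWS uses in that file; the sample document and its prefixes are constructed, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the ip-ranges.json layout. The prefixes are
# illustrative only; fetch the real file for production use.
SAMPLE = json.loads("""
{
  "syncToken": "0",
  "createDate": "1970-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "3.4.12.4/32", "region": "eu-west-1",
     "service": "AMAZON", "network_border_group": "eu-west-1"},
    {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2",
     "service": "AMAZON", "network_border_group": "ap-northeast-2"},
    {"ip_prefix": "130.176.128.0/18", "region": "GLOBAL",
     "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    {"ip_prefix": "130.176.192.0/18", "region": "GLOBAL",
     "service": "CLOUDFRONT", "network_border_group": "GLOBAL"}
  ]
}
""")


def service_cidrs(doc, service="CLOUDFRONT"):
    """Return the collapsed IPv4 CIDRs published for a single service.

    Filtering on "service" keeps the allowlist limited to the proxy tier
    instead of trusting all AWS address space (EC2 ranges included).
    """
    nets = [
        ipaddress.ip_network(entry["ip_prefix"])
        for entry in doc.get("prefixes", [])
        if entry.get("service") == service
    ]
    # Adjacent and overlapping prefixes are merged so the list stays short.
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def is_allowlisted(ip, cidrs):
    """True if ip falls inside any CIDR of the generated allowlist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


if __name__ == "__main__":
    cidrs = service_cidrs(SAMPLE)
    print(cidrs)
    print(is_allowlisted("130.176.186.238", cidrs))  # proxy IP from the issue
    print(is_allowlisted("3.4.12.4", cidrs))         # generic AWS address
```

The published file changes over time (it carries a `syncToken` and `createDate`), so a list generated this way needs to be regenerated on a schedule.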