Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.
My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?
Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.
Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.
I had fail2ban running for several years before switching to CrowdSec late last year. They both work in a similar fashion and watch your logfiles for break in attempts. With the small difference that CrowdSec also lets you use blocklists from the “crowd” to block malicious actors before they even get to try their luck on your machine(s).
I’m using CrowdSec with Traefik and nftables. But there are some bouncer plugins for nginx and OpnSense, too.
I just followed their example configurations for Docker, Docker Compose and then started tinkering with the config until everything worked as desired.
Thanks those links were helpful to get me on the right path. I like that there is a plugin for Opnsense directly and has that central LAPI, because I’d need something similar if I was to use f2b.
I have traefik running with all config done via the docker compose files and I just couldn’t figure out how to get the bouncer middleware to work without causing problems. Doesn’t help that most examples seem to be based on the static yaml based config so I’m trying to convert jt. Would appreciate anyone who might know of a resource that explains with docker compose environment tags.
I also have middle ware for things like authentik which complicates things.
In the Traefik static configuration (usually
traefik.yml), add this to load the CrowdSec plugin:experimental: plugins: crowdsec-bouncer-traefik-plugin: moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin" version: "v1.4.2"(The name for the plugin is defined here as
crowdsec-bouncer-traefik-plugin.)Then, in your dynamic configuration, add this (I’ve used a separate file
dynamic_conf/050-plugin-crowdsec-bouncer.yml):http: middlewares: crowdsec-bouncer: plugin: crowdsec-bouncer-traefik-plugin: CrowdsecLapiKey: "...YOUR CROWDSEC LAPI KEY HERE..." Enabled: true(The name for this new middleware defined here is
crowdsec-bouncer. It uses thecrowdsec-bouncer-traefik-plugindefined in the previous step. Make sure these names match.)You can get the LAPI key by registering a new bouncer in CrowdSec.
And, finally, make sure all incoming traffic routes through the bouncer plugin. You can do this individually, or in general via the static config:
entryPoints: websecure: address: :443 http: middlewares: - crowdsec-bouncer@file - secure-headers@fileThe middlewares are processed top to bottom.
Any change to the static configuration requires a restart of Traefik to become active.
In addition to the explanation you got from the other user: once you’ve set up the bouncer middleware in the configs (don’t know if there even exists a good way to do that outside of the configs files), you simply assign the middleware in the compose file as usual.