Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.

My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?

Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.

Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.

  • Tournesol@feddit.frEnglish
    231·
    1 day ago

    I actually refrain from using Crowdsec since we found ourselves with a friend banning each other for no known reasons. (I swear I’m a good boy)

    • irmadlad@lemmy.worldEnglish
      131·
      23 hours ago

      As you probably know the crowdsec bouncer doesn’t directly parse logs or do checks like F2B filters. It queries the crowdsec LAPI for decisions and applies them. The “allowed” or “whitelisted” IP logic is handled at the Security Engine or LAPI level, not by the bouncer itself.

      You can whitelist an ip in /etc/crowdsec/whitelists.yaml or even whitelist decisions in the whitelist.yaml as such:

      name: private-ips
description: Whitelist local and private IPs
whitelist:
  reason: "Allow local and private IPs"
  ip:
    - "127.0.0.1"
    - "192.168.1.0/24"
  cidr:
    - "10.0.0.0/8"

      Then issue sudo systemctl reload crowdsec. Kind of the same concept as F2B’s ignoreip option. If you are using Tailscale to administer the server, then it’s easier to whitelist. IIRC, you can use cscli decisions add --type whitelist --ip 192.168.1.100 --duration 1y but it doesn’t add them to the whitelist.yaml. Instead it keeps them in crowdsec’s database managed by LAPI. To undo: cscli decisions delete --ip 192.168.1.100 --type whitelist

      https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/

      • Tournesol@feddit.frEnglish
        31·
        1 day ago

        I don’t have much to elaborate on ^^’ but yeah, could have been an hyper specific case but that was my experience with it. I assumed my ip was banned on the crowd or something like that and even if my friend unbanned me twice, the ban came back. Don’t know what really happened for sure.

        • just_another_person@lemmy.worldEnglish
          31·
          23 hours ago

          Ok…but crowdsec bans abusive IPs. Are you saying your actions got you banned for some reason?

          Also, whitelist first. Ban second.

          • Tournesol@feddit.frEnglish
            1·
            18 hours ago

            I truly don’t think I did anything to get banned. The only thing “non-standard” I do, is having a seedbox