CrowdSec is an open-source, distributed IPS-like system which consists of
- a LAPI server, which holds the locally blocked IPs and can send IPs to, and receive IPs from, the CrowdSec Central API
- an agent, which monitors log files for anomalies and reports the offending IPs to the LAPI
- bouncers, which fetch the blocked IPs from the LAPI and act on them (create an nft rule, update the HAProxy config, etc.)
My idea would be to use a bouncer only on VyOS. So in order to make this useful, one needs to run their own LAPI somewhere and connect VyOS to it.
Just like sshguard does, it can create its own IPv4/IPv6 table with the needed chains and update that when needed. That way, all traffic is dynamically blocked by CrowdSec.
Configuring could be done like:
    set service ips crowdsec disable
    set service ips crowdsec update-frequency 10s
    set service ips crowdsec api-url https://api.server.tld:8080/
    set service ips crowdsec api-key xxxxx
And the config yaml:
    mode: nftables
    pid_dir: /var/run/
    update_frequency: {% update-frequency %}
    daemonize: true
    log_mode: file
    log_dir: /var/log/
    log_level: info
    log_compression: true
    log_max_size: 100
    log_max_backups: 3
    log_max_age: 30
    api_url: {% api-url %}
    api_key: {% api-key %}
    insecure_skip_verify: false
    disable_ipv6: false
    deny_action: DROP
    deny_log: false
    supported_decisions_types:
      - ban
    deny_log_prefix: "crowdsec: "
    blacklists_ipv4: crowdsec-blacklists
    blacklists_ipv6: crowdsec6-blacklists
    ## nftables
    nftables:
      ipv4:
        enabled: true
        set-only: false
        table: crowdsec
        chain: crowdsec-chain
      ipv6:
        enabled: true
        set-only: false
        table: crowdsec6
        chain: crowdsec6-chain
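As an added example (not code from the original post or from VyOS/CrowdSec), here is a small Python sketch of how the proposed `set service ips crowdsec ...` lines could be parsed, validated and rendered into the bouncer YAML template; the `{% ... %}` placeholder syntax, the `parse_cli`/`render` helpers and the https-only check are assumptions of this sketch.

```python
"""Render the crowdsec-firewall-bouncer config from VyOS-style 'set' commands."""
import re
from typing import Dict

# Constructed sample of the proposed CLI commands (api-key is a placeholder).
CLI_INPUT = """\
set service ips crowdsec update-frequency 10s
set service ips crowdsec api-url https://api.server.tld:8080/
set service ips crowdsec api-key REPLACE_WITH_BOUNCER_KEY
"""

# Subset of the bouncer template above; {% name %} placeholders are assumed syntax.
TEMPLATE = """\
mode: nftables
update_frequency: {% update-frequency %}
api_url: {% api-url %}
api_key: {% api-key %}
insecure_skip_verify: false
deny_action: DROP
"""

_SET_RE = re.compile(r"^set service ips crowdsec (\S+)(?: (.+))?$")
_DURATION_RE = re.compile(r"^\d+[smh]$")  # Go-style durations the bouncer accepts

def parse_cli(text: str) -> Dict[str, str]:
    """Turn 'set service ips crowdsec <key> [value]' lines into a dict."""
    cfg: Dict[str, str] = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = _SET_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        key, value = m.group(1), m.group(2)
        cfg[key] = value if value is not None else "true"  # valueless 'disable'
    return cfg

def validate(cfg: Dict[str, str]) -> None:
    """Reject incomplete or unsafe settings before anything is written to disk."""
    for req in ("api-url", "api-key"):
        if not cfg.get(req):
            raise ValueError(f"{req} is required")
    # Assumed hardening: the key is a bearer credential, so refuse plaintext LAPI URLs.
    if not cfg["api-url"].startswith("https://"):
        raise ValueError("api-url must use https")
    if not _DURATION_RE.match(cfg.get("update-frequency", "10s")):
        raise ValueError("update-frequency must look like 10s, 1m or 1h")

def render(cfg: Dict[str, str]) -> str:
    """Validate, apply the 10s default, and substitute every placeholder."""
    validate(cfg)
    merged = {"update-frequency": "10s", **cfg}
    return re.sub(r"\{% (\S+) %\}", lambda m: merged[m.group(1)], TEMPLATE)
```

Running `render(parse_cli(CLI_INPUT))` yields the filled-in YAML; a `disable` line parses to `disable: true` so the caller can skip rendering entirely.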
If this is a feature that is wanted, I can have a stab at it to see how far I can get.