CrowdSec is an open-source, distributed IPS-like system which consists of:
- a LAPI server which holds the locally blocked IPs and can get/send IPs from/to the CrowdSec Central API
- an agent that monitors logfiles for anomalies and sends the offending IPs to the LAPI
- bouncers which get the blocked IPs from the LAPI and take action accordingly (create an nft rule, update the HAProxy config, etc.)
My idea would be to use a bouncer only on VyOS. So in order to make this useful, one needs to run their own LAPI somewhere and connect VyOS to it.
Just like sshguard does, it can create its own IPv4/IPv6 table with the needed chains and update that when needed. That way, all traffic is dynamically blocked by CrowdSec.
Configuring could be done like:
set service ips crowdsec disable
set service ips crowdsec update-frequency 10s
set service ips crowdsec api-url https://api.server.tld:8080/
set service ips crowdsec api-key xxxxx
And the config yaml:
mode: nftables
pid_dir: /var/run/
update_frequency: {% update-frequency %}
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: {% api-url %}
api_key: {% api-key %}
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
deny_log_prefix: "crowdsec: "
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain

If this is a feature that is wanted, I can have a stab at it to see how far I can get.
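To make the nftables-mode behaviour described above concrete, here is an added example (not code from the post, from VyOS or from the CrowdSec firewall bouncer) that turns the proposed YAML settings into the nft commands a bouncer would issue: one-time bootstrap of the `crowdsec`/`crowdsec6` tables, sets and chains with the `deny_action`, `deny_log` and `deny_log_prefix` settings applied, and then per-decision set updates from a decision stream. The decision stream is a constructed sample whose shape is assumed to resemble the LAPI stream response (`new`/`deleted` lists of decisions with `type`, `value`, `duration`); the chain's `hook input priority 0` and the rounding of fractional-second durations are assumptions the post does not specify. Only `ban` decisions are applied, matching `supported_decisions_types`, and non-IP values are skipped rather than passed to nft.

```python
from __future__ import annotations

import ipaddress
import json
import re

# Subset of the proposed bouncer YAML (values taken from the post).
CONFIG = {
    "deny_action": "DROP",
    "deny_log": False,
    "deny_log_prefix": "crowdsec: ",
    "supported_decisions_types": ["ban"],
    "v4": {"table": "crowdsec", "chain": "crowdsec-chain", "set": "crowdsec-blacklists"},
    "v6": {"table": "crowdsec6", "chain": "crowdsec6-chain", "set": "crowdsec6-blacklists"},
}

# Constructed sample, shaped like a LAPI decision stream (assumption, not a real capture).
SAMPLE_STREAM = json.dumps({
    "new": [
        {"id": 1, "type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "duration": "3h59m59.5s", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "type": "ban", "scope": "Ip", "value": "2001:db8::9",
         "duration": "1h", "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "type": "captcha", "scope": "Ip", "value": "198.51.100.4",
         "duration": "1h", "scenario": "crowdsecurity/http-crawl"},
        {"id": 4, "type": "ban", "scope": "Ip", "value": "not-an-ip",
         "duration": "1h", "scenario": "constructed/bad-value"},
    ],
    "deleted": [
        {"id": 5, "type": "ban", "scope": "Ip", "value": "192.0.2.250",
         "duration": "-10s", "scenario": "crowdsecurity/ssh-bf"},
    ],
})


def bootstrap_rules(cfg: dict = CONFIG) -> list[str]:
    """nft commands that create the tables, sets and chains once (like sshguard does)."""
    out: list[str] = []
    for family, names in (("ip", cfg["v4"]), ("ip6", cfg["v6"])):
        addr_type = "ipv4_addr" if family == "ip" else "ipv6_addr"
        table, chain, blset = names["table"], names["chain"], names["set"]
        out.append(f"add table {family} {table}")
        # Timeout flag so each element expires with its decision duration.
        out.append(f"add set {family} {table} {blset} {{ type {addr_type}; flags timeout; }}")
        # ASSUMPTION: input hook at priority 0; the post does not state hook or priority.
        out.append(f"add chain {family} {table} {chain} "
                   f"{{ type filter hook input priority 0; policy accept; }}")
        if cfg["deny_log"]:
            out.append(f'add rule {family} {table} {chain} {family} saddr @{blset} '
                       f'log prefix "{cfg["deny_log_prefix"]}"')
        out.append(f"add rule {family} {table} {chain} {family} saddr @{blset} "
                   f"{cfg['deny_action'].lower()}")
    return out


def _nft_timeout(duration: str) -> str:
    """nft timeouts take whole seconds; drop a fractional part such as '59.5s' -> '59s'."""
    return re.sub(r"(\d+)\.\d+s", r"\1s", duration)


def decisions_to_rules(stream_json: str, cfg: dict = CONFIG) -> tuple[list[str], list[str]]:
    """Translate a decision stream into nft element add/delete commands.

    Returns (commands, skipped) where skipped lists decisions that were not applied
    and why (unsupported decision type, value that is not a single IP address).
    """
    data = json.loads(stream_json)
    cmds: list[str] = []
    skipped: list[str] = []
    for action, key in (("add", "new"), ("delete", "deleted")):
        for dec in data.get(key, []):
            if dec.get("type") not in cfg["supported_decisions_types"]:
                skipped.append(f"{dec.get('value')}: unsupported type {dec.get('type')}")
                continue
            try:
                addr = ipaddress.ip_address(dec["value"])
            except ValueError:
                skipped.append(f"{dec.get('value')}: not an IP address")
                continue
            family, names = ("ip", cfg["v4"]) if addr.version == 4 else ("ip6", cfg["v6"])
            elem = f"{addr} timeout {_nft_timeout(dec['duration'])}" if action == "add" else str(addr)
            cmds.append(f"{action} element {family} {names['table']} {names['set']} {{ {elem} }}")
    return cmds, skipped


if __name__ == "__main__":
    # The output is an nft script; a bouncer would feed it to `nft -f -`.
    print("\n".join(bootstrap_rules()))
    applied, not_applied = decisions_to_rules(SAMPLE_STREAM)
    print("\n".join(applied))
    for reason in not_applied:
        print(f"# skipped {reason}")
```

The bootstrap commands are idempotent (`add table`/`add set`/`add chain` succeed when the object already exists), so a bouncer can safely re-run them on every start; the decision commands are the only part that changes at each `update_frequency` tick.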