Create crowdsec.conf

config/action.d/crowdsec.conf

@@ -0,0 +1,122 @@
+# Crowdsec configuration file
+#
+# Action to report IP address to Crowdsec local API
+#
+# NOTE: These reports may include sensitive Info.
+#
+# IMPORTANT: This action relies on a credentials being added to the above action conf,
+# and the appropriate categories set.
+#
+# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
+# action = %(known/action)s
+# crowdsec[lapi_url="http://local-api:8080", machine_id="ReverseProxy", password="******"]
+#
+
+[Definition]
+
+# bypass action for restored tickets
+norestored = 1
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+#
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = <lookup-<lookup>/lookupinfo>
+ TIME=$(LC_ALL=C date -d "@<time>" +"%%Y-%%m-%%dT%%H:%%M:%%S%%:z")
+ JSON_STRING=$(/usr/bin/jq -s -R -n \
+ --arg ip "<ip>" \
+ --arg scenario "fail2ban/<name>" \
+ --arg msg "Ip <ip> performed illegal connection attempt." \
+ --arg bantime "<bantime>s" \
+ --arg ti "$TIME" \
+ --arg cn "$WHOIS_COUNTRY" \
+ --arg an "$WHOIS_ASN" \
+ --arg nm "$WHOIS_ASNAME" \
+ '[{
+ "scenario": $scenario,
+ "scenario_hash": "",
+ "scenario_version": "0.1",
+ "message": $msg,
+ "events_count": 1,
+ "start_at": $ti,
+ "stop_at": $ti,
+ "capacity": 0,
+ "leakspeed": "0s",
+ "simulated": false,
+ "events": [
+ {
+ "timestamp": $ti,
+ "meta": [
+ {
+ "key": "source_ip",
+ "value": $ip
+ }
+ ]
+ }
+ ],
+ "remediation": true,
+ "decisions": [
+ {
+ "origin": "fail2ban",
+ "type": "ban",
+ "scope": "Ip",
+ "value": $ip,
+ "duration": $bantime,
+ "scenario": $scenario
+ }
+ ],
+ "source": {
+ "scope": "Ip",
+ "value": $ip,
+ "ip": $ip,
+ "range": "",
+ "as_number": $an,
+ "as_name": $nm,
+ "cn": $cn }}]')
+ nohup curl -H "Authorization: Bearer $(curl -s -X POST -H 'Content-Type: application/json' -d '{"machine_id": "<machine_id>","password": "<password>"}' <lapi_url>/v1/watchers/login | jq -r ".token")" -X POST <lapi_url>/v1/alerts -H 'Content-Type: application/json' -d "$JSON_STRING" > /dev/null 2>&1
+
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
+
+# Option `lookup` (default `none`) - supply `whois` to perform a lookup for country and ASN using whois command
+lookup = none
+
+[lookup-none]
+lookupinfo = WHOIS_COUNTRY=''
+ WHOIS_ASN=''
+ WHOIS_ASNAME=''
+
+[lookup-whois]
+lookupinfo = WHOIS_RESULT=$(whois <ip>)
+ WHOIS_COUNTRY=$(echo "$WHOIS_RESULT" | grep -a -i -m 1 Country | sed -n -e 's/^.*[Cc]ountry:\s*//p')
+ WHOIS_ASN=$(echo "$WHOIS_RESULT" | grep -a -i Origin | tail -1 | sed -n -e 's/^.*[Oo]rigin.*:\s*AS//p')
+ WHOIS_ASNAME=$(echo "$WHOIS_RESULT" | grep -a netname | tail -1 | sed -n -e 's/^.*netname:\s*//p')
+
+[Init]