Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.

My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?

Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.

Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.

Edit 2: So after having it up and running for the better part of a day, i’m going to remove it again. For some reason there was a performance impact loading websites, probably because it was waiting for a response from the Crowdsec hub? Either way, after stopping it from running everything is back to normal again. So I might revisit how I do it and probably try Fail2Ban now instead. Thanks everybody

  • betterdeadthanreddit@lemmy.worldEnglish
    1·
    20 days ago

    CrowSec, it’s not one that you mentioned but once they locate the source of the malicious traffic, they send out a murder of trained attack birds to resolve the issue.

  • Tournesol@feddit.frEnglish
    1·
    21 days ago

    I actually refrain from using Crowdsec since we found ourselves with a friend banning each other for no known reasons. (I swear I’m a good boy)

      • Tournesol@feddit.frEnglish
        1·
        21 days ago

        I don’t have much to elaborate on ^^’ but yeah, could have been an hyper specific case but that was my experience with it. I assumed my ip was banned on the crowd or something like that and even if my friend unbanned me twice, the ban came back. Don’t know what really happened for sure.

        • just_another_person@lemmy.worldEnglish
          01·
          20 days ago

          Ok…but crowdsec bans abusive IPs. Are you saying your actions got you banned for some reason?

          Also, whitelist first. Ban second.

          • Tournesol@feddit.frEnglish
            1·
            20 days ago

            I truly don’t think I did anything to get banned. The only thing “non-standard” I do, is having a seedbox

    • irmadlad@lemmy.worldEnglish
      0·
      20 days ago

      As you probably know the crowdsec bouncer doesn’t directly parse logs or do checks like F2B filters. It queries the crowdsec LAPI for decisions and applies them. The “allowed” or “whitelisted” IP logic is handled at the Security Engine or LAPI level, not by the bouncer itself.

      You can whitelist an ip in /etc/crowdsec/whitelists.yaml or even whitelist decisions in the whitelist.yaml as such:

      name: private-ips
description: Whitelist local and private IPs
whitelist:
  reason: "Allow local and private IPs"
  ip:
    - "127.0.0.1"
    - "192.168.1.0/24"
  cidr:
    - "10.0.0.0/8"

      Then issue sudo systemctl reload crowdsec. Kind of the same concept as F2B’s ignoreip option. If you are using Tailscale to administer the server, then it’s easier to whitelist. IIRC, you can use cscli decisions add --type whitelist --ip 192.168.1.100 --duration 1y but it doesn’t add them to the whitelist.yaml. Instead it keeps them in crowdsec’s database managed by LAPI. To undo: cscli decisions delete --ip 192.168.1.100 --type whitelist

      https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/

      • Matty_r@programming.devOPEnglish
        0·
        19 days ago

        With the bouncer setup, I assume I need to pass in where to look for logs or something for those to be passed into the lapi? I followed this CrowdSec and Nginx Proxy Manager , as far as I can tell everything is connected an running, I have crowdsec running on OpnSense via the plugin - it appears to be healthy as per the CrowdSec Console.

        npm  | [nginx       ] nginx: [error] [lua] crowdsec.lua:62: init(): error loading captcha plugin: no recaptcha site key provided, can't use recaptcha       
npm  | [nginx       ] nginx: [error] [lua] ban.lua:37: new(): BAN_TEMPLATE_PATH and REDIRECT_LOCATION variable are empty, will return HTTP 403 for ban decisions
npm  | [nginx       ] nginx: [alert] [lua] crowdsec_openresty.conf:5):11: [Crowdsec] Initialisation done                                                    
npm  | [supervisor  ] starting service 'app'...                                                                                                             
npm  | [app         ] [5/5/2025] [11:26:30 PM] [Global   ] › ℹ  info      Using Sqlite: /data/database.sqlite                                               
npm  | [supervisor  ] all services started.
        • irmadlad@lemmy.worldEnglish
          0·
          18 days ago

          Hey bro. I apologize for getting back to you so late. Did you ever get this resolved? I’m not hugely knowledgeable about the intricacies of nginx. I went with Caddy, but there is probably some commonality between the two. lmk

          • Matty_r@programming.devOPEnglish
            1·
            18 days ago

            All good, yea its because I need crowdsec installed on the proxy as well - not just the bouncer - in order to actually send the logs to Opnsense.

            I ended up having some weird performance issues so I pulled it all out for now and will revisit another time.

  • SayCyberOnceMore@feddit.ukEnglish
    1·
    20 days ago

    Crowdsec will block external, public, IPs

    Fail2Ban will block login attempts (ie from anywhere)

    I have a similar setup with pfSense, pfBlockerNG, HAProxy, etc, but I keep F2B running on my DMZ server in case something is ever compromised as it’ll block / slow down anyone trying to move around the network.

  • dan@upvote.auEnglish
    1·
    20 days ago

    Crowdsec is much more efficient than fail2ban. Fail2ban is a lot of old single-threaded Python code with inefficient log parsing/tailing routines. Crowdsec is a more modern Go codebase.

    If you’re looking at old-school solutions, there’s also DenyHosts.

  • Noggog@programming.devEnglish
    0·
    20 days ago

    I’ve been using crowdsec … but I’ve yet to see anyone banned but myself so far. Is everyone else having to write tons of whitelist parsers? I could whitelist my IP but I feel like that’s sidestepping the issue and doesn’t address friends/family also getting banned, coffeeshops, etc.

    Feels like I’m missing something as so far it’s been quite a pain to configure

      • Noggog@programming.devEnglish
        1·
        20 days ago

        It’s set up on the same box as my caddy install. I believe it’s getting passed the real IP because that’s what gets banned, and what I type in to unban it.

        It just sees normal operations as http probing. Like if some other service goes down, my GetHomepage will then 404 and that’s seen as probing. It bans surprisingly quick. Even after just one or two events (normal for someone just visiting the homepage) it’ll just kick em right out

        I’ve been having to inspect every alert and hand write whitelist parsers to whitelist 404s or whatever it may be for that app. Slowly accumulating a workable collection… but seems like I’m missing something as no one else seems to complain about this in threads like these

        Another example is my brother got banned for normal audiobookshelf usage. He just thought the server was buggy. It was just blocking him without us really noticing or thinking much of it at the time. Not great