Part 2 Configuring Crowdsec and bouncer integration with pangolin

1. CrowdSec Configuration Files

1.1 Configure acquis.yaml

Create or update /config/crowdsec/acquis.yaml:

filenames:
  - /var/log/auth.log
  - /var/log/syslog
labels:
  type: syslog
---
poll_without_inotify: false
filenames:
  - /var/log/traefik/*.log
labels:
  type: traefik
---
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: myAppSecComponent
source: appsec
labels:
  type: appsec

1.2 Configure Local API Credentials

Create /config/crowdsec/local_api_credentials.yaml:

url: http://0.0.0.0:8080
login: localhost
password: <generated_password>  # machine (watcher) password created by cscli lapi register / machines add; this is not the bouncer API key

1.3 Configure CrowdSec Profiles

Create /config/crowdsec/profiles.yaml:

name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
decisions:
  - type: captcha
    duration: 4h
on_success: break

---
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
on_success: break

---
name: default_range_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
  - type: ban
    duration: 4h
on_success: break
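Profile order matters here: the default_ip_remediation filter also matches every HTTP alert, so the captcha profile only wins because it comes first and ends with on_success: break. The following is an added example (not code from the guide or from CrowdSec) that simulates that walk over the three profiles above, with the expr filters rewritten as Python predicates:

```python
"""Added example (not part of the guide): simulate how CrowdSec walks profiles.yaml
top to bottom and, because every profile here ends with on_success: break,
applies only the first matching profile."""
from dataclasses import dataclass


@dataclass
class Alert:
    scope: str                # "Ip" or "Range", as returned by Alert.GetScope()
    scenario: str             # e.g. "crowdsecurity/http-probing"
    remediation: bool = True  # Alert.Remediation


# The three profiles from the guide, in file order; each filter mirrors the expr filter.
PROFILES = [
    {"name": "captcha_remediation",
     "filter": lambda a: a.remediation and a.scope == "Ip" and "http" in a.scenario,
     "decisions": [("captcha", "4h")], "on_success": "break"},
    {"name": "default_ip_remediation",
     "filter": lambda a: a.remediation and a.scope == "Ip",
     "decisions": [("ban", "4h")], "on_success": "break"},
    {"name": "default_range_remediation",
     "filter": lambda a: a.remediation and a.scope == "Range",
     "decisions": [("ban", "4h")], "on_success": "break"},
]


def evaluate(alert, profiles=PROFILES):
    """Return [(profile, decision_type, duration), ...]; empty if no profile matches."""
    applied = []
    for p in profiles:
        if not p["filter"](alert):
            continue
        applied += [(p["name"], kind, dur) for kind, dur in p["decisions"]]
        if p["on_success"] == "break":  # stop here; later profiles are not consulted
            break
    return applied


if __name__ == "__main__":
    for a in (Alert("Ip", "crowdsecurity/http-probing"),
              Alert("Ip", "crowdsecurity/ssh-bf"),
              Alert("Range", "crowdsecurity/http-probing")):
        print(a, "->", evaluate(a))
    # Swapping the first two profiles bans HTTP scanners outright instead of serving
    # a captcha, because default_ip_remediation matches every Ip-scoped alert.
    swapped = [PROFILES[1], PROFILES[0], PROFILES[2]]
    print("swapped order ->", evaluate(Alert("Ip", "crowdsecurity/http-probing"), swapped))
```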

2. Traefik Integration

2.1 Configure Dynamic Config

Create or update /config/traefik/dynamic_config.yml:

http:
  middlewares:
    crowdsec:
      plugin:
        crowdsec:
          enabled: true
          logLevel: INFO
          updateIntervalSeconds: 15
          defaultDecisionSeconds: 15
          crowdsecMode: live
          crowdsecAppsecEnabled: true
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: "<bouncer_key>"
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          captchaProvider: turnstile
          captchaSiteKey: "<your_turnstile_site_key>"
          captchaSecretKey: "<your_turnstile_secret_key>"
          captchaGracePeriodSeconds: 1800
          forwardedHeadersTrustedIPs:
            - "0.0.0.0/0"
          clientTrustedIPs:
            - "10.0.0.0/8"
            - "172.16.0.0/12"
            - "192.168.0.0/16"
            - "100.89.137.0/20"

2.2 Update Traefik Configuration

Modify /config/traefik/traefik_config.yml:

experimental:
  plugins:
    crowdsec:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.3.5"

log:
  level: "INFO"
  format: "json"

accessLog:
  filePath: "/var/log/traefik/access.log"
  format: json

3. Setup CrowdSec Bouncer

3.1 Add Traefik Bouncer

# Add bouncer and save the API key
docker exec crowdsec cscli bouncers add traefik-bouncer

3.2 Update Configuration

Take the generated bouncer key and update:

  1. /config/traefik/dynamic_config.yml - Update crowdsecLapiKey
  2. /config/crowdsec/local_api_credentials.yaml - Update password
     My mistake, I had to elaborate a bit more; a user has corrected it (the password update method).

4. Configure Turnstile Captcha

4.1 Get Turnstile Credentials

  1. Go to Cloudflare Dashboard
  2. Add a new Turnstile site
  3. Get site key and secret key

4.2 Update Configuration

Update in /config/traefik/dynamic_config.yml:

captchaSiteKey: "<your_turnstile_site_key>"
captchaSecretKey: "<your_turnstile_secret_key>"

5. Verification and Testing

5.1 Verify Bouncer Configuration

# List bouncers
docker exec crowdsec cscli bouncers list

# Check bouncer metrics
curl http://localhost:6060/metrics | grep bouncer

5.2 Test Decisions

# Add test ban
docker exec crowdsec cscli decisions add -i 1.2.3.4 -t ban -d 1h

# Add test captcha
docker exec crowdsec cscli decisions add --ip 1.2.3.4 --type captcha -d 1h

# List decisions
docker exec crowdsec cscli decisions list

5.3 Monitor Logs

# Monitor CrowdSec logs
docker exec -it crowdsec tail -f /var/log/crowdsec.log

# Monitor Traefik logs
docker compose logs traefik -f

6. Troubleshooting

6.1 Common Issues

  1. Bouncer Connection Issues:

     # Check bouncer status
     docker exec crowdsec cscli bouncers list

     # Verify API credentials
     docker exec crowdsec cat /etc/crowdsec/local_api_credentials.yaml

  2. Log Access Problems:

     # Check log permissions
     docker exec -it crowdsec ls -l /var/log/traefik

  3. Captcha Issues:

     # Verify captcha configuration
     grep -r "captcha" /config/traefik/dynamic_config.yml

6.2 Reset Steps

If needed, you can reset the bouncer:

# Remove bouncer
docker exec crowdsec cscli bouncers delete traefik-bouncer

# Add new bouncer
docker exec crowdsec cscli bouncers add traefik-bouncer

# Restart services
docker compose restart traefik crowdsec

Next Steps

After completing bouncer setup:

  1. Configure advanced security policies (Part 3)
  2. Implement custom rules and scenarios
  3. Set up alerts and notifications
  4. Fine-tune captcha and ban settings

Part 3 Testing and advanced configuration of Crowdsec with Pangolin - Networking - HHF Technology Forums

crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="Loaded 81 inband rules" component=appsec_config name=myAppSecComponent type=appsec
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="Created 1 appsec runners" name=myAppSecComponent type=appsec
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="127.0.0.1 - [Sat, 08 Mar 2025 03:07:57 UTC] \"POST /v1/watchers/login HTTP/1.1 401 95.948457ms \"crowdsec/v1.6.5-72b4354b-docker\" \""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="attempt 1 out of 2"
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="127.0.0.1 - [Sat, 08 Mar 2025 03:07:57 UTC] \"POST /v1/watchers/login HTTP/1.1 401 81.914516ms \"crowdsec/v1.6.5-72b4354b-docker\" \""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="attempt 2 out of 2"
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="127.0.0.1 - [Sat, 08 Mar 2025 03:07:57 UTC] \"POST /v1/watchers/login HTTP/1.1 401 81.353705ms \"crowdsec/v1.6.5-72b4354b-docker\" \""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="max attempts reached for status code 401"
crowdsec  | time="2025-03-08T03:07:57Z" level=fatal msg="unable to start crowdsec routines: authenticate watcher (localhost): API error: incorrect Username or Password"

Important!!! In point 3.2 Update Configuration, step 2 (/config/crowdsec/local_api_credentials.yaml - Update password): DO NOT CHANGE THE ONE in Pangolin 1.1.0 with CrowdSec integration because it breaks, so you have to create the machine as indicated here:

  • docker exec crowdsec cscli machines list
  • docker exec crowdsec cscli machines delete localhost
  • docker exec crowdsec cscli lapi register --machine localhost --url http://0.0.0.0:8080
  • docker exec crowdsec cscli machines validate localhost
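As an added example (not part of the thread), here is a small log check that recognises the watcher-login failure quoted above and maps it to the re-registration steps from this reply; the sample lines are constructed to match the quoted log format:

```python
"""Added example, not from the thread: scan CrowdSec container log lines for a
watcher login failure and report the machine re-registration steps."""
import re

# Constructed sample in the format quoted in the thread.
SAMPLE_LOG = r"""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="Loaded 81 inband rules" component=appsec_config name=myAppSecComponent type=appsec
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="127.0.0.1 - [Sat, 08 Mar 2025 03:07:57 UTC] \"POST /v1/watchers/login HTTP/1.1 401 95.948457ms \"crowdsec/v1.6.5-72b4354b-docker\" \""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="attempt 1 out of 2"
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="127.0.0.1 - [Sat, 08 Mar 2025 03:07:57 UTC] \"POST /v1/watchers/login HTTP/1.1 401 81.914516ms \"crowdsec/v1.6.5-72b4354b-docker\" \""
crowdsec  | time="2025-03-08T03:07:57Z" level=info msg="attempt 2 out of 2"
crowdsec  | time="2025-03-08T03:07:57Z" level=fatal msg="unable to start crowdsec routines: authenticate watcher (localhost): API error: incorrect Username or Password"
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

# A 401 on the watcher login endpoint: LAPI rejected the machine credentials.
LOGIN_401 = re.compile(r"POST /v1/watchers/login HTTP/1\.1 401\b")
# The fatal line names the machine (the login: value in local_api_credentials.yaml).
FATAL_AUTH = re.compile(r"level=fatal .*authenticate watcher \((?P<machine>[^)]+)\).*incorrect Username or Password")


def diagnose(lines):
    """Summarise watcher-auth failures; 'advice' stays empty when the log looks healthy."""
    result = {"login_401": 0, "fatal_auth": False, "machine": None, "advice": []}
    for line in lines:
        if LOGIN_401.search(line):
            result["login_401"] += 1
        m = FATAL_AUTH.search(line)
        if m:
            result["fatal_auth"] = True
            result["machine"] = m.group("machine")
    if result["login_401"] or result["fatal_auth"]:
        machine = result["machine"] or "localhost"
        # The password in local_api_credentials.yaml must belong to a registered machine;
        # re-register it instead of editing the password by hand (steps from the thread).
        result["advice"] = [
            "docker exec crowdsec cscli machines list",
            f"docker exec crowdsec cscli machines delete {machine}",
            f"docker exec crowdsec cscli lapi register --machine {machine} --url http://0.0.0.0:8080",
            f"docker exec crowdsec cscli machines validate {machine}",
        ]
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```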

thank you for pointing it out


What are these? My install has none of these files, neither in the Traefik nor the CrowdSec container.

This is ABSOLUTELY confusing.

I'm not sure which one of you is the most vague.

Please explain it in a procedural manner. Pangolin devs must be really stupid or just don't care, because the installer generates a password in the local_api file, but no bouncer, and the bouncer API key is left with a placeholder in the config file.

To clarify for others coming here, I don't think you need to change that password in the first place (I'm running 1.2.0 and alerts show on the CrowdSec console).

This guide is separate from what Pangolin offers as a base installation. It is my setup. I don't know what you will have as setup files. You can't mix the two.

Either you set it up this way or you use the Pangolin default install. So yes, no one is vague.
Plus I don't use 8080 as the API port. That is also a major difference. So use the files I have attached and then you can take it from there.
Plus this guide is from well before Pangolin implemented CrowdSec, so that point also applies.

After the CrowdSec update, things have also changed a bit regarding allowlists. Just an FYI.


If people are using my guide they will have to, if you do the migration.

It's a basic install. You are supposed to manage it. It doesn't configure it for you.
And please be respectful to the devs.
You can point out issues, but don't be disrespectful; you will be removed from the forum. This is not Reddit.