Whitelisting IPs and Users in CrowdSec with Pangolin

This guide shows how to create a whitelist configuration for CrowdSec to prevent your IP addresses and users from being blocked.

Understanding CrowdSec Whitelisting

CrowdSec uses YAML configuration files to define whitelists. When properly configured, whitelisted IPs and users won’t trigger alerts or remediation actions even if they match attack patterns.

Creating and Applying the Whitelist

Since you’re using CrowdSec in a Docker container, the easiest way to add a whitelist is to create it on the host and copy it into the container:

1. Create a temporary whitelist file on your host

cat > /tmp/whitelists.yaml << 'EOF'
---
name: crowdsecurity/whitelists
description: "Whitelist configuration for trusted IPs and users"
whitelist:
  reason: "trusted sources"
  # Single addresses go under "ip:", ranges under "cidr:". CrowdSec refuses
  # to load a whitelist that lists a CIDR range under "ip:".
  ip:
    # Add your specific public IP address(es) here
    - "YOUR_PUBLIC_IP_ADDRESS"  # Replace with your actual public IP
  cidr:
    # Add your home/office network range(s) here
    - "192.168.1.0/24"    # Example: Internal network range
    - "10.0.0.0/8"        # Example: Another private range
    - "172.16.0.0/12"     # Example: Docker network range
    - "100.89.137.0/20"   # From Pangolin configuration

  # CrowdSec whitelists have no "username:" key. Users are whitelisted with an
  # expression instead (below); the fields available depend on the parser that
  # produced the event, so adjust evt.Parsed.username to match your logs.
  expression:
    # Don't trigger alerts from localhost. Meta.source_ip is the normalised
    # source address that the s01-parse parsers fill in for every event.
    - "evt.Meta.source_ip == '127.0.0.1'"
    # Don't trigger alerts from the Docker default bridge network
    - "evt.Meta.source_ip startsWith '172.17.'"
    # Don't trigger alerts for login attempts by trusted users
    - "evt.Parsed.program == 'auth' && evt.Parsed.username == 'admin'"
    - "evt.Parsed.program == 'auth' && evt.Parsed.username == 'YOUR_USERNAME'"  # Replace with your actual username
EOF

2. Edit the file to add your specific IPs

nano /tmp/whitelists.yaml

Replace YOUR_PUBLIC_IP_ADDRESS with your actual public IP address and YOUR_USERNAME with your actual username.

3. Copy the file to the CrowdSec container

docker cp /tmp/whitelists.yaml crowdsec:/etc/crowdsec/parsers/s02-enrich/

Note that both the file name and the name: value above match the hub's own crowdsecurity/whitelists parser. If that parser is already installed in your container, give your file a distinct file name and name: value (for example mylab/whitelists) so the two do not clash.

4. Restart the CrowdSec container to apply changes

docker restart crowdsec
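As an added example (not part of the original post, and not CrowdSec's own tooling), a small POSIX sh script that generates the step 1 file from a list of trusted addresses, sorting single IPs into ip: and ranges into cidr:, which is the split CrowdSec's whitelist format requires, and refusing unreplaced placeholders. The function names, the name mylab/whitelists and the sample addresses are my own; it handles IPv4 only.

```shell
#!/bin/sh
# Added example, not from the original post: builds a CrowdSec whitelist from
# a list of trusted sources. Single addresses go under "ip:", ranges under
# "cidr:" (a CIDR listed under "ip:" makes CrowdSec refuse the file), and
# unreplaced placeholders such as YOUR_PUBLIC_IP_ADDRESS are rejected so they
# never reach the container. IPv4 only (assumption, to keep the check short).
# Usage: gen_whitelist mylab/whitelists "trusted sources" 203.0.113.7 10.0.0.0/8 > /tmp/whitelists.yaml

# Classify one entry: prints "ip", "cidr" or "invalid".
classify_entry() {
  oct='([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])'
  ip4="$oct\\.$oct\\.$oct\\.$oct"
  if printf '%s\n' "$1" | grep -Eq "^$ip4\$"; then
    echo ip
  elif printf '%s\n' "$1" | grep -Eq "^$ip4/([0-9]|[12][0-9]|3[0-2])\$"; then
    echo cidr
  else
    echo invalid
  fi
}

# Emit the whitelist YAML on stdout. Returns 1 on the first invalid entry,
# so a broken file is never handed to docker cp.
gen_whitelist() {
  name="$1" reason="$2"; shift 2
  nl='
'
  ips='' cidrs=''
  for e in "$@"; do
    case "$(classify_entry "$e")" in
      ip)   ips="$ips    - \"$e\"$nl" ;;
      cidr) cidrs="$cidrs    - \"$e\"$nl" ;;
      *)    echo "invalid whitelist entry: $e" >&2; return 1 ;;
    esac
  done
  printf 'name: %s\ndescription: "generated whitelist"\nwhitelist:\n  reason: "%s"\n' \
    "$name" "$reason"
  if [ -n "$ips" ];   then printf '  ip:\n%s' "$ips"; fi
  if [ -n "$cidrs" ]; then printf '  cidr:\n%s' "$cidrs"; fi
}
```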

Verifying Whitelist Configuration

To check if your whitelist is properly loaded:

# Check whitelist status
docker exec crowdsec cscli parsers list | grep whitelist

Monitoring

You can check the CrowdSec logs to verify your IPs are being whitelisted:

docker logs crowdsec | grep -i whitelist

Additional Tips

  1. Dynamic IP addresses: If you have a dynamic public IP that changes frequently, consider adding an expression-based rule or updating the whitelist periodically.

  2. Traefik integration: Since you’re using Traefik with CrowdSec, the whitelist stops CrowdSec from creating decisions for those addresses, so the Traefik bouncer never receives a ban for your legitimate traffic. A whitelist does not remove bans that already exist; clear one with docker exec crowdsec cscli decisions delete -i YOUR_PUBLIC_IP_ADDRESS.

  3. Debugging: If you encounter issues with the whitelist not working:

    docker exec crowdsec cscli config show
    docker exec crowdsec cscli parsers inspect crowdsecurity/whitelists


Remember that whitelisting should be used carefully, as it can create security blind spots if misused. Only whitelist trusted IPs and users.

Consider Whitelist Placement:

  • Parser vs. PostOverflow:
    • Understand the difference between parser-level and postoverflow whitelists.
    • Parser-level whitelists (files in /etc/crowdsec/parsers/s02-enrich/, as in the steps above) drop matching events before any scenario sees them, so whitelisted sources never count towards a scenario's threshold.
    • Postoverflow whitelists (the same file format, placed in /etc/crowdsec/postoverflows/s01-whitelist/) run after a scenario has triggered and stop the resulting alert from becoming a decision.
    • Depending on your needs, you might need to use one or both.