Awesome, that makes a lot of sense, cheers. So I’ll install the CrowdSec agent on the Nginx Proxy Manager, and potentially also on the servers.
Comment on CrowdSec vs Fail2Ban - What to use?
SirMaple__@lemmy.ca 3 days ago
CrowdSec with a central LAPI server. You should install it on the servers themselves to monitor the application logs directly. Then every bouncer (firewall, router, edge device) connected to the LAPI will block the same IPs. I got sick of repeat offenders and upped the ban time to 1 year (in hours).
Matty_r@programming.dev 3 days ago
SirMaple__@lemmy.ca 2 days ago
No problem. It’s a great piece of software. I have it monitoring logs for Nextcloud, Vaultwarden, mailcow (Postfix & Dovecot) and basic nginx proxies (just to be safe and for rate limiting). I have 4 OPNsense and 1 Debian bouncers.
I had an issue with this, so a note about setting up the bouncer on OPNsense. If you have the LAPI on a different machine you can currently only connect OPNsense to it using the command line. The LAPI options in the web interface are for defining the interface to bind to and running the LAPI on OPNsense itself. Which isn’t an issue, I just wanted it on a VM so it’s easier to keep online instead of it going down if the OPNsense it’s on fails. Plus I like to keep SSH disabled on my OPNsense devices, and I spend a bit of time using cscli on the LAPI VM from time to time.
Matty_r@programming.dev 2 days ago
Cheers, I’ve since discovered that it’s “bouncers” that I want on the endpoints, i.e. on my Nginx Proxy Manager. I’ll just use the LAPI on the OPNsense box for now I think.
mbirth@lemmy.ml 3 days ago
I’ve recently enabled banning whole subnets if more than 3 malicious actors from that subnet are on the blocklist. This is great for all those DigitalOcean droplets and other cheap hosters used by those people…
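The subnet aggregation described in the comment above (ban a whole subnet once more than 3 hosts from it are on the block list) and the one-year ban duration mentioned earlier in the thread, as an added worked example that is not part of the original thread or of CrowdSec itself. The script groups a constructed list of already-banned addresses by /24 (IPv4) or /48 (IPv6), emits the ranges that exceed the threshold, and formats them as `cscli decisions add --range … --duration 8760h` commands. The sample addresses are constructed (documentation ranges), the threshold and prefix lengths are assumptions, and the exact `cscli` flags should be checked against `cscli decisions add --help` on the LAPI host before use.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (RFC 5737 / RFC 3849 documentation ranges), not real CrowdSec data.
SAMPLE_BANNED_IPS = [
    "203.0.113.5", "203.0.113.17", "203.0.113.200", "203.0.113.77",  # 4 hosts in one /24
    "198.51.100.9", "198.51.100.10",                                   # only 2 hosts, below threshold
    "192.0.2.1",                                                       # lone host
    "2001:db8:abcd::1", "2001:db8:abcd::2",
    "2001:db8:abcd::3", "2001:db8:abcd::4",                            # 4 hosts in one /48
    "not-an-ip",                                                       # malformed line, skipped
]

ONE_YEAR = "8760h"  # 365 days expressed in hours, the unit cscli durations are usually given in


def aggregate_subnets(ips, threshold=3, v4_prefix=24, v6_prefix=48):
    """Return the networks (as strings) that contain MORE THAN `threshold` distinct banned hosts.

    Prefix lengths are assumptions for this example; the thread itself reports CrowdSec
    choosing much larger ranges (/13, /12, /10) from its own data.
    """
    hosts_per_net = defaultdict(set)
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # skip malformed entries instead of aborting the run
        prefix = v4_prefix if addr.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        hosts_per_net[net].add(addr)  # a set, so repeated lines do not inflate the count

    offenders = [net for net, hosts in hosts_per_net.items() if len(hosts) > threshold]
    # Sort IPv4 before IPv6 (mixed-version networks are not directly comparable).
    offenders.sort(key=lambda n: (n.version, n))
    return [str(n) for n in offenders]


def cscli_commands(networks, duration=ONE_YEAR, reason="subnet-aggregation"):
    """Format one `cscli decisions add --range` command per network (assumed flag set)."""
    return [
        f"cscli decisions add --range {net} --duration {duration} --reason {reason}"
        for net in networks
    ]


if __name__ == "__main__":
    for cmd in cscli_commands(aggregate_subnets(SAMPLE_BANNED_IPS)):
        print(cmd)
```

Run it against a real list by replacing `SAMPLE_BANNED_IPS` with the output of `cscli decisions list`, and review the ranges before adding them: a /24 of a cloud provider is still a coarse decision, which is exactly the concern raised further down the thread about accidentally blocking a mail provider's outbound servers.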
SirMaple__@lemmy.ca 3 days ago
I’ve been thinking about going this route. What size subnet are you blocking? /24?
Only thing stopping me is I self-host email and don’t want to ban, say, a whole subnet from Microsoft/Azure and end up blocking the outgoing servers for O365. I’m sure I can dig around and look at the prefixes to see which are used for which of their services, just haven’t had the time yet.
mbirth@lemmy.ml 3 days ago
I let CrowdSec determine that. I’m seeing /13, /12 and even /10 in my decisions list. All seem to be Amazon AWS ranges.
sudneo@lemm.ee 3 days ago
Wow, those are big networks. Obviously I suppose in the case of AWS it doesn’t matter, as no human visitor (except maybe some VPN connection?) will visit from there.
As someone who bans /32 IPs only, is the main advantage resource consumption?