CrowdSec and Fail2ban
I’ve been using Fail2ban for some months now, but after some investigation into how CrowdSec works, I think the two can work pretty well together.
CrowdSec blocks community-flagged malicious IPs, and Fail2ban helps by blocking new malicious IPs that CrowdSec has not flagged yet but are nevertheless attacking your server(s).
I won’t describe how to install or configure CrowdSec, or how to install Fail2ban. We’ll focus on the Fail2ban configuration for this specific case.
Basically, we’ll configure a Fail2ban action that adds new IPs to CrowdSec’s decision list. This action is used by one or more jails (I actually set it as the default action for all of my jails). The action then runs each time a log event matches a regex in a filter used by a jail.
We’ll start by creating a new action file in /etc/fail2ban/action.d:
vi /etc/fail2ban/action.d/my_custom_action.local
And paste the following code:
[INCLUDES]
## Here you can include some other action files
[Definition]
## This blocks the new IP for the next 4 hours.
## The decision's reason will be the jail's name.
actionban = /usr/bin/cscli decisions add --ip <ip> --duration 4h --reason <name>
## You can add an unban action, but CrowdSec removes the decision
## automatically once its duration expires.
actionunban =
Then we can add this new action, named my_custom_action (the file name without .local), to the jail that should trigger it, or to the default config. I’ll use the [DEFAULT] stanza because I want this action to run in every jail.
Edit the jail config: vi /etc/fail2ban/jail.d/my_jail.local
[DEFAULT]
## You can have multiple actions. Add each additional action on its own
## indented continuation line.
action = my_custom_action
         my_other_custom_action
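The action above hands Fail2ban's <ip> and <name> tags straight to cscli. As an added example (not part of the original post, and not CrowdSec's or Fail2ban's own code), here is a small POSIX sh wrapper that validates both tags before they become cscli arguments, keeps the post's 4h duration and /usr/bin/cscli path, and can be dry-run for testing. The install path /usr/local/bin/f2b-to-crowdsec.sh and the environment variables CSCLI, F2B_CS_DURATION and DRY_RUN are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper that Fail2ban's
# actionban can call instead of invoking cscli directly. It validates the <ip>
# and <name> tags Fail2ban substitutes before they become cscli arguments.
# Assumed install path: /usr/local/bin/f2b-to-crowdsec.sh
# Matching action line:  actionban = /usr/local/bin/f2b-to-crowdsec.sh <ip> <name>

CSCLI="${CSCLI:-/usr/bin/cscli}"        # path used in the post
DURATION="${F2B_CS_DURATION:-4h}"        # same default duration as the post

# Coarse address check: a dotted-quad IPv4 with in-range octets, or an IPv6
# literal made only of hex digits, colons and dots. Anything else (a stray
# regex fragment, shell metacharacters) is rejected.
valid_ip() {
  ip="$1"
  case "$ip" in
    ''|*[!0-9.:A-Fa-f]*) return 1 ;;
  esac
  case "$ip" in
    *:*)
      [ "${#ip}" -le 39 ] ;;
    *)
      case "$ip" in .*|*.|*..*) return 1 ;; esac
      old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
      [ "$#" -eq 4 ] || return 1
      for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#o}" -le 3 ] || return 1
        [ "$o" -le 255 ] || return 1
      done ;;
  esac
}

# Jail names become the decision reason; keep to a conservative character set.
valid_reason() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Print the exact command line that would be run, or fail with a message.
build_cscli_cmd() {
  valid_ip "$1"     || { echo "refusing invalid ip: $1" >&2; return 1; }
  valid_reason "$2" || { echo "refusing invalid reason: $2" >&2; return 1; }
  printf '%s decisions add --ip %s --duration %s --reason %s\n' \
    "$CSCLI" "$1" "$DURATION" "$2"
}

# Invoked by Fail2ban with two arguments (<ip> <name>): build and run the
# command. With no arguments the file only defines functions (for sourcing or
# testing). Set DRY_RUN=1 to print the command instead of executing it.
if [ "$#" -ge 2 ]; then
  cmd="$(build_cscli_cmd "$1" "$2")" || exit 2
  if [ -n "${DRY_RUN:-}" ]; then
    echo "$cmd"
  else
    $cmd
  fi
fi
```

To check the whole chain end to end, trigger a ban by hand with fail2ban-client (for example `fail2ban-client set sshd banip 192.0.2.10`, a documentation-range address) and confirm the decision arrived with `cscli decisions list --ip 192.0.2.10`; remove it afterwards with `cscli decisions delete --ip 192.0.2.10`. One caveat when setting `action` in the [DEFAULT] stanza: it replaces Fail2ban's default `%(action_)s` firewall ban, so if you still want the local iptables/nftables ban in addition to the CrowdSec decision, list `%(action_)s` as one of the actions.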
If your Fail2ban filters behave like mine, you’ll notice that a lot more unwanted traffic is dropped by the cscli decisions added this way.