{"id":24383062,"url":"https://github.com/akmalovaa/crowdsec-blocklist","last_synced_at":"2025-04-19T08:03:36.985Z","repository":{"id":238366716,"uuid":"796405940","full_name":"akmalovaa/crowdsec-blocklist","owner":"akmalovaa","description":"Crowdsec Blacklist mirror - allows you to create a local HTTP service with an up-to-date list of harmful IP addresses","archived":false,"fork":false,"pushed_at":"2024-05-19T21:42:14.000Z","size":42,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-01-19T10:12:06.627Z","etag":null,"topics":["blocklist","crowdsec","docker","docker-compose","firewall","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/akmalovaa.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-05T20:47:04.000Z","updated_at":"2024-12-25T23:02:51.000Z","dependencies_parsed_at":"2024-05-19T22:45:18.795Z","dependency_job_id":null,"html_url":"https://github.com/akmalovaa/crowdsec-blocklist","commit_stats":null,"previous_names":["akmalovaa/crowdsec-blocklist"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akmalovaa%2Fcrowdsec-blocklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akmalovaa%2Fcrowdsec-blocklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/akmalovaa%2Fcrowdsec-blocklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts
/GitHub/repositories/akmalovaa%2Fcrowdsec-blocklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/akmalovaa","download_url":"https://codeload.github.com/akmalovaa/crowdsec-blocklist/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243258505,"owners_count":20262301,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blocklist","crowdsec","docker","docker-compose","firewall","security"],"created_at":"2025-01-19T10:12:13.431Z","updated_at":"2025-03-12T17:18:40.051Z","avatar_url":"https://github.com/akmalovaa.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Crowdsec Blocklist\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/crowdsecurity/cs-blocklist-mirror/main/docs/assets/bouncer.svg\" alt=\"CrowdSec-Http-blocklist-mirror-logo\" title=\"CrowdSec-Http-Blocklist-mirror-logo\" width=\"280\" height=\"300\"\u003e\n \u003c/p\u003e\n\n**Crowdsec Blacklist mirror** - allows you to create a local HTTP service with an up-to-date list of harmful IP addresses\n\nCrowdSec is an open and extensible tool for detecting and preventing cyber attacks. It is based on the collective intelligence of the community, using adaptive and aggregated data on network activity to identify and block potential threats. The platform uses machine learning and big data analysis techniques to continuously improve its algorithms and learn from new threats. 
\n\nIt uses behavioral patterns to identify potentially malicious activity and can block access from such addresses. CrowdSec also allows you to create individual ban lists and use common ban lists generated by the user community.\n\n- [DockerHub crowdsec](https://hub.docker.com/r/crowdsecurity/crowdsec)\n- [DockerHub blocklist-mirror](https://hub.docker.com/r/crowdsecurity/blocklist-mirror)\n- [Docs Blocklist mirror](https://docs.crowdsec.net/u/bouncers/blocklist-mirror#installation/)\n\n\n## Installation using docker compose\n\nClone the repo\n\nSet the required versions in `docker-compose.yaml`\n\nStart CrowdSec:\n```\ndocker compose up -d\n```\n\nYou need to add a bouncer to get the `lapi_key`:\n\n```shell\ndocker compose exec crowdsec cscli bouncers add blocklistMirror\n```\n\nExample output:\n\u003e API key for 'blocklistMirror':\n\u003e \n\u003e hsevAVxNwExampleTkeyfdssdfrqNyTsdy51/U\n\u003e \n\u003e Please keep this key since you will not be able to retrieve it!\n\nSet the received key as the value of `lapi_key` in the `crowdsec-blocklist-mirror.yaml` file, or use the env variable `API_KEY`\n\n```shell\ndocker compose restart\n```\n\n## Checking\n\nOpen in a browser:\n\n- **Crowdsec** - `http://YOUR_IP:6060/metrics`\n\n```\n# HELP cs_active_decisions Number of active decisions.\n# TYPE cs_active_decisions gauge\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"a1ad/mikrotik-bf\"} 55\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"a1ad/mikrotik-scan-multi_ports\"} 112\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/CVE-2017-9841\"} 618\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/CVE-2019-18935\"} 28\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/CVE-2022-26134\"} 103\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/fortinet-cve-2018-13379\"} 
29\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/grafana-cve-2021-43798\"} 12\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/http-admin-interface-probing\"} 1782\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/http-backdoors-attempts\"} 177\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/ssh-bf\"} 9501\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/ssh-slow-bf\"} 9\ncs_active_decisions{action=\"ban\",origin=\"CAPI\",reason=\"crowdsecurity/thinkphp-cve-2018-20062\"} 1\n...\n```\n\n- **Blocklist** - `http://YOUR_IP:41412/metrics`\n```\n# HELP active_decision_count Total number of decisions served by any blocklist\n# TYPE active_decision_count gauge\nactive_decision_count 18777\n...\n```\n\nMost importantly:\n- **Blocklist** - `http://YOUR_IP:41412/security/blocklist?ipv4only`\n\n```\n1.2.3.4\n2.3.4.5\n...\n```\n\n## Additional CLI commands\n\nAll blocklist addresses:\n```shell\ndocker compose exec crowdsec cscli decisions list --origin CAPI -o raw\n```\n\nCollections list:\n```shell\ndocker compose exec crowdsec cscli collections list\n```\n\nYou can change the collections with the `COLLECTIONS` variable in the `docker-compose.yaml` file\n\n```yaml\nenvironment:\n  COLLECTIONS: \"crowdsecurity/linux a1ad/mikrotik crowdsecurity/traefik\"\n```\n\nMetrics:\n```shell\ndocker compose exec crowdsec cscli metrics\n```\n\n![local api decisions](./img/local_api_decisions.png)\n\n### Results\n\nAs a result, we get a local service with an up-to-date list of dangerous IP addresses, which can be used to block them wherever traffic can be filtered by IP address:\n\n- network devices (pfSense, MikroTik)\n- firewalls (iptables, nftables, ipset)\n- DNS (Cloudflare)\n- proxy (HAProxy, Traefik, nginx)\n- etc.\n\n**Resources** `docker stats`:\n\n![docker 
stats](./img/docker_stats.png)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakmalovaa%2Fcrowdsec-blocklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fakmalovaa%2Fcrowdsec-blocklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fakmalovaa%2Fcrowdsec-blocklist/lists"}