CrowdSec and Pushover notifications

By | 19 Jan 2025

A while ago, I upgraded from fail2ban to CrowdSec. Similar to fail2ban, it analyses various log files to detect malicious acts and actors. But CrowdSec also pulls lists of malicious actors that other users have detected – and blocks them before they even get a chance to try their luck. (Which means it also reports incidents monitored in your environment back to the “crowd”.)

To get a feeling for what’s going on, I wanted to get notifications when a new “threat” was detected. For this, CrowdSec comes with several notification plugins. As I wanted to use Pushover, which uses a simple HTTP POST to send a notification, the HTTP plugin was the way to go.

Luckily, someone had the same idea and published his solution in a Gist on GitHub. This file needs to go to the /etc/crowdsec/notifications/ directory. Maybe give it a more recognisable name – I’ve named mine pushover.yaml. (CrowdSec will parse all the *.yaml files and the name doesn’t have any meaning.)

After adding my Pushover app and user tokens to the file, I also changed line 10 to name this plugin pushover_mbirth instead, as http_default is already taken by the example implementation that came with CrowdSec. I also added "priority": "1" to the HTTP parameters sent to Pushover.
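For orientation, here is a sketch of what such an HTTP notification file can look like. This is an added example, not the contents of the Gist mentioned above: it assumes the JSON form of Pushover's message API, the message wording is made up, and the two tokens are placeholders.

```yaml
# /etc/crowdsec/notifications/pushover.yaml
# Added example, not the Gist's file. Tokens below are placeholders.
type: http                 # use CrowdSec's HTTP notification plugin
name: pushover_mbirth      # the name referenced under "notifications:" in profiles.yaml
log_level: info

# Go template rendered for each batch of alerts; the result is the POST body.
# The message is kept on a single line so the rendered JSON string
# contains no raw line breaks.
format: |
  {
    "token": "<PUSHOVER_APP_TOKEN>",
    "user": "<PUSHOVER_USER_KEY>",
    "priority": "1",
    "title": "CrowdSec",
    "message": "{{range . -}}{{range .Decisions -}}{{.Value}} gets {{.Type}} for {{.Duration}} ({{.Scenario}}); {{end -}}{{end -}}"
  }

url: https://api.pushover.net/1/messages.json
method: POST
headers:
  Content-Type: application/json
```

Because this file contains both Pushover tokens, it should be readable only by root (or the user CrowdSec runs as) and kept out of any public configuration repository.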

What’s left now is to configure when you want to be notified. This is done in /etc/crowdsec/profiles.yaml. I just used the two example events, increased the duration of a ban to 12 hours, and added my new notification plugin pushover_mbirth to the list under notifications:. The final file looks like this:

name: default_ip_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
 - type: ban
   duration: 12h
notifications:
  - pushover_mbirth
on_success: break
---
name: default_range_remediation
filters:
 - Alert.Remediation == true && Alert.GetScope() == "Range"
decisions:
 - type: ban
   duration: 12h
notifications:
  - pushover_mbirth
on_success: break

After restarting CrowdSec, I now get notifications when something triggers a remediation action.
