canasta crowdsec

From canasta

canasta > crowdsec

canasta crowdsec

Manage CrowdSec threat detection

Synopsis

Manage the optional CrowdSec security feature on a Compose or Kubernetes instance. Enable or disable CrowdSec itself with canasta config set CANASTA_ENABLE_CROWDSEC=true|false (the same pattern as the other optional features). The subcommands below allow further configuration and monitoring once CrowdSec is enabled:

  • bouncer-enroll registers the Caddy bouncer with the CrowdSec engine, captures the generated API key, stores it as CROWDSEC_BOUNCER_API_KEY, and restarts so the bouncer starts enforcing decisions. This now happens automatically the first time the instance starts after CrowdSec is enabled; run it by hand only to force a fresh key (--force).
  • console-enroll connects the engine to the CrowdSec Console (app.crowdsec.net) for the full community blocklist. Optional — the engine already pulls the smaller "Lite" community blocklist via the Central API by default.
  • reload restarts just the engine to apply changes (an accepted console enrollment, whitelist edits) without restarting the whole instance.
  • status shows the registered bouncers and the currently active IP decisions.
  • scenarios lists the loaded collections and scenarios so you can confirm behavioral detection is active.
  • alerts shows the attacks CrowdSec has detected (the detection history), complementing status (the bans in force right now).
  • metrics shows engine throughput — the quickest check that the Caddy access log is actually being read.
  • ban / unban add or remove a manual decision for an IP, independent of CrowdSec's automatic detection.

Durable detection tuning (whitelisting trusted IPs, custom rules) is done by editing config/crowdsec/whitelists.yaml in the instance directory — a version-controlled file, like Caddyfile.global.

On Kubernetes the engine runs as a sidecar in the Caddy pod and the same subcommands work via kubectl exec. Because Caddy always sits behind the in-cluster ingress there, CrowdSec auto-trusts the cluster pod CIDRs (override with CADDY_TRUSTED_PROXY_CIDRS) so it attributes decisions to the real client IP rather than the ingress.

Subcommands

This command requires a subcommand:

  • alerts — Show recent CrowdSec alerts (detected attacks)
  • ban — Block an IP via a manual CrowdSec decision
  • bouncer-enroll — Register the Caddy bouncer with the CrowdSec engine
  • console-enroll — Connect CrowdSec to the Console for the full community blocklist
  • metrics — Show CrowdSec engine throughput metrics
  • reload — Restart the CrowdSec engine to apply changes
  • scenarios — List the loaded CrowdSec detection (collections and scenarios)
  • status — Show CrowdSec bouncers and active decisions
  • unban — Remove a manual CrowdSec decision for an IP

Global flags

Flag Shorthand Description Default Required Orchestrator
--help -h Show help message and exit Both
--verbose -v Enable verbose output Both