canasta crowdsec

From Canasta Wiki


canasta crowdsec

Manage CrowdSec threat detection

Synopsis

Manage the optional CrowdSec security feature on a Compose or Kubernetes instance. Enable or disable CrowdSec itself with canasta config set CANASTA_ENABLE_CROWDSEC=true|false (the same pattern as the other optional features); this group covers the steps that don't reduce to a single config value:

  • bouncer-enroll registers the Caddy bouncer with the CrowdSec engine, captures the generated API key, stores it as CROWDSEC_BOUNCER_API_KEY, and restarts so the bouncer starts enforcing decisions. This now happens automatically the first time the instance starts after CrowdSec is enabled; run it by hand only to force a fresh key (--force).
  • console-enroll connects the engine to the CrowdSec Console (app.crowdsec.net) for the full community blocklist. Optional — the engine already pulls the smaller "Lite" community blocklist via the Central API by default.
  • reload restarts just the engine to apply changes (an accepted console enrollment, whitelist edits) without restarting the whole instance.
  • status shows the registered bouncers and the currently active IP decisions.
  • scenarios lists the loaded collections and scenarios so you can confirm behavioral detection is active.
  • alerts shows the attacks CrowdSec has detected (the detection history), complementing status (the bans in force right now).
  • metrics shows engine throughput — the quickest check that the Caddy access log is actually being read.
  • ban / unban add or remove a manual decision for an IP, independent of CrowdSec's automatic detection.

Durable detection tuning (whitelisting trusted IPs, custom rules) is done by editing config/crowdsec/whitelists.yaml in the instance directory — a version-controlled file, like Caddyfile.global.
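As an added illustration (not a file shipped by the Canasta project), this is what a trusted-IP entry in config/crowdsec/whitelists.yaml can look like, assuming the file follows CrowdSec's standard parser-whitelist format; the whitelist name and all addresses are constructed placeholders. After editing, canasta crowdsec reload applies it without restarting the whole instance.

```yaml
# Assumption: Canasta loads this file as a standard CrowdSec parser whitelist.
# All values below are constructed samples from the documentation address ranges.
name: canasta/trusted-ips            # hypothetical whitelist name
description: "Skip detection for trusted monitoring and admin sources"
whitelist:
  reason: "trusted internal ranges"  # logged by the engine when an event is skipped
  ip:
    - "203.0.113.10"                 # constructed: external uptime monitor
  cidr:
    - "198.51.100.0/24"              # constructed: admin VPN egress range
```

Whitelisted sources are exempt from every scenario, so keep entries to specific hosts or narrow ranges; after a reload, canasta crowdsec scenarios and metrics confirm the engine is still loading its rules and reading the Caddy access log.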

On Kubernetes the engine runs as a sidecar in the Caddy pod and the same subcommands work via kubectl exec. Because Caddy always sits behind the in-cluster ingress there, CrowdSec auto-trusts the cluster pod CIDRs (override with CADDY_TRUSTED_PROXY_CIDRS) so it attributes decisions to the real client IP rather than the ingress.

Subcommands

This command requires a subcommand:

  • alerts — Show recent CrowdSec alerts (detected attacks)
  • ban — Block an IP via a manual CrowdSec decision
  • bouncer-enroll — Register the Caddy bouncer with the CrowdSec engine
  • console-enroll — Connect CrowdSec to the Console for the full community blocklist
  • metrics — Show CrowdSec engine throughput metrics
  • reload — Restart the CrowdSec engine to apply changes
  • scenarios — List the loaded CrowdSec detection (collections and scenarios)
  • status — Show CrowdSec bouncers and active decisions
  • unban — Remove a manual CrowdSec decision for an IP

Global Flags

Flag       Shorthand  Description                 Default  Required  Orchestrator
--help     -h         Show help message and exit                     Both
--verbose  -v         Enable verbose output                          Both