From 7a96927221ad18f93d714124ddae7a1f8332313e Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Wed, 6 May 2026 13:05:10 +0100
Subject: [PATCH] crowdsec: whitelist LAN + loopback to prevent self-bans
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a stage s02-enrich parser whitelist so events originating from 10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it, Authelia 401s from a stale browser tab on a LAN client can trip http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7
---
 services/crowdsec.nix | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/services/crowdsec.nix b/services/crowdsec.nix
index 654bb9e..b39cf3d 100644
--- a/services/crowdsec.nix
+++ b/services/crowdsec.nix
@@ -87,6 +87,22 @@ in
   # config.yaml — main agent + LAPI configuration
   config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit
 
+  # Drop alerts originating from LAN clients before they're scored.
+  # Without this, repeated Authelia 401s from inside the house (e.g.
+  # a stale browser session on the gaming desktop) trip ssh-bf /
+  # http-bf scenarios and the firewall bouncer self-bans 10.0.0.x.
+  parsers.s02Enrich = [
+    {
+      name = "nordhammer/lan-whitelist";
+      description = "Whitelist LAN + loopback to prevent self-bans";
+      whitelist = {
+        reason = "Local LAN";
+        ip = [ "127.0.0.1" "::1" ];
+        cidr = [ "10.0.0.0/24" ];
+      };
+    }
+  ];
+
   # Log sources to ingest
   acquisitions = [
     {
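Review bot: The `cidr = [ "10.0.0.0/24" ];` entry exempts every host on the LAN from scoring, not just the desktop that triggered today's ban, so brute-force or scanning activity from a compromised or misbehaving LAN device (an IoT box, a guest, a stale credential on a laptop) is no longer detected by any scenario, and because this is a parser-stage whitelist the events are dropped before they are stored, leaving nothing to review later. If any acquisition behind the reverse proxy in front of Authelia reports the proxy's own 10.0.0.x address instead of the real client (no forwarded-for handling), this whitelist would also silently exempt internet traffic, which is worth confirming against the parsed source IP before relying on it. CrowdSec's postoverflow whitelists would keep the alert visible while suppressing the ban decision, which seems a better fit for the stated goal if the module exposes that stage; otherwise narrowing `cidr` to the specific hosts that need it limits the blind spot. At minimum the block comment should record the trade-off, e.g. `# Trade-off: whitelisted ranges are never scored, so attacks originating from a LAN host go undetected here.`. The enclosing attribute set continues outside the hunk.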