crowdsec: whitelist LAN + loopback to prevent self-bans

Adds an s02-enrich stage parser whitelist so events originating from
10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it,
Authelia 401s from a stale browser tab on a LAN client can trip
http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host
off from the server — happened today with the gaming desktop.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-05-06 13:05:10 +01:00
parent e7896f02d3
commit 7a96927221


@ -87,6 +87,22 @@ in
# config.yaml — main agent + LAPI configuration # config.yaml — main agent + LAPI configuration
config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit
# Drop alerts originating from LAN clients before they're scored.
# Without this, repeated Authelia 401s from inside the house (e.g.
# a stale browser session on the gaming desktop) trip ssh-bf /
# http-bf scenarios and the firewall bouncer self-bans 10.0.0.x.
parsers.s02Enrich = [
{
name = "nordhammer/lan-whitelist";
description = "Whitelist LAN + loopback to prevent self-bans";
whitelist = {
reason = "Local LAN";
ip = [ "127.0.0.1" "::1" ];
cidr = [ "10.0.0.0/24" ];
};
}
];
# Log sources to ingest # Log sources to ingest
acquisitions = [ acquisitions = [
{ {