crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from 10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it, Authelia 401s from a stale browser tab on a LAN client can trip http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host off from the server — happened today with the gaming desktop. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
e7896f02d3
commit
7a96927221
1 changed files with 16 additions and 0 deletions
|
|
@ -87,6 +87,22 @@ in
|
||||||
# config.yaml — main agent + LAPI configuration
|
# config.yaml — main agent + LAPI configuration
|
||||||
config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit
|
config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit
|
||||||
|
|
||||||
|
# Drop alerts originating from LAN clients before they're scored.
|
||||||
|
# Without this, repeated Authelia 401s from inside the house (e.g.
|
||||||
|
# a stale browser session on the gaming desktop) trip ssh-bf /
|
||||||
|
# http-bf scenarios and the firewall bouncer self-bans 10.0.0.x.
|
||||||
|
parsers.s02Enrich = [
|
||||||
|
{
|
||||||
|
name = "nordhammer/lan-whitelist";
|
||||||
|
description = "Whitelist LAN + loopback to prevent self-bans";
|
||||||
|
whitelist = {
|
||||||
|
reason = "Local LAN";
|
||||||
|
ip = [ "127.0.0.1" "::1" ];
|
||||||
|
cidr = [ "10.0.0.0/24" ];
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
# Log sources to ingest
|
# Log sources to ingest
|
||||||
acquisitions = [
|
acquisitions = [
|
||||||
{
|
{
|
||||||
|
|
|
||||||
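Review bot: The `cidr = [ "10.0.0.0/24" ];` entry exempts every host on the LAN, and because the whitelist runs at the s02-enrich parser stage their events are discarded before any scenario sees them, so a compromised LAN device brute-forcing SSH or Authelia would raise no alert at all, not just no ban. If only a few trusted clients need the exemption, list them explicitly, e.g. `ip = [ "127.0.0.1" "::1" "<trusted-client-ip>" ];` (placeholder address), and drop the /24. It is also worth confirming that the reverse proxy in front of Authelia logs the real client address: if proxied or hairpin-NATed requests are logged as 127.0.0.1 or a 10.0.0.x address, external attempts would match this whitelist too. The surrounding attribute set begins before the hunk and `acquisitions` continues past it, so how the logs are acquired is not visible here.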