crowdsec: whitelist LAN + loopback to prevent self-bans
Adds a stage s02-enrich parser whitelist so events originating from 10.0.0.0/24 (and 127.0.0.1/::1) are dropped before scoring. Without it, Authelia 401s from a stale browser tab on a LAN client can trip http-bf / ssh-bf scenarios and the firewall bouncer cuts the LAN host off from the server — happened today with the gaming desktop. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
e7896f02d3
commit
7a96927221
1 changed files with 16 additions and 0 deletions
|
|
@ -87,6 +87,22 @@ in
|
|||
# config.yaml — main agent + LAPI configuration
|
||||
config.api.server.listen_uri = "127.0.0.1:8081"; # 8080 is qBit
|
||||
|
||||
# Drop alerts originating from LAN clients before they're scored.
|
||||
# Without this, repeated Authelia 401s from inside the house (e.g.
|
||||
# a stale browser session on the gaming desktop) trip ssh-bf /
|
||||
# http-bf scenarios and the firewall bouncer self-bans 10.0.0.x.
|
||||
parsers.s02Enrich = [
|
||||
{
|
||||
name = "nordhammer/lan-whitelist";
|
||||
description = "Whitelist LAN + loopback to prevent self-bans";
|
||||
whitelist = {
|
||||
reason = "Local LAN";
|
||||
ip = [ "127.0.0.1" "::1" ];
|
||||
cidr = [ "10.0.0.0/24" ];
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
# Log sources to ingest
|
||||
acquisitions = [
|
||||
{
|
||||
|
|
|
|||
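Review bot: The `whitelist` block under `parsers.s02Enrich` exempts all of `10.0.0.0/24` plus loopback from every scenario, so a compromised or guest device on the LAN can hammer SSH or Authelia without ever producing a decision. If any ingested service sits behind a reverse proxy and logs the proxy's address rather than the client's (not visible in this hunk), the `127.0.0.1` / `::1` entries would also whitelist remote traffic, so it is worth confirming that the acquired logs carry the real client IP. Consider listing only the trusted hosts, e.g. `ip = [ "127.0.0.1" "::1" "<TRUSTED_HOST_IP>" ];`, dropping the `cidr` line, and recording the trade-off in the comment: `# Trade-off: whitelisted sources are never scored, so brute force from these addresses goes undetected.` The comment also says "alerts" are dropped, whereas an s02-enrich parser whitelist discards events before the scenarios see them. The surrounding attribute set starts and ends outside the hunk.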