Skip to content

feat: CrowdSec IP Whitelist Management #939

Description

@Wikid82

Problem

CrowdSec false-positive bans are blocking legitimate admin and user traffic. Scenarios like http-probing and http-generic-403-bf trigger on normal browsing patterns when enough 403/404/400 responses accumulate (10 distinct paths within 10 seconds on the same FQDN). This creates a feedback loop: the ban generates more 403s, which re-trigger the ban after the 5-minute blackhole expires — effectively an infinite ban until the container is rebuilt.

There is currently no mechanism to whitelist trusted IPs from CrowdSec analysis. The existing Cerberus admin_whitelist only bypasses ACL/WAF/Rate Limiting middleware — it does not protect against CrowdSec bans.

Impact

  • Admin loses access to all proxied services
  • Any user whose browsing pattern triggers enough error responses gets banned
  • Only fix today is rebuilding the container image (wipes CrowdSec DB)
  • ISP changes require manual CLI intervention to update whitelists

Current State

Component Status
crowdsecurity/whitelists parser Not installed by default
Custom whitelist YAML None shipped with image
Whitelist API endpoints None
Whitelist UI None
Cerberus admin_whitelist → CrowdSec sync None

Proposed Solution

1. Default Whitelist Parser Installation

  • Add crowdsecurity/whitelists to configs/crowdsec/install_hub_items.sh so it ships with every new build
  • This automatically whitelists RFC1918 private ranges (already handled by the parser)

2. Custom Whitelist File Generation

  • Generate /etc/crowdsec/parsers/s02-enrich/custom-whitelists.yaml at container startup from:
    • An environment variable (e.g., CROWDSEC_TRUSTED_IPS)
    • AND/OR the existing Cerberus admin_whitelist CIDRs from the database

3. API Endpoints

Add CRUD endpoints under /admin/crowdsec/whitelist:

  • GET /admin/crowdsec/whitelist — List whitelisted IPs/CIDRs
  • POST /admin/crowdsec/whitelist — Add IP/CIDR to whitelist
  • DELETE /admin/crowdsec/whitelist/:entry — Remove IP/CIDR from whitelist

Backend should write changes to the persistent custom whitelist YAML and reload CrowdSec.

4. Frontend UI

Add a "Trusted IPs" section to the CrowdSec Config page (CrowdSecConfig.tsx):

  • Table showing whitelisted IPs/CIDRs with reason
  • Add/Remove controls
  • Option to sync from Cerberus admin_whitelist
  • Detect and display the user's current public IP for easy self-whitelisting

5. Cerberus ↔ CrowdSec Sync (Optional Enhancement)

  • When IPs are added to the Cerberus admin_whitelist, automatically propagate them to the CrowdSec whitelist
  • This ensures a single "trusted IPs" concept protects against both middleware AND CrowdSec bans

Temporary Workaround Applied

A manual custom-whitelists.yaml has been created in the running production container at /app/data/crowdsec/config/parsers/s02-enrich/custom-whitelists.yaml. This survives container restarts but will be lost on image rebuild if not baked into the build process.

Acceptance Criteria

  • crowdsecurity/whitelists parser installed by default on new builds
  • Custom whitelist YAML generated from env var or database at startup
  • API endpoints for whitelist CRUD
  • UI for managing CrowdSec trusted IPs
  • Admin IP never false-positive banned by CrowdSec
  • E2E and unit tests for new endpoints/UI
  • Documentation updated

Metadata

Metadata

Assignees

Labels

backendServer-side codecrowdsecCrowdSec integrationdatabaseDatabase-relatedenhancementNew feature or requestfrontendUI/UX codesecuritySecurity-related

Projects

Status
Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions