crowdsec-docs/unversioned/user_guides/interactive_se_install/04_remediation.mdx
Lines changed: 26 additions & 9 deletions
@@ -10,27 +10,44 @@ import CodeBlock from '@theme/CodeBlock';
10
10
11
11
# Remediation
12
12
13
-
blabla
13
+
Now that the detection is setup, lets remediate those bad IPs. You can apply a remediation in many places.
14
+
The job of a remediation component (aka RC or bouncer) is to keep the list of IPs up to date within the context you want to use: from the firewall of your host iptables/nftables to your edge appliances by exposing the list of IPs to it (mirror bouncer) through AWS WAF or Cloudflare... See full list of remediation components here[link]
15
+
This list of IPs will be comprised of decisions taken by the security engine (based on scenarios), IPs from blocklists your Security Engine is subscribed to (by default the community blocklist), and manual additions you may do via various methods.
14
16
15
17
## Choosing and testing a remediation component
16
18
19
+
// Explain various ways and advantages (push to be able to appsec and has metrics)
20
+
17
21
### Instructions
18
22
...
19
23
24
+
//Help connect to SE
25
+
A remediation component can get its information from the security engine via a URL+TOKEN (some support Mutual TLS authentication)
26
+
If installed on a host with a running security engine, they usually automatically pair (you can check with cscli bouncers list) to change the pairing, follow the steps described in the documentation
27
+
20
28
### Verification
21
29
22
30
Let's check ...
23
31
24
-
#### CrowdSec installation health
25
-
26
-
> [] Check ...
27
-
32
+
#### Bouncer connectivity
33
+
> [] Check that the bouncer is connected to the Security Engine
34
+
Check that the bouncer is registered properly and active (in cscli and in the console)
28
35
```bash
29
-
...
36
+
cscli bouncers list
30
37
```
31
-
- You should see ...
32
-
- ...
33
-
38
+
- You should see the bouncer you just installed in the list, with a recent heartbeat and a valid tick mark
34
39
40
+
> [] Check that the bouncing is effective
41
+
- Have them add a decision for the IP of our canary automate (or use a free blocklist we use for the guide with 10 most aggressive IPs and one IP of our test automate canary)
42
+
- Have them provide a URL that supposedly is protected
43
+
- Have the canary try to reach and return a response
44
+
- ??? How do we do this if we don't have a canary? without asking them to ban themselves
45
+
// find an alternative while we don't have a canary system @thib@seb@laurence
35
46
36
47
### Troubleshooting
48
+
49
+
<details>
50
+
<summary>Docker communication with bouncer</summary>
51
+
52
+
Docker bouncer: warning docker chain for example with firewall bouncer for docker user chain... ask for more precise phrasing @laurence
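Review bot: Several work-in-progress markers in this hunk will ship to readers as-is because MDX has no `//` comment syntax: the `[link]` placeholder in "See full list of remediation components here[link]", the author notes `// Explain various ways and advantages (push to be able to appsec and has metrics)`, `//Help connect to SE`, `// find an alternative while we don't have a canary system @thib@seb@laurence` and `... ask for more precise phrasing @laurence`, the `- ??? How do we do this if we don't have a canary?` bullet, and the bare `...` left under `### Instructions` and in "Let's check ...". Either resolve them before merge or wrap the notes in `{/* ... */}` JSX comments so they do not render. The "Check that the bouncing is effective" checklist also leaves its procedure undefined (it currently tells the reader to ban a canary that does not exist yet); until that is decided, consider dropping that block rather than publishing open questions. Small wording fixes while here: "Now that the detection is setup, lets remediate" should be "Now that detection is set up, let's remediate", and "If installed on a host with a running security engine, they usually automatically pair (you can check with cscli bouncers list) to change the pairing, follow the steps ..." needs a sentence break or semicolon before "to change the pairing" and a closing period.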