Unsure if Crowdsec bouncer is working with Swag

Hi. I installed swag and crowdsec according to the LSIO blog post. My reverse proxy works, and Crowdsec is up and running, but I don’t think that the bouncer is working. From an external network, I keep intentionally doing failed logins to one of my running services (Navidrome, for what it’s worth), but no matter how many times I purposefully fail, I maintain access to my system.

Here’s my docker-compose.yaml for the swag & crowdsec stack:

 services:
   swag:
     image: lscr.io/linuxserver/swag:latest
     container_name: swag
     cap_add:
       - NET_ADMIN
     environment:
       - PUID=1001
       - PGID=100
       - TZ=America/New_York
       - URL=myexample.xyz
       - VALIDATION=dns
       - SUBDOMAINS=wildcard #optional
       - CERTPROVIDER=zerossl #optional
       - DNSPLUGIN=cloudflare #optional
       - EMAIL=myemail@duck.com #optional
       - DOCKER_MODS=linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-dashboard
       - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
       - CROWDSEC_LAPI_URL=http://crowdsec:8080
     volumes:
       - /srv/dev-disk-by-uuid-9ccb815e-8ccb-4577-b698-1cd0f335afb0/appdata/swag/config:/config
     ports:
       - 443:443
       - 80:80 #optional
       - 81:81
     networks:
       - swag-net
     security_opt:
       - no-new-privileges=true
     restart: unless-stopped
   crowdsec:
     image: docker.io/crowdsecurity/crowdsec:latest
     container_name: crowdsec
     environment:
       - GID=100
       - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
       - CUSTOM_HOSTNAME=myhomeserver
       - BOUNCER_KEY_SWAG=${CROWDSEC_API_KEY}
     ports: 
       - '127.0.0.1:8080:8080'
     volumes:
       - /srv/dev-disk-by-uuid-9ccb815e-8ccb-4577-b698-1cd0f335afb0/appdata/crowdsec/config:/etc/crowdsec:rw
       - /srv/dev-disk-by-uuid-9ccb815e-8ccb-4577-b698-1cd0f335afb0/appdata/crowdsec/data:/var/lib/crowdsec/data:rw
       - /srv/dev-disk-by-uuid-9ccb815e-8ccb-4577-b698-1cd0f335afb0/appdata/swag/config/log/nginx:/var/log/swag:ro
       - /var/log:/var/log/host:ro
     networks:
       - swag-net
     restart: unless-stopped
     security_opt:
       - no-new-privileges=true
 networks:
   swag-net:
     external: true

I’m passing ${CROWDSEC_API_KEY} from the .env file.

Here’s the output of running cscli bouncers list:

 ──────────────────────────────────────────────────────────────────────────────────────────────────────
  Name             IP Address  Valid  Last API pull         Type                    Version  Auth Type
 ──────────────────────────────────────────────────────────────────────────────────────────────────────
  SWAG             172.23.0.4  ✔️     2025-02-12T23:16:23Z  crowdsec-nginx-bouncer  v1.0.8   api-key
  SWAG@172.23.0.3  172.23.0.3  ✔️     2025-02-10T03:30:54Z  crowdsec-nginx-bouncer  v1.0.8   api-key
  swag             172.23.0.3  ✔️     2025-02-13T12:47:19Z  crowdsec-nginx-bouncer  v1.0.8   api-key
 ──────────────────────────────────────────────────────────────────────────────────────────────────────

From my phone, I disconnect from the Wi-Fi, then I connect to a VPN. I’ve then manually blocked that VPN’s IP address:

 cscli decisions add --ip 198.12.xx.xx --type ban --duration 10m

And the block seems to have worked. I run ‘cscli decisions list’ and I see this:

 ╭────────┬──────────┬───────────────────┬───────────────────────────────────┬────────┬─────────┬───────────────────────┬────────┬────────────┬──────────╮
 │   ID   │  Source  │    Scope:Value    │               Reason              │ Action │ Country │           AS          │ Events │ expiration │ Alert ID │
 ├────────┼──────────┼───────────────────┼───────────────────────────────────┼────────┼─────────┼───────────────────────┼────────┼────────────┼──────────┤
 │ 348015 │ cscli    │ Ip:198.12.xx.xx   │ manual 'ban' from 'myhomeserver'  │ ban    │         │                       │ 1      │ 4m57s      │ 59       │
 │ 348014 │ crowdsec │ Ip:172.93.107.98  │ crowdsecurity/http-open-proxy     │ ban    │ US      │ 23470 RELIABLESITE    │ 1      │ 3h54m46s   │ 58       │
 │ 348012 │ crowdsec │ Ip:167.94.146.56  │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398705 CENSYS-ARIN-02 │ 2      │ 2h29m37s   │ 56       │
 │ 333011 │ crowdsec │ Ip:70.39.90.4     │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 46844 SHARKTECH       │ 2      │ 1h50m25s   │ 54       │
 │ 333010 │ crowdsec │ Ip:167.94.146.54  │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398705 CENSYS-ARIN-02 │ 2      │ 1h39m8s    │ 53       │
 │ 318009 │ crowdsec │ Ip:199.45.154.159 │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398722 CENSYS-ARIN-03 │ 2      │ 1m23s      │ 51       │
 ╰────────┴──────────┴───────────────────┴───────────────────────────────────┴────────┴─────────┴───────────────────────┴────────┴────────────┴──────────╯

However, as I said earlier, I still have full access from my phone to https://myexample.xyz and https://navidrome.myexample.xyz. It’s as if nothing at all is standing in my way.

How do I get Crowdsec to properly block me from my own system? 🙂

Thanks, everyone!

Problem solved. I had Cloudflare proxying turned on, so Crowdsec was seeing different IP addresses than what I’d expected. Once I installed the Cloudflare-Real-IP mod for swag, things worked.
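
The mismatch described in the fix above, as an added example that is not part of the original post and is not code from SWAG, the mod or the CrowdSec bouncer. It models the usual real-IP trust rule (take the CF-Connecting-IP header only when the TCP peer is a Cloudflare edge) as an assumption about how such a mod behaves; the Cloudflare ranges are a partial snapshot, and all addresses and names in the sample data are constructed.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 edge ranges (snapshot; refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

def from_cloudflare(peer):
    """True when the TCP peer address belongs to a Cloudflare edge range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in CLOUDFLARE_NETS)

def client_ip(peer, cf_connecting_ip=None, real_ip_enabled=True):
    """Address the bouncer should look up for this request (hypothetical helper)."""
    if not real_ip_enabled or not cf_connecting_ip:
        return peer
    if not from_cloudflare(peer):
        return peer  # header is client-controlled on direct connections: ignore it
    try:
        return str(ipaddress.ip_address(cf_connecting_ip.strip()))
    except ValueError:
        return peer  # malformed header: fall back to the peer address

def verdict(request, banned, real_ip_enabled):
    """Return (action, address checked) for one request against the ban list."""
    ip = client_ip(request["peer"], request.get("cf_connecting_ip"), real_ip_enabled)
    return ("block" if ip in banned else "allow", ip)

# Constructed sample data: one ban decision and three requests.
BANNED = {"203.0.113.7"}
REQUESTS = [
    {"peer": "172.71.10.5", "cf_connecting_ip": "203.0.113.7"},   # banned client via Cloudflare
    {"peer": "172.71.10.5", "cf_connecting_ip": "192.0.2.44"},    # other client, same edge
    {"peer": "198.51.100.9", "cf_connecting_ip": "192.0.2.44"},   # direct connection, forged header
]

def run(real_ip_enabled):
    return [verdict(r, BANNED, real_ip_enabled) for r in REQUESTS]

if __name__ == "__main__":
    for enabled in (False, True):
        print("real-IP handling", "on" if enabled else "off", run(enabled))
```

With real-IP handling off, every proxied request is checked under the edge address, so the ban on the client address never matches, which is the behaviour reported in the question.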