Change remediation from ban to captcha for certain IPs | CrowdSec | Page 1

dawn ridge May 30, 2025, 11:54 AM

#

I am trying to change the remediation for crowdsecurity/nextcloud-bf from ban to captcha for certain IPs. I have HAProxy set up as a bouncer in front of NextCloud. I know captcha is working because I do sudo cscli decisions add --ip x.x.x.x --duration 5m --type captcha and get a captcha

To start with I'm trying a blanket ban > captcha. In my profiles.yaml.local I have

`---
name: nextcloud_bf
filters:

Alert.Remediation == true && Alert.GetScope() == "IP" && Alert.GetScenario() in ["crowdsecurity/nextcloud-bf"]
decisions:
type: captcha
duration: 1h
notifications:
- email_default
  on_success: break
  ---`

Then I try and test with:

sudo cscli decisions add --ip x.x.x.x --duration 5m --reason crowdsecurity/nextcloud-bf

I get banned and don't see a captcha. What am I doing wrong?

topaz duneBOT May 30, 2025, 11:54 AM

#

Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

fickle vault May 30, 2025, 12:25 PM

#

dawn ridge I am trying to change the remediation for crowdsecurity/nextcloud-bf from ban to...

cscli decisions add does not get evaluated agaisnt profiles, it bypasses it and sends an alert with the default type of ban there is a type flag you can set to captcha. The profiles only get evaluated from overflown scenarios during runtime. (it may send a notification but it will ignore the decisions generated)

dawn ridge May 30, 2025, 12:51 PM

#

How do I test this then? Also - does it look sane?

fickle vault May 30, 2025, 1:12 PM

#

Yes it looks fine as it matching the full scenario name and that will match just that one scenario

#

You can reinject the alert back using cscli notification reinject but it will only tell you if it matches the profile.

#

just note about the flow, as i see its inbetween two profiles so as long as it wont match the above it will break on this one for this scenario.

dawn ridge May 30, 2025, 1:31 PM

#

Thanks

If I only want this to apply to certain IPs does this make sence?

`name: nextcloud_bf
filters:

Alert.Remediation == true &&
Alert.GetScope() == "IP" &&
Alert.GetScenario() in ["crowdsecurity/nextcloud-bf"] &&
Alert.Source.IP in [
"x.x.x.x",
"x.x.x.x",
"x.x.x.x",
"x.x.x.x",
"x.x.x.x"
]
decisions:
type: captcha
duration: 1h
notifications:
email_default
on_success: break`

dawn ridge Jun 2, 2025, 11:29 AM

#

bump

rare tapir Jun 2, 2025, 12:10 PM

#

It should be Alert.GetScope() == "Ip", but looks good otherwise.
You just need to make sure it gets evaluated before more generic profiles (for examples, if you still have the default profile, your custom one needs to be before in the file)

#Change remediation from ban to captcha for certain IPs