jpallison0625/frostlabs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fad38a229f0c57ec8e44f288cf2445c3b0112c5a
frostlabs/crowdsec/QUICK-REFERENCE.md
John 6e57ee18d7 Crowdsec Deployed to Production + Guides
2025-11-14 14:01:47 -05:00

2.9 KiB
Raw Blame History

CrowdSec Quick Reference Card

Setup Alias (Recommended)

Add to your ~/.bashrc:

alias cscli='ssh 10.0.4.14 "docker exec \$(docker ps -qf name=crowdsec_crowdsec) cscli"'

Then use: cscli decisions list instead of the full command.

Most Common Commands

View Active Bans

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli decisions list'

Ban an IP for 4 Hours

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli decisions add --ip 1.2.3.4 --duration 4h'

Unban an IP

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli decisions delete --ip 1.2.3.4'

View Recent Alerts (What Triggered Bans)

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli alerts list'

Check Status & Metrics

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli metrics'

Verify Bouncer Connected

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli bouncers list'

View Installed Collections

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli collections list'

View Traefik Access Logs

tail -f /home/doc/projects/swarm-data/traefik/logs/access.log

View CrowdSec Logs

docker service logs crowdsec_crowdsec --tail 50 --follow

Add Protection to a Service

Docker Swarm Service (via labels)

deploy:
  labels:
    - "traefik.http.routers.myapp.middlewares=crowdsec@file"

External Service (in dynamic.yml)

http:
  routers:
    myservice:
      middlewares:
        - crowdsec

Troubleshooting

Restart CrowdSec

docker service update --force crowdsec_crowdsec

Restart Traefik

docker service update --force traefik_traefik

Check if Logs Are Being Read

ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli metrics show acquisition'

View Service Status

docker service ls | grep -E "crowdsec|traefik"

File Locations

Purpose Path
CrowdSec Stack /home/doc/projects/homelab/frostlabs/crowdsec/stack.yml
Log Config /home/doc/projects/homelab/frostlabs/crowdsec/acquis.yaml
Traefik Config /home/doc/projects/homelab/frostlabs/traefik/dynamic.yml
Access Logs /home/doc/projects/swarm-data/traefik/logs/access.log
CrowdSec Data /home/doc/projects/swarm-data/crowdsec/

Emergency: I Locked Myself Out

# Delete all bans
ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli decisions delete --all'

# Or unban specific IP
ssh 10.0.4.14 'docker exec $(docker ps -qf name=crowdsec_crowdsec) cscli decisions delete --ip YOUR.IP.HERE'

For detailed information, see: /home/doc/projects/homelab/frostlabs/crowdsec/GUIDE.md