IP / CIDR
IP whitelists are best suited at Parser whitelists
level because once the log line has been parsed we already know the IP address and can save resources by discarding it earlier in the pipeline.
We will create the file mywhitelist.yaml
please see introduction for your OS specific paths.
name: "my/whitelist" ## Must be unique
description: "Whitelist events from my ip addresses"
whitelist:
reason: "my ip ranges"
ip:
- "80.x.x.x"
cidr:
- "80.x.x.x/24"
Reload CrowdSec
sudo systemctl reload crowdsec
Test the whitelist
You can run a security tool such as nikto
to test your whitelist
nikto -host myfqdn.com
sudo cscli decisions list --ip {your_whitelisted_ip}
Should show the result No active decisions
I still see an old decision?
The whitelist will only prevent new decisions so you must remove any old decisions with
sudo decisions delete --ip {your_whitelist_ip}