Skip to main content
Version: Next

IP / CIDR

IP whitelists are best suited at Parser whitelists level because once the log line has been parsed we already know the IP address and can save resources by discarding it earlier in the pipeline.

We will create the file mywhitelist.yaml please see introduction for your OS specific paths.

name: "my/whitelist" ## Must be unique
description: "Whitelist events from my ip addresses"
whitelist:
reason: "my ip ranges"
ip:
- "80.x.x.x"
cidr:
- "80.x.x.x/24"
Reload CrowdSec
sudo systemctl reload crowdsec

Test the whitelist

You can run a security tool such as nikto to test your whitelist

nikto -host myfqdn.com
sudo cscli decisions list --ip {your_whitelisted_ip}

Should show the result No active decisions

I still see an old decision?

The whitelist will only prevent new decisions so you must remove any old decisions with

sudo decisions delete --ip {your_whitelist_ip}