Restrict incoming connections to DE via CrowdSec GeoIP

2026-03-18 21:53:05 +01:00 · 2026-03-18 21:53:05 +01:00 · c3adfa7e25
commit c3adfa7e25
parent 8f44273faf
1 changed files with 14 additions and 0 deletions
--- a/modules/crowdsec.nix
+++ b/modules/crowdsec.nix
@ -91,6 +91,17 @@ in

      # Remediation profiles
      localConfig.profiles = [
+        {
+          name = "block_non_de";
+          filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip' && Alert.Enriched.IsoCode != 'DE' && Alert.Enriched.IsoCode != ''" ];
+          decisions = [
+            {
+              type = "ban";
+              duration = "24h";
+            }
+          ];
+          on_success = "break";
+        }
        {
          name = "default_ip_remediation";
          filters = [ "Alert.Remediation == true && Alert.GetScope() == 'Ip'" ];
@ -106,6 +117,9 @@ in

      # Hub collections for common attack patterns
      hub = {
+        parsers = [
+          "crowdsecurity/geoip-enrich"
+        ];
        collections = [
          "crowdsecurity/linux"
          "crowdsecurity/nginx"