add crowdsec policies for 403 and 429; use nginx to rate limit brute force attacks and then ban them [ci skip]

2025-10-13 20:12:37 +00:00 · 2025-10-13 20:12:37 +00:00 · f17d73cc62
commit f17d73cc62
parent b15246a2cb
3 changed files with 58 additions and 2 deletions
--- a/modules/kubernetes/crowdsec/main.tf
+++ b/modules/kubernetes/crowdsec/main.tf
@ -16,6 +16,48 @@ resource "kubernetes_namespace" "crowdsec" {
  }
 }

+resource "kubernetes_config_map" "crowdsec_custom_scenarios" {
+  metadata {
+    name      = "crowdsec-custom-scenarios"
+    namespace = "crowdsec"
+    labels = {
+      "app.kubernetes.io/name" = "crowdsec"
+    }
+  }
+
+  data = {
+    "http-403-abuse.yaml" = <<-YAML
+      type: leaky
+      name: crowdsecurity/http-403-abuse
+      description: "Detect IPs triggering too many HTTP 403s in NGINX ingress logs"
+      filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.status == '403'"
+      groupby: "evt.Meta.source_ip"
+      leakspeed: "10s"
+      capacity: 5
+      blackhole: 1m
+      labels:
+        service: http
+        behavior: abusive_403
+        remediation: true
+    YAML
+    "http-429-abuse.yaml" : <<-YAML
+      type: leaky
+      name: crowdsecurity/http-429-abuse
+      description: "Detect IPs repeatedly triggering rate-limit (HTTP 429)"
+      filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.status == '429'"
+      groupby: "evt.Meta.source_ip"
+      leakspeed: "10s"
+      capacity: 5
+      blackhole: 1m
+      labels:
+        service: http
+        behavior: rate_limit_abuse
+        remediation: true
+      YAML
+  }
+}
+
+
 resource "helm_release" "crowdsec" {
  namespace        = "crowdsec"
  create_namespace = true
--- a/modules/kubernetes/crowdsec/values.yaml
+++ b/modules/kubernetes/crowdsec/values.yaml
@ -18,6 +18,20 @@ agent:
    # As we are running Nginx, we want to install the Nginx collection
    - name: COLLECTIONS
      value: "crowdsecurity/nginx"
+  # Mount custom scenarios into /etc/crowdsec/scenarios
+  extraVolumeMounts:
+    - name: custom-scenarios
+      mountPath: /etc/crowdsec/scenarios/http-403-abuse.yaml
+      subPath: "http-403-abuse.yaml"
+      readonly: true
+    - name: custom-scenarios
+      mountPath: /etc/crowdsec/scenarios/http-429-abuse.yaml
+      subPath: "http-429-abuse.yaml"
+      readonly: true
+  extraVolumes:
+    - name: custom-scenarios
+      configMap:
+        name: crowdsec-custom-scenarios
 lapi:
  replicas: 3
  extraSecrets:
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@ -88,9 +88,9 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
      "nginx.ingress.kubernetes.io/proxy-buffering" : "on"

      # DDOS protection
-      "nginx.ingress.kubernetes.io/limit-connections" : 500
+      "nginx.ingress.kubernetes.io/limit-connections" : 100
      "nginx.ingress.kubernetes.io/limit-rps" : 10
-      "nginx.ingress.kubernetes.io/limit-rpm" : 60
+      "nginx.ingress.kubernetes.io/limit-rpm" : 30
      "nginx.ingress.kubernetes.io/limit-burst-multiplier" : 10
      "nginx.ingress.kubernetes.io/limit-rate-after" : 10
      "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF