add crowdsec policies for 403 and 429; use nginx to rate limit brute force attacks and then ban them [ci skip]

modules/kubernetes/crowdsec/main.tf

@@ -16,6 +16,48 @@ resource "kubernetes_namespace" "crowdsec" {
   }
 }
 
+resource "kubernetes_config_map" "crowdsec_custom_scenarios" {
+  metadata {
+    name      = "crowdsec-custom-scenarios"
+    namespace = "crowdsec"
+    labels = {
+      "app.kubernetes.io/name" = "crowdsec"
+    }
+  }
+
+  data = {
+    "http-403-abuse.yaml" = <<-YAML
+      type: leaky
+      name: crowdsecurity/http-403-abuse
+      description: "Detect IPs triggering too many HTTP 403s in NGINX ingress logs"
+      filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.status == '403'"
+      groupby: "evt.Meta.source_ip"
+      leakspeed: "10s"
+      capacity: 5
+      blackhole: 1m
+      labels:
+        service: http
+        behavior: abusive_403
+        remediation: true
+    YAML
+    "http-429-abuse.yaml" : <<-YAML
+      type: leaky
+      name: crowdsecurity/http-429-abuse
+      description: "Detect IPs repeatedly triggering rate-limit (HTTP 429)"
+      filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.status == '429'"
+      groupby: "evt.Meta.source_ip"
+      leakspeed: "10s"
+      capacity: 5
+      blackhole: 1m
+      labels:
+        service: http
+        behavior: rate_limit_abuse
+        remediation: true
+      YAML
+  }
+}
+
+
 resource "helm_release" "crowdsec" {
   namespace        = "crowdsec"
   create_namespace = true

modules/kubernetes/crowdsec/values.yaml

@@ -18,6 +18,20 @@ agent:
     # As we are running Nginx, we want to install the Nginx collection
     - name: COLLECTIONS
       value: "crowdsecurity/nginx"
+  # Mount custom scenarios into /etc/crowdsec/scenarios
+  extraVolumeMounts:
+    - name: custom-scenarios
+      mountPath: /etc/crowdsec/scenarios/http-403-abuse.yaml
+      subPath: "http-403-abuse.yaml"
+      readonly: true
+    - name: custom-scenarios
+      mountPath: /etc/crowdsec/scenarios/http-429-abuse.yaml
+      subPath: "http-429-abuse.yaml"
+      readonly: true
+  extraVolumes:
+    - name: custom-scenarios
+      configMap:
+        name: crowdsec-custom-scenarios
 lapi:
   replicas: 3
   extraSecrets:

modules/kubernetes/ingress_factory/main.tf

@@ -88,9 +88,9 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
       "nginx.ingress.kubernetes.io/proxy-buffering" : "on"
 
       # DDOS protection
-      "nginx.ingress.kubernetes.io/limit-connections" : 500
+      "nginx.ingress.kubernetes.io/limit-connections" : 100
       "nginx.ingress.kubernetes.io/limit-rps" : 10
-      "nginx.ingress.kubernetes.io/limit-rpm" : 60
+      "nginx.ingress.kubernetes.io/limit-rpm" : 30
       "nginx.ingress.kubernetes.io/limit-burst-multiplier" : 10
       "nginx.ingress.kubernetes.io/limit-rate-after" : 10
       "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF