The Sentinel — CrowdSec WAF & DDoS Guard
The Sentinel (docker-crowdsec) stands vigilant at the noosphere’s edge, analyzing logs and blocking malicious IPs in real-time.
How It Works
Section titled “How It Works”CrowdSec analyzes Traefik logs (/srv/docker/traefik/logs/traefik.log)
and maintains a decision list (bans, captchas). The Traefik bouncer plugin
crowdsec-bouncer-traefik-plugin consults CrowdSec in real-time to block IPs.
crowdsec-manager provides a web UI on port 3000 (internal).
Health Check
Section titled “Health Check”curl -s http://localhost:8080/health# ordocker exec crowdsec wget -q -O /dev/null http://localhost:8080/healthUseful cscli Commands
Section titled “Useful cscli Commands”# Enter the CrowdSec containerdocker exec -it crowdsec sh
# List active decisions (bans)cscli decisions list
# Ban an IP manuallycscli decisions add --ip 1.2.3.4 --duration 24h --reason "manual test"
# Lift a bancscli decisions delete --ip 1.2.3.4
# View recent alertscscli alerts list
# Status of installed collectionscscli collections listPersistent Data
Section titled “Persistent Data”/srv/docker/crowdsec.clochette.friloux.me/├── data/ # SQLite database, GeoIP└── etc/ # Configuration, parsers, scenarios, decisionsThese directories are included in Borg backup.
Traefik Dependency
Section titled “Traefik Dependency”Traefik requires CrowdSec at startup:
systemd.services.traefik = { after = ["crowdsec.service"]; requires = ["crowdsec.service"];};If CrowdSec fails to start, temporarily disable this dependency to diagnose:
systemctl edit docker-traefik# Add [Unit] section, remove CrowdSec-related After/Requires# Warning: temporary only — revert to Nix config afterwards