Profiles
Profiles are a list of rules that determine what actions CrowdSec takes after a detection. This can be as simple as banning an IP, or as complex as scaling ban duration based on prior detections.
The profiles.yaml file, situated at the root of the configuration directory, outlines profiles to be used. It is loaded during startup and can be refreshed while the system is running.
Here is the default profiles.yaml path by platform:
- Linux: /etc/crowdsec/profiles.yaml
- Freebsd: /usr/local/etc/crowdsec/profiles.yaml
- Windows: C:\ProgramData\CrowdSec\config\profiles.yaml
- Kubernetes: by default /etc/crowdsec/profiles.yaml inside the crowdsec-lapi-* pod. You can override it in values.yaml -> config.profiles.yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
    #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
We do not cover every directive here. See the profiles.yaml reference for full details.
Example Modifications
Here are a few examples of how you might modify your profiles to better suit your needs.
Enable Notifications
This adjustment can be made by configuring the plugin files located under:
- Linux: /etc/crowdsec/notifications/
- Freebsd: /usr/local/etc/crowdsec/notifications/
- Windows: C:\ProgramData\CrowdSec\config\notifications\
We do not cover configuration here. See the notification plugins documentation. After configuring, remove the comment (#) from the notifications lines to enable them.
Modified profiles.yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
    #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
notifications:
  - slack_default
on_success: break
Scaling Decision Duration
duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
Enable this by removing the comment (#) from the duration_expr line. The default formula uses GetDecisionsCount to count how many decisions already exist for the value (that is, how many times it has already been banned). We add 1 so the first ban is always 4 hours.
The resulting duration is calculated by multiplying this count by 4; the Sprintf function then formats the result into a string with the h suffix. The h suffix denotes hours in Go's time package, which is how CrowdSec parses the duration.
For example, when an IP is banned for the third time (two decisions already exist for it), the resulting string is 12h (12 hours).
Modified profiles.yaml
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
    duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
Captcha Decision
Upon detecting an incident, instead of immediately imposing a ban, you could opt to challenge the individual with a Captcha. This approach can be implemented by inserting an extra profile prior to the ban profile.
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
  ## Any scenario with http in its name will trigger a captcha challenge
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
name: default_ip_remediation
...
The --- line above is the separator between profiles. Profiles are evaluated in file order, so the captcha profile must come before the ban profile; with on_success set to break, the alert does not continue to the following profiles and the offender receives only the captcha decision.
Modified profiles.yaml
name: captcha_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip" && Alert.GetScenario() contains "http"
  ## Any scenario with http in its name will trigger a captcha challenge
decisions:
  - type: captcha
    duration: 4h
on_success: break
---
name: default_ip_remediation
#debug: true
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
    #duration_expr: Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4)
# notifications:
#   - slack_default  # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
#   - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
#   - http_default   # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
#   - email_default  # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
on_success: break
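To see how the scaling formula and the captcha-before-ban ordering interact, here is an added model of profile evaluation (example code written for this page, not CrowdSec's own implementation). It assumes simplified alert fields, replaces the expr filter strings with Python callables, and takes a constructed map of existing decisions per IP in place of GetDecisionsCount.

```python
"""Added example, not CrowdSec's code: a minimal model of how the profiles above
are evaluated, to check the duration_expr formula and the captcha-before-ban ordering.
Alert fields and the decision history are simplified and constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Alert:
    value: str                # Alert.GetValue(), the offending IP
    scenario: str             # Alert.GetScenario()
    scope: str = "Ip"         # Alert.GetScope()
    remediation: bool = True  # Alert.Remediation

@dataclass
class Profile:
    name: str
    filter: Callable[[Alert], bool]  # stands in for the expr filter string
    decision_type: str               # ban or captcha
    scale: bool = False              # True when duration_expr is uncommented
    on_success: str = "break"

def duration_for(profile: Profile, alert: Alert, history: Dict[str, int]) -> str:
    """Mirror of Sprintf('%dh', (GetDecisionsCount(Alert.GetValue()) + 1) * 4);
    history maps an IP to its number of existing decisions (GetDecisionsCount)."""
    if profile.scale:
        return "%dh" % ((history.get(alert.value, 0) + 1) * 4)
    return "4h"  # the static duration: 4h

def apply_profiles(profiles: List[Profile], alert: Alert,
                   history: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Walk the profiles in file order; on_success: break stops after the first match."""
    decisions = []
    for p in profiles:
        if not p.filter(alert):
            continue
        decisions.append((p.name, p.decision_type, duration_for(p, alert, history)))
        if p.on_success == "break":
            break
    return decisions

# The two profiles from the captcha example; the ban profile has duration_expr
# enabled as in the scaling example.
CAPTCHA = Profile("captcha_remediation",
                  lambda a: a.remediation and a.scope == "Ip" and "http" in a.scenario,
                  "captcha")
BAN = Profile("default_ip_remediation",
              lambda a: a.remediation and a.scope == "Ip", "ban", scale=True)
```

Swapping the order to [BAN, CAPTCHA] shows why placement matters: the ban profile matches every Ip alert and breaks, so the captcha profile is never reached.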
Next steps
After modifying profiles, restart the CrowdSec service to apply changes:
- Linux/Freebsd: sudo crowdsec -t && sudo systemctl restart crowdsec
- Windows: Restart-Service crowdsec
- Kubernetes: helm upgrade --install crowdsec crowdsecurity/crowdsec --namespace crowdsec -f values.yaml