From a3a23cf77e55437fd51c3382a332e72c0d19f7f8 Mon Sep 17 00:00:00 2001
From: Adrien Reslinger
Date: Fri, 16 Dec 2022 22:37:09 +0100
Subject: [PATCH] Change default ban time to 1 week
---
 tasks/main.yml | 7 +++++--
 templates/etc/crowdsec/profiles.yaml.j2 | 13 +++++++++++++
 2 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 templates/etc/crowdsec/profiles.yaml.j2
diff --git a/tasks/main.yml b/tasks/main.yml
index 2b20a18..a1b6f03 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,11 +65,14 @@
 - name: Deploy main config
 ansible.builtin.template:
- src: etc/crowdsec/config.yaml.j2
- dest: /etc/crowdsec/config.yaml
+ src: "etc/crowdsec/{{ item }}.yaml.j2"
+ dest: "/etc/crowdsec/{{ item }}.yaml.local"
 owner: root
 group: root
 mode: 0644
+ with_items:
+ - "config"
+ - "profiles"
 notify: restart crowdsec
 - name: Deploy whitelist
diff --git a/templates/etc/crowdsec/profiles.yaml.j2 b/templates/etc/crowdsec/profiles.yaml.j2
new file mode 100644
index 0000000..15dabb7
--- /dev/null
+++ b/templates/etc/crowdsec/profiles.yaml.j2
@@ -0,0 +1,13 @@
+name: default_ip_remediation
+#debug: true
+filters:
+ - Alert.Remediation == true && Alert.GetScope() == "Ip"
+decisions:
+ - type: ban
+ duration: 168h
+# notifications:
+# - slack_default # Set the webhook in /etc/crowdsec/notifications/slack.yaml before enabling this.
+# - splunk_default # Set the splunk url and token in /etc/crowdsec/notifications/splunk.yaml before enabling this.
+# - http_default # Set the required http parameters in /etc/crowdsec/notifications/http.yaml before enabling this.
+# - email_default # Set the required email parameters in /etc/crowdsec/notifications/email.yaml before enabling this.
+on_success: break
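Review bot: Changing `dest` to `/etc/crowdsec/{{ item }}.yaml.local` stops managing the `/etc/crowdsec/config.yaml` that earlier runs of this task rendered, so on already-provisioned hosts that file stays behind and, as far as I understand CrowdSec's `.local` handling, the new file is applied on top of it. A setting later dropped from `config.yaml.j2` would then remain active from the stale base file. I would record this in the task, for example `# .yaml.local overrides the packaged file; hosts from older role versions still carry a role-rendered config.yaml`, and rename the task from `Deploy main config` to something like `Deploy local config overrides` now that it loops over two files. The unquoted `mode: 0644` on the context line now applies to the new profiles file as well and is safer written as `mode: "0644"`.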
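Review bot: The `duration: 168h` line hard-codes the ban length in a `.j2` file that contains no templating, so every host using the role gets a one-week ban for any Ip-scoped alert, with no way to tune it from inventory. A week is long for addresses that get reassigned (dynamic or shared NAT ranges), so some hosts will likely want a shorter value; a role variable would allow that, for example `duration: "{{ crowdsec_ban_duration | default('168h') }}"` (the variable name is a suggestion, not an existing one). A header comment would also help the next reader: it should say that this file is deployed as `profiles.yaml.local` and that `on_success: break` is what keeps later profiles from also handling the alert. How the file combines with the packaged `profiles.yaml` is worth confirming against the CrowdSec documentation.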