Crowdsec

[zerodarkzone]

Hi,

It would be nice to include crowdsec in the docker compose example. This would make wiredoor a litle more secure for exposing services.

[dmesad]

Great suggestion!

Are you familiar with how to integrate it properly in a Docker Compose setup? If you have any recommendations or would like to contribute a working example, feel free to share it. Even better if you’re up for submitting a PR! We’d be happy to review it.

[zerodarkzone]

That compose file works but it does not have the bouncer so it only logs the problems but it does not stop them.
I've modified the Dockerfile of wiredoor to install the bouncer so it actually stops threads.

[dmesad]

I think a sidecar container with the bouncer properly configured is a very interesting approach... we’re leaning in that direction as it avoids modifying the main wiredoor image.

[dmesad]

Hey @buildplan, thanks for sharing this config! It looks very clean and well thought out. Really appreciate the contribution! It’ll definitely help shape an official example.

[buildplan]

That compose file works but it does not have the bouncer so it only logs the problems but it does not stop them. I've modified the Dockerfile of wiredoor to install the bouncer so it actually stops threads.

Yes, I installed a firewall bouncer at the host in addition to this container and use API key from the container to link it up.

[zerodarkzone]

Thats a good way to do it

[zerodarkzone]

Hi @dmesad,

This is a working basic configuration which could serve as a guide to a formal implementation:

zerodarkzone#1

I think it would need some changes to better implement it. The crowdsec bouncer is only packaged with debian so I changed the base Docker image to use debian instead of alpine. (It should be possible to install it on alpine but I didn't manage to do it).

[dmesad]

Thanks again for the PR

At this stage, we’d prefer to avoid modifying the Wiredoor base image, so we're not moving forward with the changes for now. Instead, we’re planning to adopt a sidecar container approach

[dmesad]

Just wanted to share an update: I've added CrowdSec to the docker-setup and also integrated Prometheus and Grafana to monitor it. I'm using the official dashboards from crowdsecurity.

Everything works smoothly inside Docker. The only remaining step is configuring the firewall bouncer on the host so it can block malicious IPs at the network level.

To set up the firewall bouncer on the host:

1. Install the bouncer following this guide: https://docs.crowdsec.net/u/bouncers/firewall/.
2. Generate a bouncer API key inside crowdsec container:

cd /path/to/docker-setup
docker compose exec crowdsec cscli bouncers add firewall-bouncer

3. Update /etc/crowdsec/bouncers/cs-firewall-bouncer.yaml on the host:

api_url: http://127.0.0.1:8080
api_key: <your-api-key-here>

4. Start the bouncer:

sudo systemctl enable --now crowdsec-firewall-bouncer

The bouncer will now talk to the CrowdSec API exposed from the container on localhost:8080 and apply decisions at the firewall level.

Feel free to test it and let me know if everything works as expected!

[dmesad]

I just published a full guide on how to add CrowdSec + Firewall Bouncer to the Wiredoor Setup:

https://www.wiredoor.net/guides/how-to-block-malicious-ip-in-wiredoor-using-crowdsec-firewall-bouncer

[zerodarkzone]

Great, this is usefull and everything is working fine.