Crowdsec on IT it's FUNhttps://mksit.sknt.ru/tags/crowdsec/Recent content in Crowdsec on IT it's FUNHugoruMon, 12 Jan 2026 00:00:00 +0000Crowdsec. Кастомные параметры в коллекцияхhttps://mksit.sknt.ru/posts/crowdsec.-%D0%BA%D0%B0%D1%81%D1%82%D0%BE%D0%BC%D0%BD%D1%8B%D0%B5-%D0%BF%D0%B0%D1%80%D0%B0%D0%BC%D0%B5%D1%82%D1%80%D1%8B-%D0%B2-%D0%BA%D0%BE%D0%BB%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8F%D1%85/Mon, 12 Jan 2026 00:00:00 +0000https://mksit.sknt.ru/posts/crowdsec.-%D0%BA%D0%B0%D1%81%D1%82%D0%BE%D0%BC%D0%BD%D1%8B%D0%B5-%D0%BF%D0%B0%D1%80%D0%B0%D0%BC%D0%B5%D1%82%D1%80%D1%8B-%D0%B2-%D0%BA%D0%BE%D0%BB%D0%BB%D0%B5%D0%BA%D1%86%D0%B8%D1%8F%D1%85/<p>Например, необходимо изменить параметры блокировки. Правим конфиг:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># /etc/crowdsec/scenarios/exim-bf.yaml</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># было</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">leakspeed</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10s&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">blackhole</span><span class="p">:</span><span class="w"> </span><span class="l">1m</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="c"># стало</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">leakspeed</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;10m&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nt">blackhole</span><span class="p">:</span><span class="w"> </span><span class="l">5h</span><span class="w"> </span></span></span></code></pre></div><p>Но тогда при эта коллекция будет помечена как <strong>tainted</strong> (испорчен)</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">cscli hub list </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">... </span></span><span class="line"><span class="cl">crowdsecurity/exim ⚠️ enabled,tainted 0.1 /etc/crowdsec/collections/exim.yaml </span></span></code></pre></div><p>Чтобы увидеть что именно &ldquo;испорченно&rdquo; делаем так:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="cl">cscli collections inspect --diff crowdsecurity/exim </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Let&#39;s see why collections:crowdsecurity/exim is tainted.</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">-&gt; scenarios:crowdsecurity/exim-bf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">--- /etc/crowdsec/scenarios/exim-bf.yaml </span></span><span class="line"><span class="cl">+++ /tmp/cscli-diff-176304198 </span></span><span class="line"><span class="cl">@@ -5,8 +5,8 @@ </span></span><span class="line"><span class="cl"> filter: <span class="s2">&#34;evt.Meta.log_type == &#39;exim_failed_auth&#39;&#34;</span> </span></span><span class="line"><span class="cl"> groupby: evt.Meta.source_ip </span></span><span class="line"><span class="cl"> capacity: <span class="m">5</span> </span></span><span class="line"><span class="cl">-leakspeed: <span class="s2">&#34;10m&#34;</span> </span></span><span class="line"><span class="cl">-blackhole: 5h </span></span><span class="line"><span class="cl">+leakspeed: <span class="s2">&#34;10s&#34;</span> </span></span><span class="line"><span class="cl">+blackhole: 1m </span></span><span class="line"><span class="cl"> labels: </span></span><span class="line"><span class="cl"> confidence: <span class="m">3</span> </span></span><span class="line"><span class="cl"> spoofable: <span class="m">0</span> </span></span><span class="line"><span class="cl">@@ -25,8 +25,8 @@ </span></span><span class="line"><span class="cl"> groupby: evt.Meta.source_ip </span></span><span class="line"><span class="cl"> distinct: evt.Meta.username </span></span><span class="line"><span class="cl"> capacity: <span class="m">5</span> </span></span><span class="line"><span class="cl">-leakspeed: <span class="s2">&#34;10m&#34;</span> </span></span><span class="line"><span class="cl">-blackhole: 5h </span></span><span class="line"><span class="cl">+leakspeed: <span class="s2">&#34;10s&#34;</span> </span></span><span class="line"><span class="cl">+blackhole: 1m </span></span><span class="line"><span class="cl"> labels: </span></span><span class="line"><span class="cl"> confidence: <span class="m">3</span> </span></span><span class="line"><span class="cl"> spoofable: <span class="m">0</span> </span></span></code></pre></div><p>Такая коллекция не будет обновляться, странно что нельзя переопределять параметры без того чтобы не поломать коллекцию.</p>