Enchanted Code

CrowdSec Discord Alerts


Intro

In this post I will explain how you can configure CrowdSec to send alerts to a Discord server. You will not need to install anything extra, as we will be taking advantage of the built-in http notification plugin. You will, however, need a Discord server where you are an administrator.

If you don’t know what CrowdSec is, it advertises itself as an “open-source and participative IPS”.

It gives us a system that helps protect against known bad actors and malicious behaviors, which is very important to have on any public-facing machine.

Setup

Let’s move on to setting up the alerts.

Discord Setup

First we will need to make a new Webhook on your selected Discord server to receive the alerts. You can do this as follows:

  1. Open Server Settings
  2. Click on Integrations
  3. Click on Webhooks
  4. Click “New Webhook”

Now that you have created the Webhook, feel free to customise its name and the channel you want alerts sent to. After you have done that, click on the “Copy Webhook URL” button and save the URL, which includes the webhook's ID and token, somewhere safe temporarily; we will need it later.

CrowdSec Setup

Next we need to access the server that CrowdSec is running on and navigate into the CrowdSec config folder, which is generally found at /etc/crowdsec/.

We can then copy the below text into a file called “discord.yaml” inside the “notifications” directory.

Replace the indicated url field with the Webhook URL we generated earlier.

#
# /etc/crowdsec/notifications/discord.yaml
#

type: http
name: discord
log_level: info
format: |
  {
    "content": "```\n{{range . -}}{{$alert := . -}}{{range .Decisions -}}- {{.Value}} will get **{{.Type}}** for the next '{{.Duration}}' for triggering '{{.Scenario}}'\n{{end -}}{{end -}}\n```"
  }  
url: https://discord.com/api/webhooks/<webhook id>/<webhook token>
#                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#                                          Your ID+Token Here
method: POST
headers:
  Content-Type: application/json

If any alerts are created now, they still won’t appear on Discord, because we have to tell CrowdSec when and where we want a notification to be sent. We do this in the “profiles.yaml” file. As you can see in the example config below, the discord notification is added in the “notifications” section. Depending on your setup, you may have different profiles configured.

#
# /etc/crowdsec/profiles.yaml
#

name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  # trigger discord.yaml notification
  - discord
on_success: break

After that it’s best to restart CrowdSec to ensure the new settings are loaded:

systemctl restart crowdsec

If, after applying this, you find yourself getting too many messages, you may want to move the notification to its own profile and set filters so that you are only alerted to specific scenarios.

Result

This is an example of the message you will get on Discord when there is an alert:

Discord notification of example ban alert
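
The message can also be reproduced offline before CrowdSec sends anything. The Go program below is an added example, not part of the original post or of CrowdSec: it renders the format string from discord.yaml with Go's text/template (the syntax the format string is written in), then confirms the body is valid JSON and that the text fits Discord's 2000-character limit on content. The Decision and Alert structs are simplified stand-ins for CrowdSec's alert data, and the sample alert is constructed.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
	"unicode/utf8"
)

// Simplified stand-ins (assumption) for the alert data the template walks.
type Decision struct{ Value, Type, Duration, Scenario string }
type Alert struct{ Decisions []Decision }

const fence = "\x60\x60\x60"     // three backticks, written as escapes
const discordContentLimit = 2000 // Discord's cap on the "content" field

// The format string from discord.yaml above, unchanged.
const format = `{
  "content": "` + fence + `\n{{range . -}}{{$alert := . -}}{{range .Decisions -}}- {{.Value}} will get **{{.Type}}** for the next '{{.Duration}}' for triggering '{{.Scenario}}'\n{{end -}}{{end -}}\n` + fence + `"
}`

// RenderDiscord executes the template, checks that the body is valid JSON
// and returns the message text Discord would display.
func RenderDiscord(alerts []Alert) (string, error) {
	tmpl, err := template.New("discord").Parse(format)
	if err != nil {
		return "", fmt.Errorf("template does not parse: %w", err)
	}
	var body bytes.Buffer
	if err := tmpl.Execute(&body, alerts); err != nil {
		return "", fmt.Errorf("template does not execute: %w", err)
	}
	var payload struct {
		Content string `json:"content"`
	}
	if err := json.Unmarshal(body.Bytes(), &payload); err != nil {
		return "", fmt.Errorf("body is not valid JSON: %w", err)
	}
	if n := utf8.RuneCountInString(payload.Content); n > discordContentLimit {
		return payload.Content, fmt.Errorf("content is %d characters, limit is %d", n, discordContentLimit)
	}
	return payload.Content, nil
}

func main() {
	// Constructed sample alert; 192.0.2.10 is a documentation address.
	sample := []Alert{{Decisions: []Decision{{"192.0.2.10", "ban", "4h", "crowdsecurity/ssh-bf"}}}}
	fmt.Println(RenderDiscord(sample))
}
```

An alert carrying many decisions renders one line per decision, so a large batch is where the length check fails first.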

Conclusion

As you can see, CrowdSec allows us to easily extend it, ensuring it is set up exactly how we want. I hope you enjoyed reading this article and found it useful.

This post was not endorsed or sponsored by any of the mentioned parties. My views are my own.
