Version: v1.2

Simulation

$ sudo cscli simulation status
INFO[0000] global simulation: disabled
INFO[0000] Scenarios in simulation mode :
INFO[0000] - crowdsecurity/ssh-bf

cscli simulation lets you manage a list of scenarios whose remediation is "simulated": their decisions won't be effective (but will still be shown by cscli decisions list). This configuration is stored in /etc/crowdsec/simulation.yaml and is handled by the agent.

You can add scenarios to the simulation list and remove them from it:

$ sudo cscli simulation enable crowdsecurity/ssh-bf
INFO[0000] simulation mode for 'crowdsecurity/ssh-bf' enabled
INFO[0000] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
$ sudo systemctl reload crowdsec
$ sudo tail -f /var/log/crowdsec.log
....
time="01-11-2020 14:08:58" level=info msg="Ip 1.2.3.6 performed 'crowdsecurity/ssh-bf' (6 events over 986.769µs) at 2020-11-01 14:08:58.575885389 +0100 CET m=+437.524832750"
time="01-11-2020 14:08:58" level=info msg="Ip 1.2.3.6 decision : 1h (simulation) ban"
....

$ cscli decisions list
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
| ID | SOURCE | SCOPE:VALUE | REASON | ACTION | COUNTRY | AS | EVENTS | EXPIRATION |
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
| 4 | crowdsec | Ip:1.2.3.6 | crowdsecurity/ssh-bf | (simul)ban | US | | 6 | 59m38.293036072s |
+----+----------+--------------+-----------------------------------+------------+---------+----+--------+------------------+
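Before taking a scenario out of simulation, it helps to see how many decisions it produced and which targets it would have hit. The script below is an added example, not part of the CrowdSec documentation: it assumes the ASCII table layout shown above, and the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit simulated decisions from `cscli decisions list` table output.

# Constructed sample in the table layout shown above (documentation-range addresses).
sample_table() {
cat <<'EOF'
+----+----------+--------------+----------------------------+------------+---------+----+--------+------------+
| ID | SOURCE   | SCOPE:VALUE  | REASON                     | ACTION     | COUNTRY | AS | EVENTS | EXPIRATION |
+----+----------+--------------+----------------------------+------------+---------+----+--------+------------+
| 4  | crowdsec | Ip:192.0.2.6 | crowdsecurity/ssh-bf       | (simul)ban | US      |    | 6      | 59m38s     |
| 5  | crowdsec | Ip:192.0.2.7 | crowdsecurity/ssh-bf       | (simul)ban | FR      |    | 9      | 41m02s     |
| 6  | crowdsec | Ip:192.0.2.8 | crowdsecurity/http-probing | ban        | DE      |    | 11     | 3h12m      |
+----+----------+--------------+----------------------------+------------+---------+----+--------+------------+
EOF
}

# Per scenario, count decisions that were only simulated vs. actually enforced.
summarize_decisions() {
    awk -F'|' '
        /^\|/ && $2 ~ /^ *[0-9]+ *$/ {        # data rows only: numeric ID column
            reason = $5; action = $6
            gsub(/^ +| +$/, "", reason); gsub(/^ +| +$/, "", action)
            seen[reason] = 1
            if (action ~ /^\(simul\)/) { sim[reason]++ } else { enf[reason]++ }
        }
        END { for (r in seen) printf "%s simulated=%d enforced=%d\n", r, sim[r], enf[r] }
    ' | sort
}

# List the SCOPE:VALUE targets a scenario would have acted on while simulated.
simulated_targets() {   # $1 = scenario name
    awk -F'|' -v want="$1" '
        /^\|/ && $2 ~ /^ *[0-9]+ *$/ {
            target = $4; reason = $5; action = $6
            gsub(/ /, "", target); gsub(/^ +| +$/, "", reason); gsub(/^ +| +$/, "", action)
            if (reason == want && action ~ /^\(simul\)/) print target
        }
    ' | sort
}

sample_table | summarize_decisions
sample_table | simulated_targets crowdsecurity/ssh-bf
```

On a live host, replace `sample_table` with `sudo cscli decisions list` as the input to either function.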

You can also turn on "global simulation": in this case, only scenarios in the exclusion list will have their decisions applied.

Decisions coming from the CAPI (Central API) are not simulated. These are blocked directly.
