Integrations · CrowdSec

Import a HoneyLabs blocklist into CrowdSec

CrowdSec accepts external intelligence as decisions: the same object its own scenarios produce, enforced by whatever bouncers you already run. cscli decisions import reads a plain list of values, which is exactly what the HoneyLabs text feed is.

  1. 01

    Save a query

    Sign in (free) and save the HoneyLabs query you want the feed to track on the feeds page. Any lookup query works: a port, an ASN, a tag, or a boolean combination. The feed returns the source IPs currently matching it, so a tighter query means a tighter blocklist.

    # Example saved queries and what they feed you
    port:22 AND NOT tag:scanner     # SSH brute-forcers, known researchers removed
    tag:scanner                     # every recognized scanner IP
    cve:CVE-2024-4577               # IPs probing one specific CVE
    asn:14061 AND port:445          # SMB scans out of DigitalOcean
  2. 02

    Mint a feed token

    On the same page, mint a feed URL for the saved query. The token alone authorizes the fetch: no cookies, no headers, safe to paste into an appliance. Mint one token per consumer so you can revoke a leaked URL without breaking the others.

    # Your feed URL looks like
    https://honeylabs.net/feed/<token>        # plain text, one IP per line
    https://honeylabs.net/feed/<token>.csv    # ip,first_seen,last_seen,events,asn,country
    https://honeylabs.net/feed/<token>.json   # same fields as JSON
  3. 03

    Import the feed as decisions

    Pull the text feed and import it. The values format takes one IP per line as-is. Set the duration to your refresh interval or longer so decisions do not expire between runs.

    curl -fsS 'https://honeylabs.net/feed/<token>' -o /tmp/honeylabs.txt
    cscli decisions import -i /tmp/honeylabs.txt --format values --duration 24h
    
    # Verify
    cscli decisions list | head
  4. 04

    Schedule the refresh

    A daily import with a 24h duration keeps the decision set tracking the feed: IPs that stop matching your query age out on their own.

    # /etc/cron.d/honeylabs-crowdsec
    0 6 * * * root curl -fsS 'https://honeylabs.net/feed/<token>' -o /tmp/honeylabs.txt \
      && cscli decisions import -i /tmp/honeylabs.txt --format values --duration 24h

Worth knowing

  • Existing bouncers (firewall, nginx, Traefik) enforce imported decisions automatically; nothing else to configure.
  • Re-importing the same IP refreshes its decision rather than duplicating it.

The feed is plain text (one IP per line), CSV, or JSON, is revocable per token, and is edge-cached for five minutes, so a tight refresh schedule never hammers anything. Create yours on the feeds page, or browse the other integrations.