2. CrowdSec → Cloudflare Sync (crowdsec-cf-sync.py)

Location: /usr/local/bin/crowdsec-cf-sync.py Service: crowdsec-cf-sync.service Logs: /var/log/crowdsec/cf-sync.log

Location: /usr/local/bin/crowdsec-cf-sync.py Systemd service: crowdsec-cf-sync.service Logs: /var/log/crowdsec/cf-sync.log

Installation

cp crowdsec-cf-sync.py /usr/local/bin/
chmod +x /usr/local/bin/crowdsec-cf-sync.py
systemctl enable crowdsec-cf-sync
systemctl start crowdsec-cf-sync

Features

• Syncs active CrowdSec bans → Cloudflare IP Access Rules (tag crowdsec-local-ban)
• Reports banned IPs → AbuseIPDB (48h window, deduplicated)
• Repeat-offender escalation: 1st CrowdSec ban handles | 2nd → 24h | 3rd+ → 7d (7d window)
• ModSecurity score ≥ 5 → immediate 2h CF ban (tag modsec-ban) + AbuseIPDB report
• Automatic /24 ban: 2+ IPs from same block in 7d → CF + CrowdSec ban 24h (tag crowdsec-cidr-ban)

Bug fixes (April 2026)

• cs_origin vs origin in get_recent_local_bans() — the JSON field is cs_origin
• REST API pagination /v1/decisions?limit=1000 misses cscli bans → replaced with cscli decisions list --origin
• Items → items (lowercase) in CrowdSec allowlist JSON parsing

⚠️ Important: real tokens (CF_API_TOKEN, CF_ZONE_ID, CS_API_KEY, ABUSEIPDB_KEY) must be stored in /etc/secrets/ with chmod 600 and loaded via environment variables, not hardcoded in the script. The VOTRE_* values below are placeholders.

]]>