Hello everyone,
has anyone successfully managed to connect OpenZiti and CrowdSec?
An OpenZiti log parser could, for example, detect incorrect login attempts to the ZAC, the routers, ... and report them to the LAPI.
I see a huge advantage in the fact that CrowdSec can then also block private Ziti tunneler addresses if they have been compromised or if someone makes unusual calls.
This would provide an additional layer of security.
Thinking one step further, it would also be possible to create an OpenZiti bouncer that analyzes the blocked IPs and, if it is one of the tunneler addresses, deactivates it completely for the duration => the “attacker” is completely locked out of the Ziti network.
I am looking forward to your experiences and opinions
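As an added illustration of the parser/bouncer idea sketched in this post (and the temporary-block point raised later in the thread), here is a small Python sketch. It is not OpenZiti or CrowdSec code: the log line format, the sample lines, the tunneler-address-to-identity map and the thresholds are all constructed for the example, nothing here talks to a real CrowdSec LAPI or to the ziti CLI, and the alert dictionary is only a stand-in for whatever the reporting hook would send.

```python
"""Sketch of the CrowdSec-style parser/bouncer idea from the post above.

Everything below is CONSTRUCTED for illustration: the log format is not
OpenZiti's real format, the sample lines are made up, and nothing here
calls a real CrowdSec LAPI or the ziti CLI.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) line shape:
#   "<ISO timestamp> <component> auth <ok|failed> from <ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<component>\S+) auth (?P<result>ok|failed) from (?P<ip>[\d.]+)"
)

# Constructed sample lines standing in for controller/router auth logs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z zac auth failed from 100.64.0.5 user=admin
2024-05-01T10:00:03Z zac auth failed from 100.64.0.5 user=admin
2024-05-01T10:00:04Z router-1 auth ok from 100.64.0.9 user=bob
2024-05-01T10:00:06Z zac auth failed from 100.64.0.5 user=root
2024-05-01T10:00:09Z zac auth failed from 100.64.0.5 user=admin
2024-05-01T10:00:10Z zac auth failed from 100.64.0.5 user=admin
2024-05-01T10:00:15Z zac auth failed from 203.0.113.7 user=admin
2024-05-01T10:20:00Z zac auth failed from 203.0.113.7 user=admin
"""

THRESHOLD = 5                   # this many failures ...
WINDOW = timedelta(minutes=1)   # ... inside this sliding window triggers a decision
BAN_DURATION = timedelta(hours=4)  # decisions are temporary, like CrowdSec's

def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "component": m["component"],
        "failed": m["result"] == "failed",
        "ip": m["ip"],
    }

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: trigger_ts} for IPs with >= threshold failures within the window."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    decisions = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["failed"]:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in decisions:
            decisions[ev["ip"]] = ev["ts"]
    return decisions

def build_alert(ip, ts, duration=BAN_DURATION):
    """Shape the decision a reporting hook would forward (placeholder, not the LAPI schema)."""
    return {"source_ip": ip, "scenario": "openziti/auth-bruteforce", "until": ts + duration}

# Constructed mapping of private tunneler addresses to Ziti identity names.
TUNNELER_IDENTITIES = {"100.64.0.5": "laptop-alice", "100.64.0.9": "laptop-bob"}

def bouncer_actions(alerts, tunneler_map=TUNNELER_IDENTITIES):
    """Bouncer side: a blocked tunneler address maps to a temporary identity disable;
    any other address only gets an IP-level block. Actions carry their expiry."""
    actions = []
    for a in alerts:
        ident = tunneler_map.get(a["source_ip"])
        if ident:
            actions.append(("disable_identity", ident, a["until"]))
        else:
            actions.append(("block_ip", a["source_ip"], a["until"]))
    return actions

def expired(action, now):
    """True once the temporary action should be lifted again without manual unlocking."""
    return now >= action[2]

if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    alerts = [build_alert(ip, ts) for ip, ts in hits.items()]
    for act in bouncer_actions(alerts):
        print(act)
```

Run as-is it flags only 100.64.0.5 (five failures in nine seconds) and maps it to the constructed identity `laptop-alice` with a four-hour expiry; 203.0.113.7 has two failures twenty minutes apart and stays under the threshold. The disable/block tuples are where a real integration would call the ziti CLI or API, which this sketch does not do.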
Hi @ZzenlD, I've not seen anyone mention it yet. To be honest, I'm not sure I'm familiar enough with CrowdSec to know if it'd be helpful, but since you generally need to have an identity to access a service provided by OpenZiti, and because the DNS entries are often unresolvable WITHOUT that identity, I don't know if it would do much?
OpenZiti is "deny by default" so we don't generally worry about IPs (or "blocked" IPs) at all. There might be something interesting there, but if there's something, I'm just not familiar enough with it to be able to have a real opinion. I do know that I haven't seen anyone talking about it, at least not lately.
cheers
Building on what @TheLumberjack says, if you believe malicious behaviour occurs, just remove the service from the identity and, as he says, no access. Also, with regard to stopping connections from non-Ziti endpoints to the overlay, this is exactly part of the reason behind 'Ziti Firewall' (or ZFW) - GitHub - netfoundry/zfw: An EBPF based IPv4/IPv6 firewall with integrations for OpenZiti Zero-Trust Framework edge-routers and tunnellers. We have recently implemented it in the NetFoundry routers to make DDoS and other network attacks from non-Ziti endpoints pretty much irrelevant.
Of course I would remove the malicious service from the overlay network, but with a CrowdSec integration this would be done automatically in less time => less time to find/exploit a vulnerability.
In addition, the CrowdSec block is always only temporary, i.e. the client can use the services again after a certain period of time without me having to unlock it manually.
If the service/client remains conspicuous, I remove it completely from the overlay network and CrowdSec would no longer sound the alarm.
I just see this as another practical layer of security, but maybe I'm being a bit too paranoid