Remediation Component inclusion: crowdsec-unifi-bouncer

[wolffcatskyy]

Hello,

I would like to request inclusion of crowdsec-unifi-bouncer on the CrowdSec Hub as a remediation component.

Repository Info

• Source repository: https://github.com/wolffcatskyy/crowdsec-unifi-bouncer
• License: MIT
• Current status: Stable (used in production, active user community with 100+ GitHub stars)
• Language: Bash (lightweight, runs directly on UniFi OS)
• Latest release: v2.3.0

Context

There is already a cs-unifi-bouncer by Teifun2 listed on the Hub. Our project takes a different approach — it installs and persists the official CrowdSec firewall bouncer (crowdsec-firewall-bouncer) directly on UniFi OS devices rather than implementing a custom bouncer. This means it inherits all the capabilities of the official bouncer (stream mode, LAPI metrics, nftables/iptables support) while solving the UniFi-specific challenges of persistence across firmware updates and SSH-based deployment.

Documentation

• README: https://github.com/wolffcatskyy/crowdsec-unifi-bouncer/blob/main/README.md
• Covers installation, uninstallation, configuration, troubleshooting, and firmware update recovery

Tests

• CI workflow with ShellCheck linting and installation tests
• GitHub Actions: https://github.com/wolffcatskyy/crowdsec-unifi-bouncer/blob/main/.github/workflows/ci.yml

Features

Mode

• Stream mode (default): Uses the official crowdsec-firewall-bouncer which pulls decisions from LAPI and manages firewall rules via nftables/iptables

Key Capabilities

• Direct on-device bouncer for UniFi OS (UDM, UDM SE, UDR, UXG)
• Manages ipset/iptables/nftables rules directly on the firewall
• Automatic persistence across UniFi firmware updates via systemd boot service
• Stream-aware decision capping with intelligent sidecar proxy for prioritizing local vs CAPI decisions
• AbuseIPDB confidence score reporting
• Prometheus metrics exposure for monitoring
• Docker image available on GHCR for sidecar proxy component
• Pre-built binary packages for ARM64 (UniFi hardware)

Deployment

• One-command SSH install script
• Automatic download and installation of the correct crowdsec-firewall-bouncer binary
• Systemd service management with automatic restart on failure
• Non-destructive firmware update recovery

Short Description

Install and persist the official CrowdSec firewall bouncer on UniFi OS devices (UDM, UDM SE, UDR) with automatic recovery from firmware updates

Social Preview Image

Set on the repository.

Releases

Yes — v2.3.0 (latest), with multiple prior releases.

[wolffcatskyy]

Friendly ping — any thoughts on including this? Happy to adjust the submission if anything's needed.

---

🤖 This response was generated by Claude AI assisting the maintainer.