Comment by ajsnigrutin
12 hours ago
And you'd ban the ip, their one day lease on the VM+IP would expire, someone else will get the same IP on a new VM and be blocked from everywhere.
Would be usable to ban the ip for a few hours to have the bot cool down for a bit and move onto a next domain.
I was referring to the rules/patterns provided by crowdsec rather than the distribution of known "bad" IPs through their Central API.
The default ban for traffic detected by your crowdsec instance is 4 hours, so that concern isn't very relevant in that case.
The decisions from the Central API from other users can be quite a bit longer (I see some at ~6 days), but you also don't have to use those if you're worried about that scenario.