Crowdsec

Crowdsec – Collaborative Security

Crowdsec is a relatively new tool in the security world, it’s an Intrusion Prevention Systems (IPS), it allow the detection of threats and the adding of necessary firewall rules if needed.

Crowdsec differs from other IPS because of the collaboration aspect. It also offer an on-premise or cloud dashboard.

You may have heard, or used Fail2ban, it basically do the same things, but with more functionalities.

Pros

  • Open-Source
  • Collaborative security
  • Decoupled detection and action software
  • Ease of use
  • IPv6 Ready
  • GDPR Compliant
  • Easy to install & setup
  • Large support for many services

Cons

  • Not easily understandable
  • Can be hard to setup depending on your setup

Type of recognized threats

Threats recognized by Crowdsec

How does it works ?

First it gather the logs and parse them from any source, it also applies scenarios to identify cyber-threats, then rules are set depending of the desired behavior.

Crowdsec has two main components, the scenarios and the bouncers. The scenarios detect the type of threat and the bouncers make an action to ban/correct it. You can also choose to only use one of the two parts.

Base installation

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
Add the Crowdsec repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
Add the Crowdsec repository
sudo apt-get install crowdsec
Install Crowdsec

Understanding bouncers

Bouncers are used to « apply » decisions, from threats detected by the Crowdsec software.

Before installing the basic bouncer that will act on your firewall rules, you need to check if your system is using iptable or nftable to determine where your system should act to prevent the attacks.

Then, you can use the basic firewall bouncer. It will check for the most common cases of attacks on your server (Brute-force, Slow brute-force, …).

apt install crowdsec-firewall-bouncer-iptables
Install the Linux firewall bouncer

Then, depending of the service(s) you are running on your server, you can use one more other bouncers.

  • WordPress bouncer
  • Caddy bouncer
  • HAproxy bouncer
  • Traefik bouncer
  • Nginx bouncer
  • And more …
🔎
You can check the full bouncer list on the Crowdsec website
💡
Keep in mind that some bouncers are experimental !

See it in action

You can then use some commands to see Crowdsec in action after a few hours/days.

sudo cscli decisions list
Check if IP bans are been applied
sudo cscli decisions delete --ip 1.2.3.4
Delete the ban of the IP 1.2.3.4

Commentaires

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *