Crowdsec is a relatively new tool in the security world. It is an Intrusion Prevention System (IPS): it detects threats in your logs and adds the necessary firewall rules when needed.

Crowdsec differs from other IPS through its collaborative aspect: the attacking IPs detected by one installation are shared with the community, so every participant benefits from the others' detections. It also offers an on-premise or cloud dashboard.

You may have heard of, or used, Fail2ban: Crowdsec basically does the same thing, with more functionality.

Pros

Cons

Type of recognized threats

Threats recognized by Crowdsec

How does it work?

First it gathers logs from any source and parses them, then it applies scenarios to the parsed events to identify cyber-threats; finally a remediation is applied, depending on the desired behaviour.

Crowdsec has two main parts: the scenarios, which detect the type of threat, and the bouncers, which take an action to ban or correct it. You can also choose to use only one of the two.

Base installation

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
Add the Crowdsec repository
sudo apt-get install crowdsec
Install Crowdsec

Understanding bouncers

Bouncers are used to apply the decisions that Crowdsec produces from the threats it detects.

Before installing the basic bouncer that acts on your firewall rules, check whether your system uses iptables or nftables, so that you install the variant which manages the ruleset your system actually enforces.

Then you can use the basic firewall bouncer. It blocks the IPs that the detection scenarios flag for the most common attacks on your server (brute-force, slow brute-force, ...).

apt install crowdsec-firewall-bouncer-iptables
Install the Linux firewall bouncer (iptables variant; on an nftables system install the crowdsec-firewall-bouncer-nftables package instead)

Then, depending on the service(s) running on your server, you can add one or more other bouncers.

🔎
You can check the full bouncer list on the Crowdsec website
💡
Keep in mind that some bouncers are experimental!

See it in action

After a few hours or days, you can use a few commands to see Crowdsec in action.

sudo cscli decisions list
Check which IP bans are currently applied
sudo cscli decisions delete --ip 1.2.3.4
Delete the ban on the IP 1.2.3.4
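The steps above (pick the right firewall bouncer, install it, then check that bans really land in the firewall) can be tied together in one script. The following is an added example written for this page, not code from the CrowdSec project. It assumes the bouncer's default names, which are not stated on the page: the nftables table crowdsec with the set crowdsec-blacklists, and the ipset crowdsec-blacklists for the iptables variant. Adjust them if you changed the bouncer's configuration.

```shell
#!/bin/sh
# Added example (not CrowdSec's own code): choose the firewall bouncer package
# matching this host's firewall backend, install it, then prove the whole chain
# works by injecting a manual decision and checking it reaches the firewall.
#
# Assumed defaults (not from the page): nftables table "crowdsec" with set
# "crowdsec-blacklists"; ipset "crowdsec-blacklists" for the iptables bouncer.
set -u

# Map a backend name to the package name shipped in the CrowdSec repository.
bouncer_package_for() {
    case "$1" in
        nftables) echo crowdsec-firewall-bouncer-nftables ;;
        iptables) echo crowdsec-firewall-bouncer-iptables ;;
        *) echo "unknown firewall backend: $1" >&2; return 1 ;;
    esac
}

# Decide which backend this host really uses. On recent Debian/Ubuntu the
# "iptables" binary is usually the nf_tables shim, so its mere presence proves
# nothing; its version string does ("(legacy)" vs "(nf_tables)").
detect_firewall_backend() {
    if command -v iptables >/dev/null 2>&1 && iptables --version 2>/dev/null | grep -q legacy; then
        echo iptables
    elif command -v nft >/dev/null 2>&1; then
        echo nftables
    else
        echo iptables
    fi
}

# Check that an IP is blocked at the firewall level, not merely listed by
# cscli: a decision that never reaches the ruleset protects nothing.
# Returns 0 when the IP is present in the bouncer's set / ipset.
ip_blocked_in_firewall() {
    ip="$1"; backend="$2"
    case "$backend" in
        nftables) sudo nft list set ip crowdsec crowdsec-blacklists 2>/dev/null | grep -qF -- "$ip" ;;
        iptables) sudo ipset list crowdsec-blacklists 2>/dev/null | grep -qF -- "$ip" ;;
        *) return 1 ;;
    esac
}

# Only touch the system when explicitly asked, so the file can be sourced
# for its functions without side effects.
if [ "${1:-}" = "--run" ]; then
    backend=$(detect_firewall_backend)
    pkg=$(bouncer_package_for "$backend")
    echo "firewall backend: $backend -> installing $pkg"
    sudo apt-get install -y "$pkg"
    sudo cscli bouncers list              # the new bouncer must be registered here

    # RFC 5737 TEST-NET-3 address: safe to ban, it is never routed on the Internet.
    test_ip=203.0.113.10
    sudo cscli decisions add --ip "$test_ip" --duration 5m --reason "bouncer smoke test"
    sudo cscli decisions list --ip "$test_ip"
    # The firewall bouncer pulls decisions from the local API every 10s by
    # default (update_frequency), so give it time before checking.
    sleep 15
    if ip_blocked_in_firewall "$test_ip" "$backend"; then
        echo "OK: $test_ip reached the $backend ruleset"
    else
        echo "FAIL: decision exists but the firewall does not block $test_ip" >&2
    fi
    sudo cscli decisions delete --ip "$test_ip"
fi
```

Run it as `sh check-bouncer.sh --run` on the server. The important part is the last check: `cscli decisions list` only shows what the agent decided, while `nft list set` / `ipset list` shows what the kernel enforces; if the two disagree, the bouncer is not registered, its API key is wrong, or it manages the other firewall backend.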
