CrowdSec is a relatively new tool in the security world. It is an Intrusion Prevention System (IPS): it detects threats and adds the necessary firewall rules when needed.
CrowdSec differs from other IPSs because of its collaborative aspect. It also offers an on-premise or cloud dashboard.
You may have heard of, or used, Fail2ban; CrowdSec basically does the same things, but with more functionality.
- Collaborative security
- Decoupled detection and action software
- Ease of use
- IPv6 Ready
- GDPR Compliant
- Easy to install & set up
- Large support for many services
- Not easily understandable
- Can be hard to set up, depending on your setup
Type of recognized threats
How does it work?
First, it gathers logs from any source and parses them. It then applies scenarios to identify cyber-threats, and rules are set depending on the desired behavior.
CrowdSec has two main components: the scenarios and the bouncers. The scenarios detect the type of threat, and the bouncers take action to ban or correct it. You can also choose to use only one of the two parts.
Bouncers are used to "apply" decisions based on threats detected by the CrowdSec software.
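A simplified model of the parse, scenario, decision and bouncer flow described above, as an added example that is not CrowdSec's own code. The log lines, threshold, window, ban duration, nftables set names and function names are all constructed for illustration, and the rules are only rendered as text, never applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sshd-style log lines (documentation address ranges), not real traffic.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for admin from 203.0.113.7 port 40024 ssh2
2024-05-01T10:00:04 sshd[812]: Accepted password for alice from 198.51.100.9 port 51000 ssh2
2024-05-01T10:00:05 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40030 ssh2
2024-05-01T10:00:09 sshd[813]: Failed password for root from 2001:db8::5 port 40100 ssh2
2024-05-01T10:09:00 sshd[813]: Failed password for root from 2001:db8::5 port 40101 ssh2
2024-05-01T10:18:00 sshd[813]: Failed password for root from 2001:db8::5 port 40102 ssh2
""".splitlines()

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")

def parse(line):
    """Parser stage: turn a raw line into (timestamp, source IP), or None if irrelevant."""
    m = FAILED.match(line)
    return (datetime.fromisoformat(m.group(1)), ip_address(m.group(2))) if m else None

def detect(lines, threshold=3, window=timedelta(minutes=1)):
    """Scenario stage: emit a ban decision for an IP with `threshold` failures in `window`."""
    recent, decisions = defaultdict(deque), {}
    for ts, ip in filter(None, map(parse, lines)):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            decisions.setdefault(ip, {"ip": ip, "type": "ban", "duration": "4h"})
    return list(decisions.values())

def bounce(decisions, backend="nftables"):
    """Bouncer stage: render each decision as a rule for the chosen firewall backend."""
    rules = []
    for d in decisions:
        ip, v6 = d["ip"], d["ip"].version == 6
        if backend == "nftables":  # hypothetical table and set names
            rules.append(f"nft add element inet filter blocklist{'6' if v6 else '4'} {{ {ip} }}")
        else:
            rules.append(f"{'ip6tables' if v6 else 'iptables'} -I INPUT -s {ip} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(bounce(detect(SAMPLE_LOGS))))
```

With the one-minute window only the fast IPv4 source is banned; the IPv6 source spaces its attempts nine minutes apart and is caught only by a wider window such as `detect(SAMPLE_LOGS, window=timedelta(minutes=30))`, which is why slow brute-force needs its own scenario.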
Before installing the basic bouncer that will act on your firewall rules, you need to check whether your system is using iptables or nftables, to determine where your system should act to prevent attacks.
Then you can use the basic firewall bouncer. It will check for the most common cases of attacks on your server (brute-force, slow brute-force, …).
Then, depending on the service(s) you are running on your server, you can use one or more other bouncers.
- WordPress bouncer
- Caddy bouncer
- HAproxy bouncer
- Traefik bouncer
- Nginx bouncer
- And more …
See it in action
You can then use some commands to see CrowdSec in action after a few hours/days.