Crowdsecurity
The CrowdSec Security Engine is an open-source, lightweight software that detects and blocks malicious actors from accessing your systems at various levels, using log analysis and threat patterns called scenarios.
Installation
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bashsudo apt-get updatesudo apt-get install crowdsecRecommended collections, parsers and scenarios
cscli collections install crowdsecurity/linuxcscli collections install crowdsecurity/whitelist-good-actorscscli collections install crowdsecurity/iptablescscli parsers install crowdsecurity/whitelistsBouncer
CrowdSec itself is not a blocking solution, it’s a detection engine. To block IPs, you need to install a bouncer. You can find a list of available bouncer here. To install the firewall bouncer, run one of the following commands, depending on your firewall:
sudo apt install crowdsec-firewall-bouncer-iptables# orsudo apt install crowdsec-firewall-bouncer-nftablesSupport Docker
If you are using Docker, you need to modify the bouncer configuration to block requests to Docker containers. Edit the file /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml and uncomment the line FORWARD in the iptables_chains.
Configuration
To parse logs, you need to install a parser. You can find a list of available parsers here. After that you need to configure the parser to parse the logs you want by editign the file /etc/crowdsec/acquis.yaml.
Example for nginx
cscli collections install crowdsecurity/nginx---source: dockercontainer_name: - nginxlabels: type: nginxCreate own ip whitelist
You can create your own ip whitelist by creating the file /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml.
name: crowdsecurity/whitelistsdescription: 'Whitelist events from my ip addresses'whtielist: reason: 'my ip ranges' ip: - '1.1.1.1' - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16'