CrowdSec IPS
Tags: CrowdSec IPS, Intrusion Prevention, Behavior Analysis, Community Threat Intelligence, Bouncer, Compliance, GDPR, PCI DSS, ISO 27001, Automation, Block IP, Linux, Docker, Kubernetes

| IPS Tool | Detection | Threat Intel | License | Best For |
|---|---|---|---|---|
| CrowdSec | Behavior Analysis | Community | MIT | Modern Stack |
| Fail2ban | Regex | None | GPL | Simple Setup |
| Suricata | Signature + Anomaly | ET Rules | GPL | Network IDS/IPS |
| Snort | Signature | Snort Rules | GPL | Classic IDS |
CrowdSec Setup
```bash
# === CrowdSec Installation ===
# Install CrowdSec from the packagecloud repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec

# Install the firewall bouncer (iptables) and the Nginx bouncer
sudo apt install crowdsec-firewall-bouncer-iptables
sudo apt install crowdsec-nginx-bouncer

# Check status
sudo cscli metrics
sudo cscli decisions list
sudo cscli alerts list
```

Configuration: /etc/crowdsec/acquis.yaml (each `---` document is one log source)

```yaml
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/apache2/access.log
labels:
  type: apache2
```

```bash
# Install collections (parsers + scenarios)
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/http-cve

# Whitelist your own IP: remove any existing decision, then add a whitelist parser
# (the whitelist parser format is name/description/whitelist: reason, ip, cidr)
sudo cscli decisions delete --ip YOUR_IP
sudo tee /etc/crowdsec/parsers/s02-enrich/whitelist.yaml > /dev/null <<'EOF'
name: crowdsecurity/whitelists
description: "Whitelist events from the admin IP"
whitelist:
  reason: "admin"
  ip:
    - "YOUR_IP"
EOF
sudo systemctl reload crowdsec
```
```python
from dataclasses import dataclass


@dataclass
class ThreatEvent:
    timestamp: str
    source_ip: str
    scenario: str
    action: str
    duration: str
    country: str


# Sample alerts in the form cscli reports them (illustrative values)
events = [
    ThreatEvent("14:23:15", "185.220.101.45", "crowdsecurity/ssh-bf", "ban 4h", "4 hours", "RU"),
    ThreatEvent("14:25:30", "45.155.205.233", "crowdsecurity/http-probing", "ban 4h", "4 hours", "CN"),
    ThreatEvent("14:28:45", "192.168.1.100", "crowdsecurity/http-bf-wordpress", "ban 4h", "4 hours", "TH"),
    ThreatEvent("14:30:00", "103.152.220.44", "crowdsecurity/CVE-2021-44228", "ban 24h", "24 hours", "VN"),
    ThreatEvent("14:32:10", "91.240.118.172", "crowdsecurity/http-crawl-non_statics", "ban 4h", "4 hours", "UA"),
]

print("=== CrowdSec Alert Log ===")
for e in events:
    print(f" [{e.timestamp}] {e.source_ip} ({e.country})")
    print(f"   Scenario: {e.scenario} | Action: {e.action}")
```
Compliance Framework
```python
from dataclasses import dataclass

# === Compliance Automation ===
# CrowdSec helps with:
# PCI DSS 3.2.1:
#   Req 1:  Firewall configuration (Bouncer)
#   Req 10: Log monitoring (Parser + Scenarios)
#   Req 11: IDS/IPS testing (Behavior Analysis)
# GDPR:
#   Article 32: Security measures (automated blocking)
#   Article 33: Breach notification (alerting)
# ISO 27001:
#   A.12.4: Logging and monitoring
#   A.13.1: Network security management


@dataclass
class ComplianceControl:
    framework: str
    requirement: str
    crowdsec_feature: str
    status: str
    evidence: str


# Mapping of each control to the CrowdSec feature and the evidence an auditor can check
controls = [
    ComplianceControl("PCI DSS", "Req 1 — Firewall", "Firewall Bouncer auto-block", "Pass", "Decision logs"),
    ComplianceControl("PCI DSS", "Req 10 — Logging", "Log parsing + analysis", "Pass", "acquis.yaml + metrics"),
    ComplianceControl("PCI DSS", "Req 11 — IDS/IPS", "Behavior scenarios", "Pass", "Alert history"),
    ComplianceControl("GDPR", "Art 32 — Security", "Auto-blocking threats", "Pass", "Decision + metrics"),
    ComplianceControl("GDPR", "Art 33 — Notification", "Alert webhook", "Pass", "Slack/Email alerts"),
    ComplianceControl("ISO 27001", "A.12.4 — Monitoring", "Real-time log analysis", "Pass", "Dashboard + SIEM"),
]

print("\n=== Compliance Status ===")
for c in controls:
    print(f" [{c.status}] {c.framework} — {c.requirement}")
    print(f"   Feature: {c.crowdsec_feature} | Evidence: {c.evidence}")

# Automated report (illustrative figures)
report_metrics = {
    "Threats Blocked (30d)": "12,450",
    "Unique Source IPs": "3,280",
    "Top Scenario": "SSH Brute Force (45%)",
    "Top Country": "China (28%), Russia (18%)",
    "Avg Response Time": "< 2 seconds",
    "False Positive Rate": "0.3%",
    "Community CTI Signals": "150,000+ IPs shared",
    "Uptime": "99.99%",
}

print("\nCompliance Report:")
for k, v in report_metrics.items():
    print(f" {k}: {v}")
```
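The report above hardcodes its figures. As an added example (not code from the page or from the CrowdSec project), the following Python derives the same evidence from alert data instead; the sample is constructed, and the field names (`scenario`, `source.ip`, `source.cn`, `decisions[].type`, `decisions[].origin`) are assumed to match the shape of `cscli alerts list -o json`.

```python
import json
from collections import Counter

# Constructed sample in the shape of `cscli alerts list -o json` (field names are an
# assumption based on the LAPI alert model; adjust if your version differs).
SAMPLE_ALERTS_JSON = """[
 {"scenario": "crowdsecurity/ssh-bf", "source": {"ip": "203.0.113.10", "cn": "CN"},
  "decisions": [{"type": "ban", "duration": "4h", "origin": "crowdsec"}]},
 {"scenario": "crowdsecurity/ssh-bf", "source": {"ip": "203.0.113.11", "cn": "RU"},
  "decisions": [{"type": "ban", "duration": "3h58m", "origin": "crowdsec"}]},
 {"scenario": "crowdsecurity/http-probing", "source": {"ip": "198.51.100.7", "cn": "CN"},
  "decisions": [{"type": "ban", "duration": "4h", "origin": "crowdsec"}]},
 {"scenario": "crowdsecurity/ssh-bf", "source": {"ip": "203.0.113.10", "cn": "CN"},
  "decisions": [{"type": "ban", "duration": "24h", "origin": "CAPI"}]},
 {"scenario": "crowdsecurity/http-probing", "source": {"ip": "198.51.100.8", "cn": "US"},
  "decisions": []}
]"""


def _share(counter: Counter, n: int) -> list:
    """Top-n entries as (key, percent of total); empty input gives []."""
    total = sum(counter.values())
    if total == 0:
        return []
    return [(k, round(100 * v / total)) for k, v in counter.most_common(n)]


def build_report(alerts_json: str, top_n: int = 2) -> dict:
    """Aggregate alerts into compliance evidence: ban count, unique IPs, top
    scenarios/countries, and local (crowdsec) vs community (CAPI) decision origin.
    Alerts that carry no ban decision (e.g. whitelisted) are skipped."""
    bans, ips, scenarios, countries, origins = 0, set(), Counter(), Counter(), Counter()
    for alert in json.loads(alerts_json):
        ban_decisions = [d for d in alert.get("decisions", []) if d.get("type") == "ban"]
        if not ban_decisions:
            continue
        bans += len(ban_decisions)
        ips.add(alert["source"]["ip"])
        scenarios[alert["scenario"]] += 1
        countries[alert["source"].get("cn", "??")] += 1
        for d in ban_decisions:
            origins[d.get("origin", "unknown")] += 1
    return {
        "threats_blocked": bans,
        "unique_source_ips": len(ips),
        "top_scenarios": _share(scenarios, top_n),
        "top_countries": _share(countries, top_n),
        "by_origin": dict(origins),
    }


if __name__ == "__main__":
    print(build_report(SAMPLE_ALERTS_JSON))
```

Run it against a real export with `sudo cscli alerts list -o json > alerts.json` and pass the file contents to `build_report`.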
Enterprise Deployment
```yaml
# === Enterprise multi-server: Docker Compose ===
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/sshd
      - ENROLL_KEY=your-console-key
    volumes:
      - /var/log/nginx:/var/log/nginx:ro
      - /var/log/auth.log:/var/log/auth.log:ro
      - crowdsec-db:/var/lib/crowdsec/data
      - crowdsec-config:/etc/crowdsec
    restart: always

  bouncer-nginx:
    image: crowdsecurity/crowdsec-openresty-bouncer
    environment:
      - CROWDSEC_BOUNCER_API_KEY=bouncer-key
      - CROWDSEC_BOUNCER_HOST=crowdsec:8080
    depends_on: [crowdsec]

# Named volumes used above must be declared
volumes:
  crowdsec-db:
  crowdsec-config:
```

```bash
# Kubernetes (Helm)
helm repo add crowdsec https://crowdsecurity.github.io/helm-charts
helm install crowdsec crowdsec/crowdsec \
  --set 'agent.acquisition[0].namespace=nginx' \
  --set 'agent.acquisition[0].podName=nginx-*' \
  --set 'lapi.env[0].name=ENROLL_KEY' \
  --set 'lapi.env[0].value=your-key'

# SIEM integration: the email, slack and http (webhook) notification plugins ship
# with CrowdSec; configure them in /etc/crowdsec/notifications/<plugin>.yaml
sudo cscli notifications list
sudo cscli notifications inspect http_elastic   # webhook to SIEM / Elasticsearch
```

Elasticsearch export via /etc/crowdsec/profiles.yaml (`http_elastic` is the `name:` set in notifications/http.yaml):

```yaml
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - http_elastic
on_success: break
```
```python
# Automation tasks (strings kept as in the original; English in the comments)
automation_tasks = [
    "Auto-block: IP ที่ Brute Force ถูก Ban อัตโนมัติ",        # brute-forcing IPs are banned automatically
    "Auto-report: สร้าง Compliance Report ทุกเดือน",           # generate a compliance report every month
    "Auto-update: อัพเดท Scenarios Collections อัตโนมัติ",     # update scenario collections automatically
    "Auto-alert: แจ้ง Slack Email เมื่อมี Critical Alert",     # notify Slack/email on critical alerts
    "Auto-whitelist: Import Whitelist จาก CMDB อัตโนมัติ",     # import the whitelist from the CMDB automatically
    "Auto-escalate: Escalate ถ้า Alert > Threshold",          # escalate when alerts exceed a threshold
    "Auto-export: ส่ง Log ไป SIEM ทุก Event",                  # forward every event's log to the SIEM
]

print("Automation Tasks:")
for i, t in enumerate(automation_tasks, 1):
    print(f" {i}. {t}")
```
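The whitelist step in the setup section and the "Auto-whitelist from CMDB" task above both need the same thing: turning a list of admin addresses into a valid CrowdSec whitelist parser without writing malformed entries. This added example (not from the page or the CrowdSec project) does that in Python; the CMDB CSV, its column names (`asset`, `address`) and the addresses are constructed.

```python
import csv
import io
import ipaddress

# Constructed CMDB export (assumed columns: asset, address); not a real CMDB format.
CMDB_CSV = """asset,address
vpn-gateway,203.0.113.5
office-lan,192.168.10.0/24
monitoring,198.51.100.9
broken-row,not-an-ip
host-in-cidr,192.168.20.5/24
duplicate,203.0.113.5
"""


def load_admin_addresses(csv_text: str):
    """Split CMDB rows into single IPs and CIDR ranges; return (ips, cidrs, rejected).
    Invalid or ambiguous entries are reported, never silently written to the whitelist."""
    ips, cidrs, rejected = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = row["address"].strip()
        try:
            if "/" in addr:
                # strict=True rejects ranges with host bits set (e.g. 192.168.20.5/24),
                # so a typo cannot whitelist a whole network by accident
                net = ipaddress.ip_network(addr, strict=True).with_prefixlen
                if net not in cidrs:
                    cidrs.append(net)
            else:
                ip = str(ipaddress.ip_address(addr))
                if ip not in ips:
                    ips.append(ip)
        except ValueError:
            rejected.append((row["asset"], addr))
    return ips, cidrs, rejected


def render_whitelist(ips, cidrs, reason="admin addresses from CMDB") -> str:
    """Emit a parser file in the crowdsecurity/whitelists format (whitelist: reason/ip/cidr)."""
    lines = ["name: crowdsecurity/whitelists",
             'description: "Whitelist events from admin addresses"',
             "whitelist:", f'  reason: "{reason}"']
    if ips:
        lines.append("  ip:")
        lines.extend(f'    - "{ip}"' for ip in ips)
    if cidrs:
        lines.append("  cidr:")
        lines.extend(f'    - "{c}"' for c in cidrs)
    return "\n".join(lines) + "\n"
```

Write the rendered text to /etc/crowdsec/parsers/s02-enrich/whitelist.yaml and reload CrowdSec; review the rejected rows before the next run.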
Tips
- Collections: install the collections that match your stack, e.g. nginx, sshd
- Console: enroll in the Console to get a dashboard and manage multiple machines
- Whitelist: whitelist admin IPs so you do not lock yourself out
- SIEM: forward alerts to a SIEM for an audit trail
- Update: update scenarios regularly to cover new CVEs
Real-world deployment in an organization
For medium to large organizations, a Three-Tier Architecture is recommended: a Core Layer at the heart of the system, a Distribution Layer that distributes traffic, and an Access Layer that connects directly to users. Clear layer separation makes troubleshooting easier and lets the system scale as needed.
Network security matters just as much: deploy a Next-Generation Firewall capable of Deep Packet Inspection, use network segmentation with a separate VLAN per department, deploy IDS/IPS to detect attacks, and run a regular security audit at least twice a year.
What is CrowdSec?
An open source IPS that uses behavior analysis and community threat intelligence; bouncers block IPs based on log analysis; it runs on Linux, Docker and Kubernetes, is MIT licensed and free.
How does CrowdSec differ from Fail2ban?
Behavior analysis instead of regex, community CTI, multiple bouncers, and a dashboard, API and Console for managing many machines. Fail2ban is regex-based, local and simple; CrowdSec is aimed at production.
How does compliance automation work?
PCI DSS Req 1, 10 and 11, GDPR Art 32 and 33, and ISO 27001 A.12.4 are covered by auto-block, logging, alerting and reporting, with the SIEM, dashboard and audit trail serving as evidence.
How do I install CrowdSec?
apt install crowdsec, a bouncer (iptables, nginx), acquis.yaml for log sources, collections (nginx, sshd), and the Console at app.crowdsec.net for the dashboard.
Summary
CrowdSec IPS with compliance automation: behavior analysis, community CTI and bouncers that block; PCI DSS, GDPR and ISO 27001 evidence; SIEM alerting; Docker and Kubernetes for enterprise production.
