CrowdSec IPS
CrowdSec is an open-source IPS built on crowd intelligence: it analyzes logs, detects attacks, and shares malicious IPs with the community. It is similar to Fail2ban but adds a community blocklist.
Monitoring is done through a dashboard, alerting goes out via Slack, Email, or Telegram, and bouncers block IPs automatically through iptables, Nginx, or Cloudflare.
Installation and Configuration
# === CrowdSec Installation ===
# 1. Install CrowdSec (Debian/Ubuntu)
#    (review the repository script before piping it into bash, or download it first)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
# 2. Install a bouncer (firewall)
sudo apt install crowdsec-firewall-bouncer-iptables
# 3. Check status
sudo systemctl status crowdsec
sudo cscli metrics
sudo cscli decisions list
sudo cscli alerts list
# 4. Configuration files
# /etc/crowdsec/config.yaml — Main config
# /etc/crowdsec/acquis.yaml — Log sources
# /etc/crowdsec/profiles.yaml — Decision profiles
# /etc/crowdsec/scenarios/ — Detection scenarios
# /etc/crowdsec/parsers/ — Log parsers
# /etc/crowdsec/postoverflows/ — Post-processing
# 5. acquis.yaml — define log sources (one YAML document per source, separated by ---)
# filenames:
#   - /var/log/nginx/access.log
#   - /var/log/nginx/error.log
# labels:
#   type: nginx
# ---
# filenames:
#   - /var/log/auth.log
# labels:
#   type: syslog
# ---
# filenames:
#   - /var/log/apache2/access.log
# labels:
#   type: apache2
# 6. Install collections (detection rules)
#    (run `sudo systemctl reload crowdsec` afterwards so new collections and acquis.yaml are picked up)
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/http-cve
sudo cscli collections install crowdsecurity/wordpress
# 7. List installed collections, scenarios, and parsers
sudo cscli collections list
sudo cscli scenarios list
sudo cscli parsers list
# 8. Test — ban an IP manually, confirm the decision, then remove it
sudo cscli decisions add --ip 192.168.1.100 --duration 1h --reason "manual test"
sudo cscli decisions list
sudo cscli decisions delete --ip 192.168.1.100
# 9. Enroll in the CrowdSec Console (dashboard)
sudo cscli console enroll YOUR_ENROLLMENT_KEY
# View the dashboard at https://app.crowdsec.net
echo "CrowdSec Installation Complete"
echo " Config: /etc/crowdsec/"
echo " Logs: /var/log/crowdsec.log"
echo " CLI: cscli"
echo " Dashboard: https://app.crowdsec.net"
Alerting Configuration
# === CrowdSec Alerting ===
# Notification plugins receive a list of alerts, so a format template iterates with
# {{range .}} and reads fields such as .Source.IP and .Scenario on each alert.
# 1. Slack notification
# /etc/crowdsec/notifications/slack.yaml
# type: slack
# name: slack_default
# log_level: info
# format: |
#   {{range . -}}
#   🚨 *CrowdSec Alert*
#   *IP:* {{.Source.IP}}
#   *Scenario:* {{.Scenario}}
#   *Country:* {{.Source.Cn}}
#   *Events:* {{.EventsCount}}
#   *Decision:* {{range .Decisions}}{{.Type}} for {{.Duration}}{{end}}
#   {{end -}}
# webhook: https://hooks.slack.com/services/YOUR/WEBHOOK/URL
# 2. Telegram notification (generic http plugin; the rendered format is sent as the request body,
#    so the Telegram JSON payload itself goes into the template)
# /etc/crowdsec/notifications/telegram.yaml
# type: http
# name: telegram_default
# log_level: info
# format: |
#   {"chat_id": "YOUR_CHAT_ID", "parse_mode": "Markdown",
#    "text": "{{range . -}}🚨 CrowdSec Alert\nIP: {{.Source.IP}}\nScenario: {{.Scenario}}\nCountry: {{.Source.Cn}}\n{{end -}}"}
# url: https://api.telegram.org/botYOUR_TOKEN/sendMessage
# method: POST
# headers:
#   Content-Type: application/json
# 3. Email notification
# /etc/crowdsec/notifications/email.yaml
# type: email
# name: email_default
# log_level: info
# format: |
#   {{range . -}}
#   CrowdSec Alert: {{.Scenario}}
#   IP: {{.Source.IP}}
#   Country: {{.Source.Cn}}
#   {{end -}}
# smtp_host: smtp.gmail.com
# smtp_port: 587
# smtp_username: alerts@company.com
# smtp_password: app-password   # secret: keep this file readable by root only
# sender_email: alerts@company.com
# receiver_emails:
#   - security@company.com
# 4. profiles.yaml — decide which scenarios produce which decision and notification.
#    Profiles are evaluated top to bottom and on_success: break stops at the first match,
#    so the more specific critical_alerts profile (step 5) must be placed above this one,
#    with the profiles separated by ---.
# name: default_ip_remediation
# filters:
#   - Alert.Remediation == true && Alert.GetScope() == "Ip"
# decisions:
#   - type: ban
#     duration: 4h
# notifications:
#   - slack_default
#   - telegram_default
# on_success: break
# 5. Severity-based alerting (put this profile above default_ip_remediation)
# name: critical_alerts
# filters:
#   - Alert.Scenario contains "ssh" || Alert.Scenario contains "cve"
# decisions:
#   - type: ban
#     duration: 24h
# notifications:
#   - slack_default
#   - email_default
#   - telegram_default
# on_success: break
# 6. Reload configuration
sudo systemctl reload crowdsec
# 7. Test a notification plugin
sudo cscli notifications test slack_default
echo "Alerting Configuration:"
echo " Slack: /etc/crowdsec/notifications/slack.yaml"
echo " Telegram: /etc/crowdsec/notifications/telegram.yaml"
echo " Email: /etc/crowdsec/notifications/email.yaml"
echo " Profiles: /etc/crowdsec/profiles.yaml"
Monitoring Dashboard
# monitoring_dashboard.py — CrowdSec Monitoring
from dataclasses import dataclass
from typing import List, Dict
from collections import Counter


@dataclass
class Alert:
    ip: str
    scenario: str
    country: str
    events_count: int
    decision: str
    duration: str
    timestamp: str


class CrowdSecMonitor:
    """CrowdSec Monitoring Dashboard"""

    def __init__(self):
        self.alerts: List[Alert] = []
        self.decisions: List[Dict] = []

    def add_alert(self, alert: Alert):
        self.alerts.append(alert)

    def dashboard(self):
        """Main Dashboard"""
        print(f"\n{'=' * 60}")
        print("CrowdSec Monitoring Dashboard")
        print("=" * 60)
        # Summary
        total = len(self.alerts)
        countries = Counter(a.country for a in self.alerts)
        scenarios = Counter(a.scenario for a in self.alerts)
        print(f"\n Total Alerts: {total}")
        print(f" Unique IPs: {len(set(a.ip for a in self.alerts))}")
        # Top countries
        print("\n Top Attack Countries:")
        for country, count in countries.most_common(5):
            bar = "#" * min(count * 2, 20)
            print(f" {country:>5}: {count:>4} {bar}")
        # Top scenarios
        print("\n Top Scenarios:")
        for scenario, count in scenarios.most_common(5):
            print(f" {scenario:<40} {count:>4}")
        # Recent alerts
        print("\n Recent Alerts:")
        for alert in self.alerts[-5:]:
            print(f" [{alert.country}] {alert.ip:<16} "
                  f"{alert.scenario:<30} ({alert.decision} {alert.duration})")

    def threat_report(self):
        """Threat Intelligence Report"""
        print("\n Threat Report:")
        scenarios = Counter(a.scenario for a in self.alerts)
        # Keyword matching on scenario names; one scenario may fall into several categories
        categories = {
            "Brute Force": [s for s in scenarios if "bf" in s or "brute" in s],
            "Web Attacks": [s for s in scenarios if "http" in s or "web" in s],
            "SSH Attacks": [s for s in scenarios if "ssh" in s],
            "CVE Exploits": [s for s in scenarios if "cve" in s],
        }
        for category, matched in categories.items():
            total = sum(scenarios[s] for s in matched)
            if total > 0:
                print(f" {category}: {total} alerts")


# Example
monitor = CrowdSecMonitor()
alerts = [
    Alert("198.51.100.1", "crowdsecurity/ssh-bf", "CN", 50, "ban", "4h", "2024-01-15T10:00:00"),
    Alert("203.0.113.5", "crowdsecurity/http-probing", "RU", 30, "ban", "4h", "2024-01-15T10:05:00"),
    Alert("192.0.2.10", "crowdsecurity/http-cve-2021-41773", "US", 5, "ban", "24h", "2024-01-15T10:10:00"),
    Alert("198.51.100.20", "crowdsecurity/ssh-bf", "KR", 100, "ban", "4h", "2024-01-15T10:15:00"),
    Alert("203.0.113.15", "crowdsecurity/nginx-req-limit", "BR", 200, "ban", "2h", "2024-01-15T10:20:00"),
    Alert("192.0.2.50", "crowdsecurity/http-bad-user-agent", "DE", 15, "ban", "4h", "2024-01-15T10:25:00"),
    Alert("198.51.100.30", "crowdsecurity/ssh-bf", "CN", 80, "ban", "4h", "2024-01-15T10:30:00"),
]
for a in alerts:
    monitor.add_alert(a)
monitor.dashboard()
monitor.threat_report()

# cscli commands for monitoring
commands = {
    "cscli metrics": "Show all metrics (parsers, scenarios, bouncers)",
    "cscli alerts list": "Show recent alerts",
    "cscli decisions list": "Show active decisions (bans)",
    "cscli bouncers list": "Show registered bouncers",
    "cscli machines list": "Show registered machines",
    "cscli hub list": "Show installed collections/parsers/scenarios",
}
print("\n Useful Commands:")
for cmd, desc in commands.items():
    print(f" {cmd}")
    print(f" {desc}")
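Added example (not code from the page or from the CrowdSec project): instead of hand-built Alert objects, this reads the JSON that `cscli alerts list -o json` prints, applies the same ssh/cve predicate as the critical_alerts profile in the alerting section, and flags hits from trusted ranges that belong in a CrowdSec whitelist. The sample JSON and the 10.0.0.0/8 trusted range are constructed, and the field names are assumed to follow CrowdSec's alert model.

```python
import json
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of `cscli alerts list -o json` (a list of alert
# objects; field names follow the CrowdSec alert model, the values are made up).
SAMPLE_JSON = """[
 {"scenario": "crowdsecurity/ssh-bf", "events_count": 50, "created_at": "2024-01-15T10:00:00Z",
  "source": {"ip": "198.51.100.1", "cn": "CN"},
  "decisions": [{"type": "ban", "duration": "4h", "origin": "crowdsec"}]},
 {"scenario": "crowdsecurity/http-probing", "events_count": 30, "created_at": "2024-01-15T10:05:00Z",
  "source": {"ip": "10.0.0.7", "cn": ""},
  "decisions": [{"type": "ban", "duration": "4h", "origin": "crowdsec"}]},
 {"scenario": "crowdsecurity/http-cve-2021-41773", "events_count": 5, "created_at": "2024-01-15T10:10:00Z",
  "source": {"ip": "192.0.2.10", "cn": "US"},
  "decisions": []}
]"""

# Assumed trusted range (e.g. internal monitoring hosts). Alerts from it are probable
# false positives: fix them with a CrowdSec whitelist rather than hiding them in reports.
WHITELIST = [ipaddress.ip_network("10.0.0.0/8")]

def parse_cscli_alerts(raw: str) -> List[Dict[str, object]]:
    """Flatten cscli's JSON alert list into the fields the dashboard needs."""
    out = []
    for a in json.loads(raw):
        d = (a.get("decisions") or [{}])[0]  # first decision, if the alert has one
        out.append({"ip": a["source"]["ip"], "scenario": a["scenario"],
                    "country": a["source"].get("cn") or "??",
                    "decision": d.get("type", "none"), "duration": d.get("duration", "-")})
    return out

def severity(scenario: str) -> str:
    """Same predicate as the critical_alerts profile: ssh or cve scenarios are critical."""
    s = scenario.lower()
    return "critical" if ("ssh" in s or "cve" in s) else "normal"

def is_whitelisted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in WHITELIST)

def triage(raw: str) -> Dict[str, object]:
    """Split alerts into critical ones and probable false positives from trusted ranges."""
    alerts = parse_cscli_alerts(raw)
    return {"total": len(alerts),
            "critical": [a["ip"] for a in alerts if severity(a["scenario"]) == "critical"],
            "whitelisted": [a["ip"] for a in alerts if is_whitelisted(a["ip"])]}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_JSON), indent=2))
```

Feed it real data with `sudo cscli alerts list -o json > alerts.json` and pass the file contents to `triage`.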
Best Practices
- Collections: install the collections that match your services, e.g. nginx, sshd, wordpress
- Bouncers: use the firewall bouncer to block at the network level
- Console: enroll with the CrowdSec Console for a real-time dashboard
- Alerting: set up alerts for critical scenarios such as CVE exploits and SSH brute force
- Whitelist: whitelist trusted IPs to prevent false positives
- Multi-server: use the LAPI to distribute decisions to multiple servers
What is CrowdSec?
An open-source IPS built on crowd intelligence: it analyzes logs, detects attacks, and shares malicious IPs with the community. It is similar to Fail2ban but adds a community blocklist and supports many platforms.
How does CrowdSec differ from Fail2ban?
CrowdSec has community intelligence (a shared IP blocklist), a dashboard, and distributed operation across many servers; Fail2ban runs on a single machine with no community feed. CrowdSec also exposes an API and has bouncers for the firewall, Nginx, and Cloudflare.
What is a bouncer?
The component that blocks malicious IPs: cs-firewall-bouncer (iptables/nftables), cs-nginx-bouncer (Nginx), cs-cloudflare-bouncer (Cloudflare). Pick the one that matches your infrastructure.
How do you configure alerting?
Through notification plugins (Slack, Email, Telegram, PagerDuty); profiles.yaml decides which scenarios trigger a notification. Use severity levels and rate limiting to avoid alert fatigue; the CrowdSec Console provides a real-time dashboard.
Summary
CrowdSec is an open-source IPS that uses crowd intelligence to detect attacks and share a blocklist with the community. Bouncers block IPs automatically, alerting goes through Slack, Email, and Telegram, the CrowdSec Console provides the dashboard, and multi-server deployments distribute decisions through the LAPI.
