CrowdSec IPS Monitoring and Alerting: How-To
CrowdSec IPS

CrowdSec is an open-source IPS built on crowd intelligence: it analyzes logs, detects attacks, and shares malicious IPs with the community. It is similar to Fail2ban but adds a community blocklist.
Monitoring is done through a dashboard, alerting goes out via Slack, Email, or Telegram, and bouncers block IPs automatically through iptables, Nginx, or Cloudflare.
Installation and Configuration
=== CrowdSec Installation ===
1. Install CrowdSec (Debian/Ubuntu)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
2. Install Bouncer (Firewall)
sudo apt install crowdsec-firewall-bouncer-iptables
3. Check the status
sudo systemctl status crowdsec
sudo cscli metrics
sudo cscli decisions list
sudo cscli alerts list
4. Configuration Files
/etc/crowdsec/config.yaml — Main config
/etc/crowdsec/acquis.yaml — Log sources
/etc/crowdsec/profiles.yaml — Decision profiles
/etc/crowdsec/scenarios/ — Detection scenarios
/etc/crowdsec/parsers/ — Log parsers
/etc/crowdsec/postoverflows/ — Post-processing
5. acquis.yaml: define the log sources
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/apache2/access.log
labels:
  type: apache2
6. Install Collections (Detection Rules)
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/http-cve
sudo cscli collections install crowdsecurity/wordpress
7. List the installed collections
sudo cscli collections list
sudo cscli scenarios list
sudo cscli parsers list
8. Test: ban an IP manually
sudo cscli decisions add --ip 192.168.1.100 --duration 1h --reason "manual test"
sudo cscli decisions list
sudo cscli decisions delete --ip 192.168.1.100
9. Enroll in the CrowdSec Console (Dashboard)
sudo cscli console enroll YOUR_ENROLLMENT_KEY
View the dashboard at https://app.crowdsec.net
echo "CrowdSec Installation Complete"
echo " Config: /etc/crowdsec/"
echo " Logs: /var/log/crowdsec.log"
echo " CLI: cscli"
echo " Dashboard: https://app.crowdsec.net"
Alerting Configuration
=== CrowdSec Alerting ===
1. Slack Notification
/etc/crowdsec/notifications/slack.yaml
type: slack
name: slack_default
log_level: info
# The template is rendered over the list of alerts handed to the plugin,
# so per-alert fields are read inside a range over that list.
format: |
  {{range . -}}
  🚨 *CrowdSec Alert*
  *IP:* {{.Source.IP}}
  *Scenario:* {{.Scenario}}
  *Country:* {{.Source.Cn}}
  *Events:* {{.EventsCount}}
  *Decision:* {{range .Decisions}}{{.Type}} for {{.Duration}}{{end}}
  {{end}}
webhook: https://hooks.slack.com/services/YOUR/WEBHOOK/URL
2. Telegram Notification
/etc/crowdsec/notifications/telegram.yaml
type: http
name: telegram_default
log_level: info
# The http plugin sends the rendered format as the request body, so the
# JSON payload for the Bot API is built in the template itself.
format: |
  {"chat_id": "YOUR_CHAT_ID", "text": "{{range . -}}🚨 CrowdSec Alert\nIP: {{.Source.IP}}\nScenario: {{.Scenario}}\nCountry: {{.Source.Cn}}\n{{end}}", "parse_mode": "Markdown"}
url: https://api.telegram.org/botYOUR_TOKEN/sendMessage
method: POST
headers:
  Content-Type: application/json
3. Email Notification
/etc/crowdsec/notifications/email.yaml
type: email
name: email_default
log_level: info
format: |
  {{range . -}}
  CrowdSec Alert: {{.Scenario}}
  IP: {{.Source.IP}}
  Country: {{.Source.Cn}}
  {{end}}
smtp_host: smtp.gmail.com
smtp_port: 587
# Port 587 is the STARTTLS submission port. The key name below follows the
# hub's email.yaml template; verify it against the plugin version you run.
encryption_type: starttls
smtp_username: alerts@company.com
smtp_password: app-password
sender_email: alerts@company.com
receiver_emails:
  - security@company.com
4. profiles.yaml: decide which scenarios trigger which notifications
name: default_ip_remediation
filters:
  - Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
  - type: ban
    duration: 4h
notifications:
  - slack_default
  - telegram_default
on_success: break
5. Severity-based Alerting
# Profiles are evaluated in file order and both entries use on_success: break,
# so this profile must sit above default_ip_remediation in profiles.yaml
# (separated by ---). Otherwise the catch-all profile matches first and this
# one never runs.
name: critical_alerts
filters:
  - Alert.Scenario contains "ssh" || Alert.Scenario contains "cve"
decisions:
  - type: ban
    duration: 24h
notifications:
  - slack_default
  - email_default
  - telegram_default
on_success: break
6. Reload Configuration
sudo systemctl reload crowdsec
7. Test Notification
sudo cscli notifications test slack_default
echo "Alerting Configuration:"
echo " Slack: /etc/crowdsec/notifications/slack.yaml"
echo " Telegram: /etc/crowdsec/notifications/telegram.yaml"
echo " Email: /etc/crowdsec/notifications/email.yaml"
echo " Profiles: /etc/crowdsec/profiles.yaml"
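To see why profile order matters, here is an added Python model of how CrowdSec walks profiles.yaml. It is not CrowdSec's own code: the two profiles are constructed to mirror the entries in steps 4 and 5, the filter expressions are re-expressed as Python predicates, and the walk reproduces the documented behaviour that profiles are tried top to bottom and `on_success: break` stops the walk. Running it with the profiles in both orders shows that an SSH brute-force alert only receives the 24h ban and the e-mail notification when critical_alerts is listed first.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Alert:
    """Minimal stand-in for the alert fields the page's profile filters read."""
    scenario: str
    ip: str
    scope: str = "Ip"
    remediation: bool = True


@dataclass
class Profile:
    """One profiles.yaml entry; `match` stands in for the expr filter string."""
    name: str
    match: Callable[[Alert], bool]
    decision: Dict[str, str]
    notifications: List[str]
    on_success: str = "break"


def route(alert: Alert, profiles: List[Profile]) -> Dict[str, list]:
    """Walk profiles top to bottom and collect what applies to the alert.

    A matching profile contributes its decision and its notification plugins;
    when its on_success is "break", later profiles are not consulted at all.
    A non-matching profile is skipped and the walk continues.
    """
    applied: Dict[str, list] = {"profiles": [], "decisions": [], "notifications": []}
    for profile in profiles:
        if not profile.match(alert):
            continue
        applied["profiles"].append(profile.name)
        applied["decisions"].append(profile.decision)
        applied["notifications"].extend(profile.notifications)
        if profile.on_success == "break":
            break
    return applied


# Constructed profiles mirroring the two entries on the page (assumption:
# expr's `contains` is a case-sensitive substring test, like Python's `in`).
CRITICAL_ALERTS = Profile(
    name="critical_alerts",
    # Alert.Scenario contains "ssh" || Alert.Scenario contains "cve"
    match=lambda a: "ssh" in a.scenario or "cve" in a.scenario,
    decision={"type": "ban", "duration": "24h"},
    notifications=["slack_default", "email_default", "telegram_default"],
)
DEFAULT_IP_REMEDIATION = Profile(
    name="default_ip_remediation",
    # Alert.Remediation == true && Alert.GetScope() == "Ip"
    match=lambda a: a.remediation and a.scope == "Ip",
    decision={"type": "ban", "duration": "4h"},
    notifications=["slack_default", "telegram_default"],
)


def route_with_critical_first(alert: Alert) -> Dict[str, list]:
    """Order that gives SSH/CVE alerts the 24h ban and the e-mail notification."""
    return route(alert, [CRITICAL_ALERTS, DEFAULT_IP_REMEDIATION])


def route_with_default_first(alert: Alert) -> Dict[str, list]:
    """Order where the catch-all profile breaks first and critical_alerts never runs."""
    return route(alert, [DEFAULT_IP_REMEDIATION, CRITICAL_ALERTS])


if __name__ == "__main__":
    for alert in (Alert("crowdsecurity/ssh-bf", "198.51.100.1"),
                  Alert("crowdsecurity/http-probing", "203.0.113.5")):
        print(alert.scenario)
        print("  critical first:", route_with_critical_first(alert))
        print("  default first: ", route_with_default_first(alert))
```

The same check applies to any profile you add later: a profile that ends with `on_success: break` and a broad filter silently shadows everything below it, so list the narrow, high-severity profiles first and the catch-all last.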
Monitoring Dashboard
# monitoring_dashboard.py — CrowdSec Monitoring
from dataclasses import dataclass
from typing import List, Dict
from collections import Counter


@dataclass
class Alert:
    ip: str
    scenario: str
    country: str
    events_count: int
    decision: str
    duration: str
    timestamp: str


class CrowdSecMonitor:
    """CrowdSec Monitoring Dashboard"""

    def __init__(self):
        self.alerts: List[Alert] = []
        self.decisions: List[Dict] = []

    def add_alert(self, alert: Alert):
        self.alerts.append(alert)

    def dashboard(self):
        """Main Dashboard"""
        print(f"\n{'='*60}")
        print("CrowdSec Monitoring Dashboard")
        print(f"{'='*60}")
        # Summary
        total = len(self.alerts)
        countries = Counter(a.country for a in self.alerts)
        scenarios = Counter(a.scenario for a in self.alerts)
        print(f"\n Total Alerts: {total}")
        print(f" Unique IPs: {len(set(a.ip for a in self.alerts))}")
        # Top Countries
        print("\n Top Attack Countries:")
        for country, count in countries.most_common(5):
            bar = "#" * min(count * 2, 20)
            print(f" {country:>5}: {count:>4} {bar}")
        # Top Scenarios
        print("\n Top Scenarios:")
        for scenario, count in scenarios.most_common(5):
            print(f" {scenario:<40} {count:>4}")
        # Recent Alerts
        print("\n Recent Alerts:")
        for alert in self.alerts[-5:]:
            print(f" [{alert.country}] {alert.ip:<16} "
                  f"{alert.scenario:<30} ({alert.decision} {alert.duration})")

    def threat_report(self):
        """Threat Intelligence Report"""
        print("\n Threat Report:")
        scenarios = Counter(a.scenario for a in self.alerts)
        # Group scenario names by substring; one scenario may land in several categories
        categories = {
            "Brute Force": [s for s in scenarios if "bf" in s or "brute" in s],
            "Web Attacks": [s for s in scenarios if "http" in s or "web" in s],
            "SSH Attacks": [s for s in scenarios if "ssh" in s],
            "CVE Exploits": [s for s in scenarios if "cve" in s],
        }
        for category, matched in categories.items():
            total = sum(scenarios[s] for s in matched)
            if total > 0:
                print(f" {category}: {total} alerts")


# Example
monitor = CrowdSecMonitor()
alerts = [
    Alert("198.51.100.1", "crowdsecurity/ssh-bf", "CN", 50, "ban", "4h", "2024-01-15T10:00:00"),
    Alert("203.0.113.5", "crowdsecurity/http-probing", "RU", 30, "ban", "4h", "2024-01-15T10:05:00"),
    Alert("192.0.2.10", "crowdsecurity/http-cve-2021-41773", "US", 5, "ban", "24h", "2024-01-15T10:10:00"),
    Alert("198.51.100.20", "crowdsecurity/ssh-bf", "KR", 100, "ban", "4h", "2024-01-15T10:15:00"),
    Alert("203.0.113.15", "crowdsecurity/nginx-req-limit", "BR", 200, "ban", "2h", "2024-01-15T10:20:00"),
    Alert("192.0.2.50", "crowdsecurity/http-bad-user-agent", "DE", 15, "ban", "4h", "2024-01-15T10:25:00"),
    Alert("198.51.100.30", "crowdsecurity/ssh-bf", "CN", 80, "ban", "4h", "2024-01-15T10:30:00"),
]
for a in alerts:
    monitor.add_alert(a)
monitor.dashboard()
monitor.threat_report()

# cscli commands for monitoring
commands = {
    "cscli metrics": "Show all metrics (parsers, scenarios, bouncers)",
    "cscli alerts list": "Show recent alerts",
    "cscli decisions list": "Show active decisions (bans)",
    "cscli bouncers list": "Show registered bouncers",
    "cscli machines list": "Show registered machines",
    "cscli hub list": "Show installed collections/parsers/scenarios",
}
print("\n Useful Commands:")
for cmd, desc in commands.items():
    print(f" {cmd}")
    print(f" {desc}")
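The dashboard above is fed hand-written Alert records. An added example follows, not taken from the page or from CrowdSec, that builds the same records from the JSON that `cscli alerts list -o json` produces. The sample document is constructed, and the field names (`scenario`, `events_count`, `created_at`, `source.ip`, `source.cn`, `decisions[].type`, `decisions[].duration`) are an assumption about the Local API alert model; check them against your own cscli output. The parser deliberately handles two gaps a real export contains: a source without GeoIP enrichment (no `cn`) and an alert that produced no decision.

```python
import json
from collections import Counter
from typing import Any, Dict, List

# Constructed sample in the shape `cscli alerts list -o json` is assumed to
# return (an array of Local API alert objects). Not copied from a real host.
SAMPLE_CSCLI_JSON = """
[
  {"id": 1, "scenario": "crowdsecurity/ssh-bf", "events_count": 50,
   "created_at": "2024-01-15T10:00:00Z",
   "source": {"scope": "Ip", "value": "198.51.100.1", "ip": "198.51.100.1", "cn": "CN"},
   "decisions": [{"type": "ban", "duration": "4h", "scope": "Ip", "value": "198.51.100.1"}]},
  {"id": 2, "scenario": "crowdsecurity/http-probing", "events_count": 30,
   "created_at": "2024-01-15T10:05:00Z",
   "source": {"scope": "Ip", "value": "203.0.113.5", "ip": "203.0.113.5", "cn": "RU"},
   "decisions": [{"type": "ban", "duration": "4h", "scope": "Ip", "value": "203.0.113.5"}]},
  {"id": 3, "scenario": "crowdsecurity/ssh-bf", "events_count": 80,
   "created_at": "2024-01-15T10:30:00Z",
   "source": {"scope": "Ip", "value": "198.51.100.1", "ip": "198.51.100.1", "cn": "CN"},
   "decisions": [{"type": "ban", "duration": "4h", "scope": "Ip", "value": "198.51.100.1"}]},
  {"id": 4, "scenario": "crowdsecurity/http-cve-2021-41773", "events_count": 5,
   "created_at": "2024-01-15T10:10:00Z",
   "source": {"scope": "Ip", "value": "192.0.2.10", "ip": "192.0.2.10"},
   "decisions": []}
]
"""


def parse_cscli_alerts(text: str) -> List[Dict[str, Any]]:
    """Flatten cscli alert JSON into the fields the dashboard needs.

    Missing GeoIP data becomes "??" and an alert without a decision is
    recorded as decision "none" instead of raising an IndexError.
    """
    records: List[Dict[str, Any]] = []
    for raw in json.loads(text):
        source = raw.get("source") or {}
        decisions = raw.get("decisions") or []
        first = decisions[0] if decisions else {}
        records.append({
            "ip": source.get("ip") or source.get("value", "?"),
            "scenario": raw.get("scenario", "unknown"),
            "country": source.get("cn") or "??",
            "events_count": int(raw.get("events_count", 0)),
            "decision": first.get("type", "none"),
            "duration": first.get("duration", "-"),
            "timestamp": raw.get("created_at", ""),
        })
    return records


def summarize(records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Return the counters the dashboard prints, as data rather than text."""
    return {
        "total": len(records),
        "unique_ips": len({r["ip"] for r in records}),
        "undecided": sum(1 for r in records if r["decision"] == "none"),
        "by_country": dict(Counter(r["country"] for r in records)),
        "by_scenario": dict(Counter(r["scenario"] for r in records)),
    }


if __name__ == "__main__":
    # On a real host, replace SAMPLE_CSCLI_JSON with the stdout of
    # subprocess.run(["cscli", "alerts", "list", "-o", "json"], capture_output=True, text=True)
    recs = parse_cscli_alerts(SAMPLE_CSCLI_JSON)
    print(json.dumps(summarize(recs), indent=2))
```

The `undecided` counter is worth watching: alerts that fire without a decision usually mean the profile filters did not match, which is the first thing to check when a notification you expected never arrived.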
Best Practices
- Collections: install the collections that match the services you run, e.g. nginx, sshd, wordpress
- Bouncers: use the firewall bouncer to block at the network level
- Console: enroll in the CrowdSec Console for a real-time dashboard
- Alerting: set up alerts for critical scenarios such as CVE exploitation and SSH brute force
- Whitelist: whitelist trusted IPs to prevent false positives
- Multi-server: use the LAPI to distribute decisions across multiple servers
What is CrowdSec?
An open-source IPS driven by crowd intelligence: it analyzes logs, detects attacks, and shares malicious IPs with the community. It is similar to Fail2ban, adds a community blocklist, and runs on many platforms.