What is CrowdSec?
CrowdSec is an open source intrusion prevention system (IPS) built around crowd-sourced security. When one server detects an attack, it reports the attacking IP, and every other server in the community can block that source before it reaches them, much like Waze crowd-sources road hazards for drivers.
CrowdSec has two main components. The Agent reads logs and matches them against scenarios; when a scenario triggers, the Agent raises an alert and creates a decision (ban, captcha, throttle). A Bouncer pulls decisions from the Agent's Local API (LAPI) and enforces them, for example by blocking the IP in the firewall or returning a captcha page from the web server. Detection and enforcement are therefore separate processes, which is what makes it possible to run one detector for many enforcement points.
Reasons to choose CrowdSec over fail2ban: multi-server support, the community blocklist, many bouncers (firewall, nginx, cloudflare), a free dashboard, flexible scenarios, a lightweight and fast engine (written in Go), and an API-driven architecture.
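The Agent/Bouncer split above comes down to one data structure on the bouncer side. The following Python is an added example, not CrowdSec's or any bouncer's own code: it applies two constructed decision-stream responses, in the {"new": [...], "deleted": [...]} shape the LAPI returns to GET /v1/decisions/stream (the first poll with startup=true returns every active decision), to an in-memory block table the way a firewall bouncer would, and keeps only ban decisions because a firewall cannot serve a captcha page. The decision IDs, addresses and scenario names are sample data.

```python
import ipaddress
from typing import Dict, Iterable, Set

# Constructed sample data in the decision-stream shape. Field names match the
# LAPI decision object (id, origin, type, scope, value, duration, scenario).
STARTUP_RESPONSE = {
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.10", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range",
         "value": "198.51.100.0/24", "duration": "23h", "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
         "value": "192.0.2.7", "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics"},
    ],
    "deleted": None,
}
DELTA_RESPONSE = {
    "new": [
        {"id": 4, "origin": "cscli", "type": "ban", "scope": "Ip",
         "value": "192.0.2.7", "duration": "24h", "scenario": "manual_ban"},
    ],
    "deleted": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.10", "duration": "-2m", "scenario": "crowdsecurity/ssh-bf"},
    ],
}

# A firewall can only drop traffic; it cannot show a captcha page (that is the
# nginx bouncer's job), so captcha decisions must not be turned into drops.
SUPPORTED_TYPES: Set[str] = {"ban"}

BlockTable = Dict[str, str]  # decision value (IP or CIDR) -> decision type


def apply_stream(table: BlockTable, response: dict,
                 supported: Iterable[str] = SUPPORTED_TYPES) -> BlockTable:
    """Apply one decision-stream response to the block table in place.

    Deletions are applied before additions so that a decision that was renewed
    (same value present in both lists) stays blocked."""
    supported = set(supported)
    for d in response.get("deleted") or []:      # the LAPI sends null, not [], when empty
        table.pop(d["value"], None)
    for d in response.get("new") or []:
        if d["type"] in supported and d["scope"].lower() in ("ip", "range"):
            table[d["value"]] = d["type"]
    return table


def is_blocked(table: BlockTable, ip: str) -> bool:
    """Would a packet from `ip` be dropped? Range decisions match as networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(value, strict=False) for value in table)


if __name__ == "__main__":
    table: BlockTable = {}
    apply_stream(table, STARTUP_RESPONSE)
    print("after startup:", sorted(table))   # the captcha decision is not in the table
    apply_stream(table, DELTA_RESPONSE)
    print("after delta:  ", sorted(table))   # ssh-bf ban expired, manual ban added
    print("198.51.100.77 blocked:", is_blocked(table, "198.51.100.77"))
```

A real bouncer does the same thing against an ipset or nft set instead of a dict, and polls the stream every update_frequency; the supported-type filter is exactly what the firewall bouncer's supported_decisions_types setting controls.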
Installing CrowdSec on a Production Server
Install CrowdSec and configure it for production
# === CrowdSec Installation ===
# 1. Install CrowdSec Agent
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec
# 2. Check version and status
cscli version
sudo systemctl status crowdsec
# 3. Install Collections (detection rules)
# Web server attacks
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/apache2
# SSH brute force
sudo cscli collections install crowdsecurity/sshd
# Linux system
sudo cscli collections install crowdsecurity/linux
# HTTP attacks (generic)
sudo cscli collections install crowdsecurity/http-cve
# WordPress attacks
sudo cscli collections install crowdsecurity/wordpress
# 4. Configure Acquisition (log sources)
# Use sudo tee rather than a plain redirect: the shell opens the target file before sudo runs.
# Pick ONE sshd source: /var/log/auth.log (rsyslog) OR the journal. Listing both feeds every
# failed login to the parsers twice and doubles the count in the ssh-bf bucket.
sudo tee /etc/crowdsec/acquis.yaml > /dev/null << 'EOF'
# Nginx access and error logs (both are parsed by the crowdsecurity/nginx collection)
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
---
# SSH auth logs (systems running rsyslog, e.g. Debian/Ubuntu with rsyslog installed)
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
# Journal-only systems: read sshd from journald instead of auth.log (uncomment, and drop the
# auth.log block above)
#source: journalctl
#journalctl_filter:
#  - "_SYSTEMD_UNIT=sshd.service"
#labels:
#  type: syslog
EOF
# Confirm every source is opened and its lines are parsed ("Acquisition Metrics" table)
sudo cscli metrics
# 5. Production Configuration
# config.yaml.local is merged over config.yaml, so only the overrides go here
sudo tee /etc/crowdsec/config.yaml.local > /dev/null << 'EOF'
common:
  log_level: info
  log_dir: /var/log/crowdsec/
db_config:
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
  flush:
    max_items: 5000   # alerts kept in the database
    max_age: 7d       # alerts older than this are purged automatically
api:
  server:
    listen_uri: 127.0.0.1:8080   # LAPI stays local; bouncers on this host use 127.0.0.1
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client:
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1   # metrics are unauthenticated: never expose them beyond localhost
  listen_port: 6060
EOF
# 6. Enroll to CrowdSec Console (free dashboard)
sudo cscli console enroll YOUR_ENROLLMENT_KEY
# 7. Restart
sudo systemctl restart crowdsec
sudo systemctl enable crowdsec
echo "CrowdSec installed and configured"
Configure Bouncers and Scenarios
Install Bouncers for enforcement
# === Bouncer Configuration ===
# 1. Install Firewall Bouncer (iptables/nftables)
sudo apt install crowdsec-firewall-bouncer-iptables
# Or nftables version:
sudo apt install crowdsec-firewall-bouncer-nftables
# The Debian package registers the bouncer with the local LAPI and writes its API key
# into the config during install. Register by hand only if you write your own config
# (as below) or the LAPI runs on another host:
sudo cscli bouncers add firewall-bouncer
# Output: API key for 'firewall-bouncer': xxxxxxxx (shown once; copy it now)
# Configure bouncer
sudo tee /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml > /dev/null << 'EOF'
mode: iptables          # "nftables" when using the nftables package
update_frequency: 10s   # how often decisions are pulled from the LAPI
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: http://localhost:8080/
api_key: YOUR_API_KEY_HERE
# What to do with packets from a banned address, and whether to log them
deny_action: DROP
deny_log: false
# Only "ban" belongs here: a firewall can drop packets but cannot serve a captcha page,
# so listing captcha would turn captcha decisions into silent drops.
supported_decisions_types:
  - ban
# Names of the ipsets / nft sets the bouncer fills with banned addresses
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
EOF
sudo systemctl restart crowdsec-firewall-bouncer
# Verify the bouncer is pulling decisions (its "last pull" time should be recent)
sudo cscli bouncers list
# 2. Install Nginx Bouncer (a Lua plugin loaded by nginx)
sudo apt install crowdsec-nginx-bouncer
# The package registers a bouncer and fills in API_KEY; change it only if the LAPI is
# remote. Captcha decisions are served by this bouncer (the firewall bouncer only
# handles bans), so keep both installed.
sudo tee /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf > /dev/null << 'EOF'
API_URL=http://localhost:8080
API_KEY=YOUR_NGINX_BOUNCER_KEY
CACHE_EXPIRATION=1
CACHE_SIZE=1000
BAN_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/ban.html
CAPTCHA_TEMPLATE_PATH=/var/lib/crowdsec/lua/templates/captcha.html
CAPTCHA_PROVIDER=recaptcha
CAPTCHA_SITE_KEY=your_site_key
CAPTCHA_SECRET_KEY=your_secret_key
EOF
# nginx reads this file at startup, so reload it; bouncer errors land in nginx's error log
sudo nginx -t && sudo systemctl reload nginx
# 3. Custom Scenario
# Leaky bucket: every matching event adds one to the bucket, one leaks out per leakspeed,
# and the scenario fires when more than `capacity` events accumulate. For "more than 100
# requests per minute" the bucket must drain 100/min, i.e. leakspeed 600ms. With
# leakspeed 1s it only drains 60/min, so a client doing a steady 100/min fills it
# and is banned after about 2.5 minutes.
sudo tee /etc/crowdsec/scenarios/custom-api-abuse.yaml > /dev/null << 'EOF'
type: leaky
name: custom/api-rate-limit
description: "Detect API abuse (>100 requests/minute)"
# nginx access-log events are tagged http_access-log by the crowdsecurity/nginx-logs parser
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.request contains '/api/'"
groupby: "evt.Meta.source_ip"
capacity: 100
leakspeed: "600ms"
blackhole: 5m          # ignore the same IP for 5 minutes after it triggers
labels:
  service: http
  type: api_abuse
  remediation: true    # let profiles.yaml turn the alert into a decision
EOF
# Check that the scenario loads (it appears as a local item) and replay a real log line
# through the parsers and scenarios before relying on it
sudo cscli scenarios list
sudo cscli explain --file /var/log/nginx/access.log --type nginx
sudo systemctl reload crowdsec
echo "Bouncers and scenarios configured"
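The capacity/leakspeed interaction is the part of a scenario that is easiest to get wrong, so here is an added simulation of the leaky-bucket semantics described above. It is my example, not CrowdSec's bucket implementation: one bucket per source IP (groupby), only /api/ requests counted (filter), one token leaked per leakspeed, trigger when the bucket would exceed capacity. The traffic is constructed: a client doing a steady 100 requests/minute, a bursting client, and a busy client that never touches /api/. With leakspeed 1s the steady client is banned on its 249th request although it never exceeds 100/min; with 600ms only the burst triggers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Event = Tuple[datetime, str, str]   # (timestamp, source_ip, request path)


@dataclass
class LeakyBucket:
    capacity: int
    leakspeed: timedelta
    level: float = 0.0
    last: Optional[datetime] = None

    def pour(self, when: datetime) -> bool:
        """Add one event; return True when the bucket overflows."""
        if self.last is not None:
            # one token leaks out per leakspeed elapsed since the previous event
            self.level = max(0.0, self.level - (when - self.last) / self.leakspeed)
        self.last = when
        self.level += 1.0
        if self.level > self.capacity:       # holds `capacity` events; one more overflows
            self.level, self.last = 0.0, None
            return True
        return False


def run_scenario(events: List[Event], capacity: int, leakspeed: timedelta) -> Dict[str, int]:
    """Return {source_ip: 1-based index of the event that first triggered the scenario}."""
    buckets: Dict[str, LeakyBucket] = {}
    seen: Dict[str, int] = {}
    triggered: Dict[str, int] = {}
    for ts, ip, path in sorted(events, key=lambda e: e[0]):
        if "/api/" not in path:               # filter: evt.Parsed.request contains '/api/'
            continue
        if ip in triggered:                   # a real blackhole would discard for 5m
            continue
        seen[ip] = seen.get(ip, 0) + 1
        bucket = buckets.setdefault(ip, LeakyBucket(capacity, leakspeed))   # groupby source_ip
        if bucket.pour(ts):
            triggered[ip] = seen[ip]
    return triggered


def synthetic_traffic() -> List[Event]:
    """Constructed traffic, not captured data."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events: List[Event] = []
    # 10.0.0.5: steady 100 req/min to /api/ for 5 minutes (one request every 600 ms)
    events += [(t0 + timedelta(milliseconds=600 * i), "10.0.0.5", "/api/v1/items") for i in range(500)]
    # 10.0.0.6: burst of 150 /api/ requests 80 ms apart
    events += [(t0 + timedelta(milliseconds=80 * i), "10.0.0.6", "/api/login") for i in range(150)]
    # 10.0.0.7: heavy but not /api/, so the filter never counts it
    events += [(t0 + timedelta(milliseconds=50 * i), "10.0.0.7", "/static/app.js") for i in range(300)]
    return events


def demo(leakspeed_ms: int, capacity: int = 100) -> Dict[str, int]:
    return run_scenario(synthetic_traffic(), capacity, timedelta(milliseconds=leakspeed_ms))


if __name__ == "__main__":
    print("leakspeed 1s   :", demo(1000))   # steady client banned at request 249, burst at 109
    print("leakspeed 600ms:", demo(600))    # only the burst client triggers (request 116)
```

The numbers follow from the drain rate: at 1s the steady client adds 1 and leaks 0.6 per request, so the level grows by 0.4 each time and passes 100 on request 249; at 600ms it leaks exactly one per request and the level never moves. Size capacity for the burst you tolerate and leakspeed for the sustained rate you tolerate, and check both with cscli explain before deploying.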
Integration with Web Server and Firewall
Integrate CrowdSec with your infrastructure
#!/usr/bin/env python3
# crowdsec_manager.py - CrowdSec management tool
#
# Read-only decision queries go to the Local API (LAPI) with a bouncer API key.
# Alerts, manual bans and unbans require machine (agent) credentials on the LAPI,
# so this tool delegates those to cscli, which already holds them (run as root).
import json
import logging
import os
import subprocess
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Iterable, List, Optional

import requests

logging.basicConfig(level=logging.INFO)
logger = logging.getLogger("crowdsec")


class CrowdSecManager:
    def __init__(self, api_url: str = "http://127.0.0.1:8080",
                 api_key: Optional[str] = None, timeout: float = 5.0):
        # api_key: a bouncer key from `cscli bouncers add <name>`
        self.api_url = api_url.rstrip("/")
        self.timeout = timeout
        self.headers = {"X-Api-Key": api_key} if api_key else {}

    @staticmethod
    def _cscli(*args: str) -> Any:
        """Run a cscli command with JSON output and return the parsed result."""
        cmd = ["cscli", *args, "-o", "json"]
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
        if proc.returncode != 0:
            logger.error("%s failed: %s", " ".join(cmd), proc.stderr.strip())
            return None
        return json.loads(proc.stdout) if proc.stdout.strip() else None

    def get_decisions(self) -> List[Dict[str, Any]]:
        """Active decisions (bans, captchas) exactly as a bouncer sees them."""
        resp = requests.get(f"{self.api_url}/v1/decisions",
                            headers=self.headers, timeout=self.timeout)
        if resp.status_code != 200:
            logger.error("GET /v1/decisions -> %s %s", resp.status_code, resp.text.strip())
            return []
        return resp.json() or []   # the LAPI answers null when nothing is active

    def get_alerts(self, limit: int = 20) -> List[Dict[str, Any]]:
        """Recent alerts (machine-authenticated endpoint, hence cscli)."""
        return self._cscli("alerts", "list", "--limit", str(limit)) or []

    def add_decision(self, ip: str, duration: str = "24h", reason: str = "manual_ban") -> bool:
        """Manually ban an IP (same as `cscli decisions add -i IP`)."""
        cmd = ["cscli", "decisions", "add", "--ip", ip, "--duration", duration,
               "--reason", reason, "--type", "ban"]
        return subprocess.run(cmd, capture_output=True, text=True, check=False).returncode == 0

    def delete_decision(self, ip: str) -> bool:
        """Unban an IP (same as `cscli decisions delete -i IP`)."""
        cmd = ["cscli", "decisions", "delete", "--ip", ip]
        return subprocess.run(cmd, capture_output=True, text=True, check=False).returncode == 0

    def get_metrics(self) -> Dict[str, Any]:
        """Engine metrics (acquisition, parsers, buckets, LAPI) via cscli."""
        return self._cscli("metrics") or {}

    def security_report(self) -> Dict[str, Any]:
        """Generate a security summary."""
        decisions = self.get_decisions()
        alerts = self.get_alerts(limit=100)
        return {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "active_decisions": len(decisions),
            "recent_alerts": len(alerts),
            "decisions_by_origin": self._count(decisions, lambda d: d.get("origin", "unknown")),
            "attack_types": self._count(alerts, lambda a: a.get("scenario", "unknown")),
            # each decision carries one IP, so attackers are ranked by alert count instead
            "top_attackers": self._count(alerts, lambda a: (a.get("source") or {}).get("value", "unknown")),
        }

    @staticmethod
    def _count(items: Iterable[Dict[str, Any]], key: Callable[[Dict[str, Any]], str],
               top: int = 10) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for item in items or []:
            k = key(item)
            counts[k] = counts.get(k, 0) + 1
        return dict(sorted(counts.items(), key=lambda x: x[1], reverse=True)[:top])


if __name__ == "__main__":
    # Demo: CROWDSEC_BOUNCER_KEY holds a bouncer key; cscli must be on PATH and runnable as root
    manager = CrowdSecManager(api_key=os.environ.get("CROWDSEC_BOUNCER_KEY"))
    print("Security Report:", json.dumps(manager.security_report(), indent=2))
Multi-Server Deployment
Deploy CrowdSec across multiple servers
# === Multi-Server CrowdSec Setup ===
# Architecture:
#   Central API Server (LAPI) <-- Agent Server 1
#                             <-- Agent Server 2
#                             <-- Agent Server 3
# Agents push alerts to the central LAPI; it holds all decisions and the community
# blocklist, and every bouncer pulls from it.
# 1. Central LAPI Server Setup
# On the central server, CrowdSec runs normally.
# Enable remote API access. Agent logins and bouncer keys travel in every request,
# so terminate TLS (api.server.tls cert_file/key_file, or a reverse proxy) and
# restrict port 8080 to the agents' addresses in the firewall.
sudo tee /etc/crowdsec/config.yaml.local > /dev/null << 'EOF'
api:
  server:
    listen_uri: 0.0.0.0:8080
    profiles_path: /etc/crowdsec/profiles.yaml
EOF
sudo systemctl restart crowdsec
# Register remote agents. Without -f, --auto overwrites this server's own
# /etc/crowdsec/local_api_credentials.yaml, so write each agent's credentials
# to its own file and copy that file to the agent.
sudo cscli machines add agent-web01 --auto -f /root/agent-web01-credentials.yaml
sudo cscli machines add agent-web02 --auto -f /root/agent-web02-credentials.yaml
sudo cscli machines add agent-db01 --auto -f /root/agent-db01-credentials.yaml
# 2. Remote Agent Setup (on each server)
# Install CrowdSec on remote server
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec
# Configure to connect to central LAPI (the agent's own LAPI is disabled)
sudo tee /etc/crowdsec/config.yaml.local > /dev/null << 'EOF'
api:
  server:
    enable: false
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
EOF
# Credentials generated on the central server (the contents of /root/agent-web01-credentials.yaml)
sudo tee /etc/crowdsec/local_api_credentials.yaml > /dev/null << 'EOF'
url: http://central-lapi:8080
login: agent-web01
password: AUTO_GENERATED_PASSWORD
EOF
sudo chmod 600 /etc/crowdsec/local_api_credentials.yaml
sudo systemctl restart crowdsec
# Confirm the agent reached the LAPI: on the central server agent-web01 shows a recent last update
sudo cscli machines list
# 3. Shared Bouncer
# Each server runs its own bouncer, but reads decisions from the central LAPI.
# Register bouncer on central LAPI (one key per bouncer, so a leaked key can be revoked alone):
sudo cscli bouncers add bouncer-web01 -k BOUNCER_API_KEY
# On remote server, point the bouncer config at the central LAPI:
#   api_url: http://central-lapi:8080/
#   api_key: BOUNCER_API_KEY
# 4. Docker Compose for Central LAPI
cat > docker-compose-crowdsec.yml << 'EOF'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    environment:
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/sshd crowdsecurity/linux
      - GID=1000   # group that may read the mounted logs
    ports:
      - "8080:8080"             # LAPI for remote agents and bouncers (firewall it)
      - "127.0.0.1:6060:6060"   # Prometheus metrics, host-local only
    volumes:
      - ./acquis.yaml:/etc/crowdsec/acquis.yaml
      - crowdsec_db:/var/lib/crowdsec/data/
      - crowdsec_config:/etc/crowdsec/
      - /var/log/nginx:/var/log/nginx:ro
      - /var/log/auth.log:/var/log/auth.log:ro
volumes:
  crowdsec_db:
  crowdsec_config:
EOF
# Agents and bouncers are registered inside the container, e.g.:
#   docker compose -f docker-compose-crowdsec.yml exec crowdsec cscli machines add agent-web01 --auto -f /tmp/agent-web01.yaml
echo "Multi-server deployment configured"
Monitoring and Maintenance
Monitor CrowdSec and routine maintenance tasks
# === CrowdSec Monitoring ===
# 1. CLI Commands for Daily Monitoring
# View active decisions (bans)
sudo cscli decisions list
# View recent alerts
sudo cscli alerts list --limit 20
# View installed collections
sudo cscli collections list
# View bouncers status (and when each last pulled decisions)
sudo cscli bouncers list
# View machines (multi-server)
sudo cscli machines list
# Metrics
sudo cscli metrics
# 2. Prometheus Metrics
# CrowdSec exposes metrics at :6060/metrics (plain text, no authentication: keep it on localhost)
# Key metrics:
#   cs_active_decisions        - active decisions, labelled by origin, reason (scenario) and action
#   cs_alerts                  - alerts by reason (scenario)
#   cs_bucket_overflowed_total - scenario triggers (bucket overflows), by scenario name
#   cs_parser_hits_ok_total / cs_parser_hits_ko_total - log lines parsed / rejected, per parser
# List the exact names exported by your version:
#   curl -s http://127.0.0.1:6060/metrics | grep '^cs_' | cut -d'{' -f1 | sort -u
# Prometheus scrape config:
#   - job_name: "crowdsec"
#     static_configs:
#       - targets: ["localhost:6060"]
# 3. Grafana Dashboard
# Import dashboard ID: 18620 (CrowdSec Dashboard), or the JSON dashboards from
# github.com/crowdsecurity/grafana-dashboards
# Panels: Active Decisions, Alerts/hour, Top Scenarios,
#         Top Attacker IPs, Parser Performance
# 4. Maintenance Cron Jobs
sudo tee /etc/cron.d/crowdsec-maintenance > /dev/null << 'EOF'
# Update hub (collections, scenarios, parsers) weekly; upgraded items only load after a reload
0 3 * * 1 root cscli hub update && cscli hub upgrade && systemctl reload crowdsec
# No pruning job is needed: expired decisions are dropped by CrowdSec itself and old
# alerts are purged by db_config.flush (max_age / max_items in config.yaml.local).
# Backup config monthly (it contains credentials and API keys: keep the archive private)
0 5 1 * * root umask 077 && mkdir -p /backup && tar czf /backup/crowdsec-config-$(date +\%Y\%m\%d).tar.gz /etc/crowdsec/
# Health check every 5 minutes
*/5 * * * * root systemctl is-active --quiet crowdsec || systemctl restart crowdsec
EOF
# 5. Whitelist Management
# A whitelist is a parser in stage s02-enrich. Single addresses go under "ip" and ranges
# under "cidr"; a CIDR placed under "ip" is not a valid address and will not match.
# The crowdsecurity/linux collection already ships crowdsecurity/whitelists covering the
# private ranges (127.0.0.1, 10/8, 172.16/12, 192.168/16), so usually only the public
# addresses you trust need to be added.
sudo tee /etc/crowdsec/parsers/s02-enrich/whitelist.yaml > /dev/null << 'EOF'
name: custom/whitelist
description: "Whitelist trusted IPs"
whitelist:
  reason: "trusted network"
  ip:
    - "YOUR_OFFICE_IP"
  cidr:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"
  expression:
    # expressions see the whole parsed event, e.g. an uptime checker identified by User-Agent
    - "evt.Parsed.http_user_agent startsWith 'UptimeRobot/'"
EOF
sudo systemctl reload crowdsec
# Whitelisted events are counted in the "Whitelist Metrics" table of cscli metrics.
# A new whitelist does not lift decisions that already exist; remove those by hand:
sudo cscli decisions delete --ip YOUR_OFFICE_IP
echo "Monitoring and maintenance configured"
FAQ: Frequently Asked Questions
Q: What is the difference between CrowdSec and fail2ban?
A: fail2ban is a single-server tool: it reads logs and bans IPs with iptables on that host, and has no way to share what it learned with other servers. CrowdSec is a multi-server IPS that shares threat intelligence with the community, with an API-driven architecture, several bouncers (firewall, nginx, cloudflare, traefik), more flexible scenarios, a free dashboard, and an engine written in Go that is faster than fail2ban's Python and regex parsing. For production servers choose CrowdSec; for a personal server fail2ban is enough.
Q: How does the Community Blocklist work?
A: CrowdSec applies a consensus mechanism: an IP enters the community blocklist only after several independent agents have reported it, not after a report from a single server, which keeps one misconfigured or compromised agent from poisoning the list. Before relying on automatic bans, whitelist the addresses you must never block. Sharing with the community is opt-in, and what is sent is the attacking IP, the scenario that fired and the timestamp, never the log content itself.
Q: Does CrowdSec use a lot of resources?
A: No. The engine is written in Go and typically uses about 50-100 MB of RAM in production, with low CPU usage (under 2% on a modern server). Disk usage depends on the database size (decisions plus alerts) and is typically under 100 MB. Bouncers use very few resources and do not measurably affect the performance of the web server or application. Compared with fail2ban's Python and regex matching, CrowdSec parses logs 10-60 times faster.
Q: Can CrowdSec run in Docker?
A: Yes. CrowdSec publishes an official Docker image (crowdsecurity/crowdsec) and works with docker compose; mount the log files you want to monitor into the container. The bouncers have Docker images as well. For Kubernetes there is a Helm chart, and the agent can be deployed as a DaemonSet to monitor every node or as a sidecar container. The important points are to mount the log files correctly and to persist the database volume so decisions survive a container restart.
