CrowdSec IPS Scaling Strategy: How to Scale Out
CrowdSec IPS Scaling
Tags: CrowdSec, IPS, Scaling Strategy, Multi-node, LAPI, Agent, Bouncer, PostgreSQL, Kubernetes, Community Blocklist, Brute Force, DDoS, Production
| Architecture | Servers | LAPI | Database | Use Case |
|---|---|---|---|---|
| Single Node | 1-5 | Local (SQLite) | SQLite | Small server / VPS |
| Multi-node | 5-50 | Central LAPI | PostgreSQL | Medium infrastructure |
| Kubernetes | 50+ | LAPI Deployment (HA) | PostgreSQL HA | Large K8s cluster |
| Enterprise | 100+ | Multi-LAPI + LB | PostgreSQL Cluster | Multi-region enterprise |
Multi-node Setup
```python
# === CrowdSec Multi-node Architecture ===
# Central LAPI Server Setup
# apt install crowdsec
# Edit /etc/crowdsec/config.yaml (db_config.type accepts sqlite, mysql, postgresql or pgx):
# db_config:
#   type: postgresql
#   host: db.example.com
#   port: 5432
#   user: crowdsec
#   password: ""          # fill in from a secret store; never leave empty in production
#   db_name: crowdsec
#   sslmode: require
#
# api:
#   server:
#     listen_uri: 0.0.0.0:8080
#     profiles_path: /etc/crowdsec/profiles.yaml
#
# # Register agent machines (each agent logs in with its own login/password)
# cscli machines add web-01 --password "agent-pass-01"
# cscli machines add web-02 --password "agent-pass-02"
# cscli machines add db-01 --password "agent-pass-03"
#
# # Register bouncers (each gets its own API key)
# cscli bouncers add nginx-bouncer-01
# # → API key: abc123...
from dataclasses import dataclass


@dataclass
class NodeConfig:
    """One role in the multi-node layout: how to install, configure and verify it."""
    node_type: str
    install: str
    config: str
    verify: str


nodes = [
    NodeConfig("Central LAPI",
               "apt install crowdsec + PostgreSQL client",
               "db_config: postgresql | listen_uri: 0.0.0.0:8080 | cscli machines add",
               "cscli lapi status → connected"),
    NodeConfig("Agent (Web Server)",
               "apt install crowdsec (agent only)",
               "local_api_credentials.yaml: url http://lapi:8080 + login/password",
               "cscli machines list (on LAPI) → agent online"),
    NodeConfig("Agent (DB Server)",
               "apt install crowdsec (agent only)",
               "local_api_credentials.yaml: url http://lapi:8080 | mysql/pgsql collection",
               "cscli alerts list → DB alerts visible"),
    NodeConfig("Bouncer (Nginx)",
               "apt install crowdsec-nginx-bouncer",
               "api_url: http://lapi:8080 | api_key: xxx",
               "curl from a blocked IP → 403 Forbidden"),
    NodeConfig("Bouncer (iptables)",
               "apt install crowdsec-firewall-bouncer-iptables",
               "api_url: http://lapi:8080 | api_key: xxx",
               "iptables -L → crowdsec chain rules"),
]

print("=== Multi-node Setup ===")
for n in nodes:
    print(f" [{n.node_type}]")
    print(f"   Install: {n.install}")
    print(f"   Config:  {n.config}")
    print(f"   Verify:  {n.verify}")
```
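A pre-flight check for the central LAPI configuration, written as an added example (not CrowdSec's own tooling). It encodes the rules from the table and setup above: SQLite only for a single node, TLS to a remote database, and a listen address that remote agents can reach. The config dict is a constructed copy of the page's config.yaml fragment; loading the real file with PyYAML is assumed and omitted.

```python
from __future__ import annotations

# Constructed dict mirroring the central LAPI config.yaml fragment on this page
# (a real run would load /etc/crowdsec/config.yaml with PyYAML, omitted here).
LAPI_CONFIG = {
    "db_config": {"type": "postgresql", "host": "db.example.com", "port": 5432,
                  "user": "crowdsec", "password": "", "db_name": "crowdsec",
                  "sslmode": "require"},
    "api": {"server": {"listen_uri": "0.0.0.0:8080",
                       "profiles_path": "/etc/crowdsec/profiles.yaml"}},
}

LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}


def check_lapi_config(cfg: dict, agent_count: int) -> list[str]:
    """Return findings for a LAPI config that must serve agent_count agents.
    Rules follow the page's table: SQLite is single-node only; a central LAPI
    with a remote database needs TLS to it and must listen beyond loopback."""
    findings: list[str] = []
    db = cfg.get("db_config", {})
    db_type = db.get("type", "sqlite")          # CrowdSec defaults to sqlite
    if agent_count > 1 and db_type == "sqlite":
        findings.append("multi-node: db_config.type must be postgresql/pgx/mysql, not sqlite")
    if db_type != "sqlite":
        if db.get("host", "") not in LOCAL_HOSTS and db.get("sslmode") != "require":
            findings.append("remote database without sslmode: require")
        if not db.get("password"):
            findings.append("db_config.password is empty")
    listen = cfg.get("api", {}).get("server", {}).get("listen_uri", "127.0.0.1:8080")
    host = listen.rsplit(":", 1)[0].strip("[]")  # handles host:port and [v6]:port
    if agent_count > 1 and host in LOCAL_HOSTS:
        findings.append(f"central LAPI listens on {listen}; remote agents cannot reach it")
    return findings


if __name__ == "__main__":
    for finding in check_lapi_config(LAPI_CONFIG, agent_count=3):
        print("finding:", finding)   # db_config.password is empty
```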
Kubernetes Deployment
```python
# === CrowdSec on Kubernetes ===
# Helm chart
# helm repo add crowdsec https://crowdsecurity.github.io/helm-charts
# helm install crowdsec crowdsec/crowdsec \
#   --set lapi.env.PGHOST=postgres-service \
#   --set lapi.env.PGUSER=crowdsec \
#   --set lapi.env.PGPASSWORD=secret \
#   --set lapi.env.PGDATABASE=crowdsec \
#   --set agent.acquisition[0].namespace=default \
#   --set agent.acquisition[0].podName="nginx-*"
#
# DaemonSet agent config
# apiVersion: apps/v1
# kind: DaemonSet
# metadata:
#   name: crowdsec-agent
# spec:
#   template:
#     spec:
#       containers:
#         - name: crowdsec-agent
#           image: crowdsecurity/crowdsec:latest
#           env:
#             - name: AGENT_USERNAME
#               valueFrom: { secretKeyRef: { name: cs-secret, key: agent-user } }
#           volumeMounts:
#             - name: logs
#               mountPath: /var/log
from dataclasses import dataclass


@dataclass
class K8sComponent:
    """One CrowdSec component and how it is deployed and scaled on Kubernetes."""
    component: str
    k8s_resource: str
    replicas: str
    scaling: str


k8s = [
    K8sComponent("LAPI Server",
                 "Deployment + Service (ClusterIP)",
                 "2 (HA) + PostgreSQL",
                 "HPA based on CPU / request rate"),
    K8sComponent("Agent",
                 "DaemonSet (every node)",
                 "1 per node (automatic)",
                 "Auto-scales with node count"),
    K8sComponent("Nginx Bouncer",
                 "Sidecar in the Nginx Pod or Ingress plugin",
                 "1 per Nginx Pod",
                 "Scales with Nginx Pods"),
    K8sComponent("Firewall Bouncer",
                 "DaemonSet (every node)",
                 "1 per node",
                 "Auto-scales with node count"),
    K8sComponent("PostgreSQL",
                 "StatefulSet or managed (RDS, Cloud SQL)",
                 "1 primary + 1 replica",
                 "Vertical scaling (CPU/RAM)"),
]

print("=== Kubernetes Deployment ===")
for k in k8s:
    print(f" [{k.component}] {k.k8s_resource}")
    print(f"   Replicas: {k.replicas}")
    print(f"   Scaling:  {k.scaling}")
```
Monitoring & Alert
```python
# === CrowdSec Monitoring ===
# Prometheus scrape config (CrowdSec exposes metrics on port 6060 by default)
# scrape_configs:
#   - job_name: 'crowdsec'
#     static_configs:
#       - targets: ['lapi:6060']
#     metrics_path: /metrics
from dataclasses import dataclass


@dataclass
class MonitorMetric:
    """A metric to watch, where it comes from, when to alert and what to do."""
    metric: str
    source: str
    alert_threshold: str
    action: str


metrics = [
    MonitorMetric("Active Decisions Count",
                  "cscli decisions list | Prometheus cs_active_decisions",
                  "Spike > 500 new decisions/hour",
                  "Check the attack pattern; may be a DDoS"),
    MonitorMetric("Alert Count per Scenario",
                  "cscli alerts list | Prometheus cs_alerts",
                  "ssh-bf > 50/hour OR http-crawl > 200/hour",
                  "Check the source IP range; block it if necessary"),
    MonitorMetric("Agent Heartbeat",
                  "cscli machines list | last_heartbeat",
                  "Agent has sent no heartbeat for > 5 minutes",
                  "Check the agent process and its network connection"),
    MonitorMetric("LAPI Response Time",
                  "Prometheus cs_lapi_request_duration",
                  "P99 > 2 seconds",
                  "Check database performance; scale the LAPI"),
    MonitorMetric("Bouncer Poll Status",
                  "cscli bouncers list | last_pull",
                  "Bouncer has not polled for > 2x its interval",
                  "Check the bouncer process, API key and network"),
]

print("=== Monitoring Metrics ===")
for m in metrics:
    print(f" [{m.metric}] Source: {m.source}")
    print(f"   Alert:  {m.alert_threshold}")
    print(f"   Action: {m.action}")
```
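The two liveness checks from the table (agent heartbeat older than 5 minutes, bouncer pull older than 2x its poll interval) as an added example, not part of the original page. The JSON samples are constructed in the shape of `cscli machines list -o json` and `cscli bouncers list -o json` output (only the fields used here); the 10-second bouncer poll interval is an assumption matching the default `update_frequency` of the firewall and nginx bouncers.

```python
from __future__ import annotations
import json
from datetime import datetime, timedelta, timezone

# Constructed sample output in the shape of `cscli machines list -o json` and
# `cscli bouncers list -o json` (only the fields used here; not real captured output).
MACHINES_JSON = """[
  {"machineId": "web-01", "ipAddress": "10.0.1.11", "last_heartbeat": "2024-05-01T12:00:00Z"},
  {"machineId": "web-02", "ipAddress": "10.0.1.12", "last_heartbeat": "2024-05-01T11:48:00Z"},
  {"machineId": "db-01",  "ipAddress": "10.0.2.21", "last_heartbeat": null}
]"""
BOUNCERS_JSON = """[
  {"name": "nginx-bouncer-01",    "last_pull": "2024-05-01T12:03:50Z"},
  {"name": "firewall-bouncer-01", "last_pull": "2024-05-01T11:59:00Z"}
]"""

# Fixed clock so the run is reproducible; a real check would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 12, 4, 0, tzinfo=timezone.utc)


def _age(ts: str | None, now: datetime) -> timedelta | None:
    """Age of an RFC 3339 timestamp; None when the field is missing (never seen)."""
    if not ts:
        return None
    return now - datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_agents(machines_json: str, now: datetime,
                 max_age: timedelta = timedelta(minutes=5)) -> list[str]:
    """Agents whose heartbeat is older than max_age (page threshold: 5 minutes)
    or that never sent one; both mean the node is no longer reporting."""
    stale = []
    for m in json.loads(machines_json):
        age = _age(m.get("last_heartbeat"), now)
        if age is None or age > max_age:
            stale.append(m["machineId"])
    return stale


def stale_bouncers(bouncers_json: str, now: datetime,
                   poll_interval: timedelta = timedelta(seconds=10)) -> list[str]:
    """Bouncers that have not pulled decisions for more than 2x their poll interval
    (10 s assumed as the default update_frequency); a silent bouncer enforces nothing."""
    stale = []
    for b in json.loads(bouncers_json):
        age = _age(b.get("last_pull"), now)
        if age is None or age > 2 * poll_interval:
            stale.append(b["name"])
    return stale


if __name__ == "__main__":
    print("stale agents:", stale_agents(MACHINES_JSON, NOW))       # ['web-02', 'db-01']
    print("stale bouncers:", stale_bouncers(BOUNCERS_JSON, NOW))   # ['firewall-bouncer-01']
```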
Tips
- PostgreSQL: use PostgreSQL instead of SQLite for multi-node deployments
- Console: sign up for the CrowdSec Console to get a free dashboard
- Community: enable the Community Blocklist to receive malicious IPs reported by the community
- Collections: install the collections that match each service (nginx, sshd, mysql)
- Whitelist: whitelist your own IPs to prevent false positives
What is CrowdSec?
Open Source IPS Agent Bouncer LAPI Crowd Intelligence Community Blocklist Brute Force DDoS Nginx iptables Fail2ban Alternative