
CrowdSec IPS Security Hardening: Protecting Against Hacks

2026-01-17 · Ajarn Bom, SiamCafe.net · 8,273 words

CrowdSec IPS

Tags: CrowdSec, IPS, Security Hardening, Crowd-sourced Intrusion Prevention, Log Analysis, Scenario, Bouncer, Blocklist, Community, Brute Force, DDoS, SQL Injection, Firewall, Nginx

IPS Tool    | Type          | Detection                      | Community     | Resource Usage | Suited for
CrowdSec    | Log-based     | Scenario Rules                 | Crowd-sourced | Low            | Web Server / VPS
Fail2ban    | Log-based     | Regex Filter                   | None          | Low            | Simple Ban
Suricata    | Network-based | Signatures + protocol analysis | ET Rules      | High           | Network IDS/IPS
ModSecurity | WAF           | CRS Rules                      | OWASP CRS     | Medium         | Web Application
OSSEC       | Host-based    | Rules + Rootkit checks         | Limited       | Medium         | Server HIDS

Installation

# === CrowdSec Installation ===

# Debian/Ubuntu
# (the repo script is piped straight into a root shell; download and read it first if that is not acceptable in your environment)
# curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
# sudo apt install crowdsec
# sudo apt install crowdsec-firewall-bouncer-iptables   # or crowdsec-firewall-bouncer-nftables

# CentOS/RHEL
# curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
# sudo yum install crowdsec
# sudo yum install crowdsec-firewall-bouncer-iptables

# Docker: host logs mounted read-only, config and the SQLite DB persisted,
# and the Local API published on loopback only so bouncers on the host can reach it
# docker run -d --name crowdsec \
#   -v /var/log:/var/log:ro \
#   -v /etc/crowdsec:/etc/crowdsec \
#   -v crowdsec-db:/var/lib/crowdsec/data \
#   -p 127.0.0.1:8080:8080 \
#   -e COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd" \
#   crowdsecurity/crowdsec

# Install Collections (Scenarios + Parsers), then reload so they are actually loaded
# sudo cscli collections install crowdsecurity/linux
# sudo cscli collections install crowdsecurity/nginx
# sudo cscli collections install crowdsecurity/sshd
# sudo cscli collections install crowdsecurity/http-cve
# sudo cscli collections install crowdsecurity/wordpress
# sudo systemctl reload crowdsec

# Register with the Console (remote visibility and management of this agent)
# sudo cscli console enroll YOUR_ENROLLMENT_KEY

# Check Status
# sudo cscli metrics          # are the log files being read and parsed at all?
# sudo cscli decisions list   # active bans
# sudo cscli alerts list      # which scenario raised them

# Whitelist Trusted IPs (evaluated in the s02-enrich stage, before any scenario runs).
# Single addresses go under ip:, ranges under cidr:; a CIDR placed under ip: is a config error.
# /etc/crowdsec/parsers/s02-enrich/whitelist.yaml
# name: my-whitelist
# description: "Whitelist trusted IPs"
# whitelist:
#   reason: "Trusted office IP"
#   ip:
#     - "203.0.113.10"
#   cidr:
#     - "10.0.0.0/8"
# sudo systemctl reload crowdsec

from dataclasses import dataclass

@dataclass
class CrowdSecCollection:
 collection: str
 scenarios: int
 parsers: int
 protects: str
 popularity: str

collections = [  # scenario/parser counts as given by the author; current numbers: cscli collections inspect <name>
 CrowdSecCollection("crowdsecurity/linux", 5, 8, "SSH Brute Force Su Abuse", "Very High"),
 CrowdSecCollection("crowdsecurity/nginx", 8, 4, "HTTP Attacks Scans CVE", "Very High"),
 CrowdSecCollection("crowdsecurity/sshd", 3, 2, "SSH Login Failures", "Very High"),
 CrowdSecCollection("crowdsecurity/http-cve", 15, 2, "Known CVE Exploits", "High"),
 CrowdSecCollection("crowdsecurity/wordpress", 6, 3, "WP Login Xmlrpc Enum", "High"),
 CrowdSecCollection("crowdsecurity/postfix", 4, 3, "SMTP Abuse Spam", "Medium"),
]

print("=== CrowdSec Collections ===")
for c in collections:
 print(f" [{c.collection}] Scenarios: {c.scenarios} | Parsers: {c.parsers}")
 print(f" Protects: {c.protects} | Popularity: {c.popularity}")

Scenarios and Bouncers

# === Custom Scenario ===

# /etc/crowdsec/scenarios/my-api-bruteforce.yaml
# Leaky bucket: each matching event adds one token, one token drains every
# leakspeed; more than `capacity` tokens in the bucket means overflow, i.e. an alert.
# type: leaky
# name: my-api-bruteforce
# description: "API brute force detection"
# filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path startsWith '/api/login' && evt.Meta.http_status == '401'"
# groupby: evt.Meta.source_ip
# capacity: 5
# leakspeed: 30s
# blackhole: 5m
# labels:
#   type: api_abuse
#   remediation: true
#
# The crowdsecurity/nginx-logs parser sets log_type to 'http_access-log'
# (not 'nginx_access'); `remediation: true` is what lets profiles.yaml turn
# the alert into a ban decision. Load it and test it against real lines:
# sudo systemctl reload crowdsec
# sudo cscli scenarios list | grep my-api-bruteforce
# sudo cscli explain --file /var/log/nginx/access.log --type nginx

# Firewall Bouncer Configuration
# /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
# mode: iptables           # or nftables, matching the package you installed
# pid_dir: /var/run/
# update_frequency: 10s    # how often new/deleted decisions are pulled from the Local API
# daemonize: true
# log_mode: file
# log_dir: /var/log/
# log_level: info
# api_url: http://localhost:8080/
# api_key: YOUR_BOUNCER_API_KEY   # issued by: sudo cscli bouncers add firewall-bouncer
# disable_ipv6: false
# deny_action: DROP
# deny_log: true
# deny_log_prefix: "crowdsec: "

# Nginx Bouncer
# sudo apt install crowdsec-nginx-bouncer
# # Adds a Lua module to nginx
# # Checks the decision cache before serving each request (needs its own API key)

# Manual Decision Management (documentation address used as the example)
# sudo cscli decisions add --ip 198.51.100.23 --duration 24h --reason "manual ban"
# sudo cscli decisions delete --ip 198.51.100.23
# sudo cscli decisions list --ip 198.51.100.23

@dataclass
class BouncerType:
    bouncer: str
    blocks_at: str
    install: str
    latency: str
    use_case: str

bouncers = [
    BouncerType("crowdsec-firewall-bouncer", "iptables/nftables", "apt install crowdsec-firewall-bouncer-iptables", "0ms (kernel)", "All traffic"),
    BouncerType("crowdsec-nginx-bouncer", "Nginx Lua", "apt install crowdsec-nginx-bouncer", "1-2ms", "Web traffic"),
    BouncerType("crowdsec-cloudflare-bouncer", "Cloudflare WAF", "Docker/Binary", "0ms (edge)", "CDN protected"),
    BouncerType("crowdsec-bouncer-traefik-plugin", "Traefik middleware", "Traefik plugin", "1-2ms", "Traefik proxy"),
    BouncerType("crowdsec-haproxy-bouncer", "HAProxy Lua", "apt install crowdsec-haproxy-bouncer", "1ms", "Load balancer"),
]

print("\n=== Bouncers ===")
for b in bouncers:
 print(f" [{b.bouncer}] Blocks at: {b.blocks_at}")
 print(f" Install: {b.install} | Latency: {b.latency}")
 print(f" Use Case: {b.use_case}")
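The whitelist from the Installation section and the my-api-bruteforce scenario above, simulated as an added example (this is not CrowdSec's code nor the author's): a minimal Python leaky bucket run over constructed nginx access-log lines, with the s02-enrich whitelist applied first, exactly as the agent orders the stages. Assumptions: the default nginx combined log format, and the whitelist values 203.0.113.10 and 10.0.0.0/8 from whitelist.yaml; every log line and address here is made up.

```python
# Added example (not CrowdSec's code): the s02-enrich whitelist and the
# my-api-bruteforce leaky bucket, simulated over constructed nginx access-log
# lines so the trigger conditions can be seen offline.
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Same shape as whitelist.yaml above: single addresses under ip, ranges under cidr.
WHITELIST = {"ip": ["203.0.113.10"], "cidr": ["10.0.0.0/8"]}

# Parameters copied from my-api-bruteforce.yaml.
CAPACITY = 5                       # the 6th un-leaked event overflows the bucket
LEAKSPEED = timedelta(seconds=30)  # one event drains out of the bucket every 30s
BLACKHOLE = timedelta(minutes=5)   # after an overflow, ignore the IP for 5 minutes
PATH_PREFIX, STATUS = "/api/login", "401"

# Minimal combined-format parser (assumption: nginx's default log_format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
BASE = datetime(2026, 1, 17, 10, 0, 0, tzinfo=timezone.utc)


def access_line(ip: str, offset_s: int, path: str = "/api/login", status: str = "401") -> str:
    """Build one constructed access-log line offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "POST {path} HTTP/1.1" {status} 27 "-" "curl/8.0"'


def is_whitelisted(ip: str) -> bool:
    """Mirror the s02-enrich whitelist: exact ip match or membership in a cidr."""
    addr = ipaddress.ip_address(ip)
    if ip in WHITELIST["ip"]:
        return True
    return any(addr in ipaddress.ip_network(c) for c in WHITELIST["cidr"])


def parse(line: str) -> Optional[dict]:
    """Turn a raw line into the evt.Meta fields the scenario filter reads."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "source_ip": m["ip"],
        "http_path": m["path"],
        "http_status": m["status"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
    }


@dataclass
class Bucket:
    level: float = 0.0
    last: Optional[datetime] = None
    blackholed_until: Optional[datetime] = None


def run_scenario(lines) -> list:
    """Return (source_ip, time) for every overflow, i.e. every alert the scenario raises."""
    buckets = defaultdict(Bucket)
    alerts = []
    for line in lines:
        evt = parse(line)
        if evt is None or is_whitelisted(evt["source_ip"]):
            continue  # whitelisted events never reach the scenario stage
        if not (evt["http_path"].startswith(PATH_PREFIX) and evt["http_status"] == STATUS):
            continue  # filter does not match
        b, now = buckets[evt["source_ip"]], evt["time"]
        if b.blackholed_until and now < b.blackholed_until:
            continue  # blackhole: overflowed recently, do not re-alert
        if b.last is not None:
            b.level = max(0.0, b.level - (now - b.last) / LEAKSPEED)  # leak since last event
        b.last = now
        b.level += 1
        if b.level > CAPACITY:
            alerts.append((evt["source_ip"], now))
            b.level, b.blackholed_until = 0.0, now + BLACKHOLE
    return alerts


# Constructed traffic: one brute-forcer, one whitelisted office host, one
# legitimate user who mistypes twice.
SAMPLE_LINES = (
    [access_line("198.51.100.23", t) for t in range(0, 12, 2)]       # 6 failures in 10s -> alert
    + [access_line("198.51.100.23", 1, status="200")]                # success: filter skips it
    + [access_line("198.51.100.23", t) for t in (12, 14)]            # inside the blackhole
    + [access_line("10.1.2.3", t) for t in range(20, 36, 2)]         # whitelisted, 8 failures
    + [access_line("192.0.2.7", t) for t in (40, 70)]                # 2 failures, leak away
    + [access_line("198.51.100.23", t) for t in range(400, 412, 2)]  # second burst after blackhole
)

if __name__ == "__main__":
    for ip, when in run_scenario(SAMPLE_LINES):
        print(f"ALERT my-api-bruteforce {ip} at {when.isoformat()}")
```

On a real host `cscli explain` is the authoritative view of how lines flow through parsers and scenarios; the simulation only makes the arithmetic visible: six failures in ten seconds overflow a capacity-5 bucket and the following two are swallowed by the blackhole, while two failures thirty seconds apart never accumulate, and the whitelisted host is dropped before the bucket is ever consulted.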
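What a bouncer does with those decisions, as an added example that is not part of the page nor of any CrowdSec bouncer: the in-memory cache a custom bouncer keeps between polls of the Local API decision stream (GET /v1/decisions/stream), fed here with two constructed payloads in the shape LAPI returns (new/deleted lists, Go-style duration strings, Ip/Range scopes). The ids, addresses and scenario names in the payloads are made up; nothing here contacts a real LAPI.

```python
# Added example (not CrowdSec's code): the decision cache a custom bouncer keeps
# between polls of GET /v1/decisions/stream. Payloads below are constructed.
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Decision durations are Go time.Duration strings, e.g. "3h59m59.5s".
_DURATION = re.compile(r"^(?:(\d+)h)?(?:(\d+)m)?(?:(\d+(?:\.\d+)?)s)?$")


def parse_duration(text: str) -> timedelta:
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    h, mi, s = m.groups()
    return timedelta(hours=int(h or 0), minutes=int(mi or 0), seconds=float(s or 0))


class DecisionCache:
    """Keyed by decision id so a later 'deleted' entry removes exactly that decision."""

    def __init__(self) -> None:
        self._decisions = {}  # id -> (network, expires_at, raw decision)

    def apply(self, payload: dict, received_at: datetime, startup: bool = False) -> None:
        # startup=true is what a bouncer sends on its first poll: LAPI then returns
        # every active decision, so whatever was cached before is stale.
        if startup:
            self._decisions.clear()
        for d in payload.get("deleted") or []:
            self._decisions.pop(d["id"], None)
        for d in payload.get("new") or []:
            if d["scope"].lower() not in ("ip", "range"):
                continue  # other scopes (country, AS, ...) need a different backend
            net = ipaddress.ip_network(d["value"], strict=False)
            self._decisions[d["id"]] = (net, received_at + parse_duration(d["duration"]), d)

    def lookup(self, ip: str, at: datetime):
        """Return the decision type ('ban', 'captcha', ...) in force for ip, else None."""
        addr = ipaddress.ip_address(ip)
        for net, expires, d in self._decisions.values():
            if at < expires and addr in net:
                return d["type"]
        return None

    def purge(self, at: datetime) -> int:
        """Drop expired entries and return how many were removed."""
        dead = [i for i, (_, exp, _) in self._decisions.items() if at >= exp]
        for i in dead:
            del self._decisions[i]
        return len(dead)


T0 = datetime(2026, 1, 17, 12, 0, tzinfo=timezone.utc)

# Constructed first poll (startup=true): one local ban, one range from the
# community blocklist, one captcha decision that only a web bouncer can enforce.
FIRST_POLL = {
    "deleted": None,
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "198.51.100.23", "duration": "3h59m59.5s", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range",
         "value": "192.0.2.0/24", "duration": "23h59m58s", "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
         "value": "203.0.113.77", "duration": "10m0s", "scenario": "crowdsecurity/http-crawl-non_statics"},
    ],
}
# Constructed second poll: the local ban was lifted with `cscli decisions delete`.
SECOND_POLL = {"new": None, "deleted": [{"id": 1, "scope": "Ip", "value": "198.51.100.23"}]}

if __name__ == "__main__":
    cache = DecisionCache()
    cache.apply(FIRST_POLL, T0, startup=True)
    for ip in ("198.51.100.23", "192.0.2.45", "203.0.113.77", "203.0.113.10"):
        print(ip, "->", cache.lookup(ip, T0))
    cache.apply(SECOND_POLL, T0 + timedelta(seconds=10))
    print("after delete:", cache.lookup("198.51.100.23", T0 + timedelta(seconds=10)))
```

The firewall bouncer applies the same stream to an ipset or nftables set on every update_frequency tick and, by default, acts on ban decisions only; a captcha decision is meaningful only to a web bouncer such as the Nginx one, which is why the two are often deployed together.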

Production Hardening

# === Server Hardening Checklist ===

@dataclass
class HardeningItem:
 category: str
 item: str
 command: str
 status: str
 priority: str

checklist = [
    HardeningItem("CrowdSec", "Install Agent + Collections", "cscli collections install ...", "Done", "Critical"),
    HardeningItem("CrowdSec", "Install Firewall Bouncer", "apt install crowdsec-firewall-bouncer-iptables", "Done", "Critical"),
    HardeningItem("CrowdSec", "Community Blocklist (CAPI) + Console", "cscli capi status; cscli console enroll", "Done", "High"),
    HardeningItem("CrowdSec", "Whitelist Trusted IPs", "Edit parsers/s02-enrich/whitelist.yaml", "Done", "High"),
    HardeningItem("CrowdSec", "Alert Notification", "Edit notifications/slack.yaml, enable it in profiles.yaml", "Done", "Medium"),
    HardeningItem("SSH", "Disable Root Login", "PermitRootLogin no", "Done", "Critical"),
    HardeningItem("SSH", "Key-only Authentication", "PasswordAuthentication no", "Done", "Critical"),
    HardeningItem("SSH", "Change Default Port", "Port 2222", "Done", "Medium"),
    HardeningItem("Firewall", "Default Deny Inbound", "iptables -P INPUT DROP", "Done", "Critical"),
    HardeningItem("Firewall", "Allow Only Required Ports", "iptables -A INPUT -p tcp --dport 443 -j ACCEPT", "Done", "Critical"),
    HardeningItem("Updates", "Auto Security Updates", "unattended-upgrades", "Done", "High"),
    HardeningItem("Nginx", "Hide Server Version", "server_tokens off", "Done", "Medium"),
    HardeningItem("Nginx", "Security Headers", "X-Frame-Options, HSTS, CSP", "Done", "High"),
]

print("Server Hardening Checklist:")
for c in checklist:
    print(f" [{c.status}] [{c.priority}] [{c.category}] {c.item}")
done = sum(1 for c in checklist if c.status == "Done")
print(f" {done}/{len(checklist)} items done")
metrics = {
 "IPs Blocked (24h)": "1,247",
 "Community Blocklist Size": "150,000+ IPs",
 "Alerts (24h)": "3,421",
 "Top Attack": "SSH Brute Force (68%)",
 "Bouncer Blocks (24h)": "8,932",
 "False Positive Rate": "0.01%",
}

print(f"\n\nCrowdSec Metrics:")
for k, v in metrics.items():
 print(f" {k}: {v}")
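The three SSH rows of the checklist, as an added check that is not from the page: a small audit of sshd_config in Python that applies sshd's own resolution rule, the first value of a keyword wins and everything after the first Match line is conditional, so a "PermitRootLogin no" appended at the bottom of a file fixes nothing. Both configs below are constructed; the keyword names, the ChallengeResponseAuthentication alias and the defaults are OpenSSH's.

```python
# Added example (not from the page): audit sshd_config for the checklist items,
# honouring first-value-wins and stopping at the first Match block.
from typing import Dict, List

# Checklist targets (keyword names are case-insensitive in sshd_config).
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",  # keyboard-interactive also accepts passwords
    "pubkeyauthentication": "yes",
}
# Values sshd applies when the keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older name for KbdInteractiveAuthentication, still accepted by sshd.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(config_text: str) -> Dict[str, str]:
    """Global (pre-Match) settings, first occurrence wins, as sshd resolves them."""
    settings: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = ALIASES.get(key.lower(), key.lower())
        if key == "match":
            break  # per-user/host overrides are not the global policy
        settings.setdefault(key, value.strip())  # first value wins
    return settings


def audit(config_text: str) -> List[str]:
    """Return one finding per checklist item that is weaker than WANTED."""
    eff = effective_settings(config_text)
    findings = []
    for key, want in WANTED.items():
        got = eff.get(key, DEFAULTS[key])
        if got.lower() != want:
            source = "set" if key in eff else "default"
            findings.append(f"{key} = {got} ({source}); want {want}")
    return findings


# Constructed weak config: the late "PermitRootLogin no" is ignored by sshd.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# added later in the hope of fixing it; sshd keeps the first value above
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# Constructed hardened config matching the checklist.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(text) or 'OK'}")
```

The audit reads one file only; distributions that ship `Include /etc/ssh/sshd_config.d/*.conf` at the top of sshd_config parse those files first, so their values win. On the host itself `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|kbdinteractive'` prints the effective values after includes and is the check to trust.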

Tips

What is CrowdSec?

CrowdSec is a free, open-source IPS. It analyses logs against scenarios (brute force, DDoS, SQL injection, scanners and similar attack patterns), shares the offending IPs with a crowd-sourced community blocklist, and enforces the resulting decisions through bouncers at the firewall or in Nginx.

How do I install CrowdSec?

Through the package manager (apt or yum) or Docker. Then install collections (scenarios plus parsers), install a bouncer (iptables or Nginx), enrol the agent in the Console dashboard, and whitelist trusted IPs before relying on enforcement.

What are Scenarios and Bouncers?

A scenario is a rule that describes an attack pattern (SSH brute force, HTTP scan, and so on). When it triggers, the agent raises an alert and a decision; a bouncer reads the decisions and blocks the IP at the firewall (iptables), in Nginx, or at the Cloudflare CDN edge.

How do I harden a server with CrowdSec?

On the CrowdSec side: agent plus collections, a bouncer, the community blocklist, a whitelist and alert notifications. On the host: key-only SSH, a default-deny firewall, security headers and automatic updates. Then review decisions and alerts regularly.

Summary

CrowdSec is a crowd-sourced IPS: scenarios detect SSH brute force, DDoS and web attacks in the logs, bouncers block at the firewall or in Nginx, and the community blocklist pre-empts known attackers, giving production servers a practical additional layer of protection.
