
CrowdSec IPS Security Hardening: Protection Against Hacking

CrowdSec IPS, Security Hardening, Crowd-sourced, Intrusion Prevention, Log Analysis, Scenario, Bouncer, Blocklist, Community, Brute Force, DDoS, SQL Injection, Firewall, Nginx

| IPS Tool | Type | Detection | Community | Resource Usage | Best for |
|---|---|---|---|---|---|
| CrowdSec | Log-based | Scenario Rules | Crowd-sourced | Low | Web Server VPS |
| Fail2ban | Log-based | Regex Filter | None | Low | Simple Ban |
| Suricata | Network-based | Signatures + ML | ET Rules | High | Network IDS/IPS |
| ModSecurity | WAF | CRS Rules | OWASP CRS | Medium | Web Application |
| OSSEC | Host-based | Rules + Rootkit | Limited | Medium | Server HIDS |
Installation
=== CrowdSec Installation ===
Debian/Ubuntu
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-iptables
CentOS/RHEL
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
sudo yum install crowdsec
sudo yum install crowdsec-firewall-bouncer-iptables
Docker
docker run -d --name crowdsec \
-v /var/log:/var/log:ro \
-v /etc/crowdsec:/etc/crowdsec \
-v crowdsec-db:/var/lib/crowdsec/data \
-e COLLECTIONS="crowdsecurity/linux crowdsecurity/nginx crowdsecurity/sshd" \
crowdsecurity/crowdsec
Install Collections (Scenarios + Parsers)
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/sshd
sudo cscli collections install crowdsecurity/http-cve
sudo cscli collections install crowdsecurity/wordpress
Register with Console
sudo cscli console enroll YOUR_ENROLLMENT_KEY
Check Status
sudo cscli metrics
sudo cscli decisions list
sudo cscli alerts list
Whitelist Trusted IPs
/etc/crowdsec/parsers/s02-enrich/whitelist.yaml
name: my-whitelist
description: "Whitelist trusted IPs"
whitelist:
  reason: "Trusted office IP"
  ip:                 # single addresses
    - "203.0.113.10"
  cidr:               # ranges belong under cidr, not ip
    - "10.0.0.0/8"
from dataclasses import dataclass

@dataclass
class CrowdSecCollection:
    collection: str   # hub collection name
    scenarios: int    # scenarios shipped in the collection
    parsers: int      # parsers shipped in the collection
    protects: str     # what the scenarios detect
    popularity: str

collections = [
    CrowdSecCollection("crowdsecurity/linux", 5, 8, "SSH Brute Force Su Abuse", "Very High"),
    CrowdSecCollection("crowdsecurity/nginx", 8, 4, "HTTP Attacks Scans CVE", "Very High"),
    CrowdSecCollection("crowdsecurity/sshd", 3, 2, "SSH Login Failures", "Very High"),
    CrowdSecCollection("crowdsecurity/http-cve", 15, 2, "Known CVE Exploits", "High"),
    CrowdSecCollection("crowdsecurity/wordpress", 6, 3, "WP Login Xmlrpc Enum", "High"),
    CrowdSecCollection("crowdsecurity/postfix", 4, 3, "SMTP Abuse Spam", "Medium"),
]

print("=== CrowdSec Collections ===")
for c in collections:
    print(f" [{c.collection}] Scenarios: {c.scenarios} | Parsers: {c.parsers}")
    print(f" Protects: {c.protects} | Popularity: {c.popularity}")
Scenarios and Bouncers

=== Custom Scenario ===
/etc/crowdsec/scenarios/my-api-bruteforce.yaml
type: leaky
name: my-api-bruteforce
description: "API brute force detection"
# http_access-log is the log_type the crowdsecurity/nginx-logs parser assigns to access-log events
filter: "evt.Meta.log_type == 'http_access-log' && evt.Meta.http_path startsWith '/api/login' && evt.Meta.http_status == '401'"
groupby: evt.Meta.source_ip   # one bucket per client IP
capacity: 5                   # more than 5 events in the bucket -> overflow (alert)
leakspeed: 30s                # one event drains out of the bucket every 30s
blackhole: 5m                 # ignore the same source for 5m after an overflow
labels:
  type: api_abuse
  remediation: true           # bouncers act on the resulting decision
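To make the leaky-bucket settings above concrete, here is an added example (not CrowdSec's code) that models the my-api-bruteforce scenario and the whitelist from the earlier section over constructed nginx access-log events: whitelisted sources are skipped, each remaining source gets its own bucket, and an alert is raised when a bucket holds more than `capacity` events. The event dicts, sample IPs and timestamps are constructed for the example; the `http_access-log` value is the log_type the crowdsecurity/nginx-logs parser sets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAPACITY, LEAKSPEED, BLACKHOLE = 5, 30.0, 300.0  # values from the scenario above
WHITELIST_IPS, WHITELIST_CIDRS = {"203.0.113.10"}, [ip_network("10.0.0.0/8")]

def whitelisted(ip: str) -> bool:
    addr = ip_address(ip)
    return ip in WHITELIST_IPS or any(addr in n for n in WHITELIST_CIDRS)

def matches_filter(evt: dict) -> bool:
    # the same predicate as the scenario's "filter:" line
    return (evt["log_type"] == "http_access-log"
            and evt["http_path"].startswith("/api/login")
            and evt["http_status"] == "401")

@dataclass
class Bucket:
    tokens: float = 0.0
    last: float = 0.0
    blackhole_until: float = -1.0

def run_scenario(events):
    """Return (source_ip, ts) for every bucket overflow, i.e. each alert."""
    buckets, alerts = {}, []
    for evt in sorted(events, key=lambda e: e["ts"]):
        if not matches_filter(evt) or whitelisted(evt["source_ip"]):
            continue
        b = buckets.setdefault(evt["source_ip"], Bucket(last=evt["ts"]))
        if evt["ts"] < b.blackhole_until:
            continue  # blackhole: ignore this source for 5m after an overflow
        # leak one token per LEAKSPEED seconds elapsed since the last event
        b.tokens = max(0.0, b.tokens - (evt["ts"] - b.last) / LEAKSPEED)
        b.last = evt["ts"]
        b.tokens += 1
        if b.tokens > CAPACITY:  # capacity 5: the 6th event in the window overflows
            alerts.append((evt["source_ip"], evt["ts"]))
            b.tokens = 0.0
            b.blackhole_until = evt["ts"] + BLACKHOLE
    return alerts

def mk(ts, ip, path="/api/login", status="401"):
    # constructed event carrying the Meta fields the nginx parser would set
    return {"ts": ts, "source_ip": ip, "log_type": "http_access-log",
            "http_path": path, "http_status": status}

# constructed sample: 198.51.100.7 hammers the login API, 10.1.2.3 is whitelisted,
# 192.0.2.9 spaces its failures out so the bucket leaks faster than it fills
SAMPLE = ([mk(i * 2.0, "198.51.100.7") for i in range(8)]
          + [mk(i * 2.0, "10.1.2.3") for i in range(8)]
          + [mk(i * 60.0, "192.0.2.9") for i in range(8)])
```

Running `run_scenario(SAMPLE)` yields a single alert for 198.51.100.7 at its sixth 401 (ts 10.0); the two later events from that source fall inside the blackhole and are ignored.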
Bouncer Configuration
/etc/crowdsec/bouncers/cs-firewall-bouncer.yaml
mode: iptables
piddir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8080/
api_key: YOUR_BOUNCER_API_KEY
disable_ipv6: false
deny_action: DROP
deny_log: true
deny_log_prefix: "crowdsec: "
Nginx Bouncer
sudo apt install crowdsec-nginx-bouncer
# Adds lua module to nginx
# Automatically checks decisions before serving
Manual Decision Management
sudo cscli decisions add --ip 1.2.3.4 --duration 24h --reason "manual ban"
sudo cscli decisions delete --ip 1.2.3.4
sudo cscli decisions list --ip 1.2.3.4
from dataclasses import dataclass

@dataclass
class BouncerType:
    bouncer: str
    blocks_at: str   # layer where the decision is enforced
    install: str
    latency: str
    use_case: str

bouncers = [
    BouncerType("cs-firewall-bouncer", "iptables/nftables", "apt install", "0ms (kernel)", "All traffic"),
    BouncerType("cs-nginx-bouncer", "Nginx Lua", "apt install", "1-2ms", "Web traffic"),
    BouncerType("cs-cloudflare-bouncer", "Cloudflare WAF", "Docker/Binary", "0ms (edge)", "CDN protected"),
    BouncerType("cs-traefik-bouncer", "Traefik middleware", "Docker", "1-2ms", "Traefik proxy"),
    BouncerType("cs-haproxy-bouncer", "HAProxy", "apt install", "1ms", "Load balancer"),
]

print("\n=== Bouncers ===")
for b in bouncers:
    print(f" [{b.bouncer}] Blocks at: {b.blocks_at}")
    print(f" Install: {b.install} | Latency: {b.latency}")
    print(f" Use Case: {b.use_case}")
Production Hardening
# === Server Hardening Checklist ===
from dataclasses import dataclass

@dataclass
class HardeningItem:
    category: str
    item: str
    command: str   # config directive or command that implements the item
    status: str
    priority: str

checklist = [
    HardeningItem("CrowdSec", "Install Agent + Collections", "cscli collections install ...", "Done", "Critical"),
    HardeningItem("CrowdSec", "Install Firewall Bouncer", "apt install cs-firewall-bouncer", "Done", "Critical"),
    HardeningItem("CrowdSec", "Subscribe Community Blocklist", "cscli console enroll", "Done", "High"),
    HardeningItem("CrowdSec", "Whitelist Trusted IPs", "Edit whitelist.yaml", "Done", "High"),
    HardeningItem("CrowdSec", "Alert Notification", "cscli notifications add slack", "Done", "Medium"),
    HardeningItem("SSH", "Disable Root Login", "PermitRootLogin no", "Done", "Critical"),
    HardeningItem("SSH", "Key-only Authentication", "PasswordAuthentication no", "Done", "Critical"),
    HardeningItem("SSH", "Change Default Port", "Port 2222", "Done", "Medium"),
    HardeningItem("Firewall", "Default Deny Inbound", "iptables -P INPUT DROP", "Done", "Critical"),
    HardeningItem("Firewall", "Allow Only Required Ports", "iptables -A INPUT -p tcp --dport 443", "Done", "Critical"),
    HardeningItem("Updates", "Auto Security Updates", "unattended-upgrades", "Done", "High"),
    HardeningItem("Nginx", "Hide Server Version", "server_tokens off", "Done", "Medium"),
    HardeningItem("Nginx", "Security Headers", "X-Frame-Options HSTS CSP", "Done", "High"),
]

print("Server Hardening Checklist:")
done = sum(1 for c in checklist if c.status == "Done")
for c in checklist:
    print(f" [{c.status}] [{c.priority}] [{c.category}] {c.item}")
print(f" Completed: {done}/{len(checklist)}")

metrics = {
    "IPs Blocked (24h)": "1,247",
    "Community Blocklist Size": "150,000+ IPs",
    "Alerts (24h)": "3,421",
    "Top Attack": "SSH Brute Force (68%)",
    "Bouncer Blocks (24h)": "8,932",
    "False Positive Rate": "0.01%",
}

print("\n\nCrowdSec Metrics:")
for k, v in metrics.items():
    print(f" {k}: {v}")
Tips
- Collections: install the collections that match the services you actually run
- Whitelist: always whitelist your office IP and monitoring IPs
- Community: subscribe to the community blocklist to block known bad IPs
- Alert: send notifications to Slack to watch attacks in real time
- Review: review decisions every week and check for false positives
What is CrowdSec
Open Source IPS, Crowd-sourced, Log Analysis, Scenario, Bouncer, Blocklist, Community, Brute Force, DDoS, SQL Injection, Firewall, Nginx, Free