cloudkid.fr

Tag: Wordpress

  • Crowdsec – Collaborative Security

    Crowdsec – Collaborative Security

    Crowdsec is a relatively new tool in the security world, it’s an Intrusion Prevention Systems (IPS), it allow the detection of threats and the adding of necessary firewall rules if needed.

    Crowdsec differs from other IPS because of the collaboration aspect. It also offer an on-premise or cloud dashboard.

    You may have heard, or used Fail2ban, it basically do the same things, but with more functionalities.

    Pros

    • Open-Source
    • Collaborative security
    • Decoupled detection and action software
    • Ease of use
    • IPv6 Ready
    • GDPR Compliant
    • Easy to install & setup
    • Large support for many services

    Cons

    • Not easily understandable
    • Can be hard to setup depending on your setup

    Type of recognized threats

    Threats recognized by Crowdsec

    How does it works ?

    First it gather the logs and parse them from any source, it also applies scenarios to identify cyber-threats, then rules are set depending of the desired behavior.

    Crowdsec has two main components, the scenarios and the bouncers. The scenarios detect the type of threat and the bouncers make an action to ban/correct it. You can also choose to only use one of the two parts.

    Base installation

    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    Add the Crowdsec repository
    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    Add the Crowdsec repository
    sudo apt-get install crowdsec
    Install Crowdsec

    Understanding bouncers

    Bouncers are used to “apply” decisions, from threats detected by the Crowdsec software.

    Before installing the basic bouncer that will act on your firewall rules, you need to check if your system is using iptable or nftable to determine where your system should act to prevent the attacks.

    Then, you can use the basic firewall bouncer. It will check for the most common cases of attacks on your server (Brute-force, Slow brute-force, …).

    apt install crowdsec-firewall-bouncer-iptables
    Install the Linux firewall bouncer

    Then, depending of the service(s) you are running on your server, you can use one more other bouncers.

    • WordPress bouncer
    • Caddy bouncer
    • HAproxy bouncer
    • Traefik bouncer
    • Nginx bouncer
    • And more …
    🔎
    You can check the full bouncer list on the Crowdsec website
    💡
    Keep in mind that some bouncers are experimental !

    See it in action

    You can then use some commands to see Crowdsec in action after a few hours/days.

    sudo cscli decisions list
    Check if IP bans are been applied
    sudo cscli decisions delete --ip 1.2.3.4
    Delete the ban of the IP 1.2.3.4