CrowdSec is a new security project designed to protect virtual servers(VPS, CLOUD), dedicated servers, exposed on the Internet. CrowdSec installs an agent on the server that analyzes the logs of various applications looking for intrusion attempts. Depending on the configuration these IPs are blocked by the bounce on the server and sent to the Crowdsec network that analyzes and redistributes these IPs creating an increasingly secure and updated network. Crowdsec was inspired by Fail2Ban and aims to be a collaborative and modernized version of this intrusion prevention framework.
In Hub we found
Collections: they are packages of analyzers, scenarios, post-overflows that form a coherent set.
Configurations: are the settings that will detect the types of threats.
Bouncers: are plugins that block ips according to crowdsec “decisions” (BAN, CAPTCHA…) There are several types of integration such as iptables (default), cloudflare firewall, wordpress plugin, magento, windows server firewall and many others.
install the agent
Debian / Ubuntu
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash apt-get install crowdsec systemctl enable crowdsec systemctl start crowdsec
RHEL / Almalinux / Amazon Linux
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash yum install crowdsec systemctl enable crowdsec systemctl start crowdsec
Install Firewall (bouncer)
crowdsec-firewall-bouncer will fetch new and old decisions from a CrowdSec API and add them to a blocklist used by supported firewalls.
You need to choose a package according to your firewall system:
To find out whether your system is using iptables or nftables, you can run the following command:
iptables -V . If you see ‘nt_tables’ mentioned in the output, you are using nftables.Remember to choose iptables below only if nt_tables does not appear for you.
Debian/Ubuntu with Iptables
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash apt install crowdsec-firewall-bouncer-iptables systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer
RHEL/Almalinux/Amazon Linux with Iptables
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash yum install crowdsec-firewall-bouncer-iptables systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer
Debian/Ubuntu with NFTables
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash apt install crowdsec-firewall-bouncer-nftables systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer
RHEL/Almalinux/Amazon Linux with NFTables
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash yum install crowdsec-firewall-bouncer-nftables systemctl enable crowdsec-firewall-bouncer systemctl start crowdsec-firewall-bouncer
When installing crowdsec, “collections” of some systems that you have on your server are already pre-configured.
Run the following command and see which collections have been installed
cscli collections list
You will see something similar:
You will be able to install new collections, configurations or bouncers according to your needs through the website Hub do Crowdsec
This is one of the tools we use on our customers’ servers. Server management.