Crowdsec

CrowdSec is an open-source, community-driven Intrusion Prevention System (IPS) that analyzes server logs to detect and block malicious IP addresses in real time. It acts like a modern, collaborative Fail2Ban, sharing threat intelligence among users to create a collective, constantly updated, and curated blocklist.

Before following these guides

All of my Crowdsec guides expect the following:

• Docker installed

• Ubuntu or similar OS

• An existing Crowdsec account

• You have an enrollment key ready to go Generate your Enrollmemt key and

• You have read this page in its entirety

Generate your Enrollmemt key

All of my compose stacks have variables set to enrol your engine into Crowdsec.

1. Navigate to https://app.crowdsec.net/

2. Click on 'Enroll' and copy the enrolment key to clipboard

   This key can be saved to your password vault as it rarely changes

Compose stacks

All of my Crowdsec stacks will include an 'init' (initialization) container, which is used to download the configuration files required. The configuration file URLs are readable in the compose file and publicly available on my Github. These are my production configs and may change over time. As such, I would recommend hosting your own.

Restarting the stack may re-run the init container. If you have made changes to the config file, these may be overwritten.

Here is an example 'init' container,

Using Crowdsec

Where should I deploy my Crowdsec Engine/s

Prioritize protecting anything that is

• A bridge between your local network and the internet (e.g. your firewall)

• Port forwarded

• High impact if brought offline

Add Blocklists

Crowdsource lists are public lists of malicious IP addresses. You can subscribe to a list to automatigically add those to the Cloudflare Security rules generated by Crowdsec

1. Navigate to https://app.crowdsec.net/blocklists/ and review the lists. Most are paid

2. Open a list that sounds good

3. Click on subscribe

4. Select either organization, or engine (and select your Pelican engine)

5. For remediation, select Captcha

6. Click on OK / Save / Subscribe

I personally use the below lists

Firehol greensnow.co list | BlocklistCrowd_Security

OTX Web Scanners List | BlocklistCrowd_Security

Firehol cybercrime tracker list | BlocklistCrowd_Security

Decisions

Once enrolled, you will be able to see your engines decisions (blocked IPs) at https://app.crowdsec.net/decisions alongside some other useful information.

Here is an example from my instance;

Unblock an IP

If you need to delete a false positive or unblock an IP,

1. Navigate to https://app.crowdsec.net/decisions

2. Click on the bin icon next to the IP address

3. Wait a few minutes for things to sync

or

1. Exec into the relevant engine

2. Run the command cscli decisions delete --ip IPADDRESS

3. Wait a minute or 2 for Crowdsec to talk to the bouncer, to talk to the service

Crowdsec is best deployed using a central engine, per this documentation.

My guides aren't written this way. I'm using multiple engines to make it easier to spin up and down stacks. There are some benefits / negatives;

• Easier to deploy My stacks are written to be spin-up-and-go. You will only need to accept the enroll request in the Crowdsec UI

• Risk of being rate limited Due to having multiple engines, you run the risk of being rate limited by Crowdsec. Each engine increases your API calls.

• Syncing across engines Using a central engine will instantly block a malicious IP across all your bouncers. This may not occur using multiple engines.

If you want to use a single engine, you're best to look at other guides.