Ubuntu
Prerequisites
This stack monitors...
... And changes
Docker Compose
https://github.com/trentnbauer/HomelabPublic/blob/main/docker-compose/crowdsec-firewall.yml
# --- CrowdSec Engine Settings ---
# dotenv file read by the compose stack through ${...} interpolation.
# BOUNCER_KEY and CROWDSEC_ENROLL_KEY are credentials (shared with the engine
# and the bouncer, and the CrowdSec console respectively): keep this file out
# of version control and restrict its permissions.
CROWDSEC_NAME=
CROWDSEC_ENROLL_KEY=
BOUNCER_KEY=
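CROWDSEC_PORT=8080
# ^ last line of the dotenv file shown above (the page rendered it fused onto the
#   first line of the compose file). Everything from `services:` down is
#   docker-compose/crowdsec-firewall.yml. CROWDSEC_PORT may be left empty: the
#   compose file defaults it to 8080.
services:
  # CrowdSec security engine: reads the host's logs (read-only bind of /var/log,
  # which also exposes every other host log to this container) and serves the
  # local API that the bouncer queries.
  engine:
    image: crowdsecurity/crowdsec:v1.7.6@sha256:63b595fef92de1778573b375897a45dd226637ee9a3d3db9f57ac7355c369493
    labels:
      - AH.CS.Firewall=true  # matched by AUTOHEAL_CONTAINER_LABEL below
    # NOTE(review): deploy.restart_policy and restart: are both set here and on
    # the bouncer; which one a given Compose version honours is not clear from
    # this file, so keeping a single mechanism would be less ambiguous.
    deploy:
      restart_policy:
        condition: on-failure
        delay: 60s
        max_attempts: 6
        window: 60s
    restart: unless-stopped
    ports:
      # Published on every host interface. The only consumer in this stack (the
      # bouncer, on host networking) reaches it via localhost, so
      # "127.0.0.1:${CROWDSEC_PORT:-8080}:8080" would be tighter unless bouncers
      # on other hosts need the API.
      - "${CROWDSEC_PORT:-8080}:8080"
    depends_on:
      init:
        condition: service_completed_successfully
    environment:
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/sshd crowdsecurity/http-cve crowdsecurity/linux-lpe crowdsecurity/iptables
      - ENROLL_INSTANCE_NAME=${CROWDSEC_NAME}
      # Same value the bouncer service presents as API_KEY; presumably the
      # image's BOUNCER_KEY_<name> registration hook - confirm against the
      # image docs.
      - BOUNCER_KEY_FIREWALL=${BOUNCER_KEY}
      - DISABLE_LOCAL_API=false
      - DISABLE_ONLINE_API=false
      - ENROLL_KEY=${CROWDSEC_ENROLL_KEY}
    # NOTE(review): unlike the bouncer, this service sets no
    # "no-new-privileges:true"; consider adding it unless the entrypoint needs
    # setuid escalation.
    volumes:
      - data:/var/lib/crowdsec/data
      - config:/etc/crowdsec
      - bouncer:/etc/bouncer-shared
      - /var/log:/var/log:ro
    healthcheck:
      # NOTE(review): this only proves the cscli binary executes, not that the
      # local API is listening; the bouncer gates on it via service_healthy.
      test: ["CMD", "cscli", "version"]
      interval: 15s
      timeout: 10s
      retries: 5
    networks:
      crowdsec:
        aliases:
          - crowdsec

  # Firewall bouncer (by name): runs on the host network with the capabilities
  # needed to change host firewall rules, and presents BOUNCER_KEY to the engine.
  bouncer:
    image: ghcr.io/shgew/cs-firewall-bouncer-docker:v0.0.34@sha256:ff1b5b0972ea0cfe39a4f10728effc38f6185a88b742fc4ad5a53d5dca80aca1
    labels:
      - AH.CS.Firewall=true
    deploy:
      restart_policy:
        condition: on-failure
        delay: 60s
        max_attempts: 6
        window: 60s
    restart: unless-stopped
    network_mode: host
    depends_on:
      engine:
        condition: service_healthy
    # NET_ADMIN/NET_RAW are what a firewall bouncer needs; nothing beyond that
    # is granted, and no-new-privileges blocks setuid escalation inside.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    security_opt:
      - no-new-privileges:true
    environment:
      # localhost resolves to the host because of network_mode: host; the port
      # is the one the engine publishes above. Plain http on loopback only.
      - API_URL=http://localhost:${CROWDSEC_PORT:-8080}/
      - API_KEY=${BOUNCER_KEY}
    volumes:
      - bouncer:/config:rw
      - /etc/localtime:/etc/localtime:ro

  # One-shot bootstrap: fetches the acquisition and bouncer config files into
  # the shared volumes; the engine waits for it to exit successfully.
  init:
    # NOTE(review): tag-only reference, unlike the digest-pinned images above;
    # pin as alpine:3.23.3@sha256:<digest> for consistency.
    image: alpine:3.23.3
    volumes:
      - config:/etc/crowdsec
      - bouncer:/etc/crowdsec/bouncers
    # NOTE(review): both files come from the mutable `main` branch with no
    # integrity check, so whoever can write to that branch controls the engine's
    # acquisition config and the bouncer's config. Pin the URLs to a commit and
    # verify a known checksum (e.g. sha256sum -c) before the engine starts.
    # A failed download makes the chain exit non-zero, which keeps the engine
    # from starting on a truncated file.
    command: >-
      sh -c "apk add --no-cache wget ca-certificates &&
      mkdir -p /etc/crowdsec/acquisitions.d /etc/crowdsec/bouncers &&
      wget -qO /etc/crowdsec/acquisitions.d/ubuntu.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/ubuntu.yaml &&
      wget -qO /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml https://raw.githubusercontent.com/trentnbauer/HomelabPublic/main/crowdsec/crowdsec-firewall-bouncer.yaml"

  # Presumably restarts containers carrying the AH.CS.Firewall label whose
  # healthcheck fails (inferred from the image and env names).
  autoheal:
    deploy:
      replicas: 1
      restart_policy:
        condition: on-failure
        delay: 30s
        max_attempts: 5
        window: 120s
    environment:
      AUTOHEAL_CONTAINER_LABEL: AH.CS.Firewall
      # Quoted so the YAML parser hands them over as strings, not ints.
      AUTOHEAL_INTERVAL: "60"
      AUTOHEAL_START_PERIOD: "240"
      AUTOHEAL_DEFAULT_STOP_TIMEOUT: "60"
      WEBHOOK_URL: "${AUTOHEAL_WEBHOOK:-}"
    image: willfarrell/autoheal@sha256:fce548c91cca681686ac8faace4d0fb035b09afc30b2a8cb3eac416f56fe23d9
    restart: always
    network_mode: none
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # Docker socket access is equivalent to root on the host. network_mode:
      # none limits what a compromised autoheal could reach, but a filtering
      # socket proxy that only allows container restart would be stricter.
      - /var/run/docker.sock:/var/run/docker.sock

networks:
  crowdsec: {}

volumes:
  config: {}
  data: {}
  bouncer: {}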