Crowdsec - A Modern Replacement for Fail2Ban

AnthonySmith (Administrator, Hosting Provider)

Further reading/source article: https://danielmiessler.com/study/crowdsec

https://crowdsec.net

Key features:

  • allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
  • is easy to install and maintain, with no technical requirements. The installer even comes with a wizard, duh!
  • is designed to be integrated with other solutions and components (i.e. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)
  • is about sharing: metadata about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.
  • is lightweight: it runs standalone and doesn't require much RAM or CPU
  • can work with cold logs: you can run it on “cold” logs and see what could have happened
  • comes with out of the box dashboards, because we know visualisation is key

Inception Hosting - 256MB OpenVZ VPS back in stock for €8.00 p/year - DEDICATED IP4 + /64 IPv6 https://clients.inceptionhosting.com/cart.php?a=add&pid=177
Please do not use the PM system here for Inception Hosting support issues.


Comments

  • jarland (Hosting Provider, OG)

    Nice find. That has some time saving potential.

    Friends don’t let friends use MagicSpam, the pay-to-play email mafia.

  • Looks nice. Anyone tested it yet?
    I reckon some will have some views on the data sharing part, but for me frankly if it helps sharing lists of shitty IPs, count me in.

  • I like the concept. Bit wary about it in some ways though (e.g. falsify reports to negatively affect a competitor)

    @daffy said:
    Looks nice. Anyone tested it yet?

    I'll throw it on a clean VPS to test & post some screenshots later

  • AnthonySmith (Administrator, Hosting Provider)

    @havoc said:
    I like the concept. Bit wary about it in some ways though (e.g. falsify reports to negatively affect a competitor)

    @daffy said:
    Looks nice. Anyone tested it yet?

    I'll throw it on a clean VPS to test & post some screenshots later

    Nice one, looking forward to seeing the results.


  • edited November 8

    @havoc said:
    I'll throw it on a clean VPS to test & post some screenshots later

    I’ll do the same :)

  • havoc (OG)
    edited November 8

    Pros:

    • I like the concept, and it's clearly more ambitious in scope than fail2ban
    • Nice idiot-proof default configs like wordpress, ssh, nginx (in fairness fail2ban has similar)
    • Web interface is a nice touch
    • Clearly has potential
    • It's built on metabase for the web gui - powerful analytics/chart platform & that part feels polished (duh being a finished product)

    Cons

    • Definitely still beta testing grade, not even hobbyist ready tbh (e.g. bizarre oddities like "Signal Occur En Ces")...but not far off
    • Instructions have a lot of .sh mystery piped into bash. Also wasn't tested well (debian instructions assume sudo installed which isn't the case for clean installs)
    • Installer mentions it doesn't block anything (???) for that you need to install a separate blocker thing
    • Web interface isn't included. Separate too and then fails because you don't have docker installed
    • Getting a lot of ssh connection resets. Could just be a coincidence

    Hasn't caught anything yet but maybe just slow SSH day lol. Seems to have lots of areas in the web interface that will presumably have graphs later. I'll leave it running for a while - someone @ me in a couple days if I forget.

    The crowd-sourced part:

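The complaint above about installer scripts piped into bash is the standard caveat for any `curl | bash` install, CrowdSec's included: fetch the script to disk, read it, record its hash, and run only the copy you reviewed. The block below is an added example for this thread, not CrowdSec's installer or any code from the project. SAMPLE_INSTALLER is a constructed script written to exercise the checks, the hostnames in it are placeholders, and the pattern list is a reviewer's first-pass heuristics rather than an audit.

```python
"""Pre-flight triage of a downloaded installer before it is executed.

Added example, not CrowdSec's installer. SAMPLE_INSTALLER is constructed
to trigger each check; example.invalid is a placeholder host.
"""
import hashlib
import hmac
import re

# Constructed installer script (not a real one) with the habits a reviewer
# wants flagged: nested remote fetch into a shell, eval, sudo, system paths.
SAMPLE_INSTALLER = """\
#!/bin/sh
set -e
VERSION=1.0.0
echo "Installing example tool $VERSION"
curl -sSL https://example.invalid/bootstrap.sh | bash
eval "$(curl -s https://example.invalid/env.sh)"
sudo cp ./tool /usr/local/bin/tool
chmod 755 /usr/local/bin/tool
echo done
"""

# Heuristics only: each is a line a human should read before running the script.
RISKY_PATTERNS = [
    # a second download piped straight into a shell (the script you read is not the code that runs)
    ("remote-code-to-shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba)?sh\b")),
    # eval of anything, most often of fetched or templated text
    ("eval", re.compile(r"\beval\b")),
    # privilege escalation inside the installer
    ("privilege-escalation", re.compile(r"\bsudo\b")),
    # writes into system locations
    ("writes-system-path", re.compile(r"(/usr/local/bin|/usr/bin|/etc)/")),
]


def triage_installer(script_text):
    """Return (line_number, label, stripped_line) for every risky line found."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for label, pattern in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def sha256_hex(data):
    """Hex SHA-256 of a str or bytes payload."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.sha256(data).hexdigest()


def installer_is_pinned(script_text, expected_sha256):
    """True only if the bytes match the hash recorded when the script was reviewed."""
    return hmac.compare_digest(sha256_hex(script_text), expected_sha256.lower())


if __name__ == "__main__":
    for lineno, label, line in triage_installer(SAMPLE_INSTALLER):
        print(f"line {lineno:>3} [{label}] {line}")
    pinned = sha256_hex(SAMPLE_INSTALLER)
    print("pin this hash after review:", pinned)
    print("re-downloaded copy matches pin:", installer_is_pinned(SAMPLE_INSTALLER, pinned))
```

Run it on the saved script, read every flagged line (a nested `curl | bash` means the code you reviewed is not the code that will run), then pin the hash and compare the copy you actually execute against it; a mismatch means the script changed between review and install and has to be read again.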
  • @havoc said:
    Cons

    • Definitely still beta testing grade, not even hobbyist ready tbh (e.g. bizarre oddities like "Signal Occur En Ces")...but not far off
    • Instructions have a lot of .sh mystery piped into bash. Also wasn't tested well (debian instructions assume sudo installed which isn't the case for clean installs)
    • Installer mentions it doesn't block anything (???) for that you need to install a separate blocker thing
    • Web interface isn't included. Separate too and then fails because you don't have docker installed
    • Getting a lot of ssh connection resets. Could just be a coincidence

    That's a lot of cons :-/

  • @aaronstuder said:
    That's a lot of cons :-/

    Yeah but aside from the ssh resets no real show stoppers...and even that as I said might be unrelated. The VPS I used was previously stable...but I know they made hardware changes since.

    Web interface & blocker being separate is explained on the github...I just didn't read it properly lol

  • Oh noes the clooouuuuud. It sounds like an attack vector in its own right?

  • @havoc said: .sh mystery

    Lmao! I'll try it out just for that comment =)

  • edited November 9

    @havoc said:
    Pros:

    • I like the concept, and it's clearly more ambitious in scope than fail2ban
    • Nice idiot proof default configs like wordpress, ssh, nginx (in fairness fail2ban has similar)
    • Web interface is a nice touch
    • Clearly has potential
    • It's built on metabase for the web gui - powerful analytics/chart platform & that part feels polished (duh being a finished product)

    Cons

    • Definitely still beta testing grade, not even hobbyist ready tbh (e.g. bizarre oddities like "Signal Occur En Ces")...but not far off
    • Instructions have a lot of .sh mystery piped into bash. Also wasn't tested well (debian instructions assume sudo installed which isn't the case for clean installs)
    • Installer mentions it doesn't block anything (???) for that you need to install a separate blocker thing
    • Web interface isn't included. Separate too and then fails because you don't have docker installed
    • Getting a lot of ssh connection resets. Could just be a coincidence

    Hasn't caught anything yet but maybe just slow SSH day lol. Seems to have lots of areas in the web interface that will presumably have graphs later. I'll leave it running for a while - someone @ me in a couple days if I forget.

    The crowd sourced part:

    Uh yeah, I didn't know that I have to install docker first; the front page on the github doesn't mention anything about it. "Installer mentions it doesn't block anything" also confused me. But yes, I'm too lazy to read docs..

  • @havoc said:

    • Installer mentions it doesn't block anything (???) for that you need to install a separate blocker thing
    • Web interface isn't included. Separate too and then fails because you don't have docker installed

    I don't see those as cons; it makes sense to have the panel and, as they call them, the bouncers optional.
    So you can configure it based on your needs.

  • anyone knows how to reset the dashboard user/pass? my ssh connection dropped while installing the metabase dashboard, so I can't see the user/pass

  • SpeedBus (Hosting Provider, OG)

    I wonder how/if the same can be implemented with some fail2ban + git + some bash script to sync the log-files around.

  • Oh hey excitement. Got a ban - some naughty american hitting the SSH port 13 times.

    Overall liking their dashboard. It's not very detailed yet but feels a bit like an empty grafana dash...the gap between not good and a pretty awesome visualisation is pretty small. Give it half a year and a couple 1000 users and could be neat AF

  • I wonder if this can be installed on the company USG

  • Looks like it's got potential once those (mainly UI/UX) issues are ironed out.

    Resident numpty

  • havoc (OG)
    edited November 11

    @dahartigan said:
    Looks like it's got potential once those (mainly UI/UX) issues are ironed out.

    Wouldn't call it issues so much as they went for a full blown analytics front end & it just feels a little...sparse. Presumably they're working on the core rather than the shiny graphics.

    Still...bit more data and the main dashboard now looks pretty shiny already

  • @havoc said:
    I like the concept. Bit wary about it in some ways though (e.g. falsify reports to negatively affect a competitor)

    Either this or once it's working they make it a paid service. As usual.. :/

  • Holy hell...see that "No.31,Jin-rong Street" in the logs at the bottom? Thought that looked familiar...

    https://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/

  • @AnthonySmith said:
    Further reading/source article: https://danielmiessler.com/study/crowdsec

    https://crowdsec.net

    key features:

    • is about sharing : meta-data about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.

    Can you disable the sharing? Also how would IPs eventually get cleaned? Are they on a time out period?
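The key features in the opening post (detect from your logs, block through a separate component, replay cold logs) and the question just above about how banned IPs get cleaned come down to one loop: parse authentication failures, count them per source IP in a sliding window, issue a decision with an expiry, and let the decision lapse. The block below is an added example implementing that loop; it is not CrowdSec or fail2ban code. The sshd lines are constructed, and the threshold (5 failures), window (120 s) and ban length (4 h) are assumptions chosen for illustration, not CrowdSec's defaults.

```python
"""Sliding-window SSH brute-force detection with expiring ban decisions.

Added example for this thread, not CrowdSec or fail2ban code. The log
lines are constructed; threshold, window and duration are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (no year in the timestamp), not real traffic:
# 203.0.113.7 hammers the port, 198.51.100.23 mistypes a password twice,
# 192.0.2.55 tries once a minute to stay under a naive window.
SAMPLE_LOG = """\
Nov  8 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Nov  8 10:00:03 vps sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Nov  8 10:00:04 vps sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Nov  8 10:00:05 vps sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 50128 ssh2
Nov  8 10:00:07 vps sshd[1209]: Accepted publickey for deploy from 198.51.100.23 port 41000 ssh2
Nov  8 10:00:09 vps sshd[1211]: Failed password for root from 203.0.113.7 port 50130 ssh2
Nov  8 10:00:12 vps sshd[1213]: Failed password for root from 203.0.113.7 port 50132 ssh2
Nov  8 10:05:00 vps sshd[1301]: Failed password for deploy from 198.51.100.23 port 41002 ssh2
Nov  8 10:05:20 vps sshd[1303]: Failed password for deploy from 198.51.100.23 port 41004 ssh2
Nov  8 10:15:00 vps sshd[1401]: Failed password for invalid user oracle from 192.0.2.55 port 33000 ssh2
Nov  8 10:16:00 vps sshd[1403]: Failed password for invalid user oracle from 192.0.2.55 port 33002 ssh2
Nov  8 10:17:00 vps sshd[1405]: Failed password for invalid user oracle from 192.0.2.55 port 33004 ssh2
Nov  8 10:18:00 vps sshd[1407]: Failed password for invalid user oracle from 192.0.2.55 port 33006 ssh2
Nov  8 10:19:00 vps sshd[1409]: Failed password for invalid user oracle from 192.0.2.55 port 33008 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port"
)


def parse_failed_login(line, year=2020):
    """Return (timestamp, user, ip) for an sshd 'Failed password' line, else None.
    Syslog omits the year, so the caller supplies it (assumed 2020 here)."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


class BruteForceDetector:
    """Per-IP failure counter over a sliding window; emits time-limited bans."""

    def __init__(self, threshold=5, window=timedelta(seconds=120),
                 ban_duration=timedelta(hours=4)):
        self.threshold = threshold
        self.window = window
        self.ban_duration = ban_duration
        self.events = defaultdict(deque)  # ip -> timestamps of recent failures
        self.decisions = {}               # ip -> ban expiry

    def is_banned(self, ip, now):
        """True while a decision is active; an expired decision is dropped (the time-out)."""
        expiry = self.decisions.get(ip)
        if expiry is None:
            return False
        if expiry <= now:
            del self.decisions[ip]
            return False
        return True

    def feed(self, ts, ip):
        """Record one failure; return the new expiry if this failure triggers a ban."""
        if self.is_banned(ip, ts):
            return None  # already blocked; a bouncer would have dropped the connection
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            expiry = ts + self.ban_duration
            self.decisions[ip] = expiry
            q.clear()
            return expiry
        return None


def replay(log_text, detector=None):
    """Run the detector over a whole log (the 'cold log' case); return (detector, bans)."""
    detector = detector or BruteForceDetector()
    bans = []
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        expiry = detector.feed(ts, ip)
        if expiry is not None:
            bans.append((ip, ts, expiry))
    return detector, bans


if __name__ == "__main__":
    det, bans = replay(SAMPLE_LOG)
    for ip, at, until in bans:
        print(f"ban {ip} at {at} until {until}")
    print("still banned at 13:59:", det.is_banned("203.0.113.7", datetime(2020, 11, 8, 13, 59)))
    print("still banned at 14:01:", det.is_banned("203.0.113.7", datetime(2020, 11, 8, 14, 1)))
```

Replaying the sample bans the fast brute-forcer on its fifth failure, leaves the user who mistyped a password twice alone, and lets the one-attempt-a-minute scanner slide under the window; that last case is the trade-off every threshold rule carries, and the decision lapsing at its expiry is the time-out asked about above.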

  • @SpeedBus said:
    I wonder how/if the same can be implemented with some fail2ban + git + some bash script to sync the log-files around.

    vallumd provides clustered cohesion.

  • Will test it for NanoKVM, maybe a chance that it catches these port scans before they reach the SSH servers on the VMs.
    Worth a try, will let you know how it works out.

  • AnthonySmith (Administrator, Hosting Provider)

    @Neoon said:
    Will test it for NanoKVM, maybe a chance that it catches these port scans before they reach the SSH servers on the VM's.
    Worth a try, will let you know how it works out.

    That's a good idea, will look into that myself.


  • https://wiki.x8e.net/doku.php?id=crowdsec_setup

    My setup for the big testings.
    Yea the webinterface is the same stuff you basically see on CLI, nothing fancy.

    I would not put that on any production since just bloat you don't need.

  • @Neoon said:
    https://wiki.x8e.net/doku.php?id=crowdsec_setup

    My setup for the big testings.
    Yea the webinterface is the same stuff you basically see on CLI, nothing fancy.

    I would not put that on any production since just bloat you don't need.

    Thanks, implemented and got immediate bans from frantech xD.

  • Neoon (OG)
    edited November 16

    @james50a said:

    @Neoon said:
    https://wiki.x8e.net/doku.php?id=crowdsec_setup

    My setup for the big testings.
    Yea the webinterface is the same stuff you basically see on CLI, nothing fancy.

    I would not put that on any production since just bloat you don't need.

    Thanks, implemented and got immediate bans from frantech xD.

    wow, scam.
    I did set up the same shit, did not get any bans yet despite seeing failed SSH attempts.

    edit:
    https://hub.crowdsec.net/author/crowdsecurity/configurations/ban-report-ssh_bf_report

  • nice, hopefully it will stay open source

    3 - 2 - 1 - Backup!

  • splitice (Hosting Provider, OG)
    edited November 16

    @AnthonySmith said: is about sharing: metadata about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.

    Considering the number of badly coded scripts reporting to RBLDNSs and abuseipdb, I have little faith in any community-sourced database.

    An example of this we see a lot is the reporting of attack targets because the reporter's own IP services are being used for reflection or amplification.

    X4B - DDoS Protection: Affordable Anycast DDoS protection including Layer 7 mitigation with PoPs in the Europe, Asia, North and South America.
    Latest Offer: Brazil Launch 2020 Offer
