CrowdSec Installation
What is CrowdSec?
CrowdSec offers a crowd-based cybersecurity suite to protect your online services, visualize & act upon threats, and a TIP (Threat Intel Platform) to block malicious IPs.
What does CrowdSec do?
Observability. Dashboards are great steering tools. CrowdSec exposes Prometheus metrics and ships a Metabase dashboard to help you with visualization. With the CrowdSec console, you can manage fleets of servers, visualize attacks and alerts in real time and remediate intrusion attempts.
A Fail2Ban alternative on steroids.
In essence both tools work the same way: they read logs, detect attacks and then block or mitigate the attacker. There are major differences though:
- By default CrowdSec shares information about the attacks it detects with the community. It does so anonymously: it only sends the offender's IP, a timestamp and the scenario (attack type) that was triggered. In return, other CrowdSec users in a similar environment receive a community blocklist, so by default they block the IPs that attacked you (and vice versa).
- CrowdSec is able to detect far more advanced attacks, such as slow brute force, distributed brute force and various layer 7 attacks such as XSS, SQLi, resource abuse, bot scraping and much more.
- CrowdSec is able to block traffic at multiple layers (think OSI). It can block at layer 3/4 using the host firewall (the iptables/nftables bouncer) or at layer 7 directly within applications such as nginx, WordPress, any Python Flask application, Traefik and many, many more.
Server Installation
All steps are taken from the official installation guide. This installation method only applies to Debian/Ubuntu-based systems; visit the official site for other distributions.
Install Repositories & CrowdSec
- Add the CrowdSec package repository (download and review the script first if you would rather not pipe it straight into a root shell)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
- Install CrowdSec
sudo apt install crowdsec -y
- Install the firewall bouncer (the component that actually blocks offending IPs in the host firewall)
sudo apt install crowdsec-firewall-bouncer-iptables -y
Installing CrowdSec Collections
Collections are bundles of parsers, scenarios and postoverflows that form a coherent package.
Check all available collections on the official CrowdSec site.
I usually install the following collections on all servers, but your list may vary. Install the collections for the services that actually run on your server, and reload CrowdSec afterwards (cscli prints a reminder) so the new parsers and scenarios are loaded.
- Endlessh
sudo cscli collections install crowdsecurity/endlessh
- HTTP-CVE
sudo cscli collections install crowdsecurity/http-cve
- Linux-LPE
sudo cscli collections install crowdsecurity/linux-lpe
- MariaDB
sudo cscli collections install crowdsecurity/mariadb
- WordPress
sudo cscli collections install crowdsecurity/wordpress
Set up CrowdSec Console
View your stats in real time.
- Register an account on the official CrowdSec site.
- Add your instance and paste the enrollment command the console shows you (sudo cscli console enroll <key>) into a terminal on the server.
- Restart the CrowdSec service so the enrollment takes effect
sudo systemctl restart crowdsec
Do not forget to restart your CrowdSec service!
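Once the packages, collections and console enrollment are in place, it is worth checking that the pieces actually fit together: that every collection you intended to install is present, that the firewall bouncer is registered, and that a decision really ends up in the firewall. The script below is an added example, not part of the original page or of the CrowdSec project. It assumes the REQUIRED list mirrors the collections installed above, that `cscli collections list -o raw` prints CSV with the collection name in the first column, that the iptables bouncer package uses its default ipset name `crowdsec-blacklists` and its default 10 s update interval, and that it is run as root on the server. The test IP 203.0.113.10 is a documentation address chosen for the check.

```shell
#!/bin/sh
# Post-install smoke test for CrowdSec + the iptables firewall bouncer.
# Added example; not from the original page or the CrowdSec project.

# Collections this page installs (assumption: adjust to your own list).
REQUIRED="crowdsecurity/endlessh
crowdsecurity/http-cve
crowdsecurity/linux-lpe
crowdsecurity/mariadb
crowdsecurity/wordpress"

# missing_collections INSTALLED
#   INSTALLED is a newline-separated list of collection names.
#   Prints the entries of REQUIRED that are not in INSTALLED, one per line.
missing_collections() {
    installed="$1"
    absent=""
    for c in $REQUIRED; do
        # -F: literal match, -x: whole line, so "crowdsecurity/http" != "crowdsecurity/http-cve"
        if ! printf '%s\n' "$installed" | grep -qxF "$c"; then
            absent="$absent$c
"
        fi
    done
    printf '%s' "$absent"
}

# bouncer_blocks IP
#   Adds a short-lived manual ban for IP, waits for the bouncer to pull it
#   (default update interval is 10 s) and checks the bouncer's ipset.
#   The set name crowdsec-blacklists is the package default (assumption).
#   Cleans up the test decision afterwards. Returns 0 if the IP was blocked.
bouncer_blocks() {
    ip="$1"
    cscli decisions add -i "$ip" -d 2m -R "install smoke test" >/dev/null
    sleep 12
    if ipset test crowdsec-blacklists "$ip" >/dev/null 2>&1; then
        result=0
    else
        result=1
    fi
    cscli decisions delete -i "$ip" >/dev/null
    return $result
}

# Live run: only when cscli is present, so the file can also be sourced
# on a workstation to reuse the functions.
if command -v cscli >/dev/null 2>&1; then
    # Assumption: raw output is CSV, collection name in column 1.
    absent=$(missing_collections "$(cscli collections list -o raw | cut -d, -f1)")
    if [ -n "$absent" ]; then
        printf 'Missing collections:\n%s\n' "$absent"
    else
        echo "All required collections are installed."
    fi

    # The package registers the bouncer with the local API; it must be listed here.
    cscli bouncers list

    if bouncer_blocks 203.0.113.10; then
        echo "Bouncer blocks test IP: OK"
    else
        echo "Bouncer did NOT block the test IP: check the bouncer service and 'cscli bouncers list'" >&2
    fi
fi
```

Run it after the restart step above; a missing collection means the corresponding parsers and scenarios are not loaded, and a failed block test usually points at a bouncer that is installed but not running or not registered with the local API.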
WordPress integration
Visit the detailed guide here: