Update 02-crowdsec.md

Marvin 2025-04-06 19:26:43 +02:00 committed by GitHub
parent 593ceb3667
commit 19a5721846
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1,20 +1,20 @@
# Crowdsec # Crowdsec
CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It is an open-source massively multiplayer firewall that analyzes visitor behavior and provides an adapted response to all kinds of attacks. CrowdSec is a modern, open-source, collaborative behavior detection engine, integrated with a global IP reputation network. It functions as a massively multiplayer firewall, analyzing visitor behavior and responding appropriately to various types of attacks.
## Installation ## Installation
Crowdsec can be installed with the Pangolin Installer. Crowdsec can be installed using the Pangolin Installer.
## Configuration ## Configuration
By default Crowdsec is installed with a very basic configuration including the [Crowdsec Bouncer Traefik plugin](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin). By default, Crowdsec is installed with a basic configuration, which includes the [Crowdsec Bouncer Traefik plugin](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin).
### Choose the right logs ### Choose the right logs
#### Syslog #### Syslog
For systems with Syslog these volumes has to be added in `docker-compose.yml`. For systems utilizing Syslog, the following volumes should be added to the `docker-compose.yml` file:
```yaml ```yaml
service: service:
crowdsec: crowdsec:
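Review bot: the compose snippet at `service:` / `crowdsec:` uses the top-level key `service:`, but the Compose file format's top-level key is `services:`; as written, the volume block would not be attached to the crowdsec service. Suggest `services:` here and in the other compose snippets in this file, since they all repeat the same key. Minor: the new text mixes `Crowdsec` (heading, "Crowdsec can be installed") and `CrowdSec` (first paragraph); the project spells it CrowdSec, so the rewrite is a good moment to pick one spelling.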
@ -23,7 +23,7 @@ service:
- /var/log/syslog:/var/log/syslog:ro - /var/log/syslog:/var/log/syslog:ro
``` ```
Add a `syslog.yaml` file to `/config/crowdsec/acquis.d` with the following content. Create a `syslog.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml ```yaml
filenames: filenames:
- /var/log/auth.log - /var/log/auth.log
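Review bot: the acquisition file at `filenames:` / `- /var/log/auth.log` reads a path that must also be bind-mounted into the container, and the only mount visible in the preceding snippet is `- /var/log/syslog:/var/log/syslog:ro`; confirm that `/var/log/auth.log` is among the elided volume lines or add `- /var/log/auth.log:/var/log/auth.log:ro`, otherwise the syslog setup silently reads nothing from that file. The sentence "Create a `syslog.yaml` file under `/config/crowdsec/acquis.d`" also does not say whether that is the host-side path or the path inside the container; given the later `/config/traefik` to `/etc/traefik/ban.html` pairing it is presumably the host path, and stating that would avoid readers creating the file in the wrong place.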
@ -34,9 +34,12 @@ labels:
#### Journalctl #### Journalctl
Run `iptables -A INPUT -j LOG --log-prefix "iptables: "` on your host system to log iptables into jounralctl. To log iptables to journalctl, execute the following command on your host system:
```bash
iptables -A INPUT -j LOG --log-prefix "iptables: "
```
Adjusted `docker-compose.yml`. Update the `docker-compose.yml` file as follows:
```yaml ```yaml
service: service:
crowdsec: crowdsec:
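Review bot: the newly fenced command `iptables -A INPUT -j LOG --log-prefix "iptables: "` has no match criteria, so it logs every packet that reaches that point of the INPUT chain, and like any iptables rule it is lost on reboot unless saved (for example with the iptables-persistent package and `netfilter-persistent save`). Suggest stating both in the text, and optionally adding `-m limit` to the rule so the journal is not flooded. The `"iptables: "` prefix is also what the acquisition filter keys on, so the text should say not to change it.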
@ -50,7 +53,7 @@ service:
- /var/log/journal:/var/log/host:ro - /var/log/journal:/var/log/host:ro
``` ```
Add a `journalctl.yaml` file to `/config/crowdsec/acquis.d` with the following content. Create a `journalctl.yaml` file under `/config/crowdsec/acquis.d` with the following content:
```yaml ```yaml
source: journalctl source: journalctl
journalctl_filter: journalctl_filter:
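Review bot: the volume line `- /var/log/journal:/var/log/host:ro` mounts the host journal at a non-default path inside the container, so the `journalctl_filter:` list (elided in this hunk) has to include `-D /var/log/host` (journalctl's `--directory` option) for the container's journalctl to read the host journal at all; since that is the one non-obvious line in the file, suggest showing it in the visible part of the snippet rather than leaving it in the cut-off context.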
@ -59,37 +62,36 @@ labels:
type: syslog type: syslog
``` ```
### Secure host system (SSH) ### Securing the Host System (SSH)
By defautl only Traefik requests are secured through the crowdsec bouncer. If you also want to protect your host system eg. ssh you have to add a firewall bouncer to your host system. By default, only Traefik requests are secured through the Crowdsec bouncer. To extend protection to your host system (e.g., SSH), follow these steps to add a firewall bouncer:
1. Install the Crowdsec repositories. [Documentation](https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec/#install-our-repositories) 1. Install the Crowdsec repositories. Refer to the [installation documentation](https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec/#install-our-repositories):
```bash ```bash
curl -s https://install.crowdsec.net | sudo sh curl -s https://install.crowdsec.net | sudo sh
``` ```
2. Install the firewall bouncer. [Documentation](https://docs.crowdsec.net/u/bouncers/firewall/) 2. Install the firewall bouncer. For Debian/Ubuntu systems using IPTables, refer to the [documentation](https://docs.crowdsec.net/u/bouncers/firewall/):
Just for Debian/Ubuntu using IPTables, see documentation link for other options!
```bash ```bash
sudo apt install crowdsec-firewall-bouncer-iptables sudo apt install crowdsec-firewall-bouncer-iptables
``` ```
3. Create an API key for the firewall bouncer to be able to communicate with your crowdsec docker container. ("vps-firewall" can be changed, it is just the name for the key) 3. Create an API key for the firewall bouncer to communicate with your CrowdSec Docker container. ("vps-firewall" is a placeholder name for the key):
```bash ```bash
docker exec -it crowdsec cscli bouncers add vps-firewall docker exec -it crowdsec cscli bouncers add vps-firewall
``` ```
4. Copy the dispalyed API key and paste it into the bouncer config file. 4. Copy the dispalyed API key and insert it into the bouncer's configuration file:
```bash ```bash
nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
``` ```
5. Restart the firewall bouncer. 5. Restart the firewall bouncer:
```bash ```bash
systemctl restart crowdsec-firewall-bouncer systemctl restart crowdsec-firewall-bouncer
``` ```
6. Add the communication port `8080` to your crowdsec container in `docker-compose.yaml` and restart the crowdsec container. 6. Update the `docker-compose.yml` file to expose communication port `8080` for the CrowdSec container and restart the container:
```yaml ```yaml
service: service:
crowdsec: crowdsec:
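Review bot: step 4 still reads `Copy the dispalyed API key` in the new text; the rewrite missed the typo (`displayed`). Two consistency points in the same list: steps 1 and 2 use `sudo`, but step 4's `nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml` and step 5's `systemctl restart crowdsec-firewall-bouncer` do not, although both need root; and the list mixes "Crowdsec" and "CrowdSec". Step 4 should also name the keys in the bouncer YAML that change: the token goes into `api_key`, and `api_url` has to point at the container's published port from step 6, since the file ships pointing at a host-local LAPI that does not exist in this setup.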
@ -98,7 +100,12 @@ service:
- 8080:8080 - 8080:8080
``` ```
Use `docker exec crowdsec cscli metrics` to verify the working communication between firewall bouncer and crowdsec container, you should see something like this: 7. Verify communication between the firewall bouncer and the CrowdSec container by running:
```bash
docker exec crowdsec cscli metrics
```
The output should look like this:
```bash ```bash
+------------------------------------------------------------------+ +------------------------------------------------------------------+
| Local API Bouncers Metrics | | Local API Bouncers Metrics |
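Review bot: `- 8080:8080` publishes the CrowdSec Local API on every host interface, while the only client added in this section is the firewall bouncer on the same host; `- 127.0.0.1:8080:8080` is sufficient and keeps the LAPI off the network. This matters because traffic to a Docker-published port is handled in the FORWARD/DOCKER chains rather than INPUT, so host INPUT rules (including the LOG rule added earlier in this file) do not cover it. For the verification step, `docker exec crowdsec cscli bouncers list` shows whether the key created in step 3 has been used, from which address and when it last pulled, which is a more direct check than the metrics table.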
@ -111,16 +118,16 @@ Use `docker exec crowdsec cscli metrics` to verify the working communication bet
+---------------------------+----------------------+--------+------+ +---------------------------+----------------------+--------+------+
``` ```
### Custom ban.html ## Custom Ban Page
You can show your attackers a custom ban page. [Documentation](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/custom-ban-page) To display a custom ban page to attackers, follow these steps:
1. Place a ban.html page in your `/config/traefik` folder. If you don't want to create your own page you can use this official example page. 1. Place a `ban.html` page in the `/config/traefik` directory. If you prefer not to create your own, you can download the official example:
```bash ```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html
``` ```
2. Add the following line to you `/config/traefik/dynamic_config.yml` file. 2. Update the `/config/traefik/dynamic_config.yml` file to include the following:
```yaml ```yaml
http: http:
middlewares: middlewares:
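Review bot: `wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/ban.html` fetches the GitHub HTML page that wraps the file, not the file itself, so the saved `ban.html` would be a GitHub page; use the raw form of the same path (`https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/main/ban.html`) and, since step 1 wants it in `/config/traefik`, run it from that directory or pass `-O /config/traefik/ban.html`. Two structural points: the heading changes from `###` to `## Custom Ban Page` while the preceding `### Securing the Host System (SSH)` stays at `###`, which makes this section a sibling of "Configuration" instead of a child; and the rewrite drops the link to the plugin's custom-ban-page example that the old sentence carried, which was the only pointer to the upstream documentation.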
@ -130,16 +137,16 @@ http:
banHTMLFilePath: /etc/traefik/ban.html banHTMLFilePath: /etc/traefik/ban.html
``` ```
### Custom captcha.html ## Custom Captcha Page
To use captcha you have to provide and configure a captcha.html. [Documentation](https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/captcha) To use a custom captcha page, follow these steps:
1. Place a captcha.html page in your `/config/traefik` folder. If you don't want to create your own page you can use this official example page. 1. Place a `captcha.html` page in the `/config/traefik` directory. If you don't want to create your own, you can download the official example:
```bash ```bash
wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/captcha.html wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/captcha.html
``` ```
2. Add the following line to you `/config/traefik/dynamic_config.yml` file and replace <...> with your credentials. 2. Update the `/config/traefik/dynamic_config.yml` file with the following configuration, replacing `<SERVICE>` with your captcha provider (e.g. hCaptcha, reCaptcha, Turnstile), and `<KEY>` with the appropriate site and secret keys:
```yaml ```yaml
http: http:
middlewares: middlewares:
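Review bot: same download problem as the ban page: `wget https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/blob/main/captcha.html` saves the GitHub HTML page rather than the file; the raw URL for the same path is needed, and the command should target `/config/traefik`. The rewrite also drops the link to the plugin's captcha example that the old sentence had. The expanded wording for `<SERVICE>` and `<KEY>` is an improvement; it would be worth adding that `captchaSecretKey` is the provider's server-side secret, so `/config/traefik/dynamic_config.yml` should be treated as a credential file (restricted permissions, not committed anywhere).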
@ -148,17 +155,21 @@ http:
crowdsec: crowdsec:
captchaHTMLFilePath: /etc/traefik/captcha.html captchaHTMLFilePath: /etc/traefik/captcha.html
captchaGracePeriodSeconds: 300 captchaGracePeriodSeconds: 300
captchaProvider: <SERVICE> #your service hcaptcha, recaptcha or turnstile captchaProvider: <SERVICE>
captchaSiteKey: <KEY> captchaSiteKey: <KEY>
captchaSecretKey: <KEY> captchaSecretKey: <KEY>
``` ```
### Testing ## Testing
You can test your configuration with the following commands. You will get banned for just 1 minute. You can test your configuration by adding a temporary ban or captcha for your IP. The ban will last for one minute.
To add a ban:
```bash ```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type ban docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type ban
``` ```
To trigger a captcha challenge:
```bash ```bash
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type captcha docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type captcha
``` ```
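Review bot: the testing step bans `<YOUR IP>` for one minute, and because the firewall bouncer from the SSH section enforces every `ban` decision on the host, running the ban command from the same address will also drop your SSH session for that minute; this deserves a sentence, along with `docker exec crowdsec cscli decisions delete --ip <YOUR IP>` to lift the test decision early. `<YOUR IP>` should be the address Traefik sees for you (the public source address when testing from outside, not a LAN address), and the `captcha` decision is only acted on by the Traefik bouncer, not the firewall bouncer, so only the ban test touches SSH. Removing `#your service hcaptcha, recaptcha or turnstile` from the YAML is fine now that the step 2 text lists the providers.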