Hello everyone! Before the New Year, we released a large update of our product - CrowdSec v.1.0.X, which contains significant changes compared to the previous version. Most importantly, the local REST API was put into operation and the corresponding architectural changes were made. As a result, the process of creating bouncers has been greatly simplified and their stability has been increased, while the time for system maintenance has decreased.
In this article you will find the basics of how CrowdSec was redesigned; it can also be read as a user guide for those who are going to try our product on their systems.
CrowdSec ( , cscli ) REST API, . , SQLite, PostgreSQL MySQL.
, CrowdSec Linux Server. :
CrowdSec
-
CrowdSec Debian 10 buster t2.medium EC2. nginx:
Debian 10 buster t2.medium EC2.
, nginx:
$ sudo apt-get update
$ sudo apt-get install nginx
, ssh (tcp / 22) http (tcp / 80) . .
CrowdSec
CrowdSec ( GitHub):
$ curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url | cut -d '"' -f 4 | wget -i -
$ tar xvzf crowdsec-release.tgz
$ cd crowdsec-v1.0.0/
$ sudo ./wizard.sh -i
, ,
. nginx, sshd Linux-.
- :
, CrowdSec . , .
- , . , Crowdsecurity/sshd sshd ssh .
, ( , CrowdSec ), .
, ( , ).
- , IP-. , , CrowdSec. .
CrowdSec .
CrowdSec
, CrowdSec , , «».
- wapiti
- nginx wapiti IP-.
ATTACKER$ wapiti -u http://34.248.33.108/
[*] Saving scan state, please wait…
Note
========
This scan has been saved in the file /home/admin/.wapiti/scans/34.248.33.108folderb753f4f6.db
…
«»:
, IP :
- crowdsecurity/http-path-traversal-probing: URI GET
- crowdsecurity/http-sqli-probbing-detection: SQL- URI GET
, , , nginx-, . , , -.
, - nginx, , , -.
cscli
CrowdSec cscli. - :
cscli decisions list, , , cscli alerts list ( - ).
- , cscli alerts inspect -d <ID> (ID , . ).
cscli , . , :
- . «tail the logfile» - metabase dashboard prometheus.
cscli dashboard setup metabase , . :
: Prometheus
, -, , Prometheus metabase.
, cscli metrics:
, cscli metrics Prometheus. , , (!) Prometheus CrowdSec. , Prometheus :
- Buckets: , / ;
- Acquisition: / , / ;
- Parser: / ;
- Local API: . .
cscli, . Prometheus Grafana. :
:
, CrowdSec . , . : CrowdSec , .
cs-firewall-bouncer. IP iptables nftables. , sudo cscli decisions delete -i X.X.X.X ( X.X.X.X - IP-).
- GitHub:
$ tar xvzf cs-firewall-bouncer.tgz
$ cd cs-firewall-bouncer-v0.0.5/
:
, REST API, , :
sudo cscli bouncers list , .
, , IP . , . .
, , - .
:
ATTACKER$ curl --connect-timeout 1 http://34.248.33.108/
curl: (28) Connection timed out after 1001 milliseconds
, :
, cs-firewall-bouncer nftables, iptables. nftables ( debian 10 ) crowdsec crowdsec6 ( ipv4 ipv6 ).
$ sudo nft list ruleset
…
table ip crowdsec {
set crowdsec_blocklist {
type ipv4_addr
elements = { 3.22.63.25, 3.214.184.223,
3.235.62.151, 3.236.112.98,
13.66.209.11, 17.58.98.156, …
}
}
chain crowdsec_chain {
type filter hook input priority 0; policy accept;
ip saddr @crowdsec_blocklist drop
}
}
table ip6 crowdsec6 {
set crowdsec6_blocklist {
type ipv6_addr
}
chain crowdsec6_chain {
type filter hook input priority 0; policy accept;
ip6 saddr @crowdsec6_blocklist drop
}
}
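As an added example (not code from the original article or from the CrowdSec project), the following Python parses `nft list ruleset` output in the shape shown above, extracts the blocklist sets and reports whether a given source address would be dropped by the crowdsec chains. The ruleset text and the addresses in it are constructed placeholders, not real decisions.

```python
import ipaddress
import re

# Constructed sample of `nft list ruleset` output, shaped like the tables the
# firewall bouncer creates; addresses are documentation ranges, not real data.
SAMPLE_RULESET = """\
table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
		elements = { 192.0.2.10, 198.51.100.0/24,
			     203.0.113.77 }
	}
	chain crowdsec_chain {
		type filter hook input priority 0; policy accept;
		ip saddr @crowdsec_blocklist drop
	}
}
table ip6 crowdsec6 {
	set crowdsec6_blocklist {
		type ipv6_addr
		elements = { 2001:db8::1 }
	}
	chain crowdsec6_chain {
		type filter hook input priority 0; policy accept;
		ip6 saddr @crowdsec6_blocklist drop
	}
}
"""


def parse_blocklists(ruleset: str) -> dict:
    """Return {set_name: [ip_network, ...]} for every named set in the ruleset.

    Elements may span several lines and may be single hosts or CIDR prefixes;
    a set with no `elements` line (an empty set) yields an empty list."""
    sets, current, collecting, buf = {}, None, False, ""
    for line in ruleset.splitlines():
        line = line.strip()
        m = re.match(r"set (\S+) \{", line)
        if m:
            current, sets[m.group(1)] = m.group(1), []
            continue
        if current is None:
            continue
        if line == "}" and not collecting:   # empty set closed
            current = None
            continue
        if line.startswith("elements = {"):
            collecting, buf = True, line.split("{", 1)[1]
        elif collecting:
            buf += " " + line
        if collecting and "}" in buf:
            body = buf.split("}", 1)[0]
            sets[current] = [ipaddress.ip_network(e.strip(), strict=False)
                             for e in body.split(",") if e.strip()]
            collecting, current = False, None
    return sets


def is_dropped(ruleset: str, address: str) -> bool:
    """True if an input chain's `saddr @set drop` rule matches `address`."""
    addr = ipaddress.ip_address(address)
    sets = parse_blocklists(ruleset)
    for m in re.finditer(r"ip6? saddr @(\S+) drop", ruleset):
        for net in sets.get(m.group(1), []):
            if net.version == addr.version and addr in net:
                return True
    return False
```

On a real host, feed it the output of `sudo nft list ruleset` to confirm that an address listed by `cscli decisions list` is actually covered by the drop rule.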
iptables nftables, , /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml , iptables ipset.
, , /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml, , nftables iptables ( iptables ipset).
, . , CrowdSec. :