CrowdSec integration

AdamM

For admin and clients

Hi
Enhance currently there is no protection against attacks, e.g. against attacks on ssh ports, ftp, mail, etc.
There is a free solution that is very good, the reference is to CrowdSec - https://www.crowdsec.net/
I have been using CrowdSec with Plesk for many months and it protects my servers very well. Fends off hundreds of attacks a day.

What is CrowdSec?

CrowdSec is an open-source and lightweight software that allows you to detect peers with malevolent behaviors and block them from accessing your systems at various levels (infrastructural, system, applicative).
To achieve this, CrowdSec reads logs from different sources (files, streams ...) to parse, normalize and enrich them before matching them to threats patterns called scenarios.
CrowdSec is a modular and plug-able framework. It ships a large variety of well-known popular scenarios; users can choose what scenarios they want to be protected from as well as easily add new custom ones to better fit their environment.
Detected malevolent peers can then be prevented from accessing your resources by deploying bouncers at various levels (applicative, system, infrastructural) of your stack.
One of the advantages of CrowdSec when compared to other solutions is its crowd-sourced aspect: Meta information about detected attacks (Source IP address, time, and triggered scenario) is sent to a central API and then shared amongst all users.
Thanks to this, besides detecting and stopping attacks in real-time based on your logs, it allows you to preemptively block known bad actors from accessing your information system.

More info here: https://doc.crowdsec.net/docs/intro

Its also possible integrate CrowdSec with docker, so it's a perfect solution for Enhance, which uses the docker in its main mind: https://hub.docker.com/r/crowdsecurity/crowdsec

What do you guys think about this integration?
@Adam and @Aliysa_Enhance Is it possible to integrate from a technical point of view?

Kindly regards

Adam

From an initial look, Crowdsec seems to need access to log files and the ability to inject firewall rules.

You can probably make it work without any "official" support from Enhance.

Official support (Enhance configures, starts and monitors Crowdsec for you) we can consider as a feature request. As always, please like the original post if this is something which is of interest.

necrom

I need to get my head around the IP sharing aspects from a GDPR/DPA perspective (as the visitors giving their IP are not my customers and not viewing my privacy policy) but it otherwise seems like it'd be the same implementation method as fail2ban and useful.

kyzoeadmin

I can only Support Crowdsec, as it is great as a replacement for fail2ban, we have used it on all our server until now. It does a great job and for the GDPR concerns @necrom It is a European Company (from france) and they do comply to the GDPR laws. find more her: https://www.crowdsec.net/faq

We constantly enforce three principles:
Collect the minimum possible data, only one in this case: the aggressive IP. (Time & scenario are not private data per se)
We only keep them only for the necessary period of time
Anyone will be able to remove its IP from our database (but it can be reintroduced automatically if the IP was not cleaned, and the cooldown between request is getting exponentially longer)
Lawyers are also contracted to review our policies and validate that our processes are GDPR compliant. We will, very soon, release more details and legal work around those points, as well as update our website’s footer & cookies to be fully compliant with international regulations. More information about our compliance to GDPR can be found in this dedicated section.

necrom

kyzoeadmin Thanks for the details. Yes I'm sure they'll have themselves covered, I just need to double check I am covered and making clear to my customers than they should make clear to their customers/visitors that this third party data sharing is going on (my problem not enhance, crowdsecs or yours). Looks good.

mendozal

Has anyone had any luck making crowdsec work with ufw?

kyzoeadmin

I am looking to create a tutorial to make this work, but have so little time. we run crowdsec on all our server except enhance.

Rob-PressWizards

@AdamM I have a handful of Plesk servers, can you share details of how you have it added to Plesk? Do you deactivate fail2ban and then install it like normal, or ? I have found zero info on Plesk and Crowdsec in my searches.

mike

Rob-PressWizards crowdsec and fail2ban scan logs to make a decision. i believe you can install them both on the system. just go to the crowdsec docs and install it via ssh. you need to know what you are doing 🙂. try it on a test server with a couple of sites.

MD6

On their pricing page, it says that the On-demand IP intelligence is 50/day (web only). What is On-demand IP intelligence?

mike

MD6 On-demand IP intelligence .. you can check the reputation of the IP marked by other crowdsec systems. on the free plan there is a limit of 50/day.

MediaServe

My initial foray into CrowdSec installation on Enhance (disclaimer: I'm new to each) seems to require one or more "bouncers" to take action on IP addresses. The simplest way to block bad actors is the firewall bouncer (https://doc.crowdsec.net/docs/bouncers/firewall) which works with iptables/nftables/ipset/pf but not ufw.

I'm also new to Ubuntu and have no experience with ufw yet.

If the firewall bounce can be made to work, the only thing it will do is block IPs known by CrowdSec to be problematic.

Parsers and Collections such as Apache2 (https://hub.crowdsec.net/author/crowdsecurity/collections/base-http-scenarios) can be installed to handle malicious actors as long as the log format is compatible or able to be added or modified, and I'm not that far long in terms of the learning curve of Enhance, but the first things to come to mind are:

Will the Apache logs within each website container be compatible or simple to in the Apache config?
Will it be necessary to install the Apache2 collection on each website container (seems that would be required) and is that possible? Can it coordinate with the default installed CrowdSec agent installed by root among various containers?

AdamM

Ok so.. I use only iptables firewall in CrowdSec.
the only problem is that all services not start automatically after a server restart.
in order to rectify this it is necessary:

In /etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service commented out the
"Before=netfilter-persistent.service"
line.

Now all services start on reboot.
I am not responsible for damage to the server. please test it on the development server.

And this my accquis.yaml file to protect ssh, postfix and dovecot

#Generated acquisition file - wizard.sh (service: apache2) / files : 
journalctl_filter:
 - _SYSTEMD_UNIT=apache2.service
labels:
  type: apache2
---
#Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
#Generated acquisition file - wizard.sh (service: mysql) / files : 
journalctl_filter:
 - _SYSTEMD_UNIT=mysql.service
labels:
  type: mysql
---
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log
filenames:
  - /var/log/syslog
  - /var/log/kern.log
labels:
  type: syslog
---
#Postfix - Enhance - logs
filenames:
  - /var/local/enhance/email/data/logs/postfix/postfix.log
labels:
  type: syslog
---
#Dovecot - Enhance - logs
filenames:
  - /var/local/enhance/email/data/logs/dovecot/dovecot.log
labels:
  type: syslog
---
# LiteSpeed - Enhance - logs
#filenames:
#  - /var/local/enhance/webserver_logs/*.log
#labels:
#  type: litespeed
#---

MediaServe

AdamM Thanks! My initial Enhance server is running a single site of not particular importance, so no problem there!

The iptables bouncer seems to work fine.

The apache2 service is not available to systemd, so I doubt the installed parser will do anything. It also seems that Enhance stats clear the apache access logs whenever they run (not sure how frequently), and apache runs individually within each website container. It would have hook into the Enhance website provisioning somehow.

CrowdSec is blocking some things, but I'm not sure whether it can yet approach anything as robust as cPanel with either cPGuard or Imunity360.

Adrien

AdamM Thank you very much Adam for taking the time to do this tuto and share your accquis.yaml file.
After reading, I don't think it is wise for me to touch this right now considering my level ;-) I'll pass on this one.
I hope we will have something official/integrated into Enhance sooner or later.

manu

+1 for this. It would be great if we can get a quick documentation on how to install and test similar to Redis discussion we had sometime back.

AdamM

Adrien I would also like the integration with crowdsec to be done correctly by Enhance. This would increase the security of our servers.
I have hundreds of attacks a day that Crowdsec block.

MediaServe

Adrien It's rather simple to install CrowdSec and add the iptables bouncer. At least that will stop some abuse from CrowdSec's known bad IPs. That's worth something, and the free option is affordable. When Enhance adds mod_security to Apache that should further improve security somewhat.

Plus the email logs are centralized on Enhance and CrowdSec seem to have support for Dovecot/Postfix (not sure yet about rspamd) so perhaps brute email brute force attacks, malformed requests and perhaps even some spam can be mitigated. It would just be more difficult without Enhance support to implement the Apache parser, it seems.

Data sources for email log files need to be defined, and so far the documented procedures (documentation is abundant but a bit obscure) is not working correctly, but once I figure that out I'll be happy to provide details.

Missing in CrowdSec is a good WAF (similar to cPGuard/Imunify360) and malware scanning/protection.

AdamM

MediaServe Dovecot/Postfix -It seems to me to be working well and I have dozens of attacks a day blocked by unauthorised access

MediaServe

Nice!

I installed https://hub.crowdsec.net/author/crowdsecurity/configurations/dovecot-logs and then consulted https://docs.crowdsec.net/docs/data_sources/file for information to build the DSN but it doesn't seem to work? Any info on how you did it?