hwcltjn What I did:
Install crowdsec security engine (not the ip bouncer yet)
You can install more collection scenarios, for example apache, nginx, etc. from the crowdsec hub.
Each scenario will come with instructions on how to configure the acquisition file to tell it where the logs are.
You can edit this file: /etc/crowdsec/acquis.yaml, to add those configurations (I'll share my configuration file below)
Once you have all the scenarios you need, you can check if the logs are being parsed correctly doing:
sudo cscli metrics
Once you're satisfied you can install the iptables bouncer.
Once the bouncer is installed and before starting the service, you need to edit the configuration file:
- In the section "iptables_chains", you need to uncomment - DOCKER-USER, so the rules work for docker too.
- An additional thing I needed to do was to set: disable_ipv6: true, if you have it enabled, the bouncer won't start. I couldn't determine why yet.
Once those changes are made you can start the iptables bouncer.
And that's it.
Example: My crowdsec config file: acquis.yml
I'm just testing crowdsec in an email server, only email related and ssh rules are installed.
#Generated acquisition file - wizard.sh (service: ssh) / files : /var/log/auth.log
#Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/kern.log