Author: Jeff Pitney. Last Updated: Mon, Jun 13, 2022
CrowdSec is an open-source security platform designed to prevent cyberattacks by crowd-sourcing IP addresses used by hackers and bots. Inspired by Fail2Ban, and written in Golang, this Intrusion Prevention System (IPS) is divided into two parts:
Agent - The agent is used to detect, catalog, report, and make decisions about potential threats. This service can be loaded in a stand-alone environment or used by multiple servers to reduce the workload of your internet-facing applications. By design, the CrowdSec agent shares a minimal amount of aggregate data from your server (or servers) with CrowdSec to be distributed to all CrowdSec installations. CrowdSec is GDPR compliant, and has committed to remain free as long as you contribute data from your agent to the community.
Bouncer - The bouncer is designed to act on decisions made by the agent, and block threats from accessing your servers. Bouncers are purpose-driven for specific threats based on an application or an entire system firewall. Bouncers can be customized to fit virtually any use case, and a growing number are being developed regularly, available from the CrowdSec hub.
Installation of the agent and bouncer is independent of each other, but without a bouncer, there is no active prevention of threats. This guide uses the firewall bouncer, an official bouncer developed by the CrowdSec team to block threats using supported Linux firewalls and packet filters.
A stand-alone instance of CrowdSec is useful for lower volume servers or where the added complexity of a central CrowdSec server is not needed. In this guide, the server is deployed without creating a Vultr firewall. This is done to demonstrate CrowdSec alerts and decisions, which will likely occur given the number of attack bots that operate continuously. In a production setting, a Vultr firewall should also be configured to provide increased protection against cyber attacks.
Log in to the server using SSH with a non-root user that has sudo privileges.
ssh example_user@<ip address of your cloud server>
Download a script that adds the packagecloud.io repository to your sources list and a packagecloud.io GPG key to verify downloads. This is the repository used by CrowdSec to distribute its packaged software.
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
To confirm that the install was complete, run the following command.
sudo systemctl status crowdsec
The result should be similar to the following output:
crowdsec.service - Crowdsec agent
     Loaded: loaded (/lib/systemd/system/crowdsec.service; enabled; vendor pres>
     Active: active (running) since ...
    Process: 14621 ExecStartPre=/usr/bin/crowdsec -c /etc/crowdsec/config.yaml >
   Main PID: 14626 (crowdsec)
      Tasks: 9 (limit: 1132)
     Memory: 60.6M
        CPU: 5.084s
     CGroup: /system.slice/crowdsec.service
             └─14626 /usr/bin/crowdsec -c /etc/crowdsec/config.yaml
...
You can confirm that your server is active using the CrowdSec CLI. The CrowdSec CLI is used to manage CrowdSec, and most commands follow the format cscli <FocusArea> <Command>. To see a list of machines, enter:
sudo cscli machines list
This will output a table of results, including your cloud server and a checkmark indicating the status is active.
| NAME | IP ADDRESS | LAST UPDATE | STATUS | VERSION |
Install the firewall bouncer to use data from the CrowdSec agent to prevent intrusions into your system. Without installing a bouncer, your system is not protected. This command uses the iptables firewall (which will be installed if not already on your server).
sudo apt install crowdsec-firewall-bouncer-iptables -y
Confirm that the bouncer is installed and running. The output shows a similar active (running) status as with the agent.
sudo systemctl status crowdsec-firewall-bouncer.service
Although not assured, it is likely that within 15 or 20 minutes of CrowdSec running on a cloud server without a Vultr firewall, it will have banned one or more IP addresses. Enter these commands to explore CrowdSec and to view these alerts and decisions.
sudo cscli alerts list
sudo cscli decisions list
cscli metrics
The CrowdSec installation is complete. The agent parses logs, reports potential intrusion attempts, and collects IP addresses from within the CrowdSec ecosystem. The bouncer makes the internal firewall self-updating, adding dangerous IP addresses to the block list as they are reported and confirmed by CrowdSec.
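A ban that appears in cscli decisions list is only useful if the bouncer has actually pushed it into the firewall. The following added example (not part of the original guide) compares the active ban decisions with the ipset the iptables bouncer maintains and checks that the INPUT chain drops traffic matching that set. It assumes the set is named crowdsec-blacklists and that cscli decisions list -o json returns alerts carrying a "decisions" list; the SAMPLE_* values are constructed output used when the real commands are not available.

```python
"""Added example (not from the original guide): verify that bans CrowdSec decided on are enforced by
the iptables bouncer. Assumed: ipset name crowdsec-blacklists; `cscli decisions list -o json` gives
alerts with a "decisions" list. The SAMPLE_* outputs are constructed, used when commands are absent."""
import json, re, subprocess
IPSET_NAME = "crowdsec-blacklists"  # assumed default set name of the iptables bouncer
# Constructed sample outputs, used when the real commands are unavailable (e.g. offline).
SAMPLE_DECISIONS = ('[{"decisions": [{"type": "ban", "scope": "Ip", "value": "203.0.113.7"},'
                    ' {"type": "ban", "scope": "Ip", "value": "198.51.100.9"}]}]')
SAMPLE_IPSET = "Name: crowdsec-blacklists\nType: hash:net\nMembers:\n203.0.113.7 timeout 14391\n"
SAMPLE_IPTABLES = "-P INPUT ACCEPT\n-A INPUT -m set --match-set crowdsec-blacklists src -j DROP\n"

def run(cmd):
    """Run a command via sudo and return stdout, or "" if it fails or is missing."""
    try:
        return subprocess.run(["sudo", *cmd], capture_output=True, text=True, check=True).stdout
    except (subprocess.CalledProcessError, FileNotFoundError):
        return ""

def banned_ips_from_decisions(json_text):
    """IPs with an active 'ban' decision; accepts a list of alerts or a flat list of decisions."""
    decisions = []
    for item in json.loads(json_text or "[]") or []:
        decisions.extend(item.get("decisions", [item]))
    return {d["value"] for d in decisions
            if d.get("type") == "ban" and d.get("scope", "Ip").lower() == "ip"}

def ipset_members(ipset_list_text):
    """Parse `ipset list NAME`: lines after 'Members:' are 'addr [timeout N]' -> {addr: timeout}."""
    members, in_members = {}, False
    for line in ipset_list_text.splitlines():
        if line.strip() == "Members:":
            in_members = True
        elif in_members and line.strip():
            m = re.search(r"timeout (\d+)", line)
            members[line.split()[0]] = int(m.group(1)) if m else None
    return members

def input_drops_set(iptables_s_text, setname=IPSET_NAME):
    """True if the INPUT chain drops packets whose source matches the ipset."""
    pat = re.compile(rf"^-A INPUT .*--match-set {re.escape(setname)} src .*-j DROP")
    return any(pat.search(line) for line in iptables_s_text.splitlines())

def audit(decisions_json, ipset_text, iptables_text):
    """Compare decided bans with enforced entries; 'missing' means the bouncer is not applying them."""
    wanted, enforced = banned_ips_from_decisions(decisions_json), set(ipset_members(ipset_text))
    return {"rule_present": input_drops_set(iptables_text), "decided": len(wanted),
            "enforced": len(wanted & enforced), "missing": sorted(wanted - enforced)}

if __name__ == "__main__":
    live = [run(["cscli", "decisions", "list", "-o", "json"]), run(["ipset", "list", IPSET_NAME]),
            run(["iptables", "-S", "INPUT"])]
    print(json.dumps(audit(*[l or s for l, s in zip(live, [SAMPLE_DECISIONS, SAMPLE_IPSET, SAMPLE_IPTABLES])]), indent=2))
```

A non-empty "missing" list or rule_present false means decisions exist in the local API but the firewall is not enforcing them, so check the bouncer service and its registration with cscli bouncers list.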
CrowdSec is just one element of any security infrastructure. It should not be relied upon as the only protection from outside threats. At a minimum, a Vultr firewall should also be configured, along with other best practices such as regular backups, SSH keys for access, and robust monitoring.