crowdsec (WAF)

Last updated: 2024-10-23

Contents

Introduction

CrowdSec is written in Go.

An open-source, lightweight agent that detects and responds to bad behaviour,
backed by a community-wide IP reputation database.

Homepage

Community edition

  • 3 blocklists # refresh every 2 hours
  • Detection & remediation on unlimited machine
  • Local data visualization
  • Data retention: 500 alerts or 7 days
  • On-demand IP intelligence: 50/day
  • 1 CTI API key (low traffic)

Various bouncers (Remediation Components)

 Remediation Components apply the decisions taken by the Security Engine, for example:

  • firewall block,
  • nginx HTTP 403, captchas

 


System requirements

 

Security Engine

  • 1 CPU core
  • 100 MB of free RAM
  • 1GB of free disk space

 


Network

 

Security Engine

  • 8080/tcp for the API
  • 6060/tcp for the Prometheus metrics / Debugging

 


Installation

 

Security Engine

curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey |
 gpg --dearmor > /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg

/etc/apt/sources.list.d/crowdsec_crowdsec.list

deb [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/any any main

apt update

apt install crowdsec    # 1.6.3 [47.4 MB]

Check Version

cscli version

version: v1.6.3-debian-pragmatic-amd64-4851945a
...

 

 


Enroll your CrowdSec Security Engine to Console

 

Console: app.crowdsec.net

Blocklists and installing components from the hub are only available after the engine has been enrolled.

cscli console enroll -e context xxxx

 


Whitelists

 

By default CrowdSec whitelists private LAN IP addresses through the crowdsecurity/whitelists parser
(cscli parsers install crowdsecurity/whitelists)
(/etc/crowdsec/parsers/s02-enrich/whitelists.yaml)

Whitelisting an IP address or event prevents those events from triggering new decisions; decisions that already exist are not removed.

Remove existing decisions for the address first:

cscli decisions delete --ip 192.168.1.1

Whitelist Types

  • Parser (At enrich stage)
  • Postoverflow

Parser (static IP/URL pattern)

Applied while the event is being enriched, i.e. to every event (log line).

/etc/crowdsec/parsers/s02-enrich/

e.g.

01-my-whitelist.yaml

name: my/whitelist                            ## Must be unique
description: "Whitelist events from my IPs"
whitelist:
  reason: "My IPs"
  ip:
    - "192.168.1.1"
  cidr:
    - "192.168.1.0/24"

systemctl restart crowdsec

Postoverflow (rDNS)

Applied only after a scenario has been triggered, so it is evaluated on overflows rather than on every log line.

/etc/crowdsec/postoverflows/s01-whitelist/

Testing your whitelist

grep 192.168.1.1 /var/log/nginx/access.log |
  tail -n 1 | cscli explain -f- --type nginx
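The same match that the enrich-stage whitelist above performs, reproduced offline so a whitelist file can be sanity-checked before restarting the service. This is an added example, not CrowdSec's own code; the whitelist document is embedded as the structure PyYAML's safe_load would return for 01-my-whitelist.yaml, and the duplicate-name check reflects the "must be unique" requirement on the name field.

```python
import ipaddress

# Constructed sample: the parsed form of 01-my-whitelist.yaml from this page.
MY_WHITELIST = {
    "name": "my/whitelist",
    "description": "Whitelist events from my IPs",
    "whitelist": {
        "reason": "My IPs",
        "ip": ["192.168.1.1"],
        "cidr": ["192.168.1.0/24"],
    },
}


def compile_whitelist(doc):
    """Turn the ip/cidr lists into network objects; a malformed entry raises here,
    before the file is deployed, instead of silently matching nothing."""
    wl = doc["whitelist"]
    nets = [ipaddress.ip_network(ip) for ip in wl.get("ip", [])]
    nets += [ipaddress.ip_network(c, strict=False) for c in wl.get("cidr", [])]
    return doc["name"], wl.get("reason", ""), nets


def match_source(doc, source_ip):
    """Return (parser name, reason) if source_ip would be whitelisted, else None.
    IPv6 addresses never match IPv4 networks and vice versa."""
    name, reason, nets = compile_whitelist(doc)
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in nets):
        return name, reason
    return None


def check_unique_names(docs):
    """Parser names must be unique across the stage; return the duplicated ones."""
    seen, dup = set(), set()
    for d in docs:
        (dup if d["name"] in seen else seen).add(d["name"])
    return sorted(dup)
```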

 


Profiles

 

A list of rules that decides which actions CrowdSec takes when a scenario triggers.

/etc/crowdsec/profiles.yaml

* Restart the CrowdSec service to apply the changes (after validating the configuration):

crowdsec -t && systemctl restart crowdsec

 


CLI

 

cscli bouncers list

cscli metrics

cscli decisions list

# Manually add an IP to the ban list

cscli decisions add -i 1.2.3.4 --duration 1h        # block
cscli decisions delete -i 1.2.3.4                         # un-block

 

cscli alerts list

cscli alerts inspect N

cscli config show

# backup

cscli config backup /srv/crowdsec/backup/202202071120

# To see the active blocklists within an engine

cscli metrics show decisions

 

HUB CLI

# the hub components available

cscli hub update

INFO hub index is up to date

# local used components

cscli hub list

INFO Loaded: 129 parsers, 9 postoverflows, 223 scenarios, 6 contexts, 4 appsec-configs, 76 appsec-rules, 123 collections
INFO Unmanaged items: 1 local, 0 tainted

PARSERS
...
SCENARIOS
...
CONTEXTS
...
COLLECTIONS
...

# available components

cscli hub list -a

 


Firewall-bouncer

 

# The main crowdsec package needs a lot of space, so run the Security Engine on a Raspberry Pi and install only the bouncer on the router

# firewall-bouncer install @ Openwrt

To install the firewall bouncer on the OpenWrt device (V21)

opkg update

# requires iptables+ipset or nftables

opkg install crowdsec-firewall-bouncer    # 5 M

opkg install ipset    # pulls in kmod-nfnetlink, kmod-ipt-ipset, libmnl0, libipset13

This provides /usr/bin/cs-firewall-bouncer # 8M

Config(V21)

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

api_url (required)

The url of the Crowdsec local API for the bouncer to connect to.

api_key (required)

The api key for the bouncer as generated when the bouncer is registered to the Crowdsec local API.

filter_input

Enables filtering of the input chain. Useful when services run on the OpenWrt device itself.

filter_forward

Enables filtering of the forward chain. Useful when services run on devices in your network.

interface (required)

The name of the WAN interface.

Checking

cs-firewall-bouncer -t -c /tmp/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

tail -f /var/log/crowdsec-firewall-bouncer.log

nft list table crowdsec    # nftables variant
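What the bouncer does with the decisions it pulls from the Local API, shown as an added example rather than the firewall bouncer's own code: the decision stream is represented by a constructed JSON sample in the shape of the "new"/"deleted" lists the Local API's decisions stream returns, and the in-memory set plays the role of the ipset or nft set seen in the "nft list table crowdsec" output above. The supported decision types and scopes are assumptions modelled on a firewall bouncer that can only drop traffic.

```python
import ipaddress
import json

# Constructed sample of one stream poll: "new" decisions to enforce and "deleted"
# decisions that expired or were removed with "cscli decisions delete".
STREAM_SAMPLE = json.dumps({
    "new": [
        {"value": "1.2.3.4", "type": "ban", "scope": "Ip", "duration": "1h"},
        {"value": "203.0.113.0/24", "type": "ban", "scope": "Range", "duration": "4h"},
        {"value": "198.51.100.9", "type": "captcha", "scope": "Ip", "duration": "1h"},
    ],
    "deleted": [
        {"value": "192.0.2.10", "type": "ban", "scope": "Ip", "duration": "-5m"},
    ],
})

SUPPORTED_TYPES = {"ban"}          # assumption: a firewall can drop, not serve a captcha
SUPPORTED_SCOPES = {"Ip", "Range"}  # assumption: only address-based decisions apply here


def seed(values):
    """Build the blocked set from plain strings (IPs become /32 or /128 networks)."""
    return {ipaddress.ip_network(v, strict=False) for v in values}


def apply_stream(blocked, stream_json):
    """Update the blocked set from one poll; deletions are applied before additions
    so a decision that was deleted and re-added in the same window stays blocked.
    Returns (added, removed, ignored) for logging."""
    data = json.loads(stream_json)
    added = removed = ignored = 0
    for d in data.get("deleted") or []:          # the API may send null, not []
        net = ipaddress.ip_network(d["value"], strict=False)
        if net in blocked:
            blocked.discard(net)
            removed += 1
    for d in data.get("new") or []:
        if d["type"] not in SUPPORTED_TYPES or d["scope"] not in SUPPORTED_SCOPES:
            ignored += 1                          # leave it to a bouncer that can handle it
            continue
        net = ipaddress.ip_network(d["value"], strict=False)
        if net not in blocked:
            blocked.add(net)
            added += 1
    return added, removed, ignored


def is_blocked(blocked, ip):
    """True if ip falls inside any blocked network (what the firewall rule would match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocked)
```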

 

 


Acquisitions

 

The sources of logs that CrowdSec can analyze.

acquis.yaml

 


Hub

 

 


Metrics

 

CrowdSec is instrumented with Prometheus to provide detailed metrics and traceability of what is going on.

Prometheus config

  - job_name: 'crowdsec'
    static_configs:
    - targets: ['crowdsec:6060']

 


API

 

 

Service API

  • Blocklist creation & management
  • Manage endpoints for your Remediation Components

CTI API

The CTI API presents two primary datasets:

  • fire: the content of the community blocklist, with more context.
  • smoke: most of the IPs reported by CrowdSec users.
