¶ CrowdSec
¶ What is CrowdSec?
CrowdSec is an open-source and free Intrusion Detection and Prevention System (IDS/IPS) that leverages community power to detect and neutralize cyber threats. It is a highly viable alternative to the "good old Fail2Ban".
CrowdSec works by installing an agent on each device to be monitored. The agent then sends network data to the CrowdSec server, which analyzes it for anomalies. If a threat is detected, the CrowdSec server can generate an alert or take action to block the threat.
CrowdSec offers a range of features that make it a powerful security tool. These features include:
- Intrusion Detection: CrowdSec can detect a variety of threats, including malware, intrusions, vulnerabilities, and anomalies.
- Active Response: CrowdSec can take automated actions to respond to threats, such as blocking malicious IP addresses or executing customized scripts.
- Artificial Intelligence: CrowdSec uses artificial intelligence to learn from collected data and improve its detection capabilities.
- Collaboration: CrowdSec uses a network of sensors distributed worldwide to share information and enhance detection capability.
¶ Technical Analysis
CrowdSec can analyze network data for anomalies using machine learning. It can take automated actions to respond to threats, including:
- Blocking Malicious IP Addresses: CrowdSec can block malicious IP addresses to prevent attackers from accessing networks.
- Executing Customized Scripts: CrowdSec can execute customized scripts to respond to threats in a specific manner.
¶ Collaboration
CrowdSec uses a network of distributed sensors worldwide to share information and improve detection capability. Each sensor collects network data and sends it to the CrowdSec server. The CrowdSec server analyzes data collected by all sensors to identify threats that a single sensor might not detect.
¶ Why Do We Need This?
CrowdSec is a crowd-based threat prevention system that uses predefined rules and scenarios to detect and mitigate malicious activities in IT infrastructures. It can be a simple and effective solution for businesses needing to improve the security of their existing infrastructure.
¶ Contents
- General Overview of CrowdSec
- Installing CrowdSec on Win Server 2022
- Tips: Adding a Custom List
- Conclusion
- Resources and External Links
In the following pages, the step-by-step procedure for configuring the functions described above will be explained with accompanying explanations.
In this tutorial, we will use a test system based on Hyper-V:
- One machine will act as a hypervisor (Hyper-V) (Always thanks to M. K.ROTH)
- Another machine will act as a "SERVER" → Windows Server 2022
- Another machine will act as a "VM client" → Windows 10
¶ Shortcut Explanation
- Bouncer: A module that acts as a filter. It is a component that makes decisions about incoming connection requests based on predefined security criteria.
- NGINX: Web server, reverse proxy, load balancer, and more.
- IP: Internet protocol
- Win srv: Windows server
¶ General Overview of CrowdSec
The objective of CrowdSec is to be deployed on a server to detect attacks and block them by creating firewall rules on the local machine or directly blocking malicious IP addresses on a WordPress site or an NGINX web server.
CrowdSec stands out for its inherently collaborative nature. When a server is targeted by an attack, the system collects the IP addresses responsible. This information is then sent to a centralized database via an API. This database allows CrowdSec to build and manage a directory of malicious IP addresses, which is then distributed to all CrowdSec instances. This approach helps create a shared community database among all CrowdSec users.
¶ Installing CrowdSec
¶ Warning
Before proceeding, remember that to install CrowdSec, you must create an account on the CrowdSec website. You will then receive code lines for installing the agent and managing it from the cloud.
To install CrowdSec on Linux, simply run the installation via the shell. On the main web interface, click on: Add Security Engine. For Linux operating systems, simply copy-paste the code line presented on your web interface.
On Windows, you will need to install two different packages:
It is recommended to install the package bundle “cs_windows_firewall_installer_bundle.exe” because it includes the NET. Runtime setup, available for download here.
Indeed, installing CrowdSec on Windows requires two separate components:
- Crowdsec
- Cs-windows-firewall-bouncer
This is due to CrowdSec's modular nature and the need to separate core functionality from the additional Windows firewall-specific component.
¶ Detailed Explanation
- CrowdSec: The core of the CrowdSec system, responsible for log analysis, rule enforcement, and threat detection. Installing the "crowdsec" package allows you to run the main CrowdSec engine, which collects and analyzes security data from various sources. This component is essential for identifying malicious behaviors and applying appropriate mitigation actions.
- Cs-windows-firewall-bouncer: An additional Windows-specific component that acts as a "bouncer" in the CrowdSec system. A "bouncer" is responsible for applying mitigation measures when malicious activities are detected. The "cs-windows-firewall-bouncer" updates the Windows firewall to block connections from suspicious or malicious IP addresses identified by CrowdSec. By installing "cs-windows-firewall-bouncer," you enable CrowdSec to interact with the Windows firewall and directly block harmful traffic.
The division into two separate components is a design choice aimed at keeping the system modular and flexible. Installing "crowdsec" provides the core detection and analysis functionality, while "cs-windows-firewall-bouncer" extends this functionality to include direct Windows firewall management. This approach allows users to tailor CrowdSec to their needs and select specific components based on platforms and desired features.
For more information about the engine, visit the CrowdSec Security Engine Introduction.
After installation, restart the CrowdSec service. To access the services window, run:
services.msc
Then, via PowerShell, you can start writing "cscli" to check that the installation was successful.
You will now need to link the target machine to the CrowdSec cloud platform for remote control with the command:
cscli console enroll XXXXX[unique code]XXXXX
Once the command is successfully executed, CrowdSec will request authorization. After activation, your device will appear online.
Ensure the bouncer is correctly installed with the command:
cscli bouncer list
From the web interface, it will be possible to choose the IPs we want to block.
In the free version, only three lists are possible (as of August 2023).
How to Add a Custom List
Unfortunately (at least in the free version), it is not possible to add a custom list. After discussing with an Open Source community manager on LinkedIn, I confirmed that this option is not available in the free version. Therefore, I found a way to add a custom list manually via a PowerShell script.
For this, you can refer to Laurent Minne's famous list (duggytuxy/malicious_ip_addresses) available on GitHub:
Duggy Tuxy Malicious IP Addresses
You can modify the text file on GitHub by inserting a series of commands via Notepad++ or a simple script that adds all the IP addresses, such as:
From the web interface, it will be possible to choose the IPs we want to block. In the free version, only three lists are possible (as of August 2023).
How to Add a Custom List
Unfortunately (at least in the free version), it is not possible to add a custom list. After discussing with an Open Source community manager on LinkedIn, I confirmed that this option is not available in the free version. Therefore, I found a way to add a custom list manually via a PowerShell script.
For this, you can refer to Laurent Minne's famous list (duggytuxy/malicious_ip_addresses) available on GitHub:
Duggy Tuxy Malicious IP Addresses
You can modify the text file on GitHub by inserting a series of commands via Notepad++ or a simple script that adds all the IP addresses, such as:
cscli decision add --ip xxx.xxx.xxx.xxx --duration 9999h --reason “Duggy Tuxy list”
Using the command:
cscli decision list -t ban
you can verify the newly added lists.
¶ Conclusion
As partially explained in the introduction, CrowdSec represents an innovative open-source solution for threat prevention and mitigation. With its collaborative approach based on information sharing and malicious behavior detection, CrowdSec offers advanced defense against brute force attacks, unauthorized access attempts, and other harmful behaviors. The system's modularity allows users to tailor CrowdSec to their infrastructures and specific needs, while the multi-node deployment helps create a community that supports each other in the fight against digital threats.
The true strength of CrowdSec lies in its ability
¶ Resources and External Links
There are many useful links and information about CrowdSec, including numerous videos and web pages that can be helpful. Here are all the resources to be complete:
- CrowdSec Official Troubleshooting Guide
- CrowdSec Official FAQ
- CrowdSec Official Tutorials
- IT CONNECT's Complete Playlist on YouTube: How to Protect Your Server from Attacks with CrowdSec
- Waked XY on YouTube: 2 min to Protect Yourself from HACKERS [CrowdSec]
- Waked XY on YouTube: Detect and Block Hackers [CrowdSec 1.5]