It's basically a self-hosted, crowd-sourced firewall: your instance reports the attackers it sees and pulls the community blocklist in return. Setup is a bit cumbersome but (probably) well worth it :-)
- There are 2 parts to the solution: the agent (analyser) and the bouncer
- The crowdsec container (below) reads your server logs, runs them through the installed parsers and scenarios, and stores the resulting decisions (e.g. "ban this IP for 4h") in its local API
- The bouncer container (below) polls that local API for decisions and enforces them; the Traefik bouncer does this by answering Traefik's forwardAuth requests with 403 for banned IPs and 200 for everyone else
This describes how to set up CrowdSec with the Traefik bouncer. There are other bouncers (e.g. the firewall bouncer for iptables/nftables) if you don't use Traefik.
- Create 2 files with the content shown further down (`acquis.yml` and `docker-compose.yml`). Remember to update the paths to your logs in `docker-compose.yml`: the left side of each volume mount is the host path, the right side is the path inside the container, and `acquis.yml` has to reference the right side. A log that is listed in `acquis.yml` but not mounted is simply never read!
- Start the containers (`docker compose up -d`)
- Wait a minute or so (until it finishes installing the collections); you can follow the logs to see what's going on (`docker compose logs -f`)
- Add the bouncer to the crowdsec instance: `docker exec crowdsec cscli bouncers add traefik-bouncer`
- Copy the API key printed in the command output and paste it into `docker-compose.yml` in the bouncer config (`CROWDSEC_BOUNCER_API_KEY`). The key is shown exactly once and cannot be retrieved later; if you lose it, delete the bouncer and add it again
- Restart the containers (`docker compose up -d` recreates the bouncer with the new key)
- That's it.
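The bring-up steps above scripted end to end, as an added example that is not from the page or the CrowdSec project: it polls the local API instead of sleeping a minute, registers the bouncer, pulls the key out of the cscli output, writes it into `docker-compose.yml` in place of `changeme` and recreates the bouncer. Assumptions not stated on the page: the compose project lives in the current directory, the agent container is named `crowdsec` as in the compose file below, and `cscli bouncers add ... -o raw` prints only the key (cscli's raw output mode).

```shell
#!/bin/sh
# Added example, not part of the original page. Automates the bouncer-key
# handoff: start, wait for LAPI, register bouncer, patch compose, recreate.
# Assumptions: compose project in the current directory, agent container
# named "crowdsec", and `cscli ... -o raw` printing only the key.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
BOUNCER_NAME="${BOUNCER_NAME:-traefik-bouncer}"

# The key is the only line of cscli's output that consists of a single word,
# both in raw mode and in the human banner ("Api key for '...':" / "Please keep
# it secret ..."), so take the last such line and keep only key characters.
extract_api_key() {
    printf '%s\n' "$1" | awk 'NF == 1 { last = $1 } END { print last }' | tr -cd 'A-Za-z0-9+/=_-'
}

# Replace whatever follows CROWDSEC_BOUNCER_API_KEY= with the real key.
# Avoids `sed -i` (GNU/BSD differ); & | \ in the key are escaped for sed.
set_bouncer_key() {
    file="$1"; key="$2"
    esc=$(printf '%s' "$key" | sed 's/[&|\\]/\\&/g')
    sed "s|^\([[:space:]]*- CROWDSEC_BOUNCER_API_KEY=\).*|\1$esc|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Poll the local API (up to 60 s) instead of "wait a minute or so".
wait_for_lapi() {
    i=0
    until docker exec crowdsec cscli lapi status >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 60 ] || { echo "LAPI not ready after 60s" >&2; return 1; }
        sleep 1
    done
}

main() {
    docker compose up -d
    wait_for_lapi
    out=$(docker exec crowdsec cscli bouncers add "$BOUNCER_NAME" -o raw)
    key=$(extract_api_key "$out")
    [ -n "$key" ] || { echo "no API key found in cscli output" >&2; exit 1; }
    set_bouncer_key "$COMPOSE_FILE" "$key"
    docker compose up -d --force-recreate bouncer
    # The bouncer should now be listed with a recent "last pull" timestamp.
    docker exec crowdsec cscli bouncers list
}

# Only touch docker when explicitly asked, so the functions can be sourced/tested.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh crowdsec-up.sh run`; without the `run` argument it only defines the functions. Writing the key into `docker-compose.yml` is what the page does; if that file is under version control, put the key in a `.env` file and reference it from compose instead.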
If you also want the online console, do this as well:
- Register at https://app.crowdsec.net/
- Enroll your instance with the enrollment key from there, e.g.:
`docker exec crowdsec cscli console enroll cl8m56qpu00060vlcwgj898z0`
Decisions are only enforced once Traefik asks the bouncer about every request, so this part is not optional:
- Add a forwardAuth middleware in Traefik's dynamic config, e.g.
```toml
[http.middlewares.crowdsec.forwardAuth]
  address = "http://<server ip>:3300/api/v1/forwardAuth"
```
- Use this middleware on your routers (ideally on every router that is reachable from the internet), e.g.
```toml
[http.routers.authelia]
  rule = "Host(`login.domain.com`)"
  service = "authelia"
  tls = {}
  middlewares = ["crowdsec"]
```
Two things to check: the IP the bouncer evaluates comes from the X-Forwarded-For header Traefik sets on the forwardAuth request, so if Traefik itself sits behind another proxy or CDN, add that proxy to the entrypoint's forwardedHeaders.trustedIPs or the bouncer will only ever see the proxy's address. And if Traefik runs in the same Docker network as the bouncer, point the address at the container (`crowdsec-bouncer:8090`) and drop the `ports:` mapping, so the forwardAuth endpoint is not exposed on the host.
acquis.yml (one YAML document per log type; the `type` label picks the parser, and the paths are the ones inside the container, i.e. the right-hand side of the compose volume mounts):
```yaml
---
filenames:
  - /logs/auth.log
  - /logs/syslog
  - /logs/kern.log
labels:
  type: syslog
---
filenames:
  - /logs/apache2/*.log
  - /logs/*httpd*.log
  - /logs/httpd/*log
labels:
  type: apache2
---
filenames:
  - /logs/nginx/*.log
labels:
  type: nginx
---
filenames:
  - /logs/authelia.log
labels:
  type: authelia
---
filenames:
  - /logs/traefik/*.log
labels:
  type: traefik
```
docker-compose.yml (the container-side mount paths have been aligned with acquis.yml: `/logs/syslog` instead of `/logs/syslog.log`, `/logs/apache2` instead of `/logs/apache`, and the nginx mount that was missing):
```yaml
services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: unless-stopped
    environment:
      # no quotes around the value: in the list form of `environment` they would
      # become part of the value and the entrypoint's chgrp on the data dir fails
      - GID=${GID-1000}
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/iptables crowdsecurity/apache2 crowdsecurity/sshd crowdsecurity/traefik LePresidente/authelia crowdsecurity/nginx crowdsecurity/base-http-scenarios
    volumes:
      # host path (left) -> container path (right). Change the left side to wherever
      # your logs live; the right side is what acquis.yml references. Remove the
      # mounts (and acquis entries) for services you don't run: Docker creates a
      # missing host path as an empty directory, which then breaks a file mount.
      - /var/log/auth.log:/logs/auth.log:ro
      - /var/log/syslog:/logs/syslog:ro
      - /var/log/kern.log:/logs/kern.log:ro
      - /var/log/apache2:/logs/apache2:ro
      - /var/log/httpd:/logs/httpd:ro
      - /var/log/nginx:/logs/nginx:ro
      - /var/log/authelia.log:/logs/authelia.log:ro
      - /var/log/traefik/logs:/logs/traefik:ro
      - ./acquis.yml:/etc/crowdsec/acquis.yaml
      - ./data:/var/lib/crowdsec/data/
      - ./config:/etc/crowdsec/
  bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: crowdsec-bouncer
    restart: unless-stopped
    environment:
      - PORT=8090
      # replace with the key printed by `cscli bouncers add traefik-bouncer`
      - CROWDSEC_BOUNCER_API_KEY=changeme
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    ports:
      - 3300:8090
```
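A static consistency check for the two files above, as an added example that is not from the page: every path in acquis.yml must be reachable inside the crowdsec container, i.e. be a mounted file, match a mounted path, or lie under a mounted directory in docker-compose.yml, otherwise CrowdSec silently never reads it (the page's original mounts had exactly this problem for syslog, apache2 and nginx). It assumes the file layouts shown above ("- /path" items under `filenames:` in acquis.yml, "- host:container[:opts]" volume items in compose); the runtime counterpart is `cscli metrics`, whose acquisition table shows how many lines were read per file.

```shell
#!/bin/sh
# Added example, not part of the original page: cross-check acquis.yml against
# the volume mounts in docker-compose.yml. Assumes the layouts shown above.
# Usage: sh check-mounts.sh acquis.yml docker-compose.yml
set -eu

# Container-side path of every bind mount: the second ":"-field of a
# "- host:container[:opts]" list item, with a trailing "/" stripped.
# Port mappings ("- 3300:8090") are skipped because the field is not a path.
compose_mount_targets() {
    awk -F: '$1 ~ /^[[:space:]]*- / && $2 ~ /^\// { sub(/\/$/, "", $2); print $2 }' "$1"
}

# Every "- /path" list item in acquis.yml, i.e. the filenames: entries (may be globs).
acquisition_paths() {
    awk '/^[[:space:]]*- \// { sub(/^[[:space:]]*- /, ""); print }' "$1"
}

# Prints "not mounted: <pattern>" for each acquisition path that no mount covers.
# Returns 0 when everything is covered, 1 otherwise.
check_acquisition_mounts() {
    acquis="$1"; compose="$2"; missing=0
    set -f   # patterns contain globs such as *.log; do not let the shell expand them
    targets=$(compose_mount_targets "$compose")
    for p in $(acquisition_paths "$acquis"); do
        covered=0
        for t in $targets; do
            case "$t" in $p) covered=1 ;; esac        # the mount itself matches the pattern
            case "$p" in "$t"/*) covered=1 ;; esac   # the pattern lives under a mounted dir
        done
        if [ "$covered" -eq 0 ]; then
            echo "not mounted: $p"
            missing=$((missing + 1))
        fi
    done
    set +f
    [ "$missing" -eq 0 ]
}

if [ "$#" -eq 2 ]; then
    check_acquisition_mounts "$1" "$2"
fi
```

The check is deliberately strict: a glob like `/logs/*httpd*.log` is only accepted if a mount target matches it, so with the mounts above it is reported even though `/logs/httpd/*log` is covered; drop or fix such entries rather than leaving dead patterns in acquis.yml.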
Useful commands:
- List installed items
```sh
docker exec crowdsec cscli scenarios list
docker exec crowdsec cscli collections list
docker exec crowdsec cscli parsers list
```
- Block/unblock an IP by hand (`add` creates a ban for 4h by default; `--duration` and `--reason` change that)
```sh
docker exec crowdsec cscli decisions add --ip 192.168.1.1
docker exec crowdsec cscli decisions remove --ip 192.168.1.1
docker exec crowdsec cscli decisions list
docker exec crowdsec cscli decisions help         # display help on the decisions command
docker exec crowdsec cscli decisions add --help   # display help on the add command
```