CrowdSec - An Open-Source Massively Multiplayer Firewall Able To Analyze Visitor Behavior And Provide An Adapted Response To All Kinds Of Attacks

#341
Topic created · 1 Posts · 1 Views

  • CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenario to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read bellow for more.
    2 mins install
    Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, you can install it from source.
    From package (Debian)

    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash  
    sudo apt-get update  
    sudo apt-get install crowdsec
    

    From package (rhel/centos/amazon linux)

    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash  
    yum install crowdsec
    

    From package (FreeBSD)

    sudo pkg update  
    sudo pkg install crowdsec  
    

    From source

    wget https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz  
    tar xzvf crowdsec-release.tgz  
    cd crowdsec-v* && sudo ./wizard.sh -i
    

    About the CrowdSec project Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain.
    Processing is done in 4 steps:


    Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.
    Outnumbering hackers all together
    By sharing the threat they faced, all users are protecting each-others (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.
    CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most context, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.
    What it is not CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.
    Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, rule out false positives or poisoning attempts.
    Install it ! Crowdsec is available for various platforms :

Log in to reply