CrowdSec Installation

Create the CrowdSec Shared Log Folder

sudo mkdir /var/log/crowdsec; sudo chown -R $USER:$USER /var/log/crowdsec

Create the CrowdSec appdata Folder

sudo mkdir /opt/appdata/crowdsec

docker-compose.yml template

sudo nano /opt/appdata/crowdsec/docker-compose.yml

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Start the Container

sudo docker-compose up -d

Please read our disclaimer https://docs.ibracorp.io/#disclaimer.

What is Crowdsec?

CrowdSec is a free, open-source, and collaborative IPS. Analyze behaviors, respond to attacks & share signals across the community.

Where did CrowdSec come from?

Thibault & Philippe, 2 of CrowdSec founders, used to work in high-security hosting, which was kind of a new field back in the 2010s. They designed a stack of protection that would also block IPs that made violations.

One day, one of their clients, a famous sports-oriented e-commerce shop, was under attack. It was not a real problem since it was protected by a robust stack, but the hacker used more than 3,000 IP addresses to try to aggress the website. At this exact moment came this idea that would be the genesis of CrowdSec.

“What if we share those IPs with our peers and colleagues in the industry? That would cripple this hacker’s operations even further, right?”

This was the starting point of a long journey, involving a lot of great minds in designing a lightweight product, Waze-like, that would not only block attacks but also share IPs with all its user community.

“Safer together” was born. The team started to gather around this idea that instead of being isolated sitting ducks, waiting to be picked one by one by the enemy, we could rather organize a sort of Internet neighborhood watch.

Source: https://crowdsec.net/

Feature List

• Easy to Set up and Use - CrowdSec is easy to install, deploy and use regardless of your knowledge. You don't need to be a security master to enjoy its full capabilities.

• Replayable - CrowdSec is able to process both live and old logs, which makes it false-positive resilient.

• Observable - CrowdSec is instrumented with Metabase & Prometheus to generate out-of-the-box dashboards and monitor activity across your assets.

• API-Driven - All components communicate via HTTP API, making it easy to cover complex setups.

• Participative - You can share malevolent IP data with your fellow users, have each other's backs and outnumber hackers.

• Open Source - CrowdSec is as open source and free as it can be through an MIT licence. No back doors. No shenanigans.

Detected Behaviours

• Applicative DDoS

• Drive-by download

• Resource abuse

• Credentials Brute-forcing

• PHP-based Armageddon

• Port scans

• Web scans

• Credentials stuffing

• Bot scraping

• Targeted attacks

Special Thanks

• Momas for their input and guidance.

• Our Discord community and our Community Leaders DiscDuck and Sycotix for their input and documentation.

Final Words

We hope you enjoyed this guide. It was conceptualized by Momas, written, and implemented by our Community Leader Hawks.

Support Us

Our work sometimes takes months to research and develop. If you want to help support us please consider:

• Liking and Subscribing to our Youtube channel

• Joining our Discord server

• Becoming a paid member on our IBRACORP website

• Donating via Paypal

Thank you for being part of our community!

You can avoid needing to identify as sudo when using Docker by performing the following:

Go to:

Register your CrowdSec app and copy the Unique ID that is presented

Back in your terminal, type the following command:

Then accept it in the dashboard:

Restart the container:

Create a subfolder in your main appdata folder, used to tell services, and crowdsec, to write log files in it. These log files will be centralized and analyzed by crowdsec. In this guide, this subfolder is named "shared/crowdsec" (appdata/shared/crowdsec).

Go to apps tab in unraid, and install the container crowdsec from Ibracorp.

• Port : The port Crowdsec is using.

• appdata : Your Crowdsec appdata folder (usually appdata/crowdsec).

• data : The data folder your Crowdsec container will be using (subfolder in your crowdsec appdata folder).

• syslog path : not relevant (I think), leave it as default.

• COLLECTIONS : The collections Crowdsec will use, for example crowdsecurity/traefik for Traefik, LePresidente/authelia for authelia. Do not use quote marks " as this will cause issues with newer versions. It works fine without them.

• var log : crowdsec's log folder, map this to a subfolder in your shared folder (appdata/shared/crowdsec).

• auth logs to be analyzed (optional it seems): map this to a subfolder in your crowdsec shared folder (appdata/shared/crowdsec/auth for example). This value doesn't seem to be used in this unraid docker scenario, and is more relevant to a SSH config.

• crowdsec logs to analyze : map it to your crowdsec shared folder (appdata/shared/crowdsec).

Enable Dashboard

Go to:

Register your CrowdSec app and copy the Unique ID that is presented

Open the docker terminal on Unraid, type the following command:

Then accept it in the dashboard:

Restart the container

Going over https://docs.crowdsec.net/docs/observability/dashboard/ and reading on the github issue https://github.com/crowdsecurity/crowdsec/issues/1567, I decided the best way to go about adding the dashboard would be to manually setup a container in docker.

In Unraid, click Docker, then at the bottom click Add Container. Click Advanced

Docker Hub URL: https://hub.docker.com/r/metabase/metabase

Icon URL: https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png?raw=true

WebUI: http://0.0.0.0:3000 ( Change this if you change port on Host Port 1 )

Name: crowdsec-dashboard

Overview: Crowdsec metabase dashboard

Repository: metabase/metabase

Network type: ( I used a custom docker network )

Fixed IP: (Empty)

Console Shell Command: Shell

Privileged: Off

Host Port 1: 3000 ( Change if needed )

DB Location(Rename if wanted): Use Variable

--- Name: DB Location

--- Key: MB_DB_FILE

--- Value: /metabase.db

Host Key 1 (Rename if wanted): Use Variable

--- Name: Host Key 1

--- Key: depends_on

--- Value: crowdsec

Host Path 1 (Rename if wanted): Use Path

--- Name: Host Path 1

--- Container Path: /metabase-data/

--- Host Path: (Location of crowdsec.db)​

Click apply and start the container. Click and open the web page, fill in the information and choose sqlite.

Go into your crowdsec appdata and change permissions. I used chmod 777 crowdsec.db, but there are better ways to do this. From there the location used will be /metabase-data/crowdsec.db

Now we have to tell Authelia to write its log file to the shared folder, so that crowdsec can parse it and respond accordingly.

First, edit your Authelia docker template, to map the Authelia log output folder to the shared folder :

Then edit the configuration.yml file in Authelia appdata folder (appdata/authelia), in order to enable logging. (The values maybe already there but edited out, so just search for them).

  log:
  ## Level of verbosity for logs: info, debug, trace.
  level: info

  ## Format the logs are written as: json, text.
  format: json

  ## File path where the logs will be written. If not set logs are written to stdout.
  file_path: /var/log/crowdsec/authelia.log

  ## Whether to also log to stdout when a log_file_path is defined.
  keep_stdout: true

And then, edit your docker crowdsec template to enable Authelia collection, by adding LePresidente/authelia to the COLLECTIONS variable :

And finally, edit your acquis.yml file in your crowdsec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)

---
filenames:
  - /var/log/crowdsec/authelia.log
labels:
  type: authelia

Restart your containers, crowdsec and authelia.

Use the "Useful Commands" cscli collections list and cscli metrics to check your collections and metrics, that should be ok!

We will be adapting this method on official CrowdSec hub to enable Nextcloud collection.

Run a console command in your CrowdSec container (click on its icon and then console)

Install Nextcloud collection by pasting this command :

cscli collections install crowdsecurity/nextcloud

Create the following mapping in your Nextcloud docker template :

Restart Nextcloud container.

Edit your acquis.yml file in your CrowdSec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)

---
filenames:
 - /var/log/crowdsec/nextcloud.log
labels:
  type: Nextcloud

Restart CrowdSec container.

Use the "Useful Commands" cscli collections list and cscli metrics to check your collections and metrics, that should be ok!

Now we have to tell Vaultwarden to write its log file to the shared folder, so that CrowdSec can parse it and respond accordingly.

First, edit your Vaultwarden docker template, to map the Vaultwarden log output folder to the shared folder :

Add these extra parameters to your Vaultwarden template, enable the "advanced view" when editing your container, by clicking the upper right "basic view" slider :

-e LOG_FILE=/log/vaultwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true

Like this :

Restart your Vaultwarden container.

Edit your docker CrowdSec template to enable Vaultwarden collection, by adding Dominic-Wagner/vaultwarden to the COLLECTIONS variable :

Finally, edit your acquis.yml file in your CrowdSec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)

Restart CrowdSec container.

Add the Authelia Collection

sudo nano /opt/appdata/crowdsec/docker-compose.yml

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve LePresidente/authelia"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Add Authelia to the acquis.yml

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/authelia.log
labels:
  type: authelia

Enable Logging to file

sudo nano /opt/appdata/authelia/configuration.yml

log:
  level: info
  format: json
  file_path: "/var/log/crowdsec/authelia.log"
  keep_stdout: true

Add Log File Bind Mount

sudo nano /opt/appdata/authelia/docker-compose.yml

    volumes:
      - /opt/appdata/authelia:/config
      - /var/log/crowdsec:/var/log/crowdsec

Restart Containers

cd /opt/appdata/authelia; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

CrowdSec has the ability to be controlled and monitored, all via the command line. Whilst there is a wide range of commands you can run and try out for yourself, here are a few to get you started that we found useful. If you can think of any more that you use regularly, just let us know, and we will add them to the list!

Something to note, these commands can either be run via the host using the docker exec crowdsec cscli [command], or they can be run from within the container using the docker exec -it crowdsec /bin/bash command and then the normal cscli [command].

Update & Upgrade the CrowdSec Hub

docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade

This command can actually be added to a cron job to be run regularly. This will keep the hub up to date at all times.

Metrics

This command will show metrics (parsed logs, buckets (leaky bucket mechanism link here), various statistics). If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli metrics

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli metrics

Hub List

This command will let you see which parsers and scenarios are deployed. If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli hub list

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli hub list

Decision List

This command allows you to see which IPs are banned, very useful to check if you are suddenly getting “Forbidden” pages when accessing your server. If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli decisions list

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli decisions list

Alerts List

Alerts list will enable you to review and inspect CrowdSec alerts, i.e. detected attacks on your server. If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli alerts list

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli alerts list

Block IP

Add an IP to the block list, you could add your IP to test if it's blocking requests. If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli decisions add --ip 1.2.3.4

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli decisions add --ip 1.2.3.4

Allow IP

Remove an IP from the block list, in some cases this will be useful to unban yourself. If you would like to run this within the container, you could run:

docker exec -it crowdsec /bin/bash

cscli decisions delete -i 1.2.3.4

or if you would like to run it directly from the host, you can run:

docker exec crowdsec cscli decisions delete -i 1.2.3.4

The Official cscli Documentation

We would recommend you check out CrowdSec's outstanding official docs for the rest of the commands and have a play yourself.

The aim here is to implement a CrowdSec bouncer for the router Traefik to block malicious IP to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and query CrowdSec with client IP. If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual.

Flow of information

What is a parser?

Parsers take log formats and breaks it into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.

What is a bouncer?

Bouncers react to decision made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IP's. It will do this by connecting back to the mothership to get the information required to make the decisions locally.

Check out available bouncers on the hub

What is a Scenario?

A scenario is a behaviour, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviours.

Enable the Bouncer

docker exec crowdsec cscli bouncers add traefik-bouncer

Adding the API and Collection

Now we need to add the Traefik collection to the CrowdSec compose file and also the bouncer install along with the API key.

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Mapping the Log Files

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog

Traefik

Enable Logging

sudo nano /opt/appdata/traefik/traefik.yml

accessLog:
  filePath: "/var/log/crowdsec/traefik.log"
  bufferingSize: 50

Add the CrowdSec Middleware

sudo nano /opt/appdata/traefik/traefik.yml

      middlewares:
        - securityHeaders@file
        - crowdsec-bouncer@file

sudo nano /opt/appdata/traefik/fileConfig.yml

    crowdsec-bouncer:
      forwardauth:
        address: http://bouncer-traefik:8080/api/v1/forwardAuth
        trustForwardHeader: true

Add the Log file Volume Mapping

sudo nano /opt/appdata/traefik/docker-compose.yml

    volumes:
      - /opt/appdata/traefik/:/etc/traefik/
      - /var/log/crowdsec/:/var/log/crowdsec/

Restart CrowdSec and Traefik

cd /opt/appdata/traefik; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d

If the client IP is on the ban list, it will get an HTTP code 403 response. Otherwise, the request will continue as usual.

Flow of information

What is a parser?

Parsers take log formats and break them down into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.​​

What is a bouncer?

Bouncers react to decisions made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IPs. It will do this by connecting back to the mothership to get the information required to make the decisions locally. Check out available bouncers on the hub​

What is a Scenario?

A scenario is a behavior, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviors.

Enable the Bouncer

Go inside the CrowdSec Docker console and run

Go to the apps tab, and download the container crowdsec-traefik-bouncer.

1. Get the API Key that we generated above and past it on this option

2. leave it as it is

3. Put the CrowdSec Container IP with port

Traefik

Enable Logging

If your logs don't show the external IP of the users hitting the Traefik proxy and only show the IP of the docker gateway (eg.: 172.19.x.x in this case) then edit the traefik.yml file and your docker gateway IP under trusted IPs.

Create a path mapping in your traefik template, so that the log file is written in the shared folder previously created.

Add the CrowdSec Middleware

Once again, edit your traefik static configuration file (traefik.yml), then edit your dynamic configuration file (fileConfig.yml)

Restart CrowdSec and Traefik

Add the Vaultwarden Collection

sudo nano /opt/appdata/crowdsec/docker-compose.yml

version: "3.4"

services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve Dominic-Wagner/vaultwarden"
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec
      - /var/log/auth.log:/var/log/auth.log:ro
      - /var/log/crowdsec:/var/log/crowdsec:ro
    restart: unless-stopped

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: YourSuperSecureAPIKey
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  default:
    external: true
    name: proxy

Add Vaultwarden to the acquis.yml

sudo nano /opt/appdata/crowdsec/acquis.yaml

filenames:
  - /var/log/crowdsec/traefik.log
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/vaultwarden.log
labels:
  type: vaultwarden

Enable Logging to file

sudo nano /opt/appdata/vaultwarden/docker-compose.yml

    environment:
      LOG_FILE: "/var/log/vaultwarden/vaultwarden.log"
      LOG_LEVEL: "warn" 
      ROCKET_CLI_COLORS: "off" 
      EXTENDED_LOGGING: "true"
      IP_HEADER: "X-Forwarded-For"

    volumes:
      - /opt/appdata/vaultwarden/database:/database
      - /opt/appdata/vaultwarden/data:/data
      - /var/log/crowdsec:/var/log/crowdsec

Restart Containers

cd /opt/appdata/vaultwarden; sudo docker-compose up -d
cd /opt/appdata/crowdsec; sudo docker-compose up -d