Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Loading...
Create a subfolder in your main appdata folder, used to tell services, and crowdsec, to write log files in it. These log files will be centralized and analyzed by crowdsec. In this guide, this subfolder is named "shared/crowdsec" (appdata/shared/crowdsec).
Go to apps tab in unraid, and install the container crowdsec from Ibracorp.
Port : The port Crowdsec is using.
appdata : Your Crowdsec appdata folder (usually appdata/crowdsec).
data : The data folder your Crowdsec container will be using (subfolder in your crowdsec appdata folder).
syslog path : not relevant (I think), leave it as default.
COLLECTIONS : The collections Crowdsec will use, for example crowdsecurity/traefik for Traefik, LePresidente/authelia for authelia. Do not use quote marks " as this will cause issues with newer versions. It works fine without them.
var log : crowdsec's log folder, map this to a subfolder in your shared folder (appdata/shared/crowdsec).
auth logs to be analyzed (optional it seems): map this to a subfolder in your crowdsec shared folder (appdata/shared/crowdsec/auth for example). This value doesn't seem to be used in this unraid docker scenario, and is more relevant to a SSH config.
crowdsec logs to analyze : map it to your crowdsec shared folder (appdata/shared/crowdsec).
Main Collections: crowdsecurity/traefik crowdsecurity/http-cve
Adding the dashboard using a custom container setup on Unraid.
The following page has been submitted by a community member and has not been extensively tested. Please submit any edits you think need to be made.
Going over https://docs.crowdsec.net/docs/observability/dashboard/ and reading on the github issue https://github.com/crowdsecurity/crowdsec/issues/1567, I decided the best way to go about adding the dashboard would be to manually setup a container in docker.
In Unraid, click Docker, then at the bottom click Add Container. Click Advanced
Docker Hub URL: https://hub.docker.com/r/metabase/metabase
Icon URL: https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png?raw=true
WebUI: http://0.0.0.0:3000 ( Change this if you change port on Host Port 1 )
Name: crowdsec-dashboard
Overview: Crowdsec metabase dashboard
Repository: metabase/metabase
Network type: ( I used a custom docker network )
Fixed IP: (Empty)
Console Shell Command: Shell
Privileged: Off
Host Port 1: 3000 ( Change if needed )
DB Location(Rename if wanted): Use Variable
--- Name: DB Location
--- Key: MB_DB_FILE
--- Value: /metabase.db
Host Key 1 (Rename if wanted): Use Variable
--- Name: Host Key 1
--- Key: depends_on
--- Value: crowdsec
Host Path 1 (Rename if wanted): Use Path
--- Name: Host Path 1
--- Container Path: /metabase-data/
--- Host Path: (Location of crowdsec.db)
Click apply and start the container. Click and open the web page, fill in the information and choose sqlite.
Go into your crowdsec appdata and change permissions. I used chmod 777 crowdsec.db, but there are better ways to do this. From there the location used will be /metabase-data/crowdsec.db
The aim here is to implement a CrowdSec bouncer for the router Traefik to block malicious IPs to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and queries CrowdSec with client IP.
If the client IP is on the ban list, it will get an HTTP code 403 response. Otherwise, the request will continue as usual.
Parsers take log formats and break them down into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.
Bouncers react to decisions made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IPs. It will do this by connecting back to the mothership to get the information required to make the decisions locally. Check out available bouncers on the hub
Check out available bouncers on the hub
A scenario is a behavior, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviors.
Go inside the CrowdSec Docker console and run
PLEASE NOTE
This is the only time the API will be shown, make sure to note down this API key somewhere safe.
Go to the apps tab, and download the container crowdsec-traefik-bouncer.
Get the API Key that we generated above and past it on this option
leave it as it is
Put the CrowdSec Container IP with port
Edit your traefik static configuration file (traefik.yml) in your traefik appdata folder. (use nano command or code server, very useful, tutorial here https://www.youtube.com/watch?v=7FMCBjUVaYQ&t=1s )
If your logs don't show the external IP of the users hitting the Traefik proxy and only show the IP of the docker gateway (eg.: 172.19.x.x in this case) then edit the traefik.yml file and your docker gateway IP under trusted IPs.
Create a path mapping in your traefik template, so that the log file is written in the shared folder previously created.
Once again, edit your traefik static configuration file (traefik.yml), then edit your dynamic configuration file (fileConfig.yml)
The address is for the bouncer-traefik container and the port is always 8080
obs the container has no exposed port with the host
CrowdSec has a dashboard that allow you to connect your CrowdSec instances and allows you to view statistics and performance.
You can avoid needing to identify as sudo when using Docker by performing the following:
Go to:
Register your CrowdSec app and copy the Unique ID that is presented
Back in your terminal, type the following command:
Then accept it in the dashboard:
Restart the container:
Now we have to tell Authelia to write its log file to the shared folder, so that crowdsec can parse it and respond accordingly.
First, edit your Authelia docker template, to map the Authelia log output folder to the shared folder :
Then edit the configuration.yml
file in Authelia appdata folder (appdata/authelia), in order to enable logging. (The values maybe already there but edited out, so just search for them).
And then, edit your docker crowdsec template to enable Authelia collection, by adding LePresidente/authelia
to the COLLECTIONS variable :
And finally, edit your acquis.yml
file in your crowdsec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart your containers, crowdsec and authelia.
Use the "Useful Commands" cscli collections list
and cscli metrics
to check your collections and metrics, that should be ok!
This method has not been verified yet, but seems to work
We will be adapting this method on official CrowdSec hub to enable Nextcloud collection.
Run a console command in your CrowdSec container (click on its icon and then console
)
Install Nextcloud collection by pasting this command :
cscli collections install crowdsecurity/nextcloud
Create the following mapping in your Nextcloud docker template :
Restart Nextcloud container.
Edit your acquis.yml
file in your CrowdSec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart CrowdSec container.
Use the "Useful Commands" cscli collections list
and cscli metrics
to check your collections and metrics, that should be ok!
The aim here is to implement a CrowdSec bouncer for the router Traefik to block malicious IP to access your services. For this, it leverages Traefik v2 ForwardAuth middleware and query CrowdSec with client IP. If the client IP is on ban list, it will get a http code 403 response. Otherwise, request will continue as usual.
Parsers take log formats and breaks it into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.
Bouncers react to decision made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IP's. It will do this by connecting back to the mothership to get the information required to make the decisions locally.
Check out available bouncers on the hub
A scenario is a behaviour, i.e. is it a brute force attack that is happening. You can choose which Scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical http behaviours.
PLEASE NOTE
This is the only time the api will be shown, make sure to note down this API key somewhere safe.
Now we need to add the Traefik collection to the CrowdSec compose file and also the bouncer install along with the API key.
Now we have to tell Vaultwarden to write its log file to the shared folder, so that CrowdSec can parse it and respond accordingly.
First, edit your Vaultwarden docker template, to map the Vaultwarden log output folder to the shared folder :
Add these extra parameters to your Vaultwarden template, enable the "advanced view" when editing your container, by clicking the upper right "basic view" slider :
-e LOG_FILE=/log/vaultwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true
Like this :
Restart your Vaultwarden container.
Edit your docker CrowdSec template to enable Vaultwarden collection, by adding Dominic-Wagner/vaultwarden
to the COLLECTIONS variable :
Finally, edit your acquis.yml
file in your CrowdSec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart CrowdSec container.
CrowdSec is a free, open-source and collaborative IPS. Analyze behaviors, respond to attacks & share signals across the community.
CrowdSec is a free, open-source, and collaborative IPS. Analyze behaviors, respond to attacks & share signals across the community.
Thibault & Philippe, 2 of CrowdSec founders, used to work in high-security hosting, which was kind of a new field back in the 2010s. They designed a stack of protection that would also block IPs that made violations.
One day, one of their clients, a famous sports-oriented e-commerce shop, was under attack. It was not a real problem since it was protected by a robust stack, but the hacker used more than 3,000 IP addresses to try to aggress the website. At this exact moment came this idea that would be the genesis of CrowdSec.
This was the starting point of a long journey, involving a lot of great minds in designing a lightweight product, Waze-like, that would not only block attacks but also share IPs with all its user community.
“Safer together” was born. The team started to gather around this idea that instead of being isolated sitting ducks, waiting to be picked one by one by the enemy, we could rather organize a sort of Internet neighborhood watch.
Easy to Set up and Use - CrowdSec is easy to install, deploy and use regardless of your knowledge. You don't need to be a security master to enjoy its full capabilities.
Replayable - CrowdSec is able to process both live and old logs, which makes it false-positive resilient.
Observable - CrowdSec is instrumented with Metabase & Prometheus to generate out-of-the-box dashboards and monitor activity across your assets.
API-Driven - All components communicate via HTTP API, making it easy to cover complex setups.
Participative - You can share malevolent IP data with your fellow users, have each other's backs and outnumber hackers.
Open Source - CrowdSec is as open source and free as it can be through an MIT licence. No back doors. No shenanigans.
Applicative DDoS
Drive-by download
Resource abuse
Credentials Brute-forcing
PHP-based Armageddon
Port scans
Web scans
Credentials stuffing
Bot scraping
Targeted attacks
Momas for their input and guidance.
Our Discord community and our Community Leaders DiscDuck and Sycotix for their input and documentation.
We hope you enjoyed this guide. It was conceptualized by Momas, written, and implemented by our Community Leader Hawks.
Our work sometimes takes months to research and develop. If you want to help support us please consider:
CrowdSec has the ability to be controlled and monitored, all via the command line. Whilst there is a wide range of commands you can run and try out for yourself, here are a few to get you started that we found useful. If you can think of any more that you use regularly, just let us know, and we will add them to the list!
Something to note, these commands can either be run via the host using the docker exec crowdsec cscli [command]
, or they can be run from within the container using the docker exec -it crowdsec /bin/bash
command and then the normal cscli [command]
.
This command can actually be added to a cron job to be run regularly. This will keep the hub up to date at all times.
This command will show metrics (parsed logs, buckets (leaky bucket mechanism link here), various statistics). If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
This command will let you see which parsers and scenarios are deployed. If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
This command allows you to see which IPs are banned, very useful to check if you are suddenly getting “Forbidden” pages when accessing your server. If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
Alerts list will enable you to review and inspect CrowdSec alerts, i.e. detected attacks on your server. If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
Add an IP to the block list, you could add your IP to test if it's blocking requests. If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
Remove an IP from the block list, in some cases this will be useful to unban yourself. If you would like to run this within the container, you could run:
or if you would like to run it directly from the host, you can run:
We would recommend you check out CrowdSec's outstanding official docs for the rest of the commands and have a play yourself.
Use the "" cscli collections list
and cscli metrics
to check your collections and metrics, that should be ok!
Thank you for choosing to collaborate with
Please read our disclaimer .
Source:
Please support the developers and creators involved in this work to help show them some love.
Liking and Subscribing to our
Joining our
Becoming a paid member on our
Donating via
To pass through the correct IP, you will need to enable the plugin for traefik.
Writer / Producer | Hawks |
Contributor | Momas |
Testing / Proofreading | Sycotix |
Testing / Proofreading | DiscDuck |
Testing / Proofreading | Momas |
Unraid Component Writer | Voz De Ouro |