Installing CrowdSec on Ubuntu


"CrowdSec offers a crowd-based cyber security suite to protect your online services, visualize & act upon threats, and a TIP (Threat Intel Platform) to block malicious IPs."

Why CrowdSec

From your perspective, CrowdSec helps protect your public-facing server(s) from malicious scanners trying to abuse open ports, brute force passwords, scan webservers for vulnerabilities - and generally keeps your logfiles free of most junk. It is both reactive (it bans what it sees in your own logs) and proactive (it pre-emptively blocks addresses the community has already reported).

You also get a great free dashboard which lets you see CrowdSec in action across all your servers.

From a community perspective, it uses detections collected from all users to improve everyone's protection dynamically (unlike an isolated, purely reactive tool like Fail2Ban, which only ever learns from your own logs) - and as a bonus it costs dodgy actors something by forcing them to keep changing IP addresses.

Installing CrowdSec on Ubuntu Server

Follow the install instructions at https://docs.crowdsec.net/docs/getting_started/install_crowdsec

# Step 1 - add the CrowdSec package repository for easy updates/removal.
# This pipes a remote script into a root shell: download it and read it first
# if you'd rather not trust packagecloud blindly.
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

# Step 2 - install the CrowdSec agent (detects attacks by parsing logfiles)
sudo apt install crowdsec

# Step 3 - install a bouncer so CrowdSec can act on its decisions (block, etc.)
sudo apt install crowdsec-firewall-bouncer-iptables

That will install the most common bouncer (it uses iptables, via an ipset, to drop traffic from banned IP addresses dynamically). There are also tons of bouncers for use inside your applications themselves (e.g. WordPress, PHP) or for specific providers like Cloudflare or AWS.

Whitelist your own IPs

Whitelisting your own addresses is strongly suggested - handy to know you won't be locked out of your own webserver when you do a mass vulnerability scan, for example :-) Note the scope, though: a parser-level whitelist stops events from those addresses turning into alerts on this machine; it does not exempt an address from the community blocklist, nor from decisions you add by hand with cscli.

Create / edit /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml and add something like:

name: crowdsecurity/whitelists
description: "Whitelist events from my fixed ip addresses"
whitelist:
  reason: "thine own ip ranges"
  ip:
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"
    - "100.xxx.xxx.xxx"

and then restart the crowdsec service

sudo service crowdsec restart
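The whitelist parser also accepts CIDR ranges, which is usually what you want for an office or VPN rather than listing every address. Here is a fuller version of the same file, added as an example (not taken from the page or the CrowdSec docs); the addresses are RFC 5737 documentation ranges standing in for your own.

```yaml
# Added example for /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml
# Addresses below are RFC 5737 documentation ranges - substitute your own.
name: crowdsecurity/whitelists
description: "Whitelist events from my fixed addresses and the office range"
whitelist:
  reason: "own infrastructure"
  # single addresses: your monitoring box, your home IP, etc.
  ip:
    - "203.0.113.10"
    - "203.0.113.11"
  # whole ranges: office, VPN egress, CI runners
  cidr:
    - "198.51.100.0/24"
    - "192.0.2.0/28"
```

Restart crowdsec after editing, then feed a log line from one of those addresses to `cscli explain`: the whitelist parser should match and no scenario should fire for it.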

Whitelist Google and other Search Engine IPs

You probably also want to ensure that search engines are whitelisted to avoid any chance of accidentally blocking good spiders / indexing services.

Install the "SEO Bots Whitelist" postoverflow (which does have a slight performance impact):

cscli postoverflows install crowdsecurity/seo-bots-whitelist
sudo service crowdsec restart

Testing Crowdsec

If you've got everything running and want to test your setup is working, one easy way is to temporarily block an IP address you control, and then confirm access is blocked (e.g. the website won't load from it). Replace 1.2.3.4 with that address, and don't pick the one your SSH session comes from unless you're happy to lose it for the duration of the ban; a parser whitelist won't save you here, because whitelists filter log events, not manually added decisions:

cscli decisions add --ip 1.2.3.4 --duration 5m --reason "Bouncer ban test"

The bouncer picks the decision up on its next poll, so allow a few seconds before concluding it isn't working.
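The same check as a script, added here as an example rather than anything shipped by the page or the CrowdSec project. It assumes the iptables bouncer with its default IPv4 set name crowdsec-blacklists, that sudo can run cscli and ipset, and that you run it from an address other than the one you ban (it refuses if the target matches the client address in SSH_CONNECTION). It validates the address first, adds the decision, waits for the bouncer's poll, checks the ipset, and removes the decision again so you are not left with a stray ban.

```shell
#!/bin/sh
# Added example, not CrowdSec's own tooling: round-trip test of
# decision -> bouncer -> firewall. Assumes crowdsec-firewall-bouncer-iptables
# with its default IPv4 ipset name, and sudo rights for cscli and ipset.
set -eu

IPSET_NAME="crowdsec-blacklists"   # bouncer default; IPv6 bans land in crowdsec6-blacklists
BAN_REASON="Bouncer ban test"

# Strict dotted-quad check so a typo cannot turn into a ban on the wrong host.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ????*) return 1 ;; esac   # more than three digits
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Address the current SSH session comes from, or empty when not over SSH.
ssh_client_ip() {
    _conn=${SSH_CONNECTION:-}
    printf '%s\n' "${_conn%% *}"
}

# Succeeds when banning $1 cannot cut off an SSH session from $2 (empty = not over SSH).
safe_to_ban() {
    [ -z "${2:-}" ] || [ "$2" != "$1" ]
}

ban_test() {
    _ip=$1
    _duration=${2:-5m}
    is_ipv4 "$_ip" || { echo "not an IPv4 address: $_ip" >&2; return 2; }
    safe_to_ban "$_ip" "$(ssh_client_ip)" \
        || { echo "refusing to ban $_ip: it is your own SSH client address" >&2; return 2; }

    sudo cscli decisions add --ip "$_ip" --duration "$_duration" --reason "$BAN_REASON"
    # The decision now sits in the local API; the bouncer pulls new decisions on its
    # polling interval (update_frequency in the bouncer config, seconds by default),
    # so wait before checking the firewall side.
    sleep 15
    sudo cscli decisions list --ip "$_ip"
    if sudo ipset test "$IPSET_NAME" "$_ip" 2>/dev/null; then
        echo "OK: $_ip is in ipset $IPSET_NAME, the bouncer is enforcing decisions"
        _rc=0
    else
        echo "FAIL: decision exists but $_ip is not in ipset $IPSET_NAME; check crowdsec-firewall-bouncer" >&2
        _rc=1
    fi
    # Do not leave the test ban in place; remove it rather than waiting for expiry.
    sudo cscli decisions delete --ip "$_ip"
    return $_rc
}

# Live run only when asked for explicitly:  sh ban_test.sh --run 203.0.113.10 [5m]
if [ "${1:-}" = "--run" ]; then
    ban_test "${2:?usage: --run <ipv4> [duration]}" "${3:-5m}"
fi
```

Exit status 0 means the whole chain works; 1 means the decision was accepted by the local API but never reached the firewall, which points at the bouncer (its service, its API key, or its ipset name) rather than at detection.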

Handy CLI cheat sheet

# list installed hub items (collections, parsers, scenarios, postoverflows)
sudo cscli hub list

# list active decisions (append --ip to be specific)
sudo cscli decisions list

# list alerts (stay around after decisions expire)
sudo cscli alerts list

# list IPs currently in the bouncer's ipset (IPv4 set; IPv6 bans go in crowdsec6-blacklists).
# pipe to less (or head) to see a summary, as the list can be looooong
sudo ipset list crowdsec-blacklists | less

# to see the ipset list DROP rule
sudo iptables -S | grep crowdsec

# check list of bouncers
sudo cscli bouncers list

# update hub index
sudo cscli hub update
# and then upgrade collections/parsers/scenarios/overflows
sudo cscli hub upgrade

# rerun the setup wizard at any time (attempt to autodetect collections etc)
/usr/share/crowdsec/wizard.sh -c

# Test a logfile entry against the current setup to see what happens
sudo cscli explain --log "Jan 16 00:08:39 oracle sshd[49646]: Disconnected from authenticating user root 36.89.217.30 port 55820 [preauth]" --type syslog

Troubleshooting

  1. Check that both the crowdsec and crowdsec-firewall-bouncer services (and any other bouncers you have installed) are running
  2. Check the logs under /var/log/crowdsec*
  3. Run cscli metrics: the acquisition table shows how many lines were read and parsed per log file, so a zero there means the agent isn't seeing your logs at all
  4. Use the CLI's explain functionality to see why something is or isn't being flagged (example above in the cheat-sheet)
  5. The CrowdSec Discord server is full of helpful people willing to assist, and is also a great resource to search for any issue you may be having (from basic through to advanced custom scenarios)