CrowdSec

From ArchWiki

CrowdSec is lightweight open-source software that detects peers with malicious behaviour and blocks them from accessing your systems at various levels (infrastructure, system, application). CrowdSec bouncers are standalone components that act on a decision taken by CrowdSec: block an IP, present a captcha, enforce MFA for a given user, etc.

Installation

Install the crowdsecAUR package and, for the CrowdSec firewall bouncer, cs-firewall-bouncerAUR.

Enable/start crowdsec.service

Usage

Enroll your CrowdSec instance in the CrowdSec console:

# cscli console enroll your_enroll_key

You can get the enrollment key from upstream (the CrowdSec console).

Hub management

List installed parsers, scenarios and collections:

# cscli hub list

Parsers extract structured fields from log lines or from the output of previous parsers. To install the crowdsecurity/sshd-logs parser:

# cscli parsers install crowdsecurity/sshd-logs

Scenarios consume parsed events, detect attacks and produce alerts. To install the crowdsecurity/ssh-slow-bf scenario:

# cscli scenarios install crowdsecurity/ssh-slow-bf

Collections are bundles of parsers, scenarios and postoverflows. To install the crowdsecurity/whitelist-good-actors collection:

# cscli collections install crowdsecurity/whitelist-good-actors

Refresh the hub index, then upgrade installed parsers, scenarios and collections:

# cscli hub update
# cscli hub upgrade

Decisions management

List active decisions:

# cscli decisions list

Manually add a decision (ban):

# cscli decisions add --ip 1.2.3.4 --duration 24h --reason "web bruteforce"

Remove a decision:

# cscli decisions delete --ip 1.2.3.4

List past alerts:

# cscli alerts list --since 1h

Alerts are kept after their decisions expire or are deleted, so the alert list also covers decisions that are no longer active.
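As an added example (not from this page or the CrowdSec project), the following POSIX shell script wraps the manual "cscli decisions add" step above so that malformed input is rejected and an IP that already has an active decision is not banned twice. It assumes that cscli accepts -o json for machine-readable output and that each decision in that output carries a "value" field holding the IP; the sample JSON embedded in the script is constructed so the checks can run without a CrowdSec instance.

```shell
#!/bin/sh
# Added example: a small wrapper around "cscli decisions" that validates
# input and skips IPs that already have an active decision.
# Assumption: "cscli decisions list -o json" prints alerts whose "decisions"
# entries carry the banned IP in a "value" field.

CSCLI="${CSCLI:-cscli}"

# Accept only a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    ip=$1
    # Reject anything that is not digits and dots (also avoids glob expansion below).
    case $ip in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Accept durations in the form cscli uses, e.g. 24h, 30m, 1h30m.
valid_duration() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]+[hms])+$'
}

# Return 0 if the JSON read from stdin contains a decision whose "value"
# is exactly the given IP (dots are escaped so they match literally).
decision_active_for_ip() {
    pattern=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "\"value\"[[:space:]]*:[[:space:]]*\"${pattern}\""
}

# Validate, check for an existing decision, then add the ban.
ban_ip() {
    ip=$1
    duration=${2:-24h}
    reason=${3:-manual ban}
    valid_ipv4 "$ip" || { echo "ban_ip: invalid IPv4 address: $ip" >&2; return 2; }
    valid_duration "$duration" || { echo "ban_ip: invalid duration: $duration" >&2; return 2; }
    if "$CSCLI" decisions list -o json | decision_active_for_ip "$ip"; then
        echo "ban_ip: $ip already has an active decision, nothing to do" >&2
        return 0
    fi
    "$CSCLI" decisions add --ip "$ip" --duration "$duration" --reason "$reason"
}

# Constructed sample of "cscli decisions list -o json" output (shape assumed).
SAMPLE_DECISIONS='[{"id":1,"scenario":"crowdsecurity/ssh-slow-bf","decisions":[{"type":"ban","value":"1.2.3.4","duration":"3h59m","origin":"crowdsec"}]}]'

# Exercise the pure-shell checks against the constructed sample.
printf '%s' "$SAMPLE_DECISIONS" | decision_active_for_ip 1.2.3.4 && echo "1.2.3.4: active decision"
printf '%s' "$SAMPLE_DECISIONS" | decision_active_for_ip 1.2.3.40 || echo "1.2.3.40: no active decision"

# Only talk to a real instance when cscli is installed, e.g.:
#   ban_ip 1.2.3.4 24h "web bruteforce"
command -v "$CSCLI" >/dev/null 2>&1 || echo "cscli not found; skipping live ban_ip call" >&2
```

The duplicate check matters because cscli happily stacks several manual decisions for the same IP, which makes later "cscli decisions delete" runs and alert reviews harder to read; the validation keeps typos such as a missing octet or a "24d" duration from reaching the Local API.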

See also