CrowdSec Installation: Collaborative Security
CrowdSec is a modern, collaborative intrusion detection and prevention system designed specifically for web servers and online services. Unlike traditional IDS solutions, CrowdSec leverages crowdsourced threat intelligence, allowing users to share and receive threat information from a global community. This guide walks you through installing CrowdSec on your Linux server, configuring security scenarios, deploying bouncers for Nginx and iptables, accessing the console, and integrating community blocklists for enhanced protection.
Table of Contents
- System Requirements
- Installation
- Configuration Basics
- Security Scenarios
- Installing and Configuring Bouncers
- Nginx Bouncer
- iptables Bouncer
- CrowdSec Console
- Community Blocklists
- Managing Decisions
- Advanced Features
- Conclusion
System Requirements
CrowdSec requires minimal resources and runs efficiently on VPS and bare-metal servers. Ensure your system meets these prerequisites:
- Linux kernel 4.15 or newer
- At least 512 MB RAM (1 GB recommended)
- 100 MB disk space for application and logs
- systemd for service management
- Internet connectivity for threat intelligence sharing
Supported distributions include Ubuntu 18.04+, Debian 10+, CentOS 7+, and other modern Linux distributions. Verify your system version:
lsb_release -a
uname -r
free -h
df -h /
Installation
Begin by installing CrowdSec from the official package repositories. The installation process is streamlined for most distributions.
For Ubuntu and Debian:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get update
sudo apt-get install -y crowdsec
For CentOS and RHEL:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
sudo yum install -y crowdsec
For Fedora:
sudo dnf install -y crowdsec
After installation, enable and start the CrowdSec service:
sudo systemctl enable crowdsec
sudo systemctl start crowdsec
sudo systemctl status crowdsec
Verify the installation by checking the version:
sudo crowdsec -version
The installation creates several key directories. Examine the configuration structure:
ls -la /etc/crowdsec/
ls -la /var/lib/crowdsec/
ls -la /var/log/crowdsec/
Configuration Basics
CrowdSec's primary configuration file is located at /etc/crowdsec/config.yaml. This file controls logging, database settings, API configuration, and plugin behavior. Let's examine and modify the default configuration:
sudo cat /etc/crowdsec/config.yaml
The default configuration typically includes support for Linux log monitoring. Ensure your config specifies the correct log sources. Edit the configuration file to add custom data sources if needed:
sudo nano /etc/crowdsec/config.yaml
Key configuration sections include:
- common: Shared settings such as the log level and configuration paths
- crowdsec_service: Core engine settings (acquisition path, number of parser and bucket routines)
- cscli: Command-line client configuration
- db_config: Database backend selection (SQLite by default)
- api: Local API server settings used for bouncer communication
Test your configuration for syntax errors (the -t flag loads the configuration and exits without starting the engine):
sudo crowdsec -t
View real-time logs to monitor CrowdSec activity:
sudo tail -f /var/log/crowdsec/crowdsec.log
Security Scenarios
Scenarios are rule files that detect malicious behavior patterns. CrowdSec comes with default scenarios covering common attacks like SSH brute force, HTTP probing, and SQL injection attempts. List installed scenarios:
sudo cscli scenarios list
Install additional scenarios from the hub. Common recommended scenarios include:
sudo cscli scenarios install crowdsecurity/http-cve-2021-41773
sudo cscli scenarios install crowdsecurity/ssh-bf
sudo cscli scenarios install crowdsecurity/http-generic-log4shell
Installing a scenario from the hub enables it; there is no separate enable step. Confirm what is active and whether any hub item is outdated or locally modified (shown as tainted):
sudo cscli hub list
View detailed information about a specific scenario:
sudo cscli scenarios inspect crowdsecurity/ssh-bf
Restart CrowdSec to apply scenario changes:
sudo systemctl restart crowdsec
Create a custom scenario for your specific needs. Scenarios are written in YAML and use expr filters against the parsed event fields. Create a new scenario file:
sudo nano /etc/crowdsec/scenarios/custom-attack.yaml
Example custom scenario content (http_verb and http_path are set by the hub's HTTP parsers such as crowdsecurity/nginx-logs; leakspeed is the rate at which one event drains from the bucket, and the remediation label is what lets bouncers act on the resulting alert):
type: leaky
name: custom/http-api-flood
description: "Detect excessive POST requests to /api from a single source"
filter: "evt.Meta.service == 'http' && evt.Meta.http_verb == 'POST' && evt.Meta.http_path startsWith '/api'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10m
blackhole: 1m
labels:
  service: http
  type: flood
  remediation: true
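To see how capacity and leakspeed interact, here is an added Python simulation of that scenario's leaky bucket over constructed nginx access-log lines. It is not CrowdSec code (the real engine parses logs with hub parsers and evaluates expr filters) and only approximates the bucket semantics; the log lines and addresses are constructed.

```python
# Added example: approximate the leaky-bucket scenario in plain Python (not CrowdSec code).
import re
from datetime import datetime, timedelta, timezone

CAPACITY = 5                       # scenario "capacity"
LEAKSPEED = timedelta(minutes=10)  # scenario "leakspeed": one event drains every 10 minutes
# Combined log format: source IP, timestamp, and the request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<path>\S+) ')

def parse_line(line):
    # Return (timestamp, ip, verb, path) for an access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["ip"], m["verb"], m["path"]

def matches_filter(verb, path):
    # Mirror of the scenario filter: POST requests whose path starts with /api.
    return verb == "POST" and path.startswith("/api")

def run_scenario(lines):
    """Pour matching events into one bucket per source IP; return IPs whose bucket overflowed."""
    buckets = {}  # source_ip -> (fill level, time of last event)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, verb, path = parsed
        if not matches_filter(verb, path):
            continue
        level, last = buckets.get(ip, (0.0, ts))
        level = max(0.0, level - (ts - last) / LEAKSPEED) + 1  # drain since last event, then pour
        if level > CAPACITY:       # the (capacity + 1)-th event within the window overflows
            alerts.append(ip)
            level = 0.0            # blackhole: start a fresh bucket after the alert
        buckets[ip] = (level, ts)
    return alerts

def make_line(ip, ts, verb, path):
    # Build a constructed access-log line in combined format.
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{verb} {path} HTTP/1.1" 200 12 "-" "curl/8.0"'

T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # six POSTs to /api/login within six seconds: the sixth overflows a capacity-5 bucket
    [make_line("203.0.113.10", T0 + timedelta(seconds=i), "POST", "/api/login") for i in range(6)]
    # six POSTs fifteen minutes apart: each drains before the next arrives, so no alert
    + [make_line("198.51.100.7", T0 + timedelta(minutes=15 * i), "POST", "/api/login") for i in range(6)]
    # a burst of GETs never matches the filter, however fast it arrives
    + [make_line("192.0.2.44", T0 + timedelta(seconds=i), "GET", "/api/status") for i in range(20)]
)
```

Calling run_scenario(SAMPLE_LOG) returns ['203.0.113.10']: only the fast burst overflows, while the slow poster stays under capacity and the GET burst is filtered out before reaching any bucket.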
Installing and Configuring Bouncers
Bouncers are enforcement tools that block malicious IPs detected by CrowdSec. They sit between CrowdSec's local API and the actual enforcement mechanism (firewall, reverse proxy, etc.). Install the bouncer packages:
For Ubuntu/Debian:
sudo apt-get install -y crowdsec-firewall-bouncer
sudo apt-get install -y crowdsec-nginx-bouncer
For CentOS/RHEL:
sudo yum install -y crowdsec-firewall-bouncer
sudo yum install -y crowdsec-nginx-bouncer
List available bouncers:
sudo cscli bouncers list
Each bouncer requires registration with CrowdSec before operation. Generate an API token for each bouncer:
sudo cscli bouncers add crowdsec-firewall-bouncer
This creates a unique token that the bouncer uses to communicate with CrowdSec. Store this token securely as it's needed for bouncer configuration.
Nginx Bouncer
The Nginx bouncer integrates directly with Nginx to block malicious requests before they reach your application. First, make sure Nginx is installed:
sudo apt-get install -y nginx
Configure the Nginx bouncer by editing its configuration file:
sudo nano /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
Set your bouncer token and the local CrowdSec API endpoint (in stream mode the bouncer polls the API for new and expired decisions every UPDATE_FREQUENCY seconds):
API_URL=http://127.0.0.1:8080
API_KEY=your_bouncer_api_key_here
MODE=stream
UPDATE_FREQUENCY=10
The Nginx bouncer is a Lua module that runs inside the Nginx worker processes (it requires lua-nginx-module or OpenResty) and checks every request against the decisions it has fetched from CrowdSec. The package installs /etc/nginx/conf.d/crowdsec_nginx.conf, so make sure the http block of your main configuration still includes that directory:
sudo nano /etc/nginx/nginx.conf
Inside the http block:
include /etc/nginx/conf.d/*.conf;
No bouncer directive is needed in individual server blocks: the access-phase hook defined in crowdsec_nginx.conf applies to every server, so an ordinary reverse-proxy block is enough:
server {
    listen 80;
    server_name example.com;
    location / {
        proxy_pass http://backend;
    }
}
Test the Nginx configuration:
sudo nginx -t
Reload Nginx to apply changes:
sudo systemctl reload nginx
The bouncer has no service of its own: it is active as soon as Nginx has been reloaded with the configuration above. Confirm that it is registered with the local API:
sudo cscli bouncers list
Monitor bouncer activity through the Nginx error log, where the Lua module writes its messages:
sudo tail -f /var/log/nginx/error.log
iptables Bouncer
The firewall bouncer provides kernel-level protection by managing iptables (or nftables) rules to block malicious IP addresses. Install it if not already present:
sudo apt-get install -y crowdsec-firewall-bouncer
Configure the firewall bouncer:
sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
Key configuration options (the bouncer supports both iptables and nftables; set mode accordingly):
mode: iptables
update_frequency: 10s
api_url: http://127.0.0.1:8080/
api_key: your_firewall_bouncer_token
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists
iptables_chains:
  - INPUT
  - FORWARD
Trusted addresses are not excluded here: a bouncer only enforces decisions, so addresses that must never be banned are declared in a CrowdSec whitelist parser instead.
Enable and start the firewall bouncer:
sudo systemctl enable crowdsec-firewall-bouncer
sudo systemctl start crowdsec-firewall-bouncer
In iptables mode the bouncer keeps banned addresses in an ipset and inserts a single rule referencing that set into each configured chain. View the rule and the set contents:
sudo iptables -L INPUT -n
sudo ipset list crowdsec-blacklists
No iptables-save step is needed for persistence: the bouncer recreates its ipset and rules every time it starts, and a saved rule set that references the ipset would fail to restore at boot before the bouncer has created it.
Monitor firewall bouncer logs:
sudo tail -f /var/log/crowdsec-firewall-bouncer.log
Test the bouncer by adding a manual decision against a documentation address (192.0.2.0/24 is reserved for examples and never routed):
sudo cscli decisions add --ip 192.0.2.1 --duration 5m --type ban
Verify the IP appears in the bouncer's ipset:
sudo ipset list crowdsec-blacklists | grep 192.0.2.1
Remove the test decision:
sudo cscli decisions delete --ip 192.0.2.1
CrowdSec Console
The CrowdSec Console provides a centralized dashboard for managing alerts, viewing statistics, and configuring advanced threat intelligence sharing. Register for a free console account at https://app.crowdsec.net.
After registration, create an enrollment key in the console and link your server with it:
sudo cscli console enroll <enrollment-key>
The server then appears in the console as a pending enrollment. Accept it in the browser and restart the crowdsec service (as shown earlier) so the engine picks up its console credentials; the console connection is then established.
The decisions the console displays for this server can also be listed locally:
sudo cscli decisions list
The console displays real-time alerts from your server, historical statistics, and community threat intelligence. Check which sharing options (manual decisions, tainted and custom scenarios, alert context) are enabled for this server:
sudo cscli console status
Review console settings in the configuration file:
sudo nano /etc/crowdsec/console.yaml
Community Blocklists
CrowdSec distributes a community blocklist of IPs reported by the whole network; an engine that is registered with the Central API pulls it automatically, and additional curated blocklists are subscribed from the console once the server is enrolled. Check that the Central API connection is working:
sudo cscli capi status
Hub items (parsers, scenarios, collections) are updated separately. Refresh the hub index and upgrade the installed items:
sudo cscli hub update
sudo cscli hub upgrade
Pulls from the Central API run automatically on a fixed interval, and the decisions they bring in are stored in the local database configured in config.yaml:
sudo nano /etc/crowdsec/config.yaml
db_config:
  type: sqlite
  db_path: /var/lib/crowdsec/data/crowdsec.db
View engine metrics, including active decisions broken down by origin (local scenarios, CAPI, blocklists):
sudo cscli metrics
Managing Decisions
Decisions are CrowdSec's mechanism for recording a remediation (ban or captcha) against an IP, a range or another scope for a set duration. View all active decisions:
sudo cscli decisions list
Manually add a decision to block an IP:
sudo cscli decisions add --ip 203.0.113.45 --duration 48h --type ban --reason "Manual block for malicious activity"
Block an entire subnet (ranges use --range rather than --ip):
sudo cscli decisions add --range 203.0.113.0/24 --duration 7d --type ban --reason "Subnet block"
Whitelisting is not done with a decision: addresses that must never be banned are declared in a whitelist parser (a YAML file under /etc/crowdsec/parsers/s02-enrich/), which discards their events before any scenario sees them. Before whitelisting an address, check whether it is currently banned:
sudo cscli decisions list --ip 198.51.100.5
Delete a specific decision:
sudo cscli decisions delete --ip 203.0.113.45
Export decisions to JSON format:
sudo cscli decisions list -o json > decisions.json
Import decisions from a file (the input is a JSON or CSV list of decisions, not the alert export above; see cscli decisions import --help for the accepted fields):
sudo cscli decisions import -i decisions.json
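Before importing or adding bans in bulk it is worth checking that none of them covers an address that must stay reachable. As an added example (not part of this guide's tooling), the following Python reads an export in the shape produced by cscli decisions list -o json and reports which protected addresses are covered by an active ban, including bans on a whole range; the export structure (alerts carrying a decisions array with scope Ip or Range) and all addresses are constructed to match that output and are assumptions.

```python
# Added example: find ban decisions in a `cscli decisions list -o json` export that
# cover addresses which must stay reachable. Not CrowdSec code; the export shape is assumed.
import ipaddress
import json

# Constructed sample export: a list of alerts, each carrying the decisions it produced.
# Only the fields this script reads are included.
SAMPLE_EXPORT = json.dumps([
    {"scenario": "manual 'ban' from 'localhost'",
     "decisions": [{"id": 1, "type": "ban", "scope": "Ip", "value": "203.0.113.45"}]},
    {"scenario": "manual 'ban' from 'localhost'",
     "decisions": [{"id": 2, "type": "ban", "scope": "Range", "value": "203.0.113.0/24"}]},
    {"scenario": "crowdsecurity/ssh-bf",
     "decisions": [{"id": 3, "type": "captcha", "scope": "Ip", "value": "198.51.100.77"}]},
])

def iter_decisions(export_json):
    """Flatten the alert list into (scenario, decision) pairs."""
    for alert in json.loads(export_json):
        for decision in alert.get("decisions", []):
            yield alert.get("scenario", ""), decision

def covering_bans(export_json, protected):
    """Map each protected address to the ban decisions that apply to it.

    Both scopes are handled: an Ip decision is treated as a single-host network,
    a Range decision as the network it names; non-ban types (captcha) are ignored.
    """
    hits = {}
    for scenario, d in iter_decisions(export_json):
        if d.get("type") != "ban" or d.get("scope") not in ("Ip", "Range"):
            continue
        net = ipaddress.ip_network(d["value"], strict=False)
        for addr in protected:
            if ipaddress.ip_address(addr) in net:
                hits.setdefault(addr, []).append((d["id"], scenario, d["value"]))
    return hits

# Constructed list of addresses that must never be blocked on this host.
PROTECTED = ["203.0.113.45", "203.0.113.9", "198.51.100.77", "192.0.2.1"]
```

covering_bans(SAMPLE_EXPORT, PROTECTED) reports 203.0.113.45 twice (its own ban and the /24 range) and 203.0.113.9 once (range only), while the captcha on 198.51.100.77 is not counted as a ban.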
Advanced Features
CrowdSec supports various advanced configurations for enterprise deployments. Enable remote logging to send alerts to external SIEM systems:
sudo nano /etc/crowdsec/config.yaml
Notification plugins (for example the http plugin used for webhooks) are configured under /etc/crowdsec/notifications/ and attached to alerts through /etc/crowdsec/profiles.yaml; the api section of config.yaml only controls where the local API listens:
api:
  server:
    listen_uri: 127.0.0.1:8080
Mutual TLS authentication between bouncers and the local API is configured in the tls block of that same api.server section, not through a cscli flag.
List the notification plugins that are configured and the profiles that use them:
sudo cscli notifications list
Configure horizontal scaling by running several CrowdSec log-processor instances against one shared local API. Use a centralized database for that API:
sudo nano /etc/crowdsec/config.yaml
Change database backend to remote MySQL/PostgreSQL for shared state across instances.
Conclusion
CrowdSec provides a powerful, community-driven approach to intrusion detection and prevention. By following this guide, you've learned to install CrowdSec, configure security scenarios, deploy bouncers at the Nginx and firewall levels, leverage the community console, and implement blocklists for collaborative threat protection. The modular architecture allows you to scale protections as needed, from simple HTTP protection with Nginx bouncers to comprehensive network-level blocking with firewall bouncers. Regular maintenance includes updating scenarios, monitoring alert volumes, and reviewing false positives in the console. As threats evolve, CrowdSec's community-driven approach ensures your defenses remain current with minimal manual intervention.