Why you need CrowdSec

What is CrowdSec

This is going to be a multiple part series, as I want to be able to give it the detail it deserves, so be sure to check back regularly.

With everything going on in the world, cyber security is a big concern for massive corporations and organizations. It is also a concern for someone like me who self-hosts a lot, and I do mean a lot, of services that are exposed to the Big Scary World. So I started researching options to secure my services without investing money at this time. This led me to CrowdSec, a self-hostable IPS (Intrusion Prevention System). It can be set up to ingest the logs from many of my services and notice things such as HTTP probing, HTTP bad user agents, HTTP backdoors, and even CVE exploits. I am looking at you, Log4j. Here is a snippet of what my instance has blocked since I stood it up about a week ago.

Yikes

Please take the time to go read the CrowdSec website and dive even deeper.


Installing CrowdSec:

For all my services I use Docker and docker-compose. Side note - I plan to cover that setup at a later date. To do this I copied the basic docker-compose config from the CrowdSec GitHub repo and tweaked it to my needs.

services:
  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    environment:
      - GID=${PGID}
      # space-separated list of hub collections to install on start
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors LePresidente/authelia
    volumes:
      # CrowdSec state that must survive a container rebuild (rw)
      - ${USERDIR}/docker/crowdsec/config:/etc/crowdsec:rw
      - ${USERDIR}/docker/crowdsec/data:/var/lib/crowdsec/data:rw
      # logs CrowdSec only needs to read (ro)
      - ${USERDIR}/docker/authelia:/var/log/authelia:ro
      - ${USERDIR}/docker/letsencrypt/log/nginx:/var/log/swag:ro
      - /var/log:/var/log/host:ro
    security_opt:
      - no-new-privileges=true

Let's break that out to make it easier to understand.

Config Options:

image - is the image we want to use. As you can see, I am pulling their latest image.

container_name - is whatever you want to call it. I prefer to call my containers what they are.

restart - determines how the container comes back up if there is an issue. I set all my containers to unless-stopped, which means they restart automatically unless I have explicitly stopped them.

Environment Variables:

GID: I set this to match the host Docker group ID. I have this saved on the host in an environment file that I can reference for all my containers.

Collections: this is the heart of CrowdSec. Here is where we define everything we want it to watch for. As you can see, I had it pull down the information needed to watch my SWAG container (NGINX), Authelia, HTTP CVEs, and the good-actors whitelist.

Volume Mappings:

- ${USERDIR}/docker/crowdsec/config:/etc/crowdsec:rw
Here I am saying that CrowdSec can read and write its config folder on the host. This also lets us remove and restart the container without having to redefine everything every time.

- ${USERDIR}/docker/crowdsec/data:/var/lib/crowdsec/data:rw
Similar to the one before. We are allowing the container to write the CrowdSec data to the host. (This will become even more important in another post.)

- ${USERDIR}/docker/authelia:/var/log/authelia:ro
We are allowing CrowdSec read-only access to the Authelia logs so it can scan them for brute force and other types of attacks.

- ${USERDIR}/docker/letsencrypt/log/nginx:/var/log/swag:ro
We are allowing CrowdSec read-only access to the NGINX logs so it can scan them for brute force and other types of attacks.

- /var/log:/var/log/host:ro
We are allowing CrowdSec read-only access to the host logs so it can scan them for brute force and other types of attacks.

Security_Opt:

no-new-privileges=true:
This is a newer thing I have started using on my containers. It tells the kernel that no process in the container may gain more privileges than its parent had, so neither the application nor someone who compromises it can use setuid binaries or file capabilities to climb from the container's user to root, which is the usual first step toward the host.
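To tie the config options, volume mappings and security_opt together, here is a small audit script I have added for this post; it is not part of the original compose file or of CrowdSec itself. It holds a constructed copy of the service definition above as a plain dict (so no YAML library is needed), parses each volume mapping, and reports anything that drifts from the hardening points just described: only the config and data directories are writable, every log mount is read-only, no-new-privileges is set, and each COLLECTIONS entry is in author/name form. The WRITABLE_OK set and the finding messages are my own choices.

```python
"""Audit a CrowdSec docker-compose service for the hardening points in this post.

Added example, not the post's or CrowdSec's own code. Standard library only.
"""
from dataclasses import dataclass

# Constructed copy of the compose service shown above, as a dict.
CROWDSEC_SERVICE = {
    "image": "docker.io/crowdsecurity/crowdsec:latest",
    "container_name": "crowdsec",
    "restart": "unless-stopped",
    "environment": [
        "GID=${PGID}",
        "COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve "
        "crowdsecurity/whitelist-good-actors LePresidente/authelia",
    ],
    "volumes": [
        "${USERDIR}/docker/crowdsec/config:/etc/crowdsec:rw",
        "${USERDIR}/docker/crowdsec/data:/var/lib/crowdsec/data:rw",
        "${USERDIR}/docker/authelia:/var/log/authelia:ro",
        "${USERDIR}/docker/letsencrypt/log/nginx:/var/log/swag:ro",
        "/var/log:/var/log/host:ro",
    ],
    "security_opt": ["no-new-privileges=true"],
}

# Container paths CrowdSec legitimately writes (config + state); my assumption
# is that every other bind mount is a log source and should be read-only.
WRITABLE_OK = {"/etc/crowdsec", "/var/lib/crowdsec/data"}


@dataclass
class Mount:
    host: str
    container: str
    mode: str  # "ro" or "rw"


def parse_mount(spec: str) -> Mount:
    """Parse compose short syntax 'host:container[:mode]'.

    Compose defaults a missing mode to rw, which is why the audit treats
    an omitted mode on a log directory as a finding.
    """
    parts = spec.split(":")
    if len(parts) == 2:
        host, container = parts
        mode = "rw"
    elif len(parts) == 3:
        host, container, mode = parts
    else:
        raise ValueError(f"unrecognised volume spec: {spec!r}")
    if mode not in ("ro", "rw"):
        raise ValueError(f"unknown mount mode {mode!r} in {spec!r}")
    return Mount(host, container, mode)


def parse_environment(env: list[str]) -> dict[str, str]:
    """Turn ['KEY=value', ...] into a dict, splitting on the first '=' only."""
    return dict(item.split("=", 1) for item in env)


def collections(service: dict) -> list[str]:
    """COLLECTIONS is a space-separated list of hub items (author/name)."""
    raw = parse_environment(service.get("environment", [])).get("COLLECTIONS", "")
    return raw.split()


def audit(service: dict) -> list[str]:
    """Return findings; an empty list means the service matches the post's hardening."""
    findings = []
    for spec in service.get("volumes", []):
        m = parse_mount(spec)
        if m.mode == "rw" and m.container not in WRITABLE_OK:
            findings.append(f"{spec}: mounted rw, but CrowdSec only needs to read it")
    if "no-new-privileges=true" not in service.get("security_opt", []):
        findings.append("security_opt lacks no-new-privileges=true")
    for item in collections(service):
        if item.count("/") != 1:
            findings.append(f"collection {item!r} is not in author/name form")
    return findings


if __name__ == "__main__":
    for line in audit(CROWDSEC_SERVICE) or ["no findings: config matches the post"]:
        print(line)
```

Running it against the service as written prints no findings; drop the `:ro` from the host log mount or delete the security_opt block and it tells you exactly which line to fix.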

That is my understanding; if I am wrong, please create an account and let me know in the comments in a constructive way.


Well, that is it for this post. By making the needed changes to your Docker environment, modifying the host-side paths on the left of each volume mapping, you should be able to get CrowdSec up and running.

Before you do that though I would wait until I am done with the series as I will be making changes to this config to allow the nice chart you saw above and showing you some other tweaks to make your life easier.