SelfHostCorner

MediaCowboy
MediaCowboy

Posted on • Originally published at mediacowboy.tech on

Why you need CrowdSec

What is CrowdSec

Why you need CrowdSec

This is going to be a multiple part series as I want to be able to give it the detail it deserves, so be sure to check back regular.

With everything going on in the world Cyber Security is a big concern for massive corporations and organizations. As someone who self-host a lot, and I do mean a lot, of services that I have exposed to the Big Scary World. So, I started researching into options to secure my services without investing money at this time. This led me to CrowdSec, a self-hostable IPS (Intrusion Prevention System). It can be setup to ingest the logs from many of my services to notice such things as HTTP-Probing, HTTP Bad User Agent, HTTP backdoors, to even CVE exploits. I am looking at you Log4j. Here is a snippet of what my instance has blocked since I stood it up about a week ago.

Why you need CrowdSec
Yikes

Please take the time to go read the CrowdSecwebsite and dive even deeper.


Installing CrowdSec:

For all my services I use docker and docker-compose. Side note - I plan to cover that setup at a later date. To do this I copied the basic docker-compose config from CrowdSec GitHub repo and tweaked it to my need's.

  crowdsec:
    image: docker.io/crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    environment:
      - GID=${PGID}
      - COLLECTIONS=crowdsecurity/nginx crowdsecurity/http-cve crowdsecurity/whitelist-good-actors LePresidente/authelia
    volumes:
      - ${USERDIR}/docker/crowdsec/config:/etc/crowdsec:rw
      - ${USERDIR}/docker/crowdsec/data:/var/lib/crowdsec/data:rw
      - ${USERDIR}/docker/authelia:/var/log/authelia:ro
      - ${USERDIR}/docker/letsencrypt/log/nginx:/var/log/swag:ro
      - /var/log:/var/log/host:ro      
    security_opt:
      - no-new-privileges=true
Enter fullscreen mode Exit fullscreen mode

Let's break that out to make it easier to understand.

Config Options:

image - is the image we want to use. As you can see, I am pulling their latest image.

container_name - is whatever you want to call it. I perfer to call my containers what they are.

restart - will determine how the container comes back up if there is an issue. I set all my containers to do unless-stopped. Which means they auto restart.

Environment Variables:

GID : I set this to match the host Docker Group ID. I have this saved on the host as in an environment file that I can reference for all my containers.

Collections : this is the heart of CrowdSec. Here is where we define everything, we want it to watch for. As you can see I had it pull down the need information to be able to watch my SWAG container (NGINX), Authelia, HTTP-CVEs, and Good Actor's.

Volume Mappings:

${USERDIR}/docker/crowdsec/config:/etc/crowdsec:rw -

This one I am saying the CrowdSec can read and write to it's config folder on the host. Also us to remove and restart the container without having to redefine everything every time.

- ${USERDIR}/docker/crowdsec/data:/var/lib/crowdsec/data:rw

Similiar thing as before. We are allowing the container to be able to write the CrowdSec data to the host. (This will become even more important in another post)

- ${USERDIR}/docker/authelia:/var/log/authelia:ro

We are along CrowdSec access to Authelia logs for it to scan for Brute Force and other type attacks.

- ${USERDIR}/docker/letsencrypt/log/nginx:/var/log/swag:ro

We are along CrowdSec access to the NGINX logs for it to scan for Brute Force and other type attacks.

- /var/log:/var/log/host:ro

We are along CrowdSec access to the host logs for it to scan for Brute Force and other type attacks.

Security_Opt:

no-new-privileges=true:

this is a newer thing I have started using on my container's. This prevents someone or the application from being able to change the user permissions in the container to that of something granting them root access to the host.

My understanding and if I am wrong, please create an account and let me know in a constructive way in the comments.


Well, that is it for this post. By making the needed changes to your docker environment, modifying everything on the left, you should be able to get CrowdSec up and running.

Before you do that though I would wait until I am done with the series as I will be making changes to this config to allow the nice chart you saw above and showing you some other tweaks to make your life easier.

Top comments (3)

Collapse
 
alex profile image
Alex • Edited on

Finally, this is the series i've been waiting for! 👏 @justsky @perronedotdev

Collapse
 
justsky profile image
JustSKY

Image description

Collapse
 
perronedotdev profile image
perronedotdev

I dig it! Thanks for sharing.