Crowdsec
Documentation
Installing CrowdSec
# Add the repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
To re-run the configuration wizard:
/usr/share/crowdsec/wizard.sh -c
For configuration, use the file /etc/crowdsec/config.yaml.local (it overrides config.yaml without being overwritten on upgrade). For example, to disable the Prometheus agent:
#
# doc:
# https://docs.crowdsec.net/docs/configuration/crowdsec_configuration
#
common:
  log_level: info
prometheus:
  enabled: false
db_config:
  use_wal: true
CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers
sudo apt install crowdsec-firewall-bouncer-iptables
Apply the changes
sudo systemctl restart crowdsec
Testing the blocking
Run this request several times, from a machine that may safely be blocked:
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
Then check on the www.site.fr machine that the IP has indeed been banned:
sudo cscli decisions list
Some commands
To see the banned IPs (or other decisions):
sudo cscli decisions list
Unban an IP
sudo cscli decisions delete --ip x.x.x.x
# delete all decisions
sudo cscli decisions delete --all
See the banned IPs in the firewall
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13800  933K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
$ sudo ipset list crowdsec-blacklists
68.178.149.158 timeout 598324
114.242.150.197 timeout 598322
$ sudo ipset list crowdsec6-blacklists
2001:470:1:c84::15 timeout 490300
2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
List the collections
sudo cscli collections list
Updating the scenarios
sudo cscli hub update
sudo cscli hub upgrade
Tips & tricks
Vocabulary
- capacity: the number of events the bucket holds before it overflows.
- leakspeed: a duration that represents how often one event leaks out of the bucket.
- blackhole: A duration for which a bucket will be “silenced” after overflowing. This is intended to limit / avoid spam of buckets that might be very rapidly triggered. The blackhole only applies to the individual bucket.
WordPress
Three WordPress scenarios are shipped with CrowdSec:
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml
type: leaky
name: crowdsecurity/http-bf-wordpress_bf
description: "detect wordpress bruteforce"
debug: false
# failed auth on wp-login.php returns 200
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml
type: leaky
name: crowdsecurity/http-wordpress_user-enum
description: "detect wordpress probing : authors enumeration"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.http_args
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml
type: leaky
name: crowdsecurity/http-wordpress_wpconfig
description: "detect wordpress probing : variations around wp-config.php by wpscan"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.file_name
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
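As an added illustration (not from the original page nor from CrowdSec's own code), here is a simplified Python model of the leaky bucket described under Vocabulary, using the capacity, leakspeed and blackhole values of the http-bf-wordpress_bf scenario: it replays constructed access-log lines and reports which source IP would overflow. The log parser, the sample IPs and the discrete per-period leak are assumptions of this example; CrowdSec's real buckets leak continuously and feed on their own parsers.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Parameters copied from the http-bf-wordpress_bf scenario above.
CAPACITY = 5                       # events held before the bucket overflows
LEAKSPEED = timedelta(seconds=10)  # one event leaks out every 10 s
BLACKHOLE = timedelta(minutes=5)   # bucket stays silent 5 min after an overflow
# Minimal combined-log parser, constructed for this example (not CrowdSec's own).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    return m and {"source_ip": m["ip"], "verb": m["verb"], "http_status": m["status"],
                  "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                  "file_name": m["path"].split("?")[0].rsplit("/", 1)[-1]}

def matches_filter(evt):
    # Same condition as the scenario filter: a POST to wp-login.php answered with 200.
    return evt["file_name"] == "wp-login.php" and evt["verb"] == "POST" and evt["http_status"] == "200"
@dataclass
class Bucket:
    tokens: int = 0
    last_leak: datetime = None
    silenced_until: datetime = None

def run_scenario(lines):
    """One leaky bucket per source_ip (lines chronological per IP); returns (time, ip) overflows."""
    buckets, alerts = {}, []
    for evt in filter(None, map(parse_line, lines)):
        if not matches_filter(evt):
            continue
        b, now = buckets.setdefault(evt["source_ip"], Bucket()), evt["ts"]
        if b.silenced_until and now < b.silenced_until:
            continue                                   # blackhole: overflow already reported
        b.last_leak = b.last_leak or now
        leaked = int((now - b.last_leak) / LEAKSPEED)  # whole leak periods elapsed
        b.tokens, b.last_leak = max(0, b.tokens - leaked), b.last_leak + leaked * LEAKSPEED
        b.tokens += 1
        if b.tokens > CAPACITY:                        # 6th event inside the window
            alerts.append((now, evt["source_ip"]))
            b.tokens, b.silenced_until = 0, now + BLACKHOLE
    return alerts

def sample_log():
    """Constructed log: a fast brute-forcer, a slow one kept under leakspeed, and a 302 to ignore."""
    t0 = datetime(2023, 5, 8, 19, 0, tzinfo=timezone(timedelta(hours=2)))
    post = lambda ip, t, s=200: f'{ip} - - [{t:%d/%b/%Y:%H:%M:%S %z}] "POST /wp-login.php HTTP/1.1" {s} 3412'
    return ([post("203.0.113.7", t0 + timedelta(seconds=i)) for i in range(8)]
            + [post("198.51.100.9", t0 + timedelta(seconds=10 * i)) for i in range(8)]
            + [post("192.0.2.44", t0, 302)])
```

Running run_scenario(sample_log()) yields a single overflow for 203.0.113.7 at the sixth POST; the slow source never exceeds one token because each event leaks before the next arrives.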
informatique/securite/crowdsec.txt · Last modified: 08/05/2023 19:26 by cyrille