Table des matières
Crowdsec
Documentation
“Average Malevolent Duration (In Days) of Most Reported AS” page 11 sur CrowdSec Majority Report
Installer crowdsec
# Ajouter le dépôt curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash sudo apt install crowdsec
Pour relancer la configuration :
/usr/share/crowdsec/wizard.sh -c
pour la configuration utiliser le fichier /etc/crowdsec/config.yaml.local. Par exemple désactiver l'agent Prometheus.
# # doc: # https://docs.crowdsec.net/docs/configuration/crowdsec_configuration # common: log_level: info prometheus: enabled: false db_config: use_wal: true
CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers
sudo apt install crowdsec-firewall-bouncer-iptables
Appliquer les changements
sudo systemctl restart crowdsec
Tester le blocage
Exécuter plusieurs fois cette requête, depuis une machine qui peut être bloquée :
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
Puis vérifier sur la machine www.site.fr que l'IP est bien bannie
sudo cscli decisions list
Alternatives
Aukfood vous guide pour automatiser l'installation de Crowdsec avec Ansible.
Quelques commandes
Pour voir les IP bannies (ou autres décisions):
sudo cscli decisions list
Débloquer une IP
sudo cscli decisions delete --ip x.x.x.x # supprimer toutes les décisions sudo cscli decisions delete --all
Voir dans le Firewall les IP bannies
$ sudo iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 13800 933K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set crowdsec-blacklists src $ sudo ipset list crowdsec-blacklists 68.178.149.158 timeout 598324 114.242.150.197 timeout 598322 $ sudo ipset list crowdsec6-blacklists 2001:470:1:c84::15 timeout 490300 2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
Lister les collections
sudo cscli collections list
Mise à jour des scénarios
sudo cscli hub update sudo cscli hub upgrade
Tips & tricks
Vocabulaire
- capacity: the number of events in the bucket before it overflows.
- leakspeed: A duration that represent how often an event will be leaking from the bucket.
- blackhole: A duration for which a bucket will be “silenced” after overflowing. This is intended to limit / avoid spam of buckets that might be very rapidly triggered. The blackhole only applies to the individual bucket.
Wordpress
3 scenarios Wordpress sont fournis avec Crowdsec:
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml type: leaky name: crowdsecurity/http-bf-wordpress_bf description: "detect wordpress bruteforce" debug: false # failed auth on wp-login.php returns 200 filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'" groupby: evt.Meta.source_ip capacity: 5 leakspeed: 10s blackhole: 5m labels: service: http type: bruteforce remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml type: leaky name: crowdsecurity/http-wordpress_user-enum description: "detect wordpress probing : authors enumeration" debug: false filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='" groupby: evt.Meta.source_ip distinct: evt.Parsed.http_args capacity: 5 leakspeed: "10s" blackhole: 5m labels: service: http type: bruteforce remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml type: leaky name: crowdsecurity/http-wordpress_wpconfig description: "detect wordpress probing : variations around wp-config.php by wpscan" debug: false filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'" groupby: evt.Meta.source_ip distinct: evt.Parsed.file_name capacity: 5 leakspeed: "10s" blackhole: 5m labels: service: http type: bruteforce remediation: true