====== Crowdsec ======
===== Documentation =====
* [[https://docs.crowdsec.net/docs/configuration/crowdsec_configuration|crowdsec_configuration]]
* [[https://docs.crowdsec.net/docs/scenarios|scenarios]]
* [[https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/|Decisions management]]
"Average Malevolent Duration (In Days) of Most Reported AS" page 11 sur [[https://majorityreport.crowdsec.net/hubfs/CrowdSec_Majority_Report.pdf|CrowdSec Majority Report]]
===== Installing CrowdSec =====
* https://docs.crowdsec.net/docs/getting_started/install_crowdsec
<code bash>
# Add the repository (read the script before piping it into a root shell)
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
</code>
To re-run the configuration wizard: ''/usr/share/crowdsec/wizard.sh -c''
For configuration, use the file ''/etc/crowdsec/config.yaml.local'': its keys are merged over ''config.yaml'' and survive package upgrades. For example, to disable the [[/informatique/system_admin/Prometheus|Prometheus]] metrics exporter:
<code yaml>
#
# doc:
# https://docs.crowdsec.net/docs/configuration/crowdsec_configuration
#
common:
  log_level: info
prometheus:
  enabled: false
db_config:
  use_wal: true
</code>
CrowdSec alone will not block any IP address: the agent only produces decisions. To enforce them you need a bouncer; the list is at https://hub.crowdsec.net/browse/#bouncers. For a host that uses iptables:
<code bash>
sudo apt install crowdsec-firewall-bouncer-iptables
</code>
Apply the changes (the bouncer runs as its own service, ''crowdsec-firewall-bouncer'', and pulls decisions from the local API):
<code bash>
sudo systemctl restart crowdsec
</code>
Test the blocking
Run this request several times, **from a machine that you can afford to get banned** (a scanner User-Agent like this one is matched by the hub's bad user agent scenario, so the HTTP collection for your web server must be installed; ''sudo cscli scenarios list'' shows what is loaded):
<code bash>
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
</code>
Then, on the www.site.fr machine, check that the IP has been banned (''sudo cscli alerts list'' shows which scenario fired):
<code bash>
sudo cscli decisions list
</code>
==== Alternatives ====
Aukfood walks you through [[https://www.aukfood.fr/automatiser-linstallation-et-la-configuration-de-crowdsec-avec-ansible/|automating the installation of CrowdSec]] with [[/informatique/ansible|Ansible]].
===== A few commands =====
To see banned IPs (or other decisions):
<code bash>
sudo cscli decisions list
</code>
Unban an IP:
<code bash>
sudo cscli decisions delete --ip x.x.x.x
# delete all decisions
sudo cscli decisions delete --all
</code>
See the banned IPs in the firewall (the bouncer feeds two ipsets, ''crowdsec-blacklists'' for IPv4 and ''crowdsec6-blacklists'' for IPv6; the IPv6 rule lives in ''ip6tables''):
<code>
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13800  933K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src

$ sudo ipset list crowdsec-blacklists
68.178.149.158 timeout 598324
114.242.150.197 timeout 598322

$ sudo ipset list crowdsec6-blacklists
2001:470:1:c84::15 timeout 490300
2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
</code>
List the collections:
<code bash>
sudo cscli collections list
</code>
Update the scenarios (then ''sudo systemctl reload crowdsec'' so the new versions are loaded):
<code bash>
sudo cscli hub update
sudo cscli hub upgrade
</code>
===== Scenario =====
[[https://docs.crowdsec.net/docs/scenarios/format/|Scenario format]]:
* **capacity**: the number of events the bucket holds before it overflows; the event that pushes it past capacity triggers the alert.
* **leakspeed**: a duration that represents how often one event leaks out of the bucket.
* **blackhole**: a duration for which a bucket is "silenced" after overflowing, to limit / avoid spamming alerts from buckets that can be re-triggered very rapidly. The blackhole only applies to the individual bucket.
With capacity 5 and leakspeed 10s, a burst of six matching events within a couple of seconds overflows the bucket, while one event every 15s never does, because each one leaks out before the next arrives.
==== Wordpress ====
* https://www.it-connect.fr/comment-proteger-son-site-wordpress-avec-crowdsec/
* https://docs.crowdsec.net/docs/bouncers/wordpress
Three WordPress scenarios ship with CrowdSec (installed by the hub under ''/etc/crowdsec/scenarios/''):
<code yaml>
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml
type: leaky
name: crowdsecurity/http-bf-wordpress_bf
description: "detect wordpress bruteforce"
debug: false
# failed auth on wp-login.php returns 200
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
</code>
<code yaml>
# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml
type: leaky
name: crowdsecurity/http-wordpress_user-enum
description: "detect wordpress probing : authors enumeration"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.http_args
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
</code>
<code yaml>
# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml
type: leaky
name: crowdsecurity/http-wordpress_wpconfig
description: "detect wordpress probing : variations around wp-config.php by wpscan"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.file_name
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
</code>
==== No Wordpress Here ====
On a server without WordPress, any request for WordPress files is a probe, so a custom scenario can ban on far fewer hits than the shipped ones. Drop it in ''/etc/crowdsec/scenarios/cyrille37-http-no-wordpress-here.yml'', reload crowdsec, and check it against real traffic with ''sudo cscli explain --file /path/to/access.log --type nginx'' (adjust the type to your web server):
<code yaml>
type: leaky
format: 2.0
name: cyrille37/http-no-wordpress-here
description: "Detect attempt to access Wordpress files on machine without Wordpress running"
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and (evt.Meta.http_path contains "wp-login" or evt.Meta.http_path contains "wp-content")'
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: 5s
blackhole: 5m
labels:
  service: http
  type: discovery
  remediation: true
</code>
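To see how capacity, leakspeed, blackhole, groupby and distinct (the scenario format fields above) play out on the shipped WordPress scenarios and on this custom one, here is an added example in Python; it is a small leaky-bucket model, not CrowdSec's own engine. The scenario parameters are copied from the YAML above; the event fields, IPs and timestamps are constructed, and the filters are Python lambdas standing in for the expr strings.

```python
"""Leaky-bucket model of CrowdSec scenario semantics (added example, not CrowdSec's own code).
Filters are Python predicates standing in for expr strings, timestamps are seconds, and the
leak is continuous, which simplifies the real engine."""
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Scenario:
    name: str
    filter: Callable[[dict], bool]
    capacity: int
    leakspeed: float                # seconds for one event to leak out
    blackhole: float                # seconds the bucket stays silent after an overflow
    distinct: Optional[str] = None  # event key whose value must be new to count

@dataclass
class Bucket:
    level: float = 0.0              # events currently held
    last_ts: float = 0.0
    seen: set = field(default_factory=set)
    blackholed_until: float = -1.0

class Engine:
    """One bucket per (scenario, source_ip), i.e. groupby evt.Meta.source_ip."""
    def __init__(self, scenarios: list):
        self.scenarios = scenarios
        self.buckets: dict = {}
        self.alerts: list = []

    def feed(self, evt: dict) -> list:
        fired = []
        for sc in self.scenarios:
            if not sc.filter(evt):
                continue
            ts = evt["ts"]
            b = self.buckets.setdefault((sc.name, evt["source_ip"]), Bucket(last_ts=ts))
            if ts < b.blackholed_until:
                continue                        # silenced: no new overflow
            b.level = max(0.0, b.level - (ts - b.last_ts) / sc.leakspeed)  # drain since last event
            b.last_ts = ts
            if sc.distinct:
                if evt[sc.distinct] in b.seen:
                    continue                    # a repeated value does not fill the bucket
                b.seen.add(evt[sc.distinct])
            b.level += 1
            if b.level > sc.capacity:           # the (capacity+1)-th event overflows
                fired.append({"scenario": sc.name, "source_ip": evt["source_ip"], "ts": ts})
                b.level, b.blackholed_until = 0.0, ts + sc.blackhole
                b.seen.clear()
        self.alerts.extend(fired)
        return fired

# Parameters copied from the scenario files above; the lambdas mirror their filter strings.
WP_BF = Scenario("crowdsecurity/http-bf-wordpress_bf",
                 lambda e: e["log_type"] == "http_access-log" and e["file_name"] == "wp-login.php"
                 and e["verb"] == "POST" and e["http_status"] == "200",
                 capacity=5, leakspeed=10, blackhole=300)
USER_ENUM = Scenario("crowdsecurity/http-wordpress_user-enum",
                     lambda e: e["log_type"] == "http_access-log" and "AUTHOR=" in e["http_args"].upper(),
                     capacity=5, leakspeed=10, blackhole=300, distinct="http_args")
NO_WP = Scenario("cyrille37/http-no-wordpress-here",
                 lambda e: e["log_type"] in ("http_access-log", "http_error-log")
                 and ("wp-login" in e["http_path"] or "wp-content" in e["http_path"]),
                 capacity=2, leakspeed=5, blackhole=300)

def mk(ts, ip, path, verb="GET", status="200", args="", log_type="http_access-log"):
    """Constructed parsed event; keys mirror the evt.Meta / evt.Parsed fields the filters use."""
    return {"ts": ts, "source_ip": ip, "log_type": log_type, "http_path": path, "http_args": args,
            "file_name": path.rsplit("/", 1)[-1], "verb": verb, "http_status": status}

def run_wp_bruteforce():
    """Six POSTs in six seconds overflow on the sixth; the 5 min blackhole swallows twenty more."""
    eng, fired_at = Engine([WP_BF]), []
    for i in range(6):
        fired_at += [a["ts"] for a in eng.feed(mk(i, "203.0.113.5", "/wp-login.php", "POST"))]
    for i in range(6, 46, 2):
        eng.feed(mk(i, "203.0.113.5", "/wp-login.php", "POST"))
    return fired_at, len(eng.alerts)

def run_slow_bruteforce():
    """One POST every 15 s never overflows: each event leaks out before the next arrives."""
    eng = Engine([WP_BF])
    for i in range(0, 150, 15):
        eng.feed(mk(i, "203.0.113.7", "/wp-login.php", "POST"))
    return len(eng.alerts)

def run_user_enum():
    """distinct: ten hits on ?author=1 count once, six different author ids overflow."""
    eng = Engine([USER_ENUM])
    for i in range(10):
        eng.feed(mk(i * 0.1, "192.0.2.4", "/", args="author=1"))
    after_repeats = len(eng.alerts)
    for i in range(11, 17):
        eng.feed(mk(10 + i * 0.1, "192.0.2.4", "/", args=f"author={i}"))
    return after_repeats, len(eng.alerts)

def run_no_wordpress():
    """Three GET 404 probes for wp-* in two seconds: the custom scenario fires, the bf one does not."""
    eng = Engine([WP_BF, NO_WP])
    for i, path in enumerate(["/wp-login.php", "/wp-content/plugins/x/y.php", "/wp-login.php"]):
        eng.feed(mk(i, "198.51.100.9", path, status="404"))
    return [a["scenario"] for a in eng.alerts]
```

Each ''run_*'' function returns what ''cscli alerts list'' would show for that traffic pattern. The slow brute force (one attempt every 15 s) never trips capacity 5 / leakspeed 10s: that is the gap a short leakspeed leaves open, and why low-and-slow attempts need a scenario with a longer leakspeed rather than a bigger capacity.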
===== Technical =====
==== Local API ====
Adding a ''decision'' through the API is not that simple: decisions are not created directly, they are pushed as part of an alert (''POST /v1/alerts'') by an authenticated machine. From the shell, ''sudo cscli decisions add --ip x.x.x.x --duration 4h --reason "..."'' does this for you.
Documentation:
* https://crowdsecurity.github.io/api_doc/lapi/#/watchers/pushAlerts
* [[https://www.crowdsec.net/blog/introduction-to-the-local-api|Introduction to the local API]]
* partial implementation: https://github.com/crowdsecurity/php-lapi-client
Questions:
* https://discourse.crowdsec.net/t/php-lapi-client-missing-api-verbs/1846
* https://discourse.crowdsec.net/t/ban-ips-via-api/1679/5
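The flow the pushAlerts documentation above describes, as an added example in Python (not the php-lapi-client and not CrowdSec's own code): log in as a machine to get a JWT, then push an alert that carries the ban decision. Assumptions: the machine is registered and validated on the LAPI (''cscli machines list''), the URL/login/password placeholders are replaced by the values from ''/etc/crowdsec/local_api_credentials.yaml'', and the scenario name ''manual/lapi-ban'' is arbitrary. The alert field set follows the LAPI swagger as I read it; check it against the linked page if the server rejects the body.

```python
"""Push a ban decision to the CrowdSec Local API (added example, not the project's own client).
A registered machine logs in, gets a JWT, and POSTs an alert carrying the decision.
Standard library only; credentials come from /etc/crowdsec/local_api_credentials.yaml."""
import json
import urllib.request
from datetime import datetime, timezone


def build_alert(ip: str, duration: str, reason: str, scenario: str = "manual/lapi-ban") -> dict:
    """Alert body with one ban decision, shaped as pushAlerts expects it.
    Field set follows the LAPI swagger linked above; the scenario name is an assumption."""
    now = datetime.now(timezone.utc).replace(microsecond=0).isoformat()  # RFC 3339 timestamp
    return {
        "scenario": scenario,
        "scenario_hash": "",
        "scenario_version": "",
        "message": reason,
        "events_count": 1,
        "start_at": now,
        "stop_at": now,
        "capacity": 0,
        "leakspeed": "0",
        "simulated": False,
        "source": {"scope": "ip", "value": ip, "ip": ip},
        "events": [],
        "decisions": [{
            "origin": "cscli",        # same origin `cscli decisions add` uses
            "scenario": scenario,
            "scope": "ip",
            "value": ip,
            "type": "ban",
            "duration": duration,     # Go duration syntax: 4h, 30m, ...
        }],
    }


def _post(url: str, path: str, body, token: str = None):
    """JSON POST helper; adds the Bearer token once we have one."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url.rstrip("/") + path, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def lapi_login(url: str, machine_id: str, password: str) -> str:
    """POST /v1/watchers/login -> JWT used as Bearer token for the other calls."""
    return _post(url, "/v1/watchers/login", {"machine_id": machine_id, "password": password})["token"]


def push_alert(url: str, token: str, alert: dict) -> list:
    """POST /v1/alerts takes a list of alerts and returns the created alert IDs."""
    return _post(url, "/v1/alerts", [alert], token)


if __name__ == "__main__":
    # Placeholders: take url / login / password from local_api_credentials.yaml.
    LAPI_URL, MACHINE_ID, PASSWORD = "http://127.0.0.1:8080", "my-machine", "secret"
    token = lapi_login(LAPI_URL, MACHINE_ID, PASSWORD)
    print(push_alert(LAPI_URL, token, build_alert("203.0.113.5", "4h", "manual ban via LAPI")))
```

After a successful push the decision shows up in ''sudo cscli decisions list'' with origin ''cscli'' and the bouncer picks it up on its next poll; the JWT expires, so a long-running client must log in again when it gets a 401.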