====== Crowdsec ======

===== Documentation =====

  * [[https://docs.crowdsec.net/docs/configuration/crowdsec_configuration|crowdsec_configuration]]
  * [[https://docs.crowdsec.net/docs/scenarios|scenarios]]
  * [[https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/|Decisions management]]

"Average Malevolent Duration (In Days) of Most Reported AS" page 11 sur [[https://majorityreport.crowdsec.net/hubfs/CrowdSec_Majority_Report.pdf|CrowdSec Majority Report]]

===== Installer crowdsec =====

  * https://docs.crowdsec.net/docs/getting_started/install_crowdsec

<code bash>
# Ajouter le dépôt
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash 
sudo apt install crowdsec
</code>

Pour relancer la configuration : <code>/usr/share/crowdsec/wizard.sh -c</code>

pour la configuration utiliser le fichier ''/etc/crowdsec/config.yaml.local''. Par exemple désactiver l'agent [[/informatique/system_admin/Prometheus|Prometheus]].
<code yaml>
#
# doc:
# https://docs.crowdsec.net/docs/configuration/crowdsec_configuration
#
common:
  log_level: info
prometheus:
  enabled: false
db_config:
  use_wal: true
</code>

CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers

<code bash>
sudo apt install crowdsec-firewall-bouncer-iptables
</code>

Appliquer les changements
<code bash>
sudo systemctl restart crowdsec
</code>

Tester le blocage

Exécuter plusieurs fois cette requête, **depuis une machine qui peut être bloquée** :
<code bash>
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
</code>
Puis vérifier sur la machine www.site.fr que l'IP est bien bannie
<code bash>
sudo cscli decisions list
</code>

==== Alternatives ====

Aukfood vous guide pour [[https://www.aukfood.fr/automatiser-linstallation-et-la-configuration-de-crowdsec-avec-ansible/|automatiser l'installation de Crowdsec]] avec [[/informatique/ansible|Ansible]].

===== Quelques commandes =====

Pour voir les IP bannies (ou autres décisions):
<code bash>
sudo cscli decisions list
</code>

Débloquer une IP
<code bash>
sudo cscli decisions delete --ip x.x.x.x

# supprimer toutes les décisions
sudo cscli decisions delete --all
</code>

Voir dans le Firewall les IP bannies 

<code bash>
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in out source     destination         
13800  933K DROP    all  --  *  *   0.0.0.0/0  0.0.0.0/0   match-set crowdsec-blacklists src

$ sudo ipset list crowdsec-blacklists
68.178.149.158 timeout 598324
114.242.150.197 timeout 598322

$ sudo ipset list crowdsec6-blacklists
2001:470:1:c84::15 timeout 490300
2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
</code>

Lister les collections
<code bash>
sudo cscli collections list
</code>

Mise à jour des scénarios
<code bash>
sudo cscli hub update
sudo cscli hub upgrade
</code>


===== Tips & tricks =====

==== Vocabulaire ====

[[https://docs.crowdsec.net/docs/scenarios/format/|Scenario format]]:
  * **capacity**: the number of events in the bucket before it overflows.
  * **leakspeed**: A duration that represent how often an event will be leaking from the bucket.
  * **blackhole**: A duration for which a bucket will be "silenced" after overflowing. This is intended to limit / avoid spam of buckets that might be very rapidly triggered. The blackhole only applies to the individual bucket.


==== Wordpress ====

  * https://www.it-connect.fr/comment-proteger-son-site-wordpress-avec-crowdsec/
  * https://docs.crowdsec.net/docs/bouncers/wordpress

3 scenarios Wordpress sont fournis avec Crowdsec:
<code>
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml
type: leaky
name: crowdsecurity/http-bf-wordpress_bf
description: "detect wordpress bruteforce"
debug: false
# failed auth on wp-login.php returns 200
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 5m
labels:
 service: http
 type: bruteforce
 remediation: true
</code>
<code>
# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml
type: leaky
name: crowdsecurity/http-wordpress_user-enum
description: "detect wordpress probing : authors enumeration"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.http_args
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
 service: http
 type: bruteforce
 remediation: true
</code>

<code>
# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml
type: leaky
name: crowdsecurity/http-wordpress_wpconfig
description: "detect wordpress probing : variations around wp-config.php by wpscan"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.file_name
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
 service: http
 type: bruteforce
 remediation: true
</code>