“Average Malevolent Duration (In Days) of Most Reported AS”, page 11 of the CrowdSec Majority Report
    # Add the repository
    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    sudo apt install crowdsec

To rerun the configuration wizard:
/usr/share/crowdsec/wizard.sh -c
For configuration, use the file /etc/crowdsec/config.yaml.local. For example, to disable the Prometheus agent:

    #
    # doc:
    #   https://docs.crowdsec.net/docs/configuration/crowdsec_configuration
    #
    common:
      log_level: info
    prometheus:
      enabled: false
    db_config:
      use_wal: true
CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers
sudo apt install crowdsec-firewall-bouncer-iptables
Apply the changes
sudo systemctl restart crowdsec
Test the blocking

Run this request several times, from a machine that can safely be blocked:
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
Then check on the www.site.fr machine that the IP has indeed been banned:
sudo cscli decisions list
Aukfood guides you through automating the CrowdSec installation with Ansible.
To see banned IPs (or other decisions):
sudo cscli decisions list
Unban an IP

    sudo cscli decisions delete --ip x.x.x.x
    # delete all decisions
    sudo cscli decisions delete --all
View the banned IPs in the firewall

    $ sudo iptables -L -n -v
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    13800  933K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
    $ sudo ipset list crowdsec-blacklists
    68.178.149.158 timeout 598324
    114.242.150.197 timeout 598322
    $ sudo ipset list crowdsec6-blacklists
    2001:470:1:c84::15 timeout 490300
    2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
List the collections
sudo cscli collections list
Update the scenarios

    sudo cscli hub update
    sudo cscli hub upgrade
Three WordPress scenarios are shipped with CrowdSec:

    # cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml
    type: leaky
    name: crowdsecurity/http-bf-wordpress_bf
    description: "detect wordpress bruteforce"
    debug: false
    # failed auth on wp-login.php returns 200
    filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
    groupby: evt.Meta.source_ip
    capacity: 5
    leakspeed: 10s
    blackhole: 5m
    labels:
      service: http
      type: bruteforce
      remediation: true

    # cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml
    type: leaky
    name: crowdsecurity/http-wordpress_user-enum
    description: "detect wordpress probing : authors enumeration"
    debug: false
    filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
    groupby: evt.Meta.source_ip
    distinct: evt.Parsed.http_args
    capacity: 5
    leakspeed: "10s"
    blackhole: 5m
    labels:
      service: http
      type: bruteforce
      remediation: true

    # cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml
    type: leaky
    name: crowdsecurity/http-wordpress_wpconfig
    description: "detect wordpress probing : variations around wp-config.php by wpscan"
    debug: false
    filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
    groupby: evt.Meta.source_ip
    distinct: evt.Parsed.file_name
    capacity: 5
    leakspeed: "10s"
    blackhole: 5m
    labels:
      service: http
      type: bruteforce
      remediation: true
On a server without WordPress
/etc/crowdsec/scenarios/cyrille37-http-no-wordpress-here.yml
    type: leaky
    format: 2.0
    name: cyrille37/http-no-wordpress-here
    description: "Detect attempt to access Wordpress files on machine without Wordpress running"
    filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and (evt.Meta.http_path contains "wp-login" or evt.Meta.http_path contains "wp-content")'
    groupby: "evt.Meta.source_ip"
    capacity: 2
    leakspeed: 5s
    blackhole: 5m
    labels:
      service: http
      type: discovery
      remediation: true
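To see how the `capacity`, `leakspeed` and `blackhole` fields of these leaky scenarios interact, here is an added Python model (not CrowdSec's own code) that replays constructed access-log events through the thresholds of `crowdsecurity/http-bf-wordpress_bf`. The `LeakyScenario` class, the flat event dict fields and the timings are assumptions, and the leak arithmetic is a simplification of CrowdSec's bucket implementation.

```python
# Simplified model of a CrowdSec "leaky" scenario (added example, not CrowdSec's
# own code). Matching events fill a per-source bucket of `capacity` tokens, one
# token leaks every `leakspeed` seconds, and an overflow raises an alert and then
# silences that source for `blackhole` seconds. All sample events are constructed.
from dataclasses import dataclass, field
@dataclass
class LeakyScenario:
    match: object       # callable(evt) -> bool, stands in for the YAML `filter`
    capacity: int       # events the bucket holds before it overflows
    leakspeed: float    # seconds for one token to leak away
    blackhole: float    # seconds during which an overflowed source is ignored
    buckets: dict = field(default_factory=dict)

    def feed(self, t: float, evt: dict):
        """Feed one event at time t (seconds); return the overflowing source_ip or None."""
        if not self.match(evt):
            return None
        ip = evt["source_ip"]
        b = self.buckets.setdefault(ip, {"tokens": 0.0, "last": t, "blackhole_until": -1.0})
        if t < b["blackhole_until"]:
            return None                          # inside the blackhole: event dropped
        b["tokens"] = max(0.0, b["tokens"] - (t - b["last"]) / self.leakspeed) + 1  # leak, then add one
        b["last"] = t
        if b["tokens"] > self.capacity:          # more events than the bucket can hold
            b["tokens"], b["blackhole_until"] = 0.0, t + self.blackhole
            return ip
        return None

# The crowdsecurity/http-bf-wordpress_bf filter, rewritten as Python over a flat event dict.
def wp_login_post_200(evt: dict) -> bool:
    return (evt["log_type"] == "http_access-log" and evt["file_name"] == "wp-login.php"
            and evt["verb"] == "POST" and evt["http_status"] == "200")

def login_post(ip: str, status: str = "200") -> dict:
    return {"log_type": "http_access-log", "file_name": "wp-login.php",
            "verb": "POST", "http_status": status, "source_ip": ip}

def run_wordpress_bf(events: list) -> list:
    sc = LeakyScenario(wp_login_post_200, capacity=5, leakspeed=10.0, blackhole=300.0)
    return [(t, ip) for t, evt in events if (ip := sc.feed(t, evt))]

# Constructed sample: 198.51.100.7 posts six times in 6 s, keeps posting inside the 5-minute
# blackhole, then returns; 203.0.113.5 posts once a minute; 192.0.2.9 only gets 302s (ignored).
SAMPLE = sorted(
    [(float(i), login_post("198.51.100.7")) for i in range(6)]
    + [(10.0 + i, login_post("198.51.100.7")) for i in range(20)]
    + [(400.0 + i, login_post("198.51.100.7")) for i in range(6)]
    + [(60.0 * i, login_post("203.0.113.5")) for i in range(10)]
    + [(float(i), login_post("192.0.2.9", "302")) for i in range(10)],
    key=lambda e: e[0])
```

Running `run_wordpress_bf(SAMPLE)` yields one overflow at t=5 s (the sixth POST) and a second one at t=405 s, once the 5-minute blackhole has expired; the slow source and the 302 responses never fill the bucket.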
Adding a decision via the API is not that simple.
Documentation:
Questions: