Table of contents
Crowdsec
Documentation
“Average Malevolent Duration (In Days) of Most Reported AS”, page 11 of the CrowdSec Majority Report
Install crowdsec
# Add the repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec
To re-run the configuration wizard:
/usr/share/crowdsec/wizard.sh -c
For configuration, use the file /etc/crowdsec/config.yaml.local. For example, to disable the Prometheus agent:
#
# doc:
# https://docs.crowdsec.net/docs/configuration/crowdsec_configuration
#
common:
  log_level: info
prometheus:
  enabled: false
db_config:
  use_wal: true
CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers
sudo apt install crowdsec-firewall-bouncer-iptables
Apply the changes
sudo systemctl restart crowdsec
Test the blocking
Run this request several times, from a machine that may safely be blocked:
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
Then check on the www.site.fr machine that the IP is indeed banned:
sudo cscli decisions list
Alternatives
Aukfood has a guide to automating the CrowdSec installation with Ansible.
Some commands
To see banned IPs (or other decisions):
sudo cscli decisions list
Unban an IP
sudo cscli decisions delete --ip x.x.x.x
# delete all decisions
sudo cscli decisions delete --all
See the banned IPs in the firewall
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
13800  933K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
$ sudo ipset list crowdsec-blacklists
68.178.149.158 timeout 598324
114.242.150.197 timeout 598322
$ sudo ipset list crowdsec6-blacklists
2001:470:1:c84::15 timeout 490300
2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
List the collections
sudo cscli collections list
Update the scenarios
sudo cscli hub update
sudo cscli hub upgrade
Scenario
- capacity: the number of events in the bucket before it overflows.
- leakspeed: A duration that represents how often one event leaks out of the bucket.
- blackhole: A duration for which a bucket will be “silenced” after overflowing. This is intended to limit / avoid spam of buckets that might be very rapidly triggered. The blackhole only applies to the individual bucket.
Wordpress
3 WordPress scenarios ship with CrowdSec:
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml
type: leaky
name: crowdsecurity/http-bf-wordpress_bf
description: "detect wordpress bruteforce"
debug: false
# failed auth on wp-login.php returns 200
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 10s
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true

# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml
type: leaky
name: crowdsecurity/http-wordpress_user-enum
description: "detect wordpress probing : authors enumeration"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.http_args
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true

# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml
type: leaky
name: crowdsecurity/http-wordpress_wpconfig
description: "detect wordpress probing : variations around wp-config.php by wpscan"
debug: false
filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'"
groupby: evt.Meta.source_ip
distinct: evt.Parsed.file_name
capacity: 5
leakspeed: "10s"
blackhole: 5m
labels:
  service: http
  type: bruteforce
  remediation: true
No Wordpress Here
On a server without WordPress
/etc/crowdsec/scenarios/cyrille37-http-no-wordpress-here.yml
type: leaky
format: 2.0
name: cyrille37/http-no-wordpress-here
description: "Detect attempt to access Wordpress files on machine without Wordpress running"
filter: 'evt.Meta.log_type in ["http_access-log", "http_error-log"] and (evt.Meta.http_path contains "wp-login" or evt.Meta.http_path contains "wp-content")'
groupby: "evt.Meta.source_ip"
capacity: 2
leakspeed: 5s
blackhole: 5m
labels:
  service: http
  type: discovery
  remediation: true
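To see how capacity, leakspeed and blackhole from the Scenario section interact, here is an added Python simulation (not CrowdSec code and not part of this page) that replays constructed log events through the no-wordpress-here scenario above. It assumes a simplified bucket: a continuous drain of one event per leakspeed, and a bucket that empties when it overflows.

```python
from dataclasses import dataclass
# Parameters taken from the cyrille37/http-no-wordpress-here scenario above.
CAPACITY, LEAKSPEED, BLACKHOLE = 2, 5.0, 300.0  # events, seconds, seconds

def matches(evt):
    # Python rendering of the scenario's filter expression.
    return (evt["log_type"] in ("http_access-log", "http_error-log")
            and ("wp-login" in evt["http_path"] or "wp-content" in evt["http_path"]))

@dataclass
class Bucket:
    # Simplified leaky bucket (assumption: one event drains every LEAKSPEED seconds).
    level: float = 0.0           # events currently held
    last_ts: float = 0.0         # time of the previous push
    silenced_until: float = 0.0  # end of the current blackhole window

    def push(self, ts):
        # Drain what leaked since the previous event, then add this one.
        self.level = max(0.0, self.level - (ts - self.last_ts) / LEAKSPEED)
        self.last_ts = ts
        self.level += 1
        if self.level <= CAPACITY:
            return False
        self.level = 0.0         # the bucket empties when it overflows
        if ts < self.silenced_until:
            return False         # blackhole: overflow swallowed, no new alert
        self.silenced_until = ts + BLACKHOLE
        return True

def run(events):  # one bucket per source IP (the scenario's groupby)
    buckets, alerts = {}, []
    for evt in filter(matches, events):  # events assumed sorted by ts
        if buckets.setdefault(evt["source_ip"], Bucket()).push(evt["ts"]):
            alerts.append((evt["source_ip"], evt["ts"]))
    return alerts

# Constructed sample: 10.0.0.5 probes WordPress paths in bursts, 192.0.2.8 is a slow visitor.
SAMPLE = [dict(ts=ts, source_ip=ip, log_type=lt, http_path=p) for ts, ip, lt, p in [
    (0.0, "10.0.0.5", "http_access-log", "/wp-login.php"),
    (1.0, "10.0.0.5", "http_error-log", "/wp-content/plugins/x.php"),
    (1.0, "192.0.2.8", "http_access-log", "/wp-content/theme.css"),
    (2.0, "10.0.0.5", "http_access-log", "/wp-login.php"),     # 3rd hit in 2 s: overflow
    (3.0, "10.0.0.5", "http_access-log", "/wp-login.php"),
    (4.0, "10.0.0.5", "http_access-log", "/wp-login.php"),
    (5.0, "10.0.0.5", "http_access-log", "/wp-login.php"),     # overflow inside blackhole: silent
    (100.0, "192.0.2.8", "http_access-log", "/wp-login.php"),  # bucket drained long ago: no alert
    (400.0, "10.0.0.5", "http_access-log", "/wp-login.php"),
    (401.0, "10.0.0.5", "http_access-log", "/wp-login.php"),
    (402.0, "10.0.0.5", "http_access-log", "/wp-login.php"),   # blackhole over: second alert
]]
```

`run(SAMPLE)` returns `[('10.0.0.5', 2.0), ('10.0.0.5', 402.0)]`: the burst at t=3..5 is swallowed by the 5m blackhole, and the slow visitor never overflows.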
Technical
Local API
Adding a decision
Adding one through the API is not that simple.
Documentation:
- partial implementation: https://github.com/crowdsecurity/php-lapi-client
Questions: