informatique:securite:crowdsec
Differences
Below are the differences between two revisions of the page.
informatique:securite:crowdsec [29/04/2023 11:56] – [Quelques commandes] cyrille | informatique:securite:crowdsec [06/10/2023 21:56] (current version) – [Alternatives] cyrille
Ligne 1: | Ligne 1: | ||
====== Crowdsec ====== | ====== Crowdsec ====== | ||
+ | |||
+ | ===== Documentation ===== | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | " | ||
===== Installer crowdsec ===== | ===== Installer crowdsec ===== | ||
+ | |||
+ | * https:// | ||
<code bash> | <code bash> | ||
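Review bot: the line holding only a `"` at the end of the new Documentation list (just before `===== Installer crowdsec =====`) reads as an opening quotation mark with no text behind it; either finish the quote it was meant to introduce or drop the line, otherwise it renders as a stray character under the three links.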
Ligne 9: | Ligne 19: | ||
</ | </ | ||
- | pour la configuration utiliser le fichier ''/ | + | Pour relancer la configuration : < |
+ | |||
+ | pour la configuration utiliser le fichier ''/ | ||
<code yaml> | <code yaml> | ||
# | # | ||
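Review bot: the new "Pour relancer la configuration : <...>" line is placed before the sentence that tells the reader which file to edit, and a separate "Appliquer les changements" / `sudo systemctl` step already follows the YAML block, so the page now gives the reload instruction twice with the edit in between; suggest moving the reload command after the YAML block or merging it into the existing "Appliquer les changements" step so the order is edit, then reload.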
Ligne 31: | Ligne 43: | ||
Appliquer les changements | Appliquer les changements | ||
<code bash> | <code bash> | ||
- | sudo systemctl | + | sudo systemctl |
</ | </ | ||
Ligne 44: | Ligne 56: | ||
sudo cscli decisions list | sudo cscli decisions list | ||
</ | </ | ||
+ | |||
+ | ==== Alternatives ==== | ||
+ | |||
+ | Aukfood vous guide pour [[https:// | ||
===== Quelques commandes ===== | ===== Quelques commandes ===== | ||
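Review bot: `==== Alternatives ====` is one level below `===== Installer crowdsec =====`, so it renders as a subsection of the install instructions even though it sits after the `cscli decisions list` check that closes them; if the Aukfood guide is an alternative way to install the same thing, say so in the sentence, and if it is an alternative to CrowdSec itself, promote the heading to `=====` so it is not nested under installation.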
Ligne 55: | Ligne 71: | ||
<code bash> | <code bash> | ||
sudo cscli decisions delete --ip x.x.x.x | sudo cscli decisions delete --ip x.x.x.x | ||
+ | |||
+ | # supprimer toutes les décisions | ||
+ | sudo cscli decisions delete --all | ||
+ | </ | ||
+ | |||
+ | Voir dans le Firewall les IP bannies | ||
+ | |||
+ | <code bash> | ||
+ | $ sudo iptables -L -n -v | ||
+ | Chain INPUT (policy DROP 0 packets, 0 bytes) | ||
+ | pkts bytes target | ||
+ | 13800 933K DROP all -- * * | ||
+ | |||
+ | $ sudo ipset list crowdsec-blacklists | ||
+ | 68.178.149.158 timeout 598324 | ||
+ | 114.242.150.197 timeout 598322 | ||
+ | |||
+ | $ sudo ipset list crowdsec6-blacklists | ||
+ | 2001: | ||
+ | 2a01: | ||
</ | </ | ||
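Review bot: `sudo cscli decisions delete --all` drops every active decision at once, not only the one for a given address as the `--ip x.x.x.x` line above it does; the comment `# supprimer toutes les décisions` should say that every address listed in the `crowdsec-blacklists` and `crowdsec6-blacklists` sets shown below becomes reachable again until the scenarios retrigger, so it is a recovery command rather than a routine one. Minor: the pasted `iptables -L -n -v` header row stops at `pkts bytes target` while the DROP line below it still carries the `prot opt in out` columns, so the header appears cut off.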
Ligne 67: | Ligne 103: | ||
sudo cscli hub upgrade | sudo cscli hub upgrade | ||
</ | </ | ||
+ | |||
===== Tips & tricks ===== | ===== Tips & tricks ===== | ||
+ | |||
+ | ==== Vocabulaire ==== | ||
+ | |||
+ | [[https:// | ||
+ | * **capacity**: | ||
+ | * **leakspeed**: | ||
+ | * **blackhole**: | ||
+ | |||
==== Wordpress ==== | ==== Wordpress ==== | ||
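Review bot: the three vocabulary entries **capacity**, **leakspeed** and **blackhole** each stop right after their colon, so the new Vocabulaire list currently defines nothing; fill them in, since they are the leaky-bucket fields the WordPress scenarios further down set to `capacity: 5`, `leakspeed: 10s` and `blackhole: 5m`: capacity is how many matching events the bucket holds before it overflows and the scenario fires, leakspeed is the rate at which the bucket drains, and blackhole is how long after an overflow the same bucket stays silent before it can fire again.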
Ligne 74: | Ligne 119: | ||
* https:// | * https:// | ||
* https:// | * https:// | ||
+ | |||
+ | 3 scenarios Wordpress sont fournis avec Crowdsec: | ||
+ | < | ||
+ | # cat / | ||
+ | type: leaky | ||
+ | name: crowdsecurity/ | ||
+ | description: | ||
+ | debug: false | ||
+ | # failed auth on wp-login.php returns 200 | ||
+ | filter: " | ||
+ | groupby: evt.Meta.source_ip | ||
+ | capacity: 5 | ||
+ | leakspeed: 10s | ||
+ | blackhole: 5m | ||
+ | labels: | ||
+ | | ||
+ | type: bruteforce | ||
+ | | ||
+ | </ | ||
+ | < | ||
+ | # cat / | ||
+ | type: leaky | ||
+ | name: crowdsecurity/ | ||
+ | description: | ||
+ | debug: false | ||
+ | filter: " | ||
+ | groupby: evt.Meta.source_ip | ||
+ | distinct: evt.Parsed.http_args | ||
+ | capacity: 5 | ||
+ | leakspeed: " | ||
+ | blackhole: 5m | ||
+ | labels: | ||
+ | | ||
+ | type: bruteforce | ||
+ | | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | # cat / | ||
+ | type: leaky | ||
+ | name: crowdsecurity/ | ||
+ | description: | ||
+ | debug: false | ||
+ | filter: " | ||
+ | groupby: evt.Meta.source_ip | ||
+ | distinct: evt.Parsed.file_name | ||
+ | capacity: 5 | ||
+ | leakspeed: " | ||
+ | blackhole: 5m | ||
+ | labels: | ||
+ | | ||
+ | type: bruteforce | ||
+ | | ||
+ | </ | ||
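Review bot: the three scenario files are pasted verbatim from the hub directory (`# cat /...`), and because `sudo cscli hub upgrade` earlier on this page overwrites those files, the wiki copies will drift from what is actually installed; suggest stating the hub version they were copied from or linking the hub pages instead of inlining the full YAML. Minor: the first block is not preceded by a blank line while the third one is, and it writes `leakspeed: 10s` bare where the other two quote the value; both forms are valid YAML but the three copies should be consistent.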
informatique/securite/crowdsec.1682762195.txt.gz · Last modified: 29/04/2023 11:56 by cyrille