Ceci est une ancienne révision du document !
Table des matières
Crowdsec
Documentation
“Average Malevolent Duration (In Days) of Most Reported AS” page 11 sur CrowdSec Majority Report
Installer crowdsec
# Ajouter le dépôt curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash sudo apt install crowdsec
Pour relancer la configuration :
/usr/share/crowdsec/wizard.sh -c
pour la configuration utiliser le fichier /etc/crowdsec/config.yaml.local. Par exemple désactiver l'agent Prometheus.
# # doc: # https://docs.crowdsec.net/docs/configuration/crowdsec_configuration # common: log_level: info prometheus: enabled: false db_config: use_wal: true
CrowdSec alone will not block any IP address. If you want to block them, you must use a bouncer. You can find them on https://hub.crowdsec.net/browse/#bouncers
sudo apt install crowdsec-firewall-bouncer-iptables
Appliquer les changements
sudo systemctl restart crowdsec
Tester le blocage
Exécuter plusieurs fois cette requête, depuis une machine qui peut être bloquée :
curl -I https://www.site.fr -H "User-Agent: OpenVAS"
Puis vérifier sur la machine www.site.fr que l'IP est bien bannie
sudo cscli decisions list
Quelques commandes
Pour voir les IP bannies (ou autres décisions):
sudo cscli decisions list
Débloquer une IP
sudo cscli decisions delete --ip x.x.x.x # supprimer toutes les décisions sudo cscli decisions delete --all
Voir dans le Firewall les IP bannies
$ sudo iptables -L -n -v Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 13800 933K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set crowdsec-blacklists src $ sudo ipset list crowdsec-blacklists 68.178.149.158 timeout 598324 114.242.150.197 timeout 598322 $ sudo ipset list crowdsec6-blacklists 2001:470:1:c84::15 timeout 490300 2a01:7e01::f03c:92ff:fe7a:e887 timeout 281500
Lister les collections
sudo cscli collections list
Mise à jour des scénarios
sudo cscli hub update sudo cscli hub upgrade
Alternatives
Aukfood vous guide pour automatiser l'installation avec Ansible.
Tips & tricks
Vocabulaire
- capacity: the number of events in the bucket before it overflows.
- leakspeed: A duration that represent how often an event will be leaking from the bucket.
- blackhole: A duration for which a bucket will be “silenced” after overflowing. This is intended to limit / avoid spam of buckets that might be very rapidly triggered. The blackhole only applies to the individual bucket.
Wordpress
3 scenarios Wordpress sont fournis avec Crowdsec:
# cat /etc/crowdsec/scenarios/http-bf-wordpress_bf.yaml type: leaky name: crowdsecurity/http-bf-wordpress_bf description: "detect wordpress bruteforce" debug: false # failed auth on wp-login.php returns 200 filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name == 'wp-login.php' && evt.Parsed.verb == 'POST' && evt.Meta.http_status == '200'" groupby: evt.Meta.source_ip capacity: 5 leakspeed: 10s blackhole: 5m labels: service: http type: bruteforce remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_user-enum.yaml type: leaky name: crowdsecurity/http-wordpress_user-enum description: "detect wordpress probing : authors enumeration" debug: false filter: "evt.Meta.log_type == 'http_access-log' && Upper(evt.Parsed.http_args) contains 'AUTHOR='" groupby: evt.Meta.source_ip distinct: evt.Parsed.http_args capacity: 5 leakspeed: "10s" blackhole: 5m labels: service: http type: bruteforce remediation: true
# cat /etc/crowdsec/scenarios/http-wordpress_wpconfig.yaml type: leaky name: crowdsecurity/http-wordpress_wpconfig description: "detect wordpress probing : variations around wp-config.php by wpscan" debug: false filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.file_name contains 'wp-config.php'" groupby: evt.Meta.source_ip distinct: evt.Parsed.file_name capacity: 5 leakspeed: "10s" blackhole: 5m labels: service: http type: bruteforce remediation: true