[NFR] Add CrowdSec as a "Modern" alternative to Fail2ban

Question

[NFR] Add CrowdSec as a "Modern" alternative to Fail2ban

joglomedia opened this issue 3 years ago · comments

Edi Septriyanto commented 3 years ago

Describe the Issue / Bug
Add CrowdSec as replacement alternative to Fail2ban for intrusion detection system

https://crowdsec.net/

Installing CrowdSec

https://doc.crowdsec.net/docs/getting_started/install_crowdsec

Edi Septriyanto · Answer 1 · Sun Mar 20 2022 16:08:14 GMT+0800 (China Standard Time)

Sample installation:

https://opensource.com/article/21/1/crowdsec-rest-api

Edi Septriyanto · Answer 2 · Mon Dec 04 2023 18:39:59 GMT+0800 (China Standard Time)

Enable SQLite WAL

insert the following line in /etc/crowdsec/config.yaml, section db_config:

use_wal: true

Then restart Crowdsec using systemctl restart crowdsec.

https://discourse.crowdsec.net/t/warning-sqlite-without-wal-and-cannot-update-community-blocklist/1042/2

Edi Septriyanto · Answer 3 · Mon Dec 04 2023 18:41:37 GMT+0800 (China Standard Time)

Exclude / whitelist known ISP (ex Indihome)

sudo cscli collections install crowdsecurity/whitelist-good-actors
sudo cscli parsers install crowdsecurity/geoip-enrich
sudo cscli postoverflows install crowdsecurity/rdns

Create new config file

sudo nano /etc/crowdsec/postoverflows/s01-whitelist/isp_indihome_whitelists.yaml

Add below

name: lemper/isp_indihome_whitelists
description: "Whitelist events from known ISP ipv4 addresses"
whitelist:
  reason: "Known ISP ipv4 ranges AS7713 (PT Telekomunikasi Indonesia)"
  expression:
   - evt.Enriched.ASNNumber == "7713"
   - evt.Enriched.ASNNumber == "AS7713"

evt.Enriched.ASNNumber
evt.Enriched.ASNOrg