mirror of https://github.com/tborychowski/self-hosted-cookbook.git
synced 2025-05-12 10:26:20 +00:00

add crowdsec setup

This commit is contained in:
parent ba6bf53c90
commit 47e12b3e66
@ -286,6 +286,7 @@ The aims is to provide a ready-to-run recipes that you can just copy, paste and
- [change-detection](apps/other/change-detection.md)
- [Cockpit](apps/other/cockpit.md)
- [Code server](apps/other/code.md)
- [Crowdsec](apps/other/crowdsec.md)
- [Firefox](apps/other/firefox.md)
- [Firefox sync server](apps/other/firefox-sync.md)
- [LanguageTool server](apps/other/language-tool.md)
150
apps/other/crowdsec.md
Normal file
@ -0,0 +1,150 @@
# Crowdsec

It's basically a self-hosted crowd-based firewall.
Setup is a bit cumbersome but (probably) well worth it :-)

<br>

- [Homepage](https://www.crowdsec.net)
- [Github repo](https://github.com/crowdsecurity/crowdsec)
- [Docker Hub](https://hub.docker.com/r/crowdsecurity/crowdsec)
- [Crowdsec Hub](https://hub.crowdsec.net)
- [Traefik bouncer](https://github.com/fbonalair/traefik-crowdsec-bouncer)
- [Collections](https://hub.crowdsec.net/browse/#collections)



## How does that work
- There are 2 parts of the solution: analyser & bouncer
- Crowdsec container (below) just basically analyses your server logs
- Bouncer container (below) uses the analysis to bounce off the potential attacks

## Local Setup
This describes how to setup crowdsec with traefik bouncer. There are other bouncers you can use (if you don't use traefik).

1. Create 2 files with the following content (`acquis.yml` and `docker-compose.yml`). Remember to update the paths to your logs in `docker-compose.yml`!
2. Start the containers (`docker compose up -d`)
3. Wait a minute or so (until it finishes installing collections), you can follow the logs to see what's going on (`docker compose logs -f`)
4. Add bouncer to the crowdsec instance:
```sh
docker exec crowdsec cscli bouncers add traefik-bouncer
```
5. Copy the API key printed in the command output and paste it back in the `docker-compose.yml` in the bouncer config (`CROWDSEC_BOUNCER_API_KEY`)
6. Restart the containers
7. That's it.

## Online console
Unless you want to have an online console, than do this as well:
1. Register at https://app.crowdsec.net/
2. Enroll your instance, with the API key from there, e.g.:
```sh
docker exec crowdsec cscli console enroll cl8m56qpu00060vlcwgj898z0
```

## Traefik middleware
1. Add traefik middleweare in the dynamic config, e.g.
```toml
[http.middlewares.crowdsec.forwardauth]
address = "http://<server ip>:3300/api/v1/forwardAuth"
```
2. Use this middleware in your services, e.g.
```toml
[http.routers.authelia]
rule ="Host(`login.domain.com`)"
service = "authelia"
tls = { }
middlewares = [ "crowdsec" ]
```


## acquis.yml
```yml
---
filenames:
  - /logs/auth.log
  - /logs/syslog
  - /logs/kern.log
labels:
  type: syslog

---
filenames:
  - /logs/apache2/*.log
  - /logs/*httpd*.log
  - /logs/httpd/*log
labels:
  type: apache2

---
filenames:
  - /logs/nginx/*.log
labels:
  type: nginx

---
filenames:
  - /logs/authelia.log
labels:
  type: authelia

---
filenames:
  - /logs/traefik/*.log
labels:
  type: traefik
```

## docker-compose.yml
```yml
---
services:
  crowdsec:
    image: crowdsecurity/crowdsec
    container_name: crowdsec
    restart: unless-stopped
    environment:
      - GID="${GID-1000}"
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/iptables crowdsecurity/apache2 crowdsecurity/sshd crowdsecurity/traefik LePresidente/authelia crowdsecurity/nginx crowdsecurity/base-http-scenarios
    volumes:
      - /var/log/auth.log:/logs/auth.log:ro
      - /var/log/syslog.log:/logs/syslog.log:ro
      - /var/log/kern.log:/logs/kern.log:ro
      - /var/log/apache:/logs/apache:ro
      - /var/log/httpd:/logs/httpd:ro
      - /var/log/authelia.log:/logs/authelia.log:ro
      - /var/log/traefik/logs:/logs/traefik:ro

      - ./acquis.yml:/etc/crowdsec/acquis.yaml
      - ./data:/var/lib/crowdsec/data/
      - ./config:/etc/crowdsec/

  bouncer:
    image: fbonalair/traefik-crowdsec-bouncer
    container_name: crowdsec-bouncer
    restart: unless-stopped
    environment:
      - PORT=8090
      - CROWDSEC_BOUNCER_API_KEY=changeme
      - CROWDSEC_AGENT_HOST=crowdsec:8080
    ports:
      - 3300:8090
```


## Useful commands

1. List installed items
```sh
docker exec crowdsec cscli scenarios list
docker exec crowdsec cscli collections list
docker exec crowdsec cscli parsers list
```

2. Block/unblock an ip
```sh
docker exec crowdsec cscli decisions add --ip 192.168.1.1
docker exec crowdsec cscli decisions remove --ip 192.168.1.1
docker exec crowdsec cscli decisions list
docker exec crowdsec cscli decisions help # display help on decisions command
docker exec crowdsec cscli decisions add --help # display help on add command
```
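Review bot: the acquisition sources in `acquis.yml` do not match the bind mounts in `docker-compose.yml`, so several of them will never see a file. `acquis.yml` reads `/logs/syslog`, `/logs/apache2/*.log` and `/logs/nginx/*.log`, but the compose file mounts the host syslog at `/logs/syslog.log`, Apache at `/logs/apache`, and mounts nothing under `/logs/nginx`; the host side `/var/log/syslog.log` is also unusual (Debian and Ubuntu write `/var/log/syslog`), and Docker creates an empty directory when the source of a bind mount does not exist. Suggest aligning the mounts with the acquisition paths, e.g. `- /var/log/syslog:/logs/syslog:ro` and `- /var/log/apache2:/logs/apache2:ro`, and either adding an nginx mount or dropping that acquisition block. Two smaller points: the `cscli console enroll cl8m56qpu00060vlcwgj898z0` example looks like a real enrollment key committed to the repo and should be a placeholder such as `<enrollment key>`, matching the `<server ip>` placeholder used in the Traefik section; and in the Online console section "Unless you want to have an online console, than do this" should read "If you want to have an online console, then do this", while "middleweare" in the Traefik section is a typo for "middleware".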