
[NFR] Add CrowdSec as a "Modern" alternative to Fail2ban #119

Open

joglomedia opened this issue Dec 22, 2021 · 3 comments

Labels: new feature request (New feature request / suggestion)

Comments

@joglomedia (Owner)

Describe the Issue / Bug
Add CrowdSec as a replacement alternative to Fail2ban for the intrusion detection system

https://crowdsec.net/

Installing CrowdSec

https://doc.crowdsec.net/docs/getting_started/install_crowdsec

@joglomedia joglomedia self-assigned this Dec 22, 2021
@joglomedia joglomedia added the new feature request New feature request / suggestion label Dec 22, 2021
@joglomedia joglomedia changed the title [NFR] Add CrowdSec as replacement alternative to Fail2ban for intrusion detection system [installer] Add CrowdSec as an alternative to Fail2ban Dec 22, 2021
@joglomedia joglomedia changed the title [installer] Add CrowdSec as an alternative to Fail2ban [installer] Add CrowdSec as a "Modern" alternative to Fail2ban Dec 22, 2021
@joglomedia (Owner, Author)

Sample installation:

https://opensource.com/article/21/1/crowdsec-rest-api

@joglomedia joglomedia changed the title [installer] Add CrowdSec as a "Modern" alternative to Fail2ban [NFR] Add CrowdSec as a "Modern" alternative to Fail2ban Apr 15, 2023
@joglomedia (Owner, Author)

Enable SQLite WAL

Insert the following line in /etc/crowdsec/config.yaml, in the db_config section:

use_wal: true

Then restart CrowdSec using systemctl restart crowdsec.

https://discourse.crowdsec.net/t/warning-sqlite-without-wal-and-cannot-update-community-blocklist/1042/2
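The change above is a one-line edit, but an installer has to apply it without duplicating the key or putting it under the wrong section. The script below is an added example written for this thread, not code from the issue or from LEMPer: it reads the db_config block of a config.yaml, reports whether WAL is already on, and inserts or rewrites use_wal idempotently. It assumes CrowdSec's two-space YAML indentation; the sample config at the bottom is constructed for the demo, not a real CrowdSec file.

```sh
#!/bin/sh
# Added example (not from the issue or LEMPer): idempotently enable
# SQLite WAL in a CrowdSec config.yaml. Assumes two-space indentation
# under the top-level db_config: key, as CrowdSec ships it.
set -eu

# crowdsec_wal_state FILE: prints "true" if use_wal: true is set inside
# the db_config block, otherwise "false" (a use_wal elsewhere does not count).
crowdsec_wal_state() {
  awk '
    /^db_config:/                        { in_db = 1; next }
    in_db && /^[^ \t]/                   { in_db = 0 }           # next top-level key ends the block
    in_db && /^[ \t]+use_wal:[ \t]*true/ { print "true"; found = 1; exit }
    END                                  { if (!found) print "false" }
  ' "$1"
}

# enable_crowdsec_wal FILE: prints "unchanged" if WAL is already enabled,
# "enabled" after rewriting the file. Any existing use_wal line inside
# db_config (e.g. use_wal: false) is dropped, and exactly one
# "use_wal: true" is written directly under db_config:.
enable_crowdsec_wal() {
  cfg="$1"
  if [ "$(crowdsec_wal_state "$cfg")" = "true" ]; then
    echo "unchanged"
    return 0
  fi
  grep -q '^db_config:' "$cfg" || { echo "no db_config section in $cfg" >&2; return 1; }
  tmp="$(mktemp)"
  awk '
    /^db_config:/               { print; print "  use_wal: true"; in_db = 1; next }
    in_db && /^[^ \t]/          { in_db = 0 }
    in_db && /^[ \t]+use_wal:/  { next }                           # remove stale value
    { print }
  ' "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"          # write in place so mode/owner of config.yaml are kept
  rm -f "$tmp"
  [ "$(crowdsec_wal_state "$cfg")" = "true" ] || { echo "failed to enable WAL in $cfg" >&2; return 1; }
  echo "enabled"
}

# Demo on a constructed sample config (not a real CrowdSec file).
demo_cfg="$(mktemp)"
printf '%s\n' 'common:' '  log_level: info' 'db_config:' '  type: sqlite' \
  '  db_path: /var/lib/crowdsec/data/crowdsec.db' '  use_wal: false' \
  'api:' '  server:' '    enable: true' > "$demo_cfg"
enable_crowdsec_wal "$demo_cfg"   # prints: enabled
crowdsec_wal_state "$demo_cfg"    # prints: true
rm -f "$demo_cfg"
```

Run it against /etc/crowdsec/config.yaml as root and follow with the systemctl restart crowdsec from the comment above; the function exits non-zero rather than guessing when the file has no db_config section.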

@joglomedia (Owner, Author)

Exclude / whitelist a known ISP (e.g. Indihome)

sudo cscli collections install crowdsecurity/whitelist-good-actors
sudo cscli parsers install crowdsecurity/geoip-enrich
sudo cscli postoverflows install crowdsecurity/rdns

Create a new config file:

sudo nano /etc/crowdsec/postoverflows/s01-whitelist/isp_indihome_whitelists.yaml

Add the following:

name: lemper/isp_indihome_whitelists
description: "Whitelist events from known ISP ipv4 addresses"
whitelist:
  reason: "Known ISP ipv4 ranges AS7713 (PT Telekomunikasi Indonesia)"
  expression:
    # either form matches, depending on how the enricher populates ASNNumber
    - evt.Enriched.ASNNumber == "7713"
    - evt.Enriched.ASNNumber == "AS7713"

evt.Enriched.ASNNumber
evt.Enriched.ASNOrg
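For an installer, the whitelist above is better generated than hand-edited, so the ASN list can be a setting. The script below is an added example for this thread, not code from the issue or from LEMPer: it writes a postoverflow whitelist in the same layout as the comment above for any number of ASNs, validating each one before touching the output file. It assumes the evt.Enriched.ASNNumber field populated by crowdsecurity/geoip-enrich, emits both spellings the comment uses (bare number and AS-prefixed), and expects a reason string without double quotes. The ASN 64512 in the test is from the private-use range and is constructed, not a real ISP.

```sh
#!/bin/sh
# Added example (not from the issue or LEMPer): generate a CrowdSec
# postoverflow whitelist for one or more ASNs, in the layout of the
# comment above. Assumes evt.Enriched.ASNNumber from geoip-enrich and
# a reason string that contains no double quotes.
set -eu

# write_asn_whitelist OUTFILE NAME REASON ASN [ASN...]
# ASNs may be given as 7713 or AS7713; all are validated before anything is written.
write_asn_whitelist() {
  out="$1"; name="$2"; reason="$3"
  shift 3
  [ "$#" -ge 1 ] || { echo "write_asn_whitelist: at least one ASN required" >&2; return 1; }
  for asn in "$@"; do
    case "${asn#AS}" in
      ''|*[!0-9]*) echo "write_asn_whitelist: invalid ASN '$asn'" >&2; return 1 ;;
    esac
  done
  {
    printf 'name: %s\n' "$name"
    printf 'description: "Whitelist events from known ISP ASNs"\n'
    printf 'whitelist:\n'
    printf '  reason: "%s"\n' "$reason"
    printf '  expression:\n'
    for asn in "$@"; do
      asn="${asn#AS}"
      # Both spellings, as in the comment above, so either form of ASNNumber matches.
      printf "    - 'evt.Enriched.ASNNumber == \"%s\"'\n" "$asn"
      printf "    - 'evt.Enriched.ASNNumber == \"AS%s\"'\n" "$asn"
    done
  } > "$out"
}

# whitelist_expression_count FILE: number of expression entries in a generated file.
whitelist_expression_count() {
  grep -c "^    - 'evt.Enriched.ASNNumber" "$1"
}

# Demo: write the Indihome whitelist from the comment above to a temp file and show it.
demo_out="$(mktemp)"
write_asn_whitelist "$demo_out" lemper/isp_indihome_whitelists \
  "Known ISP ipv4 ranges AS7713 (PT Telekomunikasi Indonesia)" 7713
cat "$demo_out"
rm -f "$demo_out"
```

Point OUTFILE at /etc/crowdsec/postoverflows/s01-whitelist/ as the comment does, then restart crowdsec so the postoverflow is loaded.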
