CrowdSec is a very good, modern replacement if your server previously used fail2ban. This is a simple guide to installing and using it on a Debian-based server; it shouldn't be much different on CentOS or Windows Server.
Link: https://app.crowdsec.net/
https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/
This command shows all of the available command information:
(If your SSH connection suddenly disconnects when using MobaXterm, remember to disable the SSH Browser. To copy files, use WinSCP instead.)
CrowdSec calls every action it takes, including banning someone, a “decision”. First, list the IPs that have a decision against them to confirm whether the IP is really banned, and for what reason:
It will show a list that looks like this:
bf means brute force; a user who keeps entering the wrong password may trigger this rule as well.
Then you may unban a single IP in “1.2.3.4” format; ranges are supported as well, in “1.2.3.4/24” format:
Or you may delete all the existing bans at once if needed:
You may want to whitelist some IPs for some reason. The whitelist can be saved under any custom name, in YAML format, under /etc/crowdsec/parsers/. For example, create a whitelist as /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml with the following content:
Then reload the crowdsec service to activate the list:
sudo systemctl reload crowdsec
After that, 1.1.1.1/24 and 1.1.1.1 will be whitelisted forever.
(Reference: https://docs.crowdsec.net/docs/whitelist/create/ )
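An added example, not part of the original post or of CrowdSec's own tooling: a shell script that renders the whitelist file described above from a list of addresses and, when run with --apply, installs it, reloads the service and deletes bans already issued for those addresses (a parser whitelist only prevents new ones). The parser name, description and reason strings are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The parser name, description and
# reason strings are assumptions; pass your own addresses as arguments.

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the whitelist YAML: plain addresses under "ip", entries with a
# /prefix under "cidr". Return 1 without printing anything on a bad entry.
render_whitelist() {
    ips="" cidrs="" nl='
'
    for entry in "$@"; do
        is_ipv4 "${entry%%/*}" || { echo "invalid address: $entry" >&2; return 1; }
        case $entry in
            */*) prefix=${entry#*/}
                 case $prefix in
                     ''|*[!0-9]*|???*) echo "invalid prefix: $entry" >&2; return 1 ;;
                 esac
                 [ "$prefix" -le 32 ] || { echo "invalid prefix: $entry" >&2; return 1; }
                 cidrs="$cidrs    - \"$entry\"$nl" ;;
            *)   ips="$ips    - \"$entry\"$nl" ;;
        esac
    done
    printf 'name: local/mywhitelists\n'
    printf 'description: "Addresses that must never be banned"\n'
    printf 'whitelist:\n  reason: "trusted addresses"\n'
    [ -z "$ips" ] || printf '  ip:\n%s' "$ips"
    [ -z "$cidrs" ] || printf '  cidr:\n%s' "$cidrs"
}

# With --apply (on the CrowdSec host): install the file, reload, then delete
# decisions issued before the whitelist existed, since it only stops new ones.
if [ "${1:-}" = "--apply" ]; then
    shift
    yaml=$(render_whitelist "$@") || exit 1
    printf '%s\n' "$yaml" | sudo tee /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml >/dev/null
    sudo systemctl reload crowdsec
    for entry in "$@"; do
        case $entry in
            */*) sudo cscli decisions delete --range "$entry" ;;
            *)   sudo cscli decisions delete --ip "$entry" ;;
        esac
    done
fi
```

Run without --apply, the script only defines the functions, so the YAML can be previewed with render_whitelist before anything is written to /etc/crowdsec.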
The installation steps are easy:
Make sure you do this after the new server has been fully set up. It will save you a lot of time checking whether all the behavior settings are correctly enabled, although CrowdSec usually does this itself and gets it right.
Log in to the console and go to the “Security engines” tab, then Engines. Click the “Add Security Engine” button, then the “How to install a security engine or a bouncer?” link, which shows the full steps. Run all of the commands to ensure that both the agent and the bouncer (the firewall blocker it relies on to fetch new decisions and block matching traffic) are installed:
Once you enter the last command:
the Console will show a prompt at the top of the same page asking for your confirmation. Confirm the ID and accept it:
For future management, once it is accepted, you should rename it to your server's name and give it a correct tag:
Run this command to install the collection for blocking port scanning:
After that, restart the CrowdSec service on the server to ensure it is fully in sync:
Go to the Blocklists page and make sure the newly added machine has been added to the blocklist so the correct ban method is used. (This doesn't mean it won't work without a blocklist. CrowdSec first checks the blocklist to see whether the IP is blacklisted; if it is not, it still checks the IP's behavior against the rules.)
Done! The bouncer count may show 0 at first. Just give it some time, and the bouncer will show up after being auto-configured.