
Simple Guide to Installing and Maintaining CrowdSec on a Debian Server

CrowdSec is a good, modern replacement if your server was using fail2ban before. This is a short guide to installing and using it on a Debian-based server; the steps should not differ much on CentOS or Windows Server.


Management console login:

Link: https://app.crowdsec.net/

Local CLI control:

https://docs.crowdsec.net/docs/user_guides/decisions_mgmt/

sudo cscli help

This command lists every cscli subcommand with a short description; sudo cscli <subcommand> --help does the same for a single subcommand.

(If your SSH session drops unexpectedly when using MobaXterm, disable its SSH Browser feature. To copy files, use WinSCP instead.)



How to unban a locally, temporarily banned IP

In CrowdSec every enforcement action (a ban, a captcha and so on) is recorded as a "decision". First, list the current decisions to confirm that the IP really is banned and which scenario caused it:

sudo cscli decisions list

It shows a list like this:


A scenario name ending in "bf" means brute force; a legitimate user who keeps entering a wrong password can trigger such a rule too.

Then delete the decision for a single address with --ip, or for a whole range with --range (CIDR notation, e.g. 1.2.3.0/24):

sudo cscli decisions delete --ip 1.2.3.4
sudo cscli decisions delete --range 1.2.3.0/24

Or delete all existing decisions at once if needed:

sudo cscli decisions delete --all

How to whitelist an IP

You may want to whitelist some IPs. A whitelist is itself a parser: a YAML file with any name, placed in the s02-enrich stage directory /etc/crowdsec/parsers/s02-enrich/. For example, create /etc/crowdsec/parsers/s02-enrich/mywhitelists.yaml with the following content (single addresses go under ip:, ranges under cidr:):

name: crowdsecurity/whitelists
description: "Whitelist events from my ip addresses"
whitelist:
  reason: "my ip ranges"
  ip:            # single addresses
    - "1.1.1.1"
  cidr:          # ranges in CIDR notation
    - "1.1.1.1/24"

Then reload the CrowdSec service to load the new parser (a reload is enough, no restart needed):
sudo systemctl reload crowdsec

From then on, events from 1.1.1.1/24 and 1.1.1.1 are dropped at parse time, so those addresses never trigger a local ban. Two caveats: a whitelist does not remove decisions that already exist (delete those with cscli decisions delete), and it only filters what this engine sees in its own logs; decisions pulled in from community blocklists are not affected by a parser whitelist.
(Reference: https://docs.crowdsec.net/docs/whitelist/create/ )
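Since a typo in the whitelist file silently fails to cover the address you meant, it helps to generate the file and check coverage before copying it into place. The script below is added to this guide and is not part of the CrowdSec project; it sorts bare addresses under ip: and prefixes under cidr:, clears host bits (so 1.1.1.1/24 is written as 1.1.1.0/24), and can tell you which entry, if any, covers a given address. It assumes IPv4 entries with plain decimal octets and writes to a file path you choose.

```shell
#!/bin/sh
# Added example, not part of the CrowdSec project: build a whitelist parser
# file from a list of addresses and check, offline, which addresses it would
# cover. Bare addresses go under `ip:`, prefixes under `cidr:` with host bits
# cleared (1.1.1.1/24 -> 1.1.1.0/24). IPv4 only; octets are assumed to be
# plain decimal (no leading zeros).
set -e

# ip4_to_int 1.1.1.1 -> 16843009
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs   # split on dots into $1..$4
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip4 16843008 -> 1.1.1.0
int_to_ip4() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_network ENTRY -> ENTRY in network form; a bare address becomes a /32
cidr_network() {
  ip=${1%/*}; prefix=${1#*/}
  if [ "$ip" = "$1" ]; then prefix=32; fi
  if [ "$prefix" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - prefix)) & 4294967295 )); fi
  echo "$(int_to_ip4 $(( $(ip4_to_int "$ip") & mask )))/$prefix"
}

# ip_in_cidr ADDRESS ENTRY -> succeeds if ENTRY (address or prefix) covers ADDRESS
ip_in_cidr() {
  net=$(cidr_network "$2")
  [ "$(cidr_network "$1/${net#*/}")" = "$net" ]
}

# whitelist_match ADDRESS ENTRY... -> prints the first entry covering ADDRESS,
# fails if none does (what you want to know before reloading the engine)
whitelist_match() {
  addr=$1; shift
  for entry in "$@"; do
    if ip_in_cidr "$addr" "$entry"; then echo "$entry"; return 0; fi
  done
  return 1
}

# write_whitelist FILE REASON ENTRY... -> writes the parser YAML to FILE
write_whitelist() {
  out=$1; reason=$2; shift 2
  ips=''; cidrs=''
  for entry in "$@"; do
    case $entry in
      */*) cidrs="$cidrs $(cidr_network "$entry")" ;;
      *)   ips="$ips $entry" ;;
    esac
  done
  {
    echo 'name: crowdsecurity/whitelists'
    echo 'description: "Whitelist events from my ip addresses"'
    echo 'whitelist:'
    echo "  reason: \"$reason\""
    # $ips/$cidrs are left unquoted so the shell splits them into one item per entry
    if [ -n "$ips" ];   then echo '  ip:';   printf '    - "%s"\n' $ips;   fi
    if [ -n "$cidrs" ]; then echo '  cidr:'; printf '    - "%s"\n' $cidrs; fi
  } > "$out"
}

# Usage: sh mkwhitelist.sh OUTFILE ENTRY...   then copy OUTFILE into
# /etc/crowdsec/parsers/s02-enrich/ and run: sudo systemctl reload crowdsec
if [ $# -ge 2 ]; then
  outfile=$1; shift
  write_whitelist "$outfile" "my ip ranges" "$@"
  cat "$outfile"
fi
```

For the page's own entries, sh mkwhitelist.sh mywhitelists.yaml 1.1.1.1/24 1.1.1.1 writes the file, and a quick whitelist_match 1.1.1.77 1.1.1.1/24 1.1.1.1 in the same shell confirms that the /24 covers the host you care about before you copy the file to /etc/crowdsec/parsers/s02-enrich/ and reload.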


How to install CrowdSec on our server:

The installation is simple.
Do it after the new server is fully set up: that way you only need to check once whether every expected behaviour (log sources, firewall, running services) was detected correctly, although CrowdSec usually detects them itself and gets it right.

Log in to the console, open the "Security Engines" tab, then Engines. Click the "Add Security Engine" button, then the "How to install a security engine or a bouncer?" link, which shows the full set of steps. Run all of the commands so that both the agent (the security engine that reads logs and raises alerts) and a bouncer (the firewall component it relies on to fetch new decisions and block matching traffic) are installed:


Once you enter the last command:

sudo cscli console enroll <token>

the console pops up a confirmation at the top of the same page. Check that the engine ID matches and accept it:


For easier management later, once the engine is accepted, rename it to the server's hostname and give it a suitable tag:


Run this command to install the collection that detects port scanning:

sudo cscli collections install crowdsecurity/iptables

This collection parses the kernel log lines produced by iptables LOG rules, so it only raises alerts if your firewall actually logs dropped packets and that log file is among CrowdSec's acquisition sources (/etc/crowdsec/acquis.yaml). Then restart the CrowdSec service so the new collection is loaded and fully in sync:

sudo systemctl restart crowdsec

Go to the Blocklists page and check that the newly added machine is subscribed to a blocklist with the correct remediation (ban). CrowdSec still works without a blocklist subscription: the bouncer enforces the engine's own decisions, which come from scenarios matched against your logs. A blocklist subscription adds pre-computed decisions for known-bad addresses on top of that, so those are blocked before they ever show up in your logs:


Done! The bouncer count may show 0 at first; give it some time and the bouncer will show up once it has been auto-configured.