Anyone heard of CrowdSec? Open Source Crowd-Sourced Security Engine
Just read about this one in /r/selfhosted.
Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.
https://www.crowdsec.net/product/crowdsec-security-engine
https://www.crowdsec.net/product/console
https://github.com/crowdsecurity/crowdsec
Has anyone been using this?
Comments
Hi, I installed it a while back on a personal server and it works okay. It is good at catching some of those port scanners. They also recently added some blocklists; a free account allows you to subscribe to 2 of them.
I have noticed an issue with some custom iptables rules being deleted after x number of server restarts on Debian 11. I am pretty sure it has something to do with crowdsec-firewall-bouncer but have not dug into it too deep yet.
@xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?
I played with CrowdSec (or some other "collaborative firewall"?) on one of my machines several years ago. Unsure whether it had a GUI and other fancy stuff back then.
But after checking other alternatives decided to go with SSHGuard: https://www.sshguard.net/
Pure C, no Python, low RAM usage, all the love you need. Happily using it since then.
I like it better than Maltrail; I've only tested it in my toy servers so far.
CC_DENY = CN,RU,IN,ID
works way better for production servers
That's what I found: https://www.crowdsec.net/pricing
There are more details on the pricing page.
I had assumed there was one curated blacklist collaboratively updated by the crowd/community.
Yes, there is one big list of bad IPs that come from detections presented by all participants worldwide. That is free. The blacklists mentioned are additional IP lists curated by CrowdSec as well as other third party sources. You get 2 free.
You can even self host the list of bad IPs detected from your local instances via crowdsec-blocklist-mirror.
The default functionality of blocking based on community signals is always there. It's dynamically updated based on input received from all CrowdSec users.
Blocklists are a new addition and they are externally curated, i.e. not based on user detections.
https://www.crowdsec.net/blog/new-ip-external-blocklists
I've been using CrowdSec for nearly a year now on all my servers.
I came to say the same thing. I would say it is slower to block than fail2ban and possibly others, something that has been raised in GitHub issues, but works well enough on my servers.
Keith
I'm using it with CyberPanel right now.
I tried it a while back but I found it to be a bit cumbersome, it has quite some moving parts (that can fail). Documentation is also all over the place.
For me it became pretty much redundant once I switched to Cloudflare Tunnels. Cloudflare does a pretty good job at keeping out the bad guys. Yes I know opinions about Cloudflare differ, just my two cents.
Threw it on an idle box a couple years back. Was ok, but wasn't overly impressed. Might need to give it another go since it presumably has improved.
I found it to have much higher CPU usage than fail2ban (like 5-10x) when only blocking SSH. So I just switched all my servers to key auth only and removed crowdsec and fail2ban, since that's the only authed service I run on them (that doesn't use an IP whitelist).
I ran it for maybe six months on a few boxes that I know are heavily targeted.
It is a good idea, but it's a bit messy and the documentation needs a lot of work. Every time I fiddled with it I could not stop thinking "this does not need to be this complex". Also, the amount of resources taken does not match the amount of work that should be needed for something like this. I think they aim for huge installations because everything seems like it was built for huge networks with hundreds of nodes with unlimited CPU and RAM.
Pros are that it does work, the dashboards look nice and it scales well. Invest some time into really understanding how it works and you could probably do some really cool things. I set it up with a "master" node and attached a few satellites to it, worked nicely with central dashboard and distributed blocklist.
Great experience that it blocked ::1 - I had to add it manually to the whitelist afterwards. lmao