Hi all!
First off, let me say I am not a programmer but a hobbyist trying to provide services to other colleagues/friends, and I am quite new to the whole cybersecurity thing. I just recently started exploring Crowdsec, so I apologize in advance for any dumb or obvious questions.
My setup is shaping up like this: a VPS (Hetzner) with Debian 12, Docker, and UFW. I use Caddy as a reverse proxy to serve apps over the internet without exposing any port in UFW except for 443 (I had to do it because of some Authentik stuff). Caddy has been built with the Crowdsec bouncer.
I installed crowdsec with docker through the official compose. I am only using the caddy bouncer with some collections, and the acquis.yaml pointing to the relevant logs of each application. Everything works pretty well.
I also added the iptables collection; however, I realized that in order to leverage the journald logs I need:
a) to change the image from the Alpine default to the Debian one;
b) to make nftables log to journald with the nftables equivalent of iptables -A INPUT -m state --state NEW -j LOG.
According to this Discord discussion, though, since I am using UFW, I can just let Crowdsec analyze the UFW logs without messing with nftables, by adapting this example repo.
However, I have a few questions:
- Is the logging to journald really not needed, or would I lose something if I only rely on UFW logs? My understanding is that UFW only registers blocked attempts, not all new connections.
- Do I need the firewall bouncer for this setup? Am I understanding correctly that Crowdsec would not be able to act on the parsed logs without it?
There was another answer related to a similar situation that could have helped me better understand the issue, but the Discord link points to a discussion that is not accessible (for me).
Thanks in advance for any guidance!
My configuration:
compose.yml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:v1.6.8
    container_name: crowdsec
    restart: unless-stopped
    ports:
      - "127.0.0.1:8080:8080"
    environment:
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/appsec-generic-rules crowdsecurity/caddy crowdsecurity/whitelist-good-actors crowdsecurity/http-cve crowdsecurity/iptables firix/authentik LePresidente/gitea"
      GID: "${GID}"
      DOCKER_HOST: "tcp://socket-proxy-read:2375"
    volumes:
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - /path/to/log/caddy:/var/log/caddy:ro
      - /path/to/forgejo/gitea/log:/var/log/gitea:ro
      - ./db:/var/lib/crowdsec/data/
      - ./config:/etc/crowdsec/
    env_file:
      - .env
    networks:
      - backend
networks:
  backend:
    external: true
acquis.yaml
filenames:
  - /var/log/caddy/*.log
labels:
  type: caddy
---
filenames:
  - /var/log/gitea/*.log
labels:
  type: gitea
---
source: docker
container_name:
  - authentik-server
labels:
  type: authentik
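The first question above is about what UFW firewall logs actually contain. As an added example (not part of the original post, nor Crowdsec's or UFW's own code), here is a small Python parser over constructed UFW kernel-log lines that tallies events by action and blocked connections by source address; it assumes the usual UFW prefixes ([UFW BLOCK] at the default "low" log level, with [UFW ALLOW] and [UFW AUDIT] lines appearing only at higher levels), and every sample line is constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel-log shape UFW emits. Assumption:
# [UFW BLOCK] is all the default "low" level writes; [UFW ALLOW] and
# [UFW AUDIT] only show up when LOGLEVEL is raised to medium or high.
SAMPLE_LOG = """\
Jun 10 12:00:01 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 10 12:00:02 vps kernel: [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51001 DPT=3389 SYN URGP=0
Jun 10 12:00:03 vps kernel: [UFW ALLOW] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=443 SYN URGP=0
Jun 10 12:00:04 vps kernel: [UFW AUDIT] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.44 DST=203.0.113.5 LEN=52 PROTO=TCP SPT=40000 DPT=443 ACK URGP=0
Jun 10 12:00:05 vps sshd[123]: Accepted publickey for alice from 192.0.2.44 port 40000 ssh2
"""

# Action is BLOCK, ALLOW, AUDIT, LIMIT BLOCK, ...; the rest are KEY=VALUE fields.
UFW_RE = re.compile(r"kernel: \[UFW (?P<action>[A-Z ]+?)\] (?P<fields>.*)$")


def parse_ufw_line(line):
    """Return a dict with action and the interesting fields, or None if the
    line is not a UFW kernel-log entry (e.g. an sshd line)."""
    m = UFW_RE.search(line)
    if not m:
        return None
    # Tokens without '=' (DF, SYN, ACK) are flags and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"action": m.group("action"), "src": fields.get("SRC"),
            "dst": fields.get("DST"), "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT")}


def summarize(log_text):
    """Count events per action and blocked attempts per source address.
    With UFW's default log level only BLOCK events exist, so accepted
    connections on 443 would not appear in this tally at all."""
    by_action = Counter()
    blocked_by_src = Counter()
    for line in log_text.splitlines():
        ev = parse_ufw_line(line)
        if ev is None:
            continue
        by_action[ev["action"]] += 1
        if "BLOCK" in ev["action"]:
            blocked_by_src[ev["src"]] += 1
    return by_action, blocked_by_src


if __name__ == "__main__":
    actions, blocked = summarize(SAMPLE_LOG)
    print(dict(actions), dict(blocked))
```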