CrowdSec setup feedback and general questions

Hello Crowdsec team!

I have managed to install CrowdSec on my Cloud VPS. It took me a bit to understand all of CrowdSec's components and how they interact with each other. I made a diagram to showcase my setup.

CrowdSec and the firewall-bouncer-iptables service are running and the logs show no errors.
I have noticed many crawlers/web-scanners with ntopng blacklisted flows, and those IPs show up in CrowdSec Threat Intelligence but they are not blocked by CrowdSec ban decisions.

$ sudo cscli decisions list
No active decisions

In the example above the IP 37.221.92.222 shows up in CrowdSec Threat Intelligence but not in CrowdSec ban decisions nor in the iptables ipset list crowdsec-blacklists.

I have connected my setup to the CrowdSec Cloud dashboard and added third-party blocklists. It has been running for about a month and it has made only 3 ban decisions.

I have also noticed that CrowdSec's nginx-proxy-manager collection doesn't parse the npm logs, even though I followed the collection hub setup instructions.

I would like to understand what to expect from my setup and how to improve it.
How can I block bots/web-scanners checking for vulnerabilities on my VPS?
How can I block brute-force and other web attack scenarios on NextCloud?

I see this as an opportunity to configure my CrowdSec engine to detect malicious traffic and contribute to the CrowdSec community blocklist.

Thank you for your advice.


Hello @securegh !

Thanks for the detailed explanation :slight_smile:

> In the example above the IP 37.221.92.222 shows up in CrowdSec Threat Intelligence but not in CrowdSec ban decisions nor in the iptables ipset list crowdsec-blacklists.

This IP, while being “known” to the CrowdSec community (as you have seen), is not part (yet) of the community blocklist because it didn’t have enough reports. We need to have high confidence for an IP to end up in the community blocklist, as false positives can be damaging for many users (plus there is a performance dimension to this too). The blocklist is intended to preemptively block very aggressive IPs, while the security engine (behaviour analysis) blocks more custom or targeted things.

> I have connected my setup to the CrowdSec Cloud dashboard and added third-party blocklists. It has been running for about a month and it has made only 3 ban decisions.

I think something might be off in the setup then (or you’re the luckiest guy on the internet, I have tens of bans on my personal webserver on a daily basis). Looking at your metrics, it seems that logs are not parsed, which explains the lack of decisions.

Now the goal is to understand why the logs are not parsed :slight_smile:

A good approach is to try cscli explain on a sample of your logs and see where it’s failing. Don’t hesitate to report back your results here! I’m not too familiar with this log format, if you need help, you should provide us a sample of the logs, and we can figure out what is wrong with the logs (or the parser).

> I would like to understand what to expect from my setup and how to improve it.
> How can I block bots/web-scanners checking for vulnerabilities on my VPS?
> How can I block brute-force and other web attack scenarios on NextCloud?

The default http scenarios (once your logs are correctly parsed :smiley: ) should deter the bots/web-scanners, and you can use the existing nextcloud collection to detect brute-force attacks specific to Nextcloud!

Hope this helps, don’t hesitate to drop by on discord.gg/crowdsec if you need further help :slight_smile:
