Crowdsec new user - suggested approach for my usage

I’m brand new to Crowdsec, a potential user rather than a current user. I set CS up on my new Ubuntu 20.04 web server in AWS (replacing an Amazon Linux server) but then removed it because I couldn’t find a bouncer I needed. I also noticed CS being fairly new isn’t as well documented as it will eventually be, particularly around bouncers.

I had wanted to use a bouncer that updated the Cloudflare firewall for the five sites on my server (ie that means five different firewalls). The Cloudflare bouncer looks to use the old database model rather than the new API model so I’m not confident it will actually work and I don’t want to spend the time if it’s not likely to work. The tutorials I found mostly seem to skip bouncers as well. I already have fail2ban set up to update the CloudFlare firewall.

I’d like to give Crowdsec another go rather than go back to fail2ban if someone can give me a bit of guidance, as it seems a better option going forward.

My Configuration and Use Case

I have three low volume Wordpress websites and one custom PHP website on their own domains, all served using Nginx on one server with no load balancer. The sites are proxied using CloudFlare and I use AWS security groups so that only Cloudflare and my static IP can directly reach the server. I don’t currently use iptables. Each website has its own Nginx logfile. I generally prefer to do things in Nginx than Wordpress as it’s much more efficient than having to start a PHP thread which is much slower and still takes significant resources.

Questions

  1. Is Crowdsec mature and flexible enough for production web servers?
  2. Is there a working Cloudflare bouncer? If so is Crowdsec / the bouncer able to determine which of the five sites in my CloudFlare account it needs to add an IP ban to based on which log file it got the IP from? Banning from each of the five Cloudflare firewalls would also be fine.
  3. If there’s no Cloudflare bouncer that meets my needs would the best approach be the Nginx bouncer? That’s currently at v0.0.4 which doesn’t inspire confidence that it’s working and easy to configure. Is that bouncer working and effective?
  4. Will the iptables bouncer work given all of the requests are routed via Cloudflare? My knowledge of iptables is it’s more TCP level than request level. Or is there some kind of logic that can make this work?

Thanks for any thoughts or suggestions :slight_smile:

Hello @tomwaldnz and welcome!

Yes, the existing cloudflare bouncer is deprecated and it’s part of our to-do list to create a new one. From what you’re saying, it sounds like nginx might be your best option (given that you can install the lua requirements).

The (debian) packages are still fresh, but the software is stable.

Currently there are some users that baked their own cloudflare bouncer, but none are published up-to-date. Hopefully this will soon be fixed.

If you’re running X crowdsec it should be fine, but I don’t think having one instance distributing the appropriate bans on each cloudflare account would be trivial as of now :sweat_smile:

Yes, that bouncer should be effective given that you don’t have a huge traffic. The hardest requirement would be to have the lua libraries used by the nginx bouncer (libnginx-mod-http-lua & lua-logging).

Yes, as you suspected, firewall bouncer won’t play nice with cloudflare and will end up banning cloudflare ips.
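The point about the firewall bouncer above is worth seeing concretely: when every request arrives through a proxy such as Cloudflare, the TCP peer in the Nginx log is the proxy's edge, and the real client only appears in a header the proxy adds. The following is an added example, not code from the thread or from the CrowdSec project, that parses a few constructed log lines and shows which address an IP-level ban would hit depending on whether you look at the TCP peer or at the header. The log format, the header name `CF-Connecting-IP`, and the trusted proxy range (a TEST-NET stand-in, not Cloudflare's real published list) are assumptions for the illustration.

```python
import ipaddress
import re

# Constructed stand-in for the proxy/CDN egress ranges. In a real deployment you
# would load the provider's published IP list here instead of a TEST-NET range.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed Nginx log_format: '$remote_addr "$http_cf_connecting_ip" "$request"'
LOG_RE = re.compile(r'^(?P<remote>\S+) "(?P<hdr>[^"]*)" "(?P<request>[^"]*)"$')

# Constructed sample lines: two requests relayed by different proxy edges for the
# same real client, and one direct request (e.g. from an allow-listed static IP)
# that carries a header nobody should trust because it did not come via the proxy.
SAMPLE_LOG = [
    '198.51.100.7 "203.0.113.10" "GET /wp-login.php HTTP/1.1"',
    '198.51.100.9 "203.0.113.10" "POST /xmlrpc.php HTTP/1.1"',
    '192.0.2.44 "203.0.113.99" "GET / HTTP/1.1"',
]


def is_trusted_proxy(addr):
    """True when the TCP peer belongs to one of the trusted proxy ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def real_client_ip(remote_addr, header_ip):
    """Return the address a decision should be keyed on.

    The header is honoured only when the TCP peer is a trusted proxy; a client
    reaching the server directly could otherwise supply any value and cause an
    unrelated address to be blocked. A malformed header falls back to the peer.
    """
    if header_ip and is_trusted_proxy(remote_addr):
        try:
            return str(ipaddress.ip_address(header_ip))
        except ValueError:
            return remote_addr
    return remote_addr


def parse_line(line):
    """Split one log line into the TCP peer, the derived client IP and the request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    remote = m.group("remote")
    return {
        "remote": remote,
        "client": real_client_ip(remote, m.group("hdr")),
        "request": m.group("request"),
    }


def ban_targets(lines, key="remote"):
    """Addresses a ban list would contain if built from `key` ('remote' or 'client')."""
    parsed = (parse_line(l) for l in lines)
    return sorted({p[key] for p in parsed if p is not None})


def proxy_addresses_in(targets):
    """Which of the would-be ban targets are actually proxy edges (collateral damage)."""
    return [t for t in targets if is_trusted_proxy(t)]


if __name__ == "__main__":
    by_peer = ban_targets(SAMPLE_LOG, "remote")
    print("keyed on TCP peer:   ", by_peer, "-> proxy edges hit:", proxy_addresses_in(by_peer))
    print("keyed on real client:", ban_targets(SAMPLE_LOG, "client"))
```

Keyed on the TCP peer, the list contains the two proxy edges, which is exactly the "banning cloudflare ips" outcome described above; keyed on the header-derived client it contains the real client plus the direct visitor. A bouncer that acts at the firewall level only ever sees the peer address, which is why it does not fit a fully proxied setup, whereas a bouncer that runs inside the web server (or a scenario that parses the header) can work on the client address.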

Thanks @thibault I appreciate the time you took to reply and the information.

Unless I start to have problems I think I’ll give crowdsec six months or a year to mature before I try again. It has a lot of promise but the packages, the bouncers, and the documentation need a fair bit of work before they’re simple enough that people who aren’t Linux experts can do this effectively and within a reasonable amount of time. I’ve turned on some CloudFlare features that will increase security for now, which should mitigate many issues.