Fail2ban as agent for CrowdSec?

Hi
As there is still no current / updated version of crowdsec available in Debian repositories (others, even those from CrowdSec are not an option) I’m stucked with fail2ban on my reverse proxy (the services/servers behind the reverse proxy do run crowdsec agents in containers and the firewall bouncer is in place, but reverse proxy is set up plain software installation) …

I wonder if there is a way to use fail2ban as an agent for CrowdSec. As far as I’ve seen, fail2ban can report to AbuseIPDB and I think it would be handy to have fail2ban report as an agent to the CrowdSec local api.

Has anyone tried this? Should this be possible?

1 Like

Hello,

I never tried using fail2ban as an agent for crowdsec.
However, I was curious about what you mean by :

The repositories that we make available to users are not ok for you ? (cf. Install CrowdSec (Linux) | CrowdSec)

Hello!

I’ve already thought about it myself. In theory, it should not be difficult - to add in folder /etc/fail2ban/action.d file with something like

actionban = cscli decisions add --ip < ip > --duration < duration > --reason < reason >

And then call the jail.local.

I am now carefully reading the documentation, I just started to master CrowdSec, so I am in no hurry to implement something - I suddenly subtract a better solution.

2 Likes

Yes. Those repositories are not ok.
It’s corporate rule to not use any other repositories as those from Debian for the Debian servers. It is allowed to use backports.

There has been a problem some time ago where a package has been retrieved from a non-Debian repo that should not have been hosted there (new version of a library). IT security department wasn’t amused. Since then, only official Debain repos are allowed.
As far as I understand, when I add another repo it will trust all packages on the repo. Which might be a security issue if someone places unwanted stuff.

This looks like a way to go.
I might use a script via ssh to pass the detected ip to the lapi server and use the cscli on the lapi-Server to add the detected ip. Can use a dedicated user on the lapi server only allowed to run this one script.

1 Like

I started to create an agent for fail2ban to write alerts to crowdsec. It currently provides correct ip and bantime and shows up with scenario ‘fail2ban/’ in Crowdsec metrics.
I’m a bit stuck on wirting the shell scripting to enhance AS/Country info from whois. After this I will probably put a PR to fail2ban repository to get this agent added to fail2ban.

1 Like

Hi! I am very interested in your integration. I love fail2ban, and had suggested some sort of crowdsec-fail2ban collaboration to support legacy and special cases. Makes me happy to see someone else shared my views and was able to execute something so nice. Kudos and thanks.

How can I help? What issues are you having?

I currently have a working version. fail2ban project requested/suggested a few changes so it will take some more days.

Using the action does not need to install any Crowdsec dependency but to register an agent on the local API and to give the credentials to the fail2ban config.
Currently it allows to block by ip and bantime. It uses whois to grep some information for country, etc. But whois info is not very accurate. For blocking the ip is sufficiant.
So, any help on ‘how to get more accurate info on an ip’ usable in a script would be appriciated.

3 Likes

well, accurate is a very relative word in relation to identifying IP addresses.
if you want your script to avoid querying external sites/databases, then the options are indeed limited… and also depends on what you can/want to install.

Do you have a repo? I’d take a look and maybe send you a PR.

1 Like

I have added a draft PR to fail2ban here. As you see, it is a simple but working solution.
There is still room for improvements:

  • what’s the scenario hash for?
  • better/optional more accurate finding of info, e.g. ASN, country
  • adding more info, e.g. the called url to be put into event infos (needs tweaks to parser?)

Using fail2ban as an agent for Crowdsec does possibly not follow the itentional idea of fail2ban nor Crowdsec. But in my case it closes a gap so I consider it a valid use case.

1 Like

In case my solution will not make it into fail2ban I assume a small tutorial on Crowdsec website would be helpful for people with the same need.

Is there any chance to find like a small tutorial one what you did to include fail2ban? I’d love to do combine the two.

Actually I haven’t made a tutorial as my pull request has not yet been accepted to fail2ban repository.

Anyway: these are the steps:

  • get the file with the action from my pull request: https://github.com/fail2ban/fail2ban/pull/3407/files and put it into the action.d folder under /etc/fail2ban

  • add/create a new machine / agent to your local api using cscli. Write down machine name and password.

  • edit your local.jail file and add the action. In my case it looks like this:

 [DEFAULT]
action_crowdsec = crowdsec

destemail = ne20002@****.ch
action = %(action_)s
         %(action_crowdsec)s[lookup=whois, lapi_url="http://cs-lapi:8014", machine_id="ReverseProxy", password="*****"]

maxretry = 3
findtime = 3600

...

You need to set your values for lapi_url, machine_id and password. With my setup the crowdsec request to its local api is added to the already existing action (you can setup yours as you need).

  • restart fail2ban

That’s it.

1 Like