Request for advice about Crowdsec implementation

I am still discovering Crowdsec…
Is it possible to implement Crowdsec on a central router with central syslog and firewall bouncer, and have all remote services like nextcloud, nginx, … send their logs to the central server?
Is that a correct implementation?
What is the easiest way to do this with Crowdsec?
Thanks in advance for your feedback or answer…

Hello @Gandalf!

Yes, that’s definitely a possibility. To have crowdsec checking all your logs, you can either have:

  • several machines with crowdsec agents running (reading their own logs) and pushing to a unique local api (as described here)
  • have your machines centralizing logs (via rsyslog, syslog-ng or such) and have a single crowdsec agent running on the machine where logs are centralized

As the local API is exposing an HTTP API, you can then have either:

  • a bouncer running on your “main” firewall
  • multiple bouncers running to protect services individually (at nginx level, firewall level etc.)
  • a mix of both 🙂

Hope this answers your question; more tutorials are going to come out on this topic!


Whoo, thanks… so great!
It is definitely what I wanted to do with Fail2Ban and central RSysLog…
Now I know what to use to get my solution live!
Thanks again

I will now try some of the solutions you proposed to get some benchmarks in a real-life situation…

I need some advice…
For my specific usage, where the firewall is between the servers and the internet…
When an IP is aggressive on my web server, how can I tell the router to blacklist (BAN) it?
I have already added the firewall-bouncer on the router.
The router can reach the API on the servers…
Is that sufficient then?
I am a little lost…

I’m not 100% sure I follow you here 🙂
If I understand correctly, you’re asking whether the bouncer on your FW being able to speak to the HTTP API of the LAPI is enough? Then the answer is “yes”.

As your firewall-bouncer will get the IPs from the LAPI, as long as the LAPI has the right info, it will work. And by “right info” I mean:

  • either because your web logs are processed directly on the machine where the LAPI is
  • or because the agent that processes the web logs is pushing its alerts to the LAPI your bouncer is querying
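Added example, not from this thread and not CrowdSec’s own bouncer code: a minimal bouncer-style client showing what the two answers above describe, namely that a bouncer on the router only needs HTTP reachability to the LAPI plus a bouncer API key. It uses the two read endpoints a bouncer relies on (`/v1/decisions/stream?startup=true` for the initial bulk sync, `/v1/decisions?ip=…` for a single lookup), authenticated with the `X-Api-Key` header. So that it runs offline, it talks to an in-process stand-in for the LAPI; the API key, the decision records and the IP addresses are constructed for the example and are not real data.

```python
import ipaddress
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample decisions, in the shape the LAPI serialises them
# (the same fields `cscli decisions list` shows). Values are made up.
SAMPLE_DECISIONS = [
    {"id": 1, "origin": "crowdsec", "scenario": "crowdsecurity/http-probing",
     "scope": "Ip", "type": "ban", "value": "203.0.113.7", "duration": "3h59m"},
    {"id": 2, "origin": "cscli", "scenario": "manual 'ban' from 'lapi'",
     "scope": "Range", "type": "ban", "value": "198.51.100.0/24", "duration": "1h"},
]
FAKE_API_KEY = "assumed-bouncer-key"  # assumption: the key `cscli bouncers add` would print


def _covers(decision_value, ip):
    """True if an Ip/Range decision value contains ip (a bare IP becomes a /32 or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(decision_value, strict=False)


class FakeLAPI(BaseHTTPRequestHandler):
    """Stand-in for the LAPI: only the two read endpoints a bouncer uses."""

    def do_GET(self):
        if self.headers.get("X-Api-Key") != FAKE_API_KEY:   # unknown bouncer key
            self.send_response(403)
            self.end_headers()
            return
        url = urlparse(self.path)
        if url.path == "/v1/decisions/stream":
            body = {"new": SAMPLE_DECISIONS, "deleted": []}
        elif url.path == "/v1/decisions":
            ip = parse_qs(url.query).get("ip", [""])[0]
            hits = [d for d in SAMPLE_DECISIONS if _covers(d["value"], ip)]
            body = hits or None                # LAPI answers null when nothing matches
        else:
            self.send_response(404)
            self.end_headers()
            return
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):              # keep the demo quiet
        pass


class Bouncer:
    """What the firewall bouncer on the router does, minus the nftables/iptables part."""

    def __init__(self, lapi_url, api_key):
        self.lapi_url = lapi_url.rstrip("/")
        self.api_key = api_key
        self.banned = set()                    # decision values (IPs or CIDRs) currently banned

    def _get(self, path):
        req = urllib.request.Request(self.lapi_url + path, headers={"X-Api-Key": self.api_key})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)

    def sync(self, startup=False):
        """Pull the decision stream and apply deletions before additions."""
        data = self._get("/v1/decisions/stream?startup=" + ("true" if startup else "false"))
        for d in data.get("deleted") or []:
            self.banned.discard(d["value"])
        for d in data.get("new") or []:
            if d["type"] == "ban":
                self.banned.add(d["value"])
        return set(self.banned)

    def is_banned(self, ip):
        """Local check against the synced set, including range decisions."""
        return any(_covers(v, ip) for v in self.banned)

    def lookup(self, ip):
        """Direct per-IP query; returns the decision types the LAPI holds for it."""
        return [d["type"] for d in (self._get("/v1/decisions?ip=" + ip) or [])]


def start_fake_lapi():
    srv = HTTPServer(("127.0.0.1", 0), FakeLAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def run_demo():
    """Sync a bouncer against the fake LAPI and check a few IPs; also try a bad key."""
    srv, url = start_fake_lapi()
    try:
        b = Bouncer(url, FAKE_API_KEY)
        b.sync(startup=True)
        result = {
            "banned": sorted(b.banned),
            "attacker": b.is_banned("203.0.113.7"),
            "in_range": b.is_banned("198.51.100.42"),
            "clean": b.is_banned("192.0.2.1"),
            "lookup": b.lookup("203.0.113.7"),
            "lookup_clean": b.lookup("192.0.2.1"),
        }
        try:
            Bouncer(url, "wrong-key").lookup("203.0.113.7")
            result["bad_key_status"] = 200
        except urllib.error.HTTPError as e:
            result["bad_key_status"] = e.code
        return result
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real LAPI the same requests work unchanged: point `Bouncer` at the LAPI URL the router can reach and use the key from `cscli bouncers add`, then `cscli decisions add --ip <attacker>` on the LAPI host should show up in the next `sync()`. If the lookup returns nothing while the web server is clearly being hit, the problem is upstream of the bouncer (the agent reading the web logs is not registered against, or not pushing to, that LAPI), which is exactly the “right info” condition in the reply above.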

Thanks!
I will have to test it now, to simulate a bad access… 😉

Tests done … following your blog tutorials!
All is good and works fine

Dashboard working fine in an LXC container… on OpenWrt 21.02-RC3


That looks really cool 😀
Do you need any assistance or reviews? Please let us know if you need help.

I found some bugs on Debian ARM64…
I will post issues on GitHub

Yes, awesome…
A light “home” solution which simply WORKS!

I will, thank you for your assistance…

Maybe I will write a howto from my notes!