I am still discovering Crowdsec…
Is it possible to implement Crowdsec on a central router with central syslog and firewall banner, and have all remote services like nextcloud, nginx, … sending their logs to the central server?
Is it a correct implementation?
Is this the easiest way it can be done with Crowdsec?
Thanks in advance for your feedback or answer…
Hello @Gandalf!
Yes, that’s definitely a possibility. To have crowdsec checking all your logs, you can either have:
- several machines with crowdsec agents running (reading their own logs) and pushing to a unique local api (as described here)
- have your machines centralizing logs (via rsyslog, syslog-ng or such) and a single crowdsec agent running on the machine where logs are centralized
As the local API exposes an HTTP API, you can then have either:
- a bouncer running on your “main” firewall
- multiple bouncers running to protect services individually (at nginx level, firewall level etc.)
- a mix of both
Hope this answers your question; more tutorials are going to come out on this topic!
Whoo thanks… so great!
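The second option above (machines centralizing logs, one crowdsec agent where they land) and the later point that the LAPI needs the "right info" fit together as one small provisioning script. This is an added example, not code from the thread or from the CrowdSec project; it assumes rsyslog on every host, CrowdSec installed on the central host, and a placeholder collector name `CENTRAL_HOST`.

```shell
#!/bin/sh
# Added example (not from the thread or the CrowdSec project): provisions the
# "central syslog + single agent" topology.
# Assumptions: rsyslog on every box, CrowdSec on the central host, and a
# placeholder collector name (CENTRAL_HOST) that you replace with yours.
set -eu

# Remote side (the nginx / nextcloud box): ship every syslog line to the
# collector over TCP (@@ = TCP, @ = UDP).
write_remote_forwarder() {   # $1 = config dir (e.g. /etc/rsyslog.d), $2 = central host
    cat > "$1/90-forward.conf" <<EOF
# constructed example: forward all syslog to the central collector over TCP
*.* @@$2:514
EOF
}

# Central side: accept TCP syslog and write one file per host and program, so
# the single agent still knows which server and daemon each line came from.
write_central_collector() {  # $1 = config dir (e.g. /etc/rsyslog.d)
    cat > "$1/10-remote.conf" <<'EOF'
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
template(name="PerHostProg" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostProg")
}
EOF
}

# CrowdSec acquisition on the central host: label the whole remote tree as
# syslog. The syslog parser strips the syslog header and the service parsers
# (nginx, sshd, ...) match on the program name, so the corresponding
# collections must be installed (e.g. cscli collections install crowdsecurity/nginx).
# nginx only appears here if it logs to syslog, e.g. in nginx.conf:
#   access_log syslog:server=unix:/dev/log,tag=nginx;
write_acquis() {             # $1 = path of acquis.yaml
    cat > "$1" <<'EOF'
filenames:
  - /var/log/remote/*/*.log
labels:
  type: syslog
EOF
}

# Usage on the central host (run as root):
#   write_central_collector /etc/rsyslog.d
#   write_acquis /etc/crowdsec/acquis.yaml
# and on each remote host:
#   write_remote_forwarder /etc/rsyslog.d CENTRAL_HOST
```

Because the agent that reads these files runs on the same host as the LAPI, the firewall-bouncer on the router only needs to reach that LAPI to receive the resulting decisions.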
It is definitely what I want to do with Fail2Ban and central RSysLog…
Now I know what to use to get my solution live!
Thanks again
I will try now some of the solutions you proposed to get some benchmarks in a real-life situation…
Some advice needed…
For my specific usage, when the firewall is between servers and internet…
How can I make it so that, when an IP is aggressive on my web server, it gets blacklisted (BANNED) on the router?
I have already added the firewall-bouncer on the router.
The router has its API accessible to the servers…
Is it sufficient then?
I am a little lost…
I’m not 100% sure I follow you here.
If I understand correctly, you’re asking if the bouncer on your FW being able to speak to the HTTP API of LAPI is enough? Then the answer is “yes”.
As your firewall-bouncer will get the IPs from the LAPI, as long as the LAPI has the right info, it will work. And by “right info” I mean:
- either because your web logs are processed directly on the machine where the LAPI is
- or because the agent that processes the web logs is pushing its alerts to the LAPI your bouncer is querying
Thanks!
I will have to test it now, to simulate a bad access…
Tests done… following your blog tutorials!
All is good and works fine
that looks really cool
Do you need any assistance or reviews? Please let us know if you need help.
I found some bugs on Debian ARM64…
I will post issues on GitHub
Yes, awesome…
A light “home” solution which simply WORKS!
I will, thank you for your assistance…
Maybe I will write a howto from my notes!