Where to run Crowdsec?

I’m wondering where to install Crowdsec?

Isn’t there an advantage to installing Crowdsec at the router/firewall level (opnsense) upstream? All servers behind this router, whether DNS, web, mail, etc., could benefit from the protection?

I see this way of using Crowdsec as a proactive approach on the firewall, using Crowdsec’s public IP blocklists. Because, let’s agree, the logs from WEB1 nginx server don’t reach the router level, and therefore we can’t benefit from real-time active protection. Just passive on the router? True?

Would we need to forward the nginx WEB1 logs to the firewall to use them as a Bouncer on it?

What do you think about installing Crowdsec everywhere on my LAN? On the router, on the reverse proxy, and on the web server? Using the multi-site LAPI feature? Isn’t it too resource-consuming? Just installing on the router and parsing the nginx logs that could be transmitted to the firewall?

I am aware of this approach

There was already a topic almost identical to mine in the past, but this post alone is not enough for me to understand.

Here’s how I see things.

  • Crowdsec installed with a bouncer on OPNsense Firewall, allowing for iptables manipulation for banning.

  • Crowdsec installed without a bouncer (less resources?) on a web server with port 22 open.

Both Crowdsec instances communicate via LAPI.

A hacker performs a brute-force attack on port 22 on the web server. The server reports the information to the Crowdsec Bouncer on the firewall, which applies a ban to the hacker’s IP.

Is this the expected behavior for this installation, or am I mistaken? Are there areas for improvement ?

I have a similar architecture. Firewall → Reverse proxy (haproxy) → website (nginx)
I installed crowdsec on the firewall to parse haproxy logs. And I use the haproxy bouncer to ban ips.
I guess you should install crowdsec in your webserver if you want to use app sec rules. It seems that parsing body is painful with haproxy. (Or I just miss something obvious ^^)

For the crowdsec LAPI, It seems that a plugin exist for the opnsense appliance but I never tested it. It could worth to test it. In my case I installed it on a small debian.

TLDR; I would install crowdsec on reverse proxy to parse access log and install iptable bouncer on the firewall.