Update adding CrowdSec #9154
base: master
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -299,3 +299,151 @@ running:: | |
fail2ban-client status nextcloud | ||
|
||
.. _fail2ban download page: https://www.fail2ban.org/wiki/index.php/Downloads | ||
|
||
CrowdSec | ||
-------- | ||
|
||
CrowdSec offers a crowd-based cybersecurity suite, designed to protect your online services, a dashboard to visualize & act upon threats and a TIP (Threat Intel Platform) to block IP known to carry aggressions. | ||
|
||
CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. | ||
|
||
Setup CrowdSec | ||
^^^^^^^^^^^^^^ | ||
|
||
Following Ibracorp's and CrowdSec's documentation at ``https://docs.ibracorp.io/crowdsec/crowdsec/unraid/traefik-bouncer/nextcloud-collection`` and ``https://hub.crowdsec.net/author/crowdsecurity/collections/nextcloud``. | ||
|
||
The following captured from ``https://docs.crowdsec.net/docs/getting_started/install_crowdsec`` | ||
|
||
CrowdSec can be used with, or replace Fail2ban with the following. | ||
|
||
Install CrowdSec (Linux) | ||
^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
For those that prefer hands-on approach, you can as well manually install crowdsec. | ||
|
||
Install repositories | ||
|
||
Installing our repositories allows you to access the latest packages of CrowdSec and bouncers. | ||
|
||
We are using packagecloud.io service. While curl | sudo bash can be convenient for some, alternative installation methods are available. | ||
|
||
Debian/Ubuntu | ||
EL/Centos7 | ||
EL/Centos Stream 8 | ||
Amzn Linux 2 | ||
OpenWRT | ||
CloudLinux | ||
|
||
``curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash`` | ||
|
||
Install CrowdSec | ||
|
||
Debian/Ubuntu | ||
EL/Centos7 | ||
EL/Centos Stream 8 | ||
Amzn Linux 2 | ||
OpenWRT | ||
CloudLinux | ||
|
||
``apt install crowdsec`` | ||
|
||
You now have CrowdSec running ! You can move forward and install a bouncer, or take a tour of the software beforehand ! | ||
|
||
Directories: | ||
|
||
The application lives in the folder \etc\crowdsec using less than 0.5 MBytes of storage. | ||
The data is stored in the folder \lib\crowdsec\data and needs around 97 MBytes of storage. | ||
|
||
Keep in mind that a CrowdSec package is only in charge of the "detection", and won't block anything on its own. You need to deploy a bouncer to "apply" decisions. | ||
|
||
Install a bouncer | ||
^^^^^^^^^^^^^^^^^^ | ||
|
||
Debian/Ubuntu | ||
EL/Fedora/Centos7 | ||
EL/Fedora/Centos8 | ||
Amzn Linux 2 | ||
OpenWRT | ||
CloudLinux | ||
|
||
``apt install crowdsec-firewall-bouncer-iptables`` | ||
|
||
While we're suggesting the most common firewall bouncer, check our hub for more of them. Find a bouncer directly for your application (nginx, php, wordpress) or your providers (cloudflare, AWS/GCP/...) | ||
|
||
Running CrowdSec on raspberry pi os/raspbian | ||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
Please keep in mind that raspberry pi OS is designed to work on all raspberry pi versions. Even if the port target is known as armhf, it's not exactly the same target as the debian named armhf port. | ||
|
||
The best way to have a CrowdSec version for such an architecture is to do: | ||
|
||
install golang (all versions from 1.16 will do) | ||
export GOARCH=arm | ||
export CGO=1 | ||
Update the GOARCH variable in the Makefile to arm | ||
install the arm gcc cross compiler (On debian the package is gcc-arm-linux-gnueabihf) | ||
Compile CrowdSec using the usual make command | ||
|
||
``hhttps://docs.ibracorp.io/crowdsec/crowdsec/docker-compose`` | ||
(Type here in the URL)
||
Docker CrowdSec Install | ||
Similar story as above also here. We should not copy the CrowdSec install docs but refer to them instead and focus on the configuration of the nextcloud collection.
||
^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
Create CrowdSec shared log folder | ||
``sudo mkdir /var/log/crowdsec; sudo chown -R $USER:$USER /var/log/crowdsec`` | ||
Create the CrowdSec appdata folder | ||
``sudo mkdir /opt/appdata/crowdsec`` | ||
Create docker-compose.yml | ||
``version: "3.4" | ||
|
||
services: | ||
crowdsec: | ||
image: crowdsecurity/crowdsec | ||
container_name: crowdsec | ||
expose: | ||
- 8080 | ||
environment: | ||
PGID: "1000" | ||
volumes: | ||
- /opt/appdata/crowdsec/data:/var/lib/crowdsec/data | ||
- /opt/appdata/crowdsec:/etc/crowdsec | ||
- /var/log/auth.log:/var/log/auth.log:ro | ||
- /var/log/crowdsec:/var/log/crowdsec:ro | ||
restart: unless-stopped | ||
|
||
networks: | ||
default: | ||
external: true | ||
name: proxy`` | ||
|
||
Start crowdsec | ||
``sudo docker-compose up -d`` | ||
|
||
Docker Collection Install | ||
^^^^^^^^^^^^^^^^^^^^^^^^^ | ||
|
||
This assumes that you have CrowdSec Running, and now we are going to add the collection. | ||
^^^^^^^ | ||
|
||
Run a console command in your CrowdSec container | ||
``docker exec -it crowdsec sh`` ---- Replace ``crowdsec`` with your docker name | ||
|
||
``cscli collections install crowdsecurity/nextcloud`` | ||
|
||
Map your nextcloud logs to crowdsec shared folder | ||
This assumes that you know how to enable logging, set your RP to allow real IP's in the logs and know how to troubleshoot. | ||
|
||
``/shared/crowdsec:/mnt/user/appdata/shared/crowdsec/`` | ||
|
||
``docker-compose up -d nextcloud`` | ||
|
||
Edit your acquis.yml file in your CrowdSec's appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces) | ||
|
||
--- | ||
filenames: | ||
- /var/log/crowdsec/nextcloud.log | ||
labels: | ||
type: Nextcloud | ||
Now restart CrowdSec | ||
``docker-compose up -d crowdsec`` | ||
|
||
Futhermore, continue at CrowdSec's hub to read about the collection ``https://hub.crowdsec.net/author/crowdsecurity/collections/nextcloud`` |
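Review bot: The log paths in the "Docker Collection Install" steps do not line up: the crowdsec service mounts `/var/log/crowdsec` and acquis.yml reads `/var/log/crowdsec/nextcloud.log`, but the Nextcloud volume line `/shared/crowdsec:/mnt/user/appdata/shared/crowdsec/` names that directory on neither side, so a reader following the steps as written can end up with a CrowdSec container that starts cleanly and has no nextcloud.log to read. Use one host path throughout and say where Nextcloud is expected to write the log. Also in this hunk: the directories are written as `\etc\crowdsec` and `\lib\crowdsec\data` while the compose file uses `/etc/crowdsec` and `/var/lib/crowdsec/data`; the ibracorp docker-compose URL starts with `hhttps://`; the multi-line docker-compose.yml wrapped in an inline literal and the bare acquis.yml lines should be literal blocks so the indentation the text warns about survives rendering; the `^^^^^^^` under the sentence "This assumes that you have CrowdSec Running" turns that sentence into a malformed heading; and `curl -s ... | sudo bash` runs a remote script as root, so link the upstream install page, which the text itself says offers alternative methods, rather than reproducing the one-liner here.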
This is a pure copy of https://docs.crowdsec.net/docs/getting_started/install_crowdsec (which might even violate author rights).
So I would suggest to simply replace it with something like:
And the part in our documentation should basically only focus on the configuration, like installing the nextcloud collection from https://hub.crowdsec.net/author/crowdsecurity/collections/nextcloud etc.
But also there don't copy the manual, if it's useful refer to the site, if it's a single line to execute good enough.