Stefan Mogeritsch
aa157e82f8
- Documented Access Control features (e.g., Device Approvals, Password Rotation, 2FA, Custom Login Pages). - Added detailed descriptions for Logs & Analytics (Access Logs, Request Logs, Action Logs). - Included configuration instructions and feature-specific notes for Pangolin Cloud and Enterprise Edition. Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
7.1 KiB
Documentation Index
Fetch the complete documentation index at: https://docs.pangolin.net/llms.txt Use this file to discover all available pages before exploring further.
CrowdSec
CrowdSec is a modern, open-source, collaborative behavior detection engine, integrated with a global IP reputation network. It functions as a massively multiplayer firewall, analyzing visitor behavior and responding appropriately to various types of attacks.
Installation
Crowdsec can be installed using the Pangolin Installer.
Configuration
By default, Crowdsec is installed with a basic configuration, which includes the Crowdsec Bouncer Traefik plugin.
Choose the right logs
Syslog
For systems utilizing Syslog, the following volumes should be added to the docker-compose.yml file:
service:
crowdsec:
volumes:
- /var/log/auth.log:/var/log/auth.log:ro
- /var/log/syslog:/var/log/syslog:ro
Create a syslog.yaml file under /config/crowdsec/acquis.d with the following content:
filenames:
- /var/log/auth.log
- /var/log/syslog
labels:
type: syslog
Journalctl
To log iptables to journalctl, execute the following command on your host system:
iptables -A INPUT -j LOG --log-prefix "iptables: "
Update the docker-compose.yml file as follows:
service:
crowdsec:
image: crowdsecurity/crowdsec:latest-debian
environment:
COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/linux crowdsecurity/iptables
volumes:
- ./config/crowdsec:/etc/crowdsec
- ./config/crowdsec/db:/var/lib/crowdsec/data
- ./config/traefik/logs:/var/log/traefik:ro
- /var/log/journal:/var/log/host:ro
Create a journalctl.yaml file under /config/crowdsec/acquis.d with the following content:
source: journalctl
journalctl_filter:
- "--directory=/var/log/host/"
labels:
type: syslog
Securing the Host System (SSH)
By default, only Traefik requests are secured through the Crowdsec bouncer. To extend protection to your host system ( e.g., SSH), follow these steps to add a firewall bouncer:
- Install the Crowdsec repositories. Refer to the installation documentation:
curl -s https://install.crowdsec.net | sudo sh
- Install the firewall bouncer. For Debian/Ubuntu systems using IPTables, refer to the documentation:
sudo apt install crowdsec-firewall-bouncer-iptables
- Create an API key for the firewall bouncer to communicate with your CrowdSec Docker container. ("vps-firewall" is a placeholder name for the key):
docker exec -it crowdsec cscli bouncers add vps-firewall
- Copy the dispalyed API key and insert it into the bouncer's configuration file:
nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
- Restart the firewall bouncer:
systemctl restart crowdsec-firewall-bouncer
- Update the
docker-compose.ymlfile to expose communication port8080for the CrowdSec container and restart the container:
service:
crowdsec:
ports:
- 6060:6060 # Metrics port
- 8080:8080 # Local API port
- Verify communication between the firewall bouncer and the CrowdSec container by running:
docker exec crowdsec cscli metrics
The output should look like this:
+------------------------------------------------------------------+
| Local API Bouncers Metrics |
+---------------------------+----------------------+--------+------+
| Bouncer | Route | Method | Hits |
+---------------------------+----------------------+--------+------+
| traefik-bouncer | /v1/decisions/stream | HEAD | 2 |
| traefik-bouncer@10.0.4.20 | /v1/decisions | GET | 3 |
| vps-firewall | /v1/decisions/stream | GET | 84 | <---------
+---------------------------+----------------------+--------+------+
Custom Ban Page
To display a custom ban page to attackers, follow these steps:
- Place a
ban.htmlpage in the/config/traefikdirectory. If you prefer not to create your own, you can download the official example:
wget https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/refs/heads/main/ban.html
- Update the
/config/traefik/dynamic_config.ymlfile to include the following:
http:
middlewares:
crowdsec:
plugin:
crowdsec:
banHTMLFilePath: /etc/traefik/ban.html
Custom Captcha Page
To use a custom captcha page, follow these steps:
- Place a
captcha.htmlpage in the/config/traefikdirectory. If you don't want to create your own, you can download the official example:
wget https://raw.githubusercontent.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/refs/heads/main/captcha.html
- Update the
/config/traefik/dynamic_config.ymlfile with the following configuration, replacing<SERVICE>with your captcha provider (MUST BE eitherhcaptcha,recaptcha, orturnstile), and<KEY>with the appropriate site and secret keys:
http:
middlewares:
crowdsec:
plugin:
crowdsec:
captchaHTMLFilePath: /etc/traefik/captcha.html
captchaGracePeriodSeconds: 300
captchaProvider: <SERVICE>
captchaSiteKey: <KEY>
captchaSecretKey: <KEY>
Testing
You can test your configuration by adding a temporary ban or captcha for your IP. The ban will last for one minute.
To add a ban:
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type ban
To trigger a captcha challenge:
docker exec crowdsec cscli decisions add --ip <YOUR IP> -d 1m --type captcha