Anyone heard of CrowdSec? Open Source Crowd-Sourced Security Engine

YmpkerYmpker OGContent Writer

Just read about this one in /r/selfhosted.
Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

https://www.crowdsec.net/product/crowdsec-security-engine
https://www.crowdsec.net/product/console

https://github.com/crowdsecurity/crowdsec

Has anyone been using this?

Thanked by (1)FrankZ

Comments

  • Hi, I installed it a while back on a personal server and it works okay. It is good at catching some of those port scanners. They also recently added some blocklists, free account allows you to subscribe to 2 of them.

    I have noticed an issue with some custom iptables rules being deleted after x number of server restarts on debian 11. I am pretty sure it has something to do with crowdsec-firewall-bouncer but have not dug into it too deep yet.

    Thanked by (1)Ympker
  • @Ympker said:
    Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

    @xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?

    Websites have ads, I have ad-blocker.

  • edited May 2023

    @Ympker said:
    Has anyone been using this?

    I played with CrowdSec (or some other "collaborative firewall"?) on one of my machines several years ago. Unsure whether it had a GUI and other fancy stuff back then.

    But after checking other alternatives decided to go with SSHGuard: https://www.sshguard.net/

    Pure C, no Python, low RAM usage, all the love you need. Happily using it since then.

    Thanked by (2)FrankZ Ympker

    ☰ Probably the best Black Friday storage offersAMD EPYC VDSes with NVMe slices (ref) from 250GB to 4TB and 500GB–10TB SAN disk. / Big HDD storage VPSes (ref) from $2.42/month per TB. / Storage dedis and hybrid VPS (SSD + HDD) are there as well.

  • I like it better than Maltrail; I've only tested it in my toy servers so far.

    CC_DENY = CN,RU,IN,ID works way better for production servers

    Thanked by (2)Ympker MGarbis

    Fuck this 24/7 internet spew of trivia and celebrity bullshit.

  • YmpkerYmpker OGContent Writer

    @somik said:

    @Ympker said:
    Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

    @xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?

    @somik said:

    @Ympker said:
    Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

    @xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?

    That's what I found: https://www.crowdsec.net/pricing

    There are more details on the pricing page.
    I had assumed there was one curated blacklist collaboratively updated by the crowd/community.

  • @Ympker said:

    @somik said:

    @Ympker said:
    Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

    @xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?

    @somik said:

    @Ympker said:
    Looks interesting as it's open source, and free on unlimited nodes and has a nice dashboard.

    @xyphos10 so it's free on unlimited nodes, BUT you only get 2 blocklists?

    That's what I found: https://www.crowdsec.net/pricing

    There are more details on the pricing page.
    I had assumed there was one curated blacklist collaboratively updated by the crowd/community.

    Yes there is one big list of bad IPS that come from detections presented by all participants worldwide. That is free. The blacklists mentioned are additional IP lists curated by crowdsec as well as other third party sources. You get 2 free.

    Thanked by (1)Ympker
  • You can even self host the list of bad IPS detected from your local instances via crowdsec-blocklist-mirror

    Thanked by (1)Ympker
  • I had assumed there was one curated blacklist collaboratively updated by the crowd/community.

    The default functionality of blocking based on community signals is always there. It‘s dynamically updated based on input received from all CrowdSec users.

    Blocklists are a new addition and they are externally curated, i.e. not based on user detections.
    https://www.crowdsec.net/blog/new-ip-external-blocklists

    I‘ve been using CrowdSec for nearly a year now on all my servers.

    Thanked by (1)Ympker
  • @error said:

    I came to say the same thing. I would say it is slower to block than fail2ban and possibly others, something that has been raised in github issues, but works well enough on my servers.

    Keith

  • I'm using it with CyberPanel right now.

    Thanked by (1)Ympker

    Android 14 | Windows 11 | Ubuntu 24.04

  • edited May 2023

    I tried it a while back but I found it to be a bit cumbersome, it has quite some moving parts (that can fail). Documentation is also all over the place.
    For me it became pretty much redundant once I switched to Cloudflare Tunnels. Cloudflare does a pretty good job at keeping out the bad guys. Yes I know opinions about Cloudflare differ, just my two cents.

    Thanked by (1)Ympker
  • havochavoc OGContent Writer

    Threw it on an idle box a couple years back. Was ok, but wasn't overly impressed. Might need to give it another go since it presumably has improved

  • I found it to have much higher CPU usage than fail2ban (like 5-10x) when only blocking SSH. So I just switched all my servers to key auth only and removed crowdsec and fail2ban, since that's the only authed service I run on them (that doesn't use an IP whitelist).

    Thanked by (1)Ympker
  • I ran it for maybe six months on a few boxes that I know are heavily targeted.
    It is a good idea, but it's a bit messy and the documentation needs a lot of work. Every time I fiddled with it I could not stop thinking "this does not need to be this complex". Also, the amount of resources taken does not match the amount of work that should be needed for something like this. I think they aim for huge installations because everything seems like it was built for huge networks with hundreds of nodes with unlimited cpu and ram.

    Pro's are that it does work, the dashboards look nice and it scales well. Invest some time into really understanding how it works and you could probably do some really cool things. I set it up with a "master" node and attached a few satellites to it, worked nicely with central dashboard and distributed blocklist.

    Thanked by (1)Ympker
  • Great experience that it blocked ::1 - I had to add it manually to the whitelist afterwards.

  • @bjo said:
    Great experience that it blocked ::1 - I had to add it manually to the whitelist afterwards.

    lmao

  • Just setup it last week using the cloudflare bouncer and planning to install the nginx bouncer next.
    Also enabled rules in cloudflare and it's blocking 10K IPs.

Sign In or Register to comment.