Crowdsec Install guide for cloudron purposes

rmdes

the main consequences I have seen is a drastic drop in all the wordpress (previously using wordfence or else) attacks/prob/vuln scan etc..after a week without these plugins doing anything (the firewall intercept these scenarios before they reach nginx) my wordfence logs are now bots/humans/myself, no more attacks.

it's just brutal since Armada host quite a few domains running wordpress, so basically the surface to attack drop's considerably with crowdsec agent monitoring the door, the Wordpress containers don't even get the bots usually hitting the domains, so I also have seen a drop in CPU/Mem usage overall everywhere, it's now running since 2 weeks without any problem.

I'm sure now that the first issue I had was because of the manual installation at that point in time, for some reason it pulled another version of nginx, but even if you reproduce these steps now, the installation just work fines and if you mess with the agent API, it's really easy to replace the API accordingly, have all the pieces of the YML files correctly configured, make sure systemd service are enabled and started and running and voila !

If you want to go the safe way, just use the Firewall (in fact if you use it, the nginx bouncer is irrelevant) in my experience setting up metabase the way I did is safe and does not impact cloudron in any way that I could see.

jdaviescoates

@rmdes that all sounds great. I wonder if Crowdsec could be baked into Cloudron itself?

rmdes

@jdaviescoates I know the crowdsec people are working "upstream" with all kinds of actors to get this done for many hosting/implementations out there, in my experience, since both Cloudron and Crowdsec use iptables this integration is already the case, what should be perhaps done is how the cloudron admin activate/onboard from the dashboard or something similar but I'm not sure about the added value since technically, it is integrated in many ways already :

• has a Docker type
• IPtables
• Can plug on any SystemD service to parse logs

what could probably be optimized is how crowdsec "watches" all the docker containers and perhaps make sure the implementation does not disrupt cloudron operations in any way, make it bullet proof install tested.

klausagnoletti

@rmdes I am head of community at CrowdSec and we would be happy to work with anyone from the Cloudron community on this. For this purpose it would be a great idea to join our Discord community and talk about it there

jdaviescoates

@rmdes said in Crowdsec Install guide for cloudron purposes:

what should be perhaps done is how the cloudron admin activate/onboard from the dashboard or something similar but I'm not sure about the added value since technically, it is integrated in many ways already

That would have massive added value to me.

I wouldn't trust myself to not mess something up doing it manually!

And anything that makes life easier and simpler is welcome. So just having some option in the Cloudron admin that could enable Crowdsec would be ideal.

rmdes

@klausagnoletti I'm already there but not a Cloudron dev or anything, but yeah it would be amazing the have the existing metabase cloudron app in "flavors" one could be the default app we have now, another one could bootstrap crowdsec db and be a one click install for the underlying crowdsec installed in the host but I have no idea if it's possible.

BrutalBirdie

I am now checking out CrowdSec as well.

As of writing this the installation instruction from @Mastadamus where almost correct.

Edit nginx.conf file to put in default logging

Not needed, also the posted config is bad since it's missing the final closing curly bracket }

---

Everything else worked as described.

---

Now to the bouncer.

@rmdes said in Crowdsec Install guide for cloudron purposes:

So if you really want to test the nginx bouncer you need to disable the firewall bouncer

Ahhh ok, nah I will stick with the iptable bouncer.

BrutalBirdie

@rmdes said in Crowdsec Install guide for cloudron purposes:

I had to tweak crowdsec-firewall-bouncer.yml to this

Where? What?

https://docs.crowdsec.net/docs/bouncers/firewall/#configuration
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Ok.

@rmdes said in Crowdsec Install guide for cloudron purposes:

I used this approach to get all the containers (acquis.yml)

Where? What?

https://docs.crowdsec.net/docs/v1.0/acquisitions/format/#acquisition-directives
/etc/crowdsec/acquis.yaml

Ok.

@rmdes said in Crowdsec Install guide for cloudron purposes:

I used port 9999 in config.yml

Where? What?

https://docs.crowdsec.net/docs/configuration/crowdsec_configuration#configuration-directives
/etc/crowdsec/config.yaml

In yaml querry / json qurry format:
yq '.api.server.listen_uri' < /etc/crowdsec/config.yaml
127.0.0.1:8080 this changed to 127.0.0.1:9999 I assume.
Changed to :9999

@rmdes said in Crowdsec Install guide for cloudron purposes:

and accordingly into
local_api_credentials.yaml

Where? What?

https://docs.crowdsec.net/docs/next/local_api/intro/
/etc/crowdsec/local_api_credentials.yaml

In yaml querry langauge:
yq '.url' < /etc/crowdsec/local_api_credentials.yaml
http://127.0.0.1:8080 changed to :9999

@rmdes said in Crowdsec Install guide for cloudron purposes:

bouncers/crowdsec-firewall-bouncer.yaml

Where? What?
https://docs.crowdsec.net/docs/bouncers/firewall/
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

yaml querry:
yq '.api_url' < /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
http://127.0.0.1:8080 changed to :9999

@rmdes said in Crowdsec Install guide for cloudron purposes:

install linux/ssh/nginx/docker scenarios using cscli

What? How?

https://docs.crowdsec.net/docs/v1.1/cscli/cscli_scenarios_install/
cscli scenarios install
Which scenarios can I install?
https://hub.crowdsec.net/browse/

Following your advice:

cscli scenarios install linux
cscli scenarios install sshd
cscli scenarios install nginx

I did not find and scenario for docker? @rmdes and now when I try cscli scenarios install linux I get an error.
Well it seems this are not scenarios but collections.

So it's https://docs.crowdsec.net/docs/v1.2/cscli/cscli_collections_install/

cscli collections install crowdsecurity/linux

Which is already installed by default, which also included sshd by default.

I could not find docker at all.
Maybe you can help out here @rmdes

BrutalBirdie

Now I am running crowdsec on my cloudron.
I will report back for more findings.

necrevistonnezr

@BrutalBirdie Thanks! It would be great if your, @rmdes and @Mastadamus findings could end up in a Cloudron doc in the end...!

rmdes

@BrutalBirdie Sorry have been busy and thanks for documenting my steps

The docker part is done on the /etc/crowdsec/acquis.yml
I'm not entirely convinced my regex call works appropriately
or even that in the cloudron context this is entirely needed (I have one cloudron with & without not seeing much difference)

# Docker context
source : docker
container_name_regexp:
  - ^[a-zA-Z0-9_.-]*$
labels:
  type: log_type
---

necrevistonnezr

Revisiting this topic - is Crowdesc running reliably for those who got it installed?

rmdes

not anymore, there has been a lot of changes on crowdsec side and not only the crowdsec-firewall-bouncer needs a very specific nginx version but even the wordpress bouncer could not be properly installed last time I checked.

I still have one instance running behind a Cloudflare, a server running cloudron + crowdsec but without the nginx bouncer, just the cloudflare bouncer, but even in this configuration I could not get the wordpress bouncer to work.

robi

Should the OP title be changed to reflect all of this is not recommended anymore?

girish

@robi good point, I have put a warning up front.