Crowdsec - A Modern Replacement for Fail2Ban
InceptionHosting
Hosting ProviderOG
in Technical
Further reading/source article: https://danielmiessler.com/study/crowdsec
key features:
- allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
- is easy to install and maintain with no technical requirement. The installer even comes with a wizard duh!
- is designed to be integrated with other solutions and components (ie. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)
- is about sharing : meta-data about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.
- is a lightweight : it runs standalone, doesn’t require much ram or CPU
- can work with cold logs: you can run it on “cold” logs and see what could have happened
- comes with out of the box dashboards, because we know visualisation is key
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Comments
Nice find. That has some time saving potential.
Hate radiates from the source. If you look around and see it everywhere, it's coming from you.
Looks nice. Anyone tested it yet?
I reckon some will have some views on the data sharing part, but for me frankly if it helps sharing lists of shitty IPs, count me in.
I like the concept. Bit wary about it in some ways though (e.g. falsify reports to negatively affect a competitor)
I'll throw it on a clean VPS to test & post some screenshots later
Nice one, looking forward to seeing the results.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
I’ll do the same
Pros:
Cons
Hasn't caught anything yet but maybe just slow SSH day lol. Seems to have lots of areas in the web interface that will presumably have graphs later. I'll leave it running for a while - someone @ me in a couple days if I forget.
The crowd sourced part:
That's a lot of cons :-/
Yeah but aside from the ssh resets no real show stoppers...and even that as I said might be unrelated. The VPS I used was previously stable...but I know they made hardware changes since.
Web interface & blocker being separate is explained on the github...I just didn't read it properly lol
Oh noes the clooouuuuud. It sounds like an attack vector in its own right?
Lmao! I'll try it out just for that comment
Uh yeah I didn't know that I have to install docker first, front page on the github doesn't mention anything about it. "Installer mentions it doesn't block anything " also confused me. But yes I'm lazy to read docs..
I don't see such as con's, makes sense to have the Panel and the as they call it Bouncers optional.
So you can configure it based on your needs.
Free NAT KVM | Free NAT LXC
anyone knows how to reset the dashboard user/pass? my ssh connection dropped while installing the metabase dashboard, so I can't see the user/pass
I wonder how/if the same can be implemented with some fail2ban + git + some bash script to sync the log-files around.
CrownCloud - Internet Services | Los Angeles, California | Frankfurt, Germany | Amsterdam, The Netherlands
Oh hey excitement. Got a ban - some naughty american hitting the SSH port 13 times.
Overall liking their dashboard. It's not very detailed yet but feels a bit like an empty grafana dash...the gap between not good and a pretty awesome visualisation is pretty small. Give it half a year and a couple 1000 users and could be neat AF
I wonder if this can be installed on the company USG
Looks like it's got potential once those (mainly UI/UX) issues are ironed out.
Get the best deal on your next VPS or Shared/Reseller hosting from RacknerdTracker.com - The original aff garden.
Wouldn't call it issues so much as they went for a full blown analytics front end & it just feels a little...sparse. Presumably they're working on the core rather than the shiny graphics.
Still...bit more data and the main dashboard now looks pretty shiny already
Either this or once it's working they make it a paid service. As usual..
Holy hell...see that "No.31,Jin-rong Street" in the logs at the bottom? Thought that looked familiar...
https://www.bgpmon.net/chinese-isp-hijacked-10-of-the-internet/
Can you disable the sharing? Also how would IPs eventually get cleaned? Are they on a time out period?
vallumd provides clustered cohesion.
Will test it for NanoKVM, maybe a chance that it catches these port scans before they reach the SSH servers on the VM's.
Worth a try, will let you know how it works out.
Free NAT KVM | Free NAT LXC
Thats a good idea, will look into that myself.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
https://wiki.x8e.net/doku.php?id=crowdsec_setup
My setup for the big testings.
Yea the webinterface is the same stuff you basically see on CLI, nothing fancy.
I would not put that on any production since just bloat you don't need.
Free NAT KVM | Free NAT LXC
Thanks, implemented and got immediate bans from frantech xD.
wow, scam.
I did setup the same shit, did not got any bans yet despite I see failed SSH attempts.
edit:
https://hub.crowdsec.net/author/crowdsecurity/configurations/ban-report-ssh_bf_report
Free NAT KVM | Free NAT LXC
nice, hopefully it will stay open source
Considering the number of badly coded scripts reporting to RBLDNS's and abuseipdb I have little faith in any community sourced database.
An example of this we see alot is the reporting of attack targets because the reporters own IP services being used for reflection or amplification
X4B - DDoS Protection: Affordable Anycast DDoS protection including Layer 7 mitigation with PoPs in the Europe, Asia, North and South America.
Latest Offer: Brazil Launch 2020 Offer