CrowdSec is a free, open-source and collaborative IPS. Analyze behaviors, respond to attacks & share signals across the community.

With CrowdSec, you can set up your own intrusion detection system that parses logs, detects and blocks threats, and shares bad actors with the larger CrowdSec community. It works great with a reverse proxy like Traefik to help keep hackers at bay.

Could this be a viable alternative to fail2ban?
```yaml
version: '3.8'

services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    environment:
      GID: "${GID-1000}"
      COLLECTIONS: "crowdsecurity/linux crowdsecurity/traefik"
    # depends_on: # uncomment if running traefik in the same compose file
    #   - 'traefik'
    volumes:
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/
      - traefik_traefik-logs:/var/log/traefik/:ro
    networks:
      - proxy
    restart: unless-stopped

  bouncer-traefik:
    image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: some-api-key
      CROWDSEC_AGENT_HOST: crowdsec:8080
    networks:
      - proxy # same network as traefik + crowdsec
    depends_on:
      - crowdsec
    restart: unless-stopped

networks:
  proxy:
    external: true

volumes:
  crowdsec-db:
  crowdsec-config:
  traefik_traefik-logs: # this will be the name of the volume from traefik logs
    external: true # remove if traefik is running on same stack
```
```bash
cd config
touch acquis.yaml
nano acquis.yaml
docker-compose up -d --force-recreate
```
```yaml
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CF_API_EMAIL=user@example.com
      - CF_DNS_API_TOKEN=YOUR_API_TOKEN
      # - CF_API_KEY=YOUR_API_KEY
      # be sure to use the correct one depending on if you are using a token or key
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/username/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/username/traefik/data/acme.json:/acme.json
      - /home/username/traefik/data/config.yml:/config.yml:ro
      - traefik-logs:/var/log/traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=USER:BASIC_AUTH_PASSWORD"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.local.example.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=local.example.com"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.local.example.com"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:
    external: true

volumes:
  traefik-logs:
```
```yaml
# check to be sure you have your middleware set for both
entryPoints:
  http:
    address: ":80"
    http:
      middlewares:
        - crowdsec-bouncer@file
  https:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file
```
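A preflight check for the files used above, as an added example that is not part of the original post: it catches an acquis.yaml that is missing or does not read the Traefik logs, the placeholder bouncer key, and an undefined crowdsec-bouncer middleware before the stack is started. The function name `crowdsec_preflight`, the acquis.yaml contents it expects (the mounted log path and a `type: traefik` label) and the sample files are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): preflight checks for this stack.
# crowdsec_preflight is a hypothetical helper; the file paths are its arguments.

# Usage: crowdsec_preflight <crowdsec compose file> <acquis.yaml> <traefik config.yml>
# Prints one line per problem and returns the number of problems found.
crowdsec_preflight() {
  local compose="$1" acquis="$2" dynconf="$3" problems=0
  fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

  # If the bind-mount source is missing, Docker creates a directory with that
  # name, which is why acquis.yaml is created before `docker-compose up`.
  if [ ! -f "$acquis" ]; then
    fail "$acquis is not a regular file"
  else
    # CrowdSec only reads what acquis.yaml lists; the compose file mounts the
    # Traefik log volume at /var/log/traefik/ (expected contents are assumed).
    grep -q '/var/log/traefik/' "$acquis" || fail "acquis.yaml does not read /var/log/traefik/"
    grep -Eq '^[[:space:]]*type:[[:space:]]*traefik[[:space:]]*$' "$acquis" \
      || fail "acquis.yaml does not label the logs as type traefik"
  fi

  # The bouncer cannot query the local API with the placeholder key. A real key
  # comes from: docker exec crowdsec cscli bouncers add bouncer-traefik
  if grep -Eq 'CROWDSEC_BOUNCER_API_KEY:[[:space:]]*"?some-api-key' "$compose"; then
    fail "CROWDSEC_BOUNCER_API_KEY is still the placeholder"
  fi

  # traefik.yml attaches crowdsec-bouncer@file to both entry points, so the
  # file provider (config.yml) has to define a middleware with that name.
  grep -Eq '^[[:space:]]*crowdsec-bouncer:' "$dynconf" \
    || fail "config.yml defines no crowdsec-bouncer middleware"

  return "$problems"
}

# Constructed sample files so the check can be run offline.
demo_dir=$(mktemp -d)
printf 'filenames:\n  - /var/log/traefik/*\nlabels:\n  type: traefik\n' > "$demo_dir/acquis.yaml"
printf 'environment:\n  CROWDSEC_BOUNCER_API_KEY: some-api-key\n' > "$demo_dir/compose.yml"
printf 'http:\n  middlewares: {}\n' > "$demo_dir/config.yml"
crowdsec_preflight "$demo_dir/compose.yml" "$demo_dir/acquis.yaml" "$demo_dir/config.yml" \
  || echo "problems found: $?"
```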
Dashboard
To add a self-hosted dashboard, update your docker-compose.yml:
```yaml
  dashboard:
    # we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
    build: ./dashboard
    restart: always
    ports:
      - 3000:3000
    environment:
      MB_DB_FILE: /data/metabase.db
      MGID: "${GID-1000}"
    depends_on:
      - 'crowdsec'
    volumes:
      - crowdsec-db:/metabase-data/
    networks:
      crowdsec_test:
        ipv4_address: 172.20.0.5
```
Restart the container:

```bash
docker-compose up -d --force-recreate
```
The default Metabase credentials are crowdsec@crowdsec.net (user) and !!Cr0wdS3c_M3t4b4s3?? (password). Be sure to change them.