Crowdsec

Crowdsec is a cool cyber security solution. You install it on your Linux server and it runs as a daemon. During setup it has a look at which services you have running, then it reads their logs and flags up shady behaviour in them (it only detects at this point, blocking comes next).

You can install a remediation component (they used to be called bouncers) and it will … remediate those issues. In this case an iptables remediation component blocks the abusing IP, so it becomes similar to fail2ban in that regard.

In addition you can enrol in their cloud service for free. This gives you a monitoring dashboard in the cloud and the ability to pull in community blocklists, so IPs that have been flagged by other users get blocked on your box too.

So yeah it’s pretty easy to set up. Set up your applications first, because when crowdsec is installed it looks at what is running and only installs the parsers and scenarios for the services it finds, in my case nginx. Anything you add later needs its collection installed by hand.

Official docs:

https://doc.crowdsec.net/u/getting_started/installation/linux/

In my case I have been using Rocky Linux 9.7

Manual repo installation is best because piping a random script off the internet into sudo bash is never a good idea 🫠 what could be in the script!? With the repo you at least get dnf checking the package signatures (as long as gpgcheck is on in the repo file), which curl | bash skips entirely. (Then again we are installing their software and just trusting that; the paranoid among us can comb through the source code, build it themselves and repeat every time the repo is updated.)

dnf install crowdsec -y

This package only scans the logs and detects the issues; the remediation component is a separate package.

setsebool -P httpd_can_network_connect 1

In my instance, since SELinux was switched on, I had to allow this bool. In addition the crowdsec service would not start because I was already running something on port 8080. So I had to edit these files:

vim /etc/crowdsec/local_api_credentials.yaml

Edit this line so it no longer says 8080:

url: http://127.0.0.1:8081

Also edit listen_uri in this file: vim /etc/crowdsec/config.yaml. Both files have to agree on the port, otherwise the agent cannot reach the local API and the service fails to start again.

api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8081
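The two edits above are easy to get half done (one file moved to 8081, the other still on 8080), so here is a small check script. It is an added example for this post, not the post’s own commands and not code from the CrowdSec project: it pulls the port out of listen_uri in config.yaml and out of url in local_api_credentials.yaml, refuses if they differ, and uses ss to see whether something already listens on the chosen port (the 8080 clash). The default paths are the ones edited above; the demo at the bottom runs on constructed copies in a temp directory, not on the real files.

```shell
#!/bin/sh
# Added example (not from the post or the CrowdSec project): check that the
# two files edited in the post agree on the LAPI port, and that nothing else
# already listens on it. Default paths are the ones the post edits; pass
# other paths as arguments to check copies instead.
set -u

# Port from a "url: http://host:port" line in local_api_credentials.yaml.
# Greedy .* keeps this working for IPv6 hosts and a trailing slash.
creds_port() {
  sed -n 's|^[[:space:]]*url:[[:space:]]*.*:\([0-9]\{1,5\}\)[/[:space:]]*$|\1|p' "$1" | head -n 1
}

# Port from a "listen_uri: host:port" line in config.yaml.
listen_port() {
  sed -n 's|^[[:space:]]*listen_uri:[[:space:]]*.*:\([0-9]\{1,5\}\)[[:space:]]*$|\1|p' "$1" | head -n 1
}

# 0 when both files name the same port, 1 when one is missing or they differ.
check_lapi_port() {
  config="${1:-/etc/crowdsec/config.yaml}"
  creds="${2:-/etc/crowdsec/local_api_credentials.yaml}"
  lp=$(listen_port "$config")
  cp=$(creds_port "$creds")
  if [ -z "$lp" ] || [ -z "$cp" ]; then
    echo "no port found in $config or $creds" >&2
    return 1
  fi
  if [ "$lp" != "$cp" ]; then
    echo "mismatch: listen_uri is on $lp but the credentials url points at $cp" >&2
    return 1
  fi
  echo "agent and LAPI agree on port $lp"
}

# 0 when nothing listens on the port, 1 when something already does (the 8080
# clash from the post). ss ships with Rocky 9; if it is missing we assume free.
port_free() {
  if command -v ss >/dev/null 2>&1; then
    if ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"; then
      return 1
    fi
  fi
  return 0
}

# Demo on constructed copies (not real config): config.yaml already moved to
# 8081, credentials file still on the default 8080, then fixed.
demo() {
  tmp=$(mktemp -d)
  printf 'api:\n  server:\n    listen_uri: 127.0.0.1:8081\n' > "$tmp/config.yaml"
  printf 'url: http://127.0.0.1:8080\nlogin: agent\npassword: constructed\n' > "$tmp/local_api_credentials.yaml"
  if ! check_lapi_port "$tmp/config.yaml" "$tmp/local_api_credentials.yaml"; then
    echo "caught the mismatch, fixing the credentials file"
  fi
  printf 'url: http://127.0.0.1:8081\nlogin: agent\npassword: constructed\n' > "$tmp/local_api_credentials.yaml"
  check_lapi_port "$tmp/config.yaml" "$tmp/local_api_credentials.yaml"
  if port_free 8081; then echo "port 8081 is free"; else echo "port 8081 is already taken"; fi
  rm -rf "$tmp"
}

demo
```

Run it without arguments on the box after the edits and before restarting the service. Two caveats: the remediation component has its own config with a LAPI url in it (under /etc/crowdsec/bouncers/ as far as I know, check your install) which has to move off 8080 as well, and once crowdsec is restarted, cscli lapi status is the quick way to confirm the agent can actually log in to the local API.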

I started writing this a while ago and life just happens to you I guess! 🤣 All in all it’s a great security solution, especially if you’ve only got a couple of VPSs and they’re European, so have solid data protection rules. Peace!
