What is Crowdsec?
Source: Lawrence Systems
CrowdSec is an open-source Intrusion Prevention System (IPS) that protects your network from known threats using crowd-sourced threat intelligence. What sets CrowdSec apart is that detections are shared among its users, so the whole community can respond quickly to emerging threats. When deployed on a system within your network, CrowdSec can monitor, alert on, and block malicious activity.
Unlike traditional IPS platforms that rely on predefined signatures and rules to identify malicious traffic, CrowdSec calculates a reputation score for IP addresses based on community-driven threat intelligence. IP addresses with a poor reputation are blocked from accessing protected resources. This makes CrowdSec fast, lightweight, and effective at protecting a wide range of network resources.
CrowdSec has two key components: the agent and the bouncer. The agent monitors log files, detects signs of malicious activity, and shares the relevant information with the CrowdSec community. The bouncer enforces the resulting decisions by blocking access to protected resources from flagged IP addresses. When integrated with a firewall such as OPNsense, the bouncer shields the entire network; individual services such as web servers can also be protected by bouncers tailored to specific applications.
Communication within the CrowdSec ecosystem revolves around the Local API (LAPI) and the Central API (CAPI). Agents and bouncers talk to the LAPI, which in turn communicates with the CAPI; this is how crowd-sourced intelligence is shared and updated. In advanced setups, multiple agents and bouncers can operate within a network, all reporting to a central local server hosting the LAPI, which gives a coordinated defense across several hosts.
What’s the difference between standard Suricata IDS and Crowdsec?
CrowdSec and Suricata are both powerful tools in the realm of cybersecurity, but they serve different purposes and operate in distinct ways:
1. CrowdSec:
- Purpose: CrowdSec is an open-source behavior-based security monitoring and response tool. It is designed to detect and respond to security threats by leveraging crowd wisdom and data collection. CrowdSec focuses on identifying patterns of malicious behavior and responding to these patterns in real-time.
- Detection Approach: CrowdSec uses a crowd-sourced approach, collecting and analyzing data from a large community of users to identify new threats and attack patterns. It calculates reputation scores for IP addresses based on collective intelligence, allowing for adaptive and real-time threat response.
- Use Case: CrowdSec is suitable for detecting various types of threats across different services and applications. It can monitor, alert, and block malicious activities on systems where it is deployed.
2. Suricata:
- Purpose: Suricata is an open-source Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). It is primarily used for network security monitoring and analyzing network traffic in real-time. Suricata is capable of detecting and alerting on a wide range of network threats.
- Detection Approach: Suricata uses signature-based detection, where it matches patterns in network traffic against predefined rules or signatures to identify known threats. It can also perform protocol analysis and detect anomalies in network behavior.
- Use Case: Suricata is typically used at the network perimeter to monitor incoming and outgoing traffic for signs of malicious activity. It is effective for detecting attacks such as port scans, DDoS attacks, and various types of network intrusion attempts.
Key Differences:
- Detection Method: CrowdSec relies on behavior-based analysis and crowd-sourced threat intelligence, whereas Suricata primarily uses signature-based detection along with protocol analysis and anomaly detection.
- Focus: CrowdSec is more focused on behavioral patterns and real-time response, making it adaptable to new and evolving threats. Suricata is focused on network traffic analysis and is well-suited for detecting known threats based on predefined signatures.
- Deployment: CrowdSec can be deployed on individual systems to protect applications, services, and resources. Suricata is commonly deployed at network gateways or intrusion detection points to monitor overall network traffic.
In summary, CrowdSec is geared toward behavior-based threat detection and response, while Suricata is focused on network traffic analysis and detecting known threats based on predefined signatures. The choice between the two would depend on specific security requirements and use-case scenarios.
More: https://www.crowdsec.net/blog/suricata-vs-crowdsec
Things to be aware of…
CrowdSec offers comprehensive network protection against known malicious IP addresses shared by the community, provided you establish the necessary block rules as outlined later in these guidelines. However, the current plugin functionality is limited to monitoring specific malicious activities on the web interface and SSH services of your OPNsense system. With the creation of additional log file parsers for the CrowdSec plugin, it can be expanded to monitor other services running on your OPNsense router. This potential for growth highlights the importance of community contributions to the advancement of CrowdSec, benefiting OPNsense users significantly.
In its basic configuration, the CrowdSec plugin operates as a single server setup, safeguarding services on your OPNsense system and blocking malicious IP addresses sourced from the CrowdSec community. Alternatively, CrowdSec can be configured in a multi-server setup, where multiple CrowdSec agents report to a central local API server. While the local API server can be hosted on the OPNsense machine, offloading it onto another device might be advantageous if your hardware resources are limited and your network processes a substantial volume of logs. This approach helps alleviate the strain on your OPNsense firewall.
INSTALLATION & CONFIGURATION
Step 1 – Register an account at Crowdsec.net
Create a free CrowdSec account at https://crowdsec.net; you will need it to link the Security Engine with your OPNsense appliance.
Step 2 – Install the Crowdsec plugin on your OPNSENSE
Go to OPNsense > System > Firmware > Plugins and choose the CrowdSec plugin to install (+).
This installs three packages:
• os-crowdsec, the plugin itself
• crowdsec
• crowdsec-firewall-bouncer
Once installed head over to Opnsense > Services > Crowdsec Settings. On the Settings tab, select the first three checkboxes: IDS, LAPI and IPS. Click Apply.
Please note: The firewall won’t block anything unless you activate the bouncer feature. CrowdSec takes care of generating floating rules to block all incoming malicious IPv4/IPv6 addresses automatically. Additionally, it creates block list aliases for both IPv4 and IPv6, which you can incorporate into your custom firewall rules for specific purposes, if necessary.
Step 3 – Connect OPNSENSE Crowdsec plugin with your network account
Open your CrowdSec account at https://app.crowdsec.net/ and head over to Security Engines > Connect my Security Engine now.
Then look for the Enroll your CrowdSec Security Engine option and copy its enrollment code to a notepad.
Next, go to OPNsense > System > Settings > Administration and enable SSH access to your OPNsense.
Connect to your OPNsense via SSH and type 8 to select option 8 (Shell).
## Ensure that CrowdSec is running
sudo service crowdsec start
## Now paste the enrollment code copied from the CrowdSec site
sudo cscli console enroll <your-unique-code>
## Reload the CrowdSec plugin from the CLI
sudo service crowdsec reload
or restart the service from the OPNsense dashboard instead.
After the appliance has sent the enrollment request, you'll see an Enroll Request in your CrowdSec account. Click Accept Enroll.
Once the OPNsense appliance is enrolled, change the name tag next to it so you know exactly which device you're currently managing.
Step 4 – Add private addresses to the whitelist
In certain scenarios, the CrowdSec agent might opt to block your client’s internal IP address if it detects behavior resembling a brute force attack. To avoid such occurrences, it’s advisable to implement an additional whitelist as a precautionary measure. This whitelist acts as a safeguard, preventing inadvertent blocks and ensuring smooth operations within your network.
Add the whitelist from the CLI and reload the CrowdSec plugin:
## install the whitelists
cscli parsers install crowdsecurity/whitelists
cscli collections install crowdsecurity/opnsense
cscli collections install crowdsecurity/opnsense-gui
## reload the crowdsec agent
sudo service crowdsec reload
More: https://www.pickysysadmin.ca/2023/04/22/opensense-and-crowdsec-blocking-internal-ips/
Step 5 – Disable SSH when the configuration of Crowdsec is done
Disable SSH again under OPNsense > System > Settings > Administration, where you enabled it in Step 3.
Step 6 – Check the Firewall rulesets on the WAN interface
CrowdSec should have created additional entries under Firewall > WAN rules that are linked to the CrowdSec lists under Firewall > Aliases.
Step 7 – Adding additional blocklists to existing rulesets
Out of the box, CrowdSec includes a pre-installed hub collection specifically designed for OPNsense, offering protection against potential attacks on the system.
To guard against attacks originating from malicious IPs beyond OPNsense, you can utilize the various blocklists provided by CrowdSec Security Engines. These ready-made blocklists serve as effective shields, fortifying your network against threats from known malicious sources.
You can add additional blocklists from your Account > Security Engines > Engines > <select your instance> > Blocklists > Browse Available Blocklists
Select the blocklists that align with your interests, and specify the corresponding action for CrowdSec when it identifies a malicious IP (in my case, it is banning).
Reload CrowdSec from the OPNsense dashboard.
Step 8 – Postchecks on your Crowdsec agent
Go to OPNsense > Firewall > Aliases and check that lists of IPs have been loaded into the CrowdSec aliases used by the rules.
Then go to OPNsense > Services > CrowdSec > Overview and check that the Agent and Bouncer are running.
Check the HUB collection for scenarios
Check the parsers which will make the decisions:
Step 9 – How to check on alerts and blocked attacks
If any suspicious behavior is detected, you can check the alerts under OPNsense > Services > CrowdSec > Overview > Alerts.
If decisions have been made to block an IP based on your rulesets, you can check them in the GUI:
or from the CLI:
OPN# cscli decisions list -a
or in your CrowdSec account under Alerts & Decisions.
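As an added example (not part of the original post or of the CrowdSec project), the following POSIX shell script ties Step 4 and Step 9 together: it reads the CSV that `cscli decisions list -o raw` prints and reports any active decision that targets a private or loopback IPv4 address, which is exactly what the whitelist from Step 4 is meant to prevent, along with a per-scenario count of decisions. The column order (id,source,ip,reason,...) is an assumption about the cscli raw output and should be compared with the header line your version prints; the decision rows are constructed sample data, not output captured from a real engine.

```shell
#!/bin/sh
# Added example, not from the original post or the CrowdSec project.
# Checks `cscli decisions list -o raw` output (CSV) for decisions that target
# private or loopback IPv4 addresses, i.e. internal clients that the whitelist
# parser from Step 4 is supposed to keep out of the decision list.
#
# Assumption: the raw CSV header is
#   id,source,ip,reason,action,country,as,events_count,expiration,simulated,alert_id
# Verify this against the header line your cscli prints before trusting the
# column numbers below. Fields are assumed not to contain quoted commas.

# Constructed sample rows standing in for live `cscli decisions list -o raw` output.
SAMPLE_DECISIONS='id,source,ip,reason,action,country,as,events_count,expiration,simulated,alert_id
12,crowdsec,203.0.113.45,crowdsecurity/ssh-bf,ban,,,6,3h59m,false,7
13,crowdsec,192.168.1.50,crowdsecurity/opnsense-gui-bf,ban,,,5,3h58m,false,8
14,CAPI,198.51.100.7,crowdsecurity/http-probing,ban,,,0,23h59m,false,0
15,crowdsec,10.0.0.12,crowdsecurity/ssh-bf,ban,,,6,3h10m,false,9
16,crowdsec,172.31.255.9,crowdsecurity/ssh-bf,ban,,,6,2h40m,false,10'

# private_decisions: read the CSV on stdin, skip the header line, and print
# "ip,reason" for every decision whose ip is in 10/8, 172.16/12, 192.168/16
# or 127/8. Rows whose ip is not dotted-quad IPv4 (e.g. IPv6) are skipped.
private_decisions() {
    awk -F',' 'NR > 1 {
        n = split($3, o, ".")
        if (n != 4) next
        priv = 0
        if (o[1] == 10) priv = 1
        else if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) priv = 1
        else if (o[1] == 192 && o[2] == 168) priv = 1
        else if (o[1] == 127) priv = 1
        if (priv) print $3 "," $4
    }'
}

# count_by_scenario: print "count,scenario" for each distinct reason column, sorted.
count_by_scenario() {
    awk -F',' 'NR > 1 { c[$4]++ } END { for (k in c) print c[k] "," k }' | sort
}

# Stand-alone demo on the constructed sample. On OPNsense, replace the printf
# with:  cscli decisions list -o raw | private_decisions
echo "Decisions against internal addresses (should be empty once whitelisting works):"
printf '%s\n' "$SAMPLE_DECISIONS" | private_decisions
echo "Decisions per scenario:"
printf '%s\n' "$SAMPLE_DECISIONS" | count_by_scenario
```

Any internal address the script reports can be removed with `cscli decisions delete -i <ip>`; the whitelist parser only stops new events from private ranges being turned into decisions, it does not retract decisions that already exist.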
TESTING CROWDSEC
Bruteforce attack on SSH demo
Crowdsec on Linux
Sources:
Crowdsec Official Guide – https://docs.crowdsec.net/docs/getting_started/install_crowdsec_opnsense/
Home Network Guy Opnsense Installation – https://homenetworkguy.com/how-to/install-and-configure-crowdsec-on-opnsense/
Private addresses whitelisting for Crowdsec – https://www.pickysysadmin.ca/2023/04/22/opensense-and-crowdsec-blocking-internal-ips/
Maciej Zytowiecki
Network security expert with a deep passion for wireless networks, networking and data security. When I'm not working, you'll find me diving into hobby projects, contributing to open-source initiatives, or enjoying hands-on experiments with cutting-edge tech. My goal is to bridge the gap between complex concepts and accessible knowledge, making the world of network security both intriguing and approachable for all.