November 12, 2020

707 words 4 mins read

crowdsecurity/crowdsec

crowdsecurity/crowdsec

Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviours. It also automatically benefits from our global community-wide IP reputation database.
repo name crowdsecurity/crowdsec
repo link https://github.com/crowdsecurity/crowdsec
homepage https://crowdsec.net
language Go
size (curr.) 61818 kB
stars (curr.) 1988
created 2020-05-15
license MIT License

Crowdsec is in BETA version. It shouldn’t, and didn’t crash any production so far we know, but some features might be missing or undergo evolutions. IP Blocklists are limited to very-safe-to-ban IPs only (~5% of the global database so far, will grow soon)

<TL;DR>

A modern behavior detection system, written in Go. It stacks on Fail2ban’s philosophy, but uses Grok patterns & YAML grammar to analyse logs, a modern decoupled approach (detect here, remedy there) for Cloud/Containers/VM based infrastructures. Once detected you can remedy threats with various bouncers (block, 403, Captchas, etc.) and the blocked IPs are shared among all users to further improve their security.

About the crowdsec project

Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user friendly design and assistance offers a low technical barrier of entry and nevertheless a high security gain.

Processing is done in 5 steps:

  1. Read Data sources (log files, streams, trails, messages …), normalize and enrich signals
  2. Matching those signals to behavior patterns, aka scenarios (*)
  3. If an unwanted behavior is detected, deal with it through a bouncer : a software component integrated into your applicative stack that supports various remediations such as block, return 403, and soon captcha, 2FA, etc.
  4. (ONLY) The aggressive IP, the scenario name triggered and a timestamp is then sent to our curation platform (to avoid poisoning & false positives)
  5. If verified, this IP is then integrated to the block list continuously distributed to all CrowdSec clients (which is used as an enrichment source in step1)

By detecting, blocking and sharing the threat they faced, all clients are reinforcing each-others (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its “Detect Here, Remedy There” approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.

(*) CrowdSec ships by default with scenario (brute force, port scan, web scan, etc.) adapted for most context, but you can easily extend it by picking more of them from the hub. It is also very easy to adapt an existing one or create one yourself.

What it is not

CrowdSec is not a SIEM, storing your logs (neither locally nor remotely).

Your data stay in your premises and are only analyzed and forgotten.

Signals sent to the curation platform are extremely limited (IP, Scenario, Timestamp), and are only there to allow the system to rule out false positives or poisoning attemps.

Install it !

In order to install it on an amd64 platform, you can use the available prebuilt release package. Just follow the steps below. However, if you want crowdsec for a different architecture (e.g. ARM) then you must build it yourself from source. You can find the build instructions here in our documentation.

Find the latest release

Ensure you have dependencies :

apt-get install bash gettext whiptail curl wget

Note: dialog can be used instead of whiptail (it will be automatically detected by the wizard)

yum install bash gettext newt curl wget

Then :

curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url| cut -d '"' -f 4  | wget -i -
tar xvzf crowdsec-release.tgz
cd crowdsec-v*
sudo ./wizard.sh -i

Build it !

If you want to build crowdsec yourself follow these steps:

git clone https://github.com/crowdsecurity/crowdsec
cd crowdsec
make build

For more details read the chapter Installation from source in our documentation.

Key points

Fast assisted installation, no technical barrier

Out of the box detection

Easy bouncer deployment

Easy dashboard access

About this repository

This repository contains the code for the two main components of crowdsec :

  • crowdsec : the daemon a-la-fail2ban that can read, parse, enrich and apply heuristis to logs. This is the component in charge of “detecting” the attacks
  • cscli : the cli tool mainly used to interact with crowdsec : ban/unban/view current bans, enable/disable parsers and scenarios.

:warning: Beta version

Please note that crowdsec is currently in beta version, use with caution !

go database
comments powered by Disqus
dbohdan/automatic-api

dbohdan/automatic-api

March 12, 2019

A list of software that turns your database into a REST/GraphQL API
prest/prest

prest/prest

December 17, 2018

pREST is a way to serve a RESTful API from any databases written in Go
rqlite/rqlite

rqlite/rqlite

December 15, 2018

The lightweight, distributed relational database built on SQLite.
ivoras/daisy

ivoras/daisy

December 14, 2018

A private proof of authority blockchain where blocks are SQLite databases, in Go
pingcap/tidb

pingcap/tidb

December 14, 2018

TiDB is an open source distributed HTAP database compatible with the MySQL protocol
cockroachdb/cockroach

cockroachdb/cockroach

December 1, 2018

CockroachDB - the open source, cloud-native SQL database.
cayleygraph/cayley

cayleygraph/cayley

November 23, 2018

An open-source graph database
xo/usql

xo/usql

November 13, 2018

Universal command-line interface for SQL databases
prometheus/prometheus

prometheus/prometheus

October 24, 2018

The Prometheus monitoring system and time series database.