CrowdSec - an open-source massively multiplayer firewall able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global IP reputation database to protect the user network.

CrowdSec





📚 Documentation 💠 Configuration Hub 💬 Discourse (Forum) 💬 Gitter (Live chat)

💃 This is a community-driven project, we need your feedback.

<TL;DR>

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It builds on fail2ban's philosophy but is IPv6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once a threat is detected, you can remediate it with various bouncers (firewall block, nginx http 403, captchas, etc.), while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See the FAQ or read below for more.

2 mins install

Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, to install from source, in a shell:

git clone https://github.com/crowdsecurity/crowdsec.git
cd crowdsec && ./wizard.sh -i

ℹ️ About the CrowdSec project

CrowdSec is an open-source, lightweight software that detects peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier to entry and nevertheless a high security gain.

Processing is done in 4 steps:


Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, the scenario triggered and the timestamp are sent for curation, to avoid poisoning and false positives (this can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.

Outnumbering hackers all together

By sharing the threats they faced, all users protect each other (hence the name Crowd-Security). CrowdSec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (application, system, infrastructure) of your stack.

CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most contexts, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.

👉 What it is not

CrowdSec is not a SIEM and does not store your logs (neither locally nor remotely). Your data is analyzed locally and forgotten.

Signals sent to the curation platform are limited to the strict minimum: IP, scenario, timestamp. They are only used to allow the system to spot new rogue IPs and to rule out false positives or poisoning attempts.

⬇️ Install it!

CrowdSec is available for various platforms:

Or look directly at installation documentation for other methods.

🎉 Key benefits

Fast assisted installation, no technical barrier

Initial configuration is automated, providing functional out-of-the-box setup

Out of the box detection

Baseline detection is effective out of the box, no fine-tuning required

Easy bouncer deployment

It is trivial to add bouncers to enforce CrowdSec's decisions

Easy dashboard access

It is easy to deploy a Metabase interface with cscli to view your data

Hot & Cold logs

Process cold logs for forensics, tests and chasing false positives and false negatives

📦 About this repository

This repository contains the code for the two main components of CrowdSec:

  • crowdsec : the daemon, à la fail2ban, that reads, parses, enriches and applies heuristics to logs. This is the component in charge of "detecting" attacks.
  • cscli : the CLI tool mainly used to interact with crowdsec: ban/unban/view current bans, enable/disable parsers and scenarios.
Comments
  • Can't use mysql 8 DB


    What happened?

    -- Unit crowdsec.service has begun starting up.
    Jul 31 13:10:24 russiaws.ru crowdsec[2512174]: time="31-07-2022 13:10:24" level=fatal msg="unable to create database client: failed creating schema resources: dial tcp 127.0.0.1:3310: connect: connection refused"
    Jul 31 13:10:24 russiaws.ru systemd[1]: crowdsec.service: Control process exited, code=exited status=1
    Jul 31 13:10:24 russiaws.ru systemd[1]: crowdsec.service: Failed with result 'exit-code'.
    -- Subject: Unit failed

    What did you expect to happen?

    work fine

    How can we reproduce it (as minimally and precisely as possible)?

    According to the manual, I made a DB named crowdsec and a mysql user crowdsec with password crowdsec with all rights granted. MySQL is not in docker.

    Anything else we need to know?

    my config

    db_config:
      log_level: info
      type: mysql
      #db_path: /var/lib/crowdsec/data/crowdsec.db
      #max_open_conns: 100
      user: crowdsec
      password: crowdsec
      db_name: crowdsec
      host: 127.0.0.1
      port: 3310
      flush:
        max_items: 5000000
        max_age: 4d

    Crowdsec version

    2022/07/31 13:17:30 version: v1.4.1-el8-rpm-e1954adc325baa9e3420c324caabd50b7074dd77
    2022/07/31 13:17:30 Codename: alphaga
    2022/07/31 13:17:30 BuildDate: 2022-07-25_09:53:23
    2022/07/31 13:17:30 GoVersion: 1.17.5
    2022/07/31 13:17:30 Platform: linux
    2022/07/31 13:17:30 Constraint_parser: >= 1.0, <= 2.0
    2022/07/31 13:17:30 Constraint_scenario: >= 1.0, < 3.0
    2022/07/31 13:17:30 Constraint_api: v1
    2022/07/31 13:17:30 Constraint_acquis: >= 1.0, < 2.0

    OS version

    NAME="AlmaLinux"
    VERSION="8.6 (Sky Tiger)"
    ID="almalinux"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="8.6"
    PLATFORM_ID="platform:el8"
    PRETTY_NAME="AlmaLinux 8.6 (Sky Tiger)"
    ANSI_COLOR="0;34"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:almalinux:almalinux:8::baseos"
    HOME_URL="https://almalinux.org/"
    DOCUMENTATION_URL="https://wiki.almalinux.org/"
    BUG_REPORT_URL="https://bugs.almalinux.org/"
    ALMALINUX_MANTISBT_PROJECT="AlmaLinux-8"
    ALMALINUX_MANTISBT_PROJECT_VERSION="8.6"
    REDHAT_SUPPORT_PRODUCT="AlmaLinux"
    REDHAT_SUPPORT_PRODUCT_VERSION="8.6"

    Enabled collections and parsers

    $ cscli hub list -o raw
    # paste output here
    

    Acquisition config

    # On Linux:
    $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
    # paste output here

    On Windows:

    C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

    paste output here

    Config show

    $ cscli config show
    # paste output here
    

    Prometheus metrics

    $ cscli metrics
    # paste output here
    

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

  • FreeBSD support


  • Bug/crowdsec.service crashing


    Can somebody point me in the right direction to solve this issue?

    After successfully getting the multi-machine setup working I noticed that crowdsec.service was crashing on my master machine. Probably some kind of misconfiguration issue as I'm just getting started with crowdsec.

    I installed from repo on Ubuntu 16/18 LTS VPS servers. My setup is one master machine with the api and one client with no api connecting to the master. And I only use the cs-firewall-bouncer. I did some successful tests using cscli decisions add -i 123.123.123.123 on the master and saw that the client was getting the decision and blocking the IP in the firewall... so I was thrilled, it works great.

    But then after 20 minutes crowdsec.service crashed on the master. Now it crashes regularly every 20-30 minutes...

    Below is what is reported:

    time="28-03-2021 13:24:39" level=error msg="crowdsec - goroutine crowdsec/controllersV1/FindAlerts crashed : client disconnected"
    time="28-03-2021 13:24:39" level=error msg="please report this error to https://github.com/crowdsecurity/crowdsec/"
    time="28-03-2021 13:24:39" level=error msg="stacktrace/report is written to /tmp/crowdsec-crash.707091172.txt : please join it to your issue"
    time="28-03-2021 13:24:39" level=fatal msg="crowdsec stopped"

    The contents of /tmp/crowdsec-crash.707091172.txt


  • captcha doesn't work


    What happened?

    Uploading image.png…

    What did you expect to happen?

    image

    How can we reproduce it (as minimally and precisely as possible)?

    Uploading image.png…

    Anything else we need to know?

    The decision is displayed, but accessing the website shows no captcha.

    Crowdsec version

    $ cscli version
    # paste output here
    

    OS version

    # On Linux:
    $ cat /etc/os-release
    # paste output here
    $ uname -a
    # paste output here
    
    # On Windows:
    C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
    # paste output here
    

    Enabled collections and parsers

    $ cscli hub list -o raw
    # paste output here
    

    Acquisition config

    # On Linux:
    $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
    # paste output here

    On Windows:

    C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

    paste output here

    Config show

    $ cscli config show
    # paste output here
    

    Prometheus metrics

    $ cscli metrics
    # paste output here
    

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

  • Register bouncers on container init


    This PR allows users to add bouncers on container init, rather than having to exec into the container and run cscli, for automated deployment scenarios. jq is added to the Dockerfile to support parsing cscli output.

    Supports both environment variables (in the format BOUNCER_KEY_<NAME>=<API-KEY>) and docker secrets (in the format BOUNCER_KEY_<name> with the contents <API-KEY>). Adding multiple bouncers and mixing environment and secrets are supported (though environment will take precedence in the event of conflicting names).

    The init script checks that both a name and a key value have been provided, then it checks to see if there is already an existing bouncer with that name registered (in which case it skips it), and then registers the bouncer with the NAME and KEY provided.

    This allows you to do something like:

    services:
      crowdsec:
        image: docker.io/crowdsecurity/crowdsec:latest
        container_name: crowdsec
        environment:
          - BOUNCER_KEY_traefik=mysecretkey12345
    
      bouncer-traefik:
        image: docker.io/fbonalair/traefik-crowdsec-bouncer:latest
        container_name: crowdsec-bouncer-traefik
        environment:
          - CROWDSEC_BOUNCER_API_KEY=mysecretkey12345
        depends_on:
          - crowdsec
    

    On first init of the crowdsec container the logs should output something along the lines of:

    Api key for 'traefik':
    
       mysecretkey12345
    
    Please keep this key since you will not be able to retrieve it!
    

    And cscli bouncers list should show:

    --------------------------------------------------------------
     NAME  IP ADDRESS  VALID  LAST API PULL         TYPE  VERSION 
    --------------------------------------------------------------
     traefik             ✔️   2022-03-09T20:55:12Z                
    --------------------------------------------------------------
    
  • Bug/notifications/email: Content needs <html>...</html> tags


    Describe the bug

    The default config for email notifications can trigger a high-scoring Spamassassin rule due to bare HTML without <html>...</html> enclosing tags.

    To Reproduce

    Steps to reproduce the behavior:

    1. Set up email notifications, with minimal edits to the default notifications/email.yaml
    2. Trigger an email
    3. Check the content of the solitary text/html attachment

    Expected behavior

    All reasonable attempts should be made for these emails to not look like spam.

    Technical Information (please complete the following information):

    • OS: Debian buster (currently oldstable)
    • Version: crowdsec 1.3.2 from the APT repository

    Additional context

    Spamassassin reports the following on crowdsec notification emails:

            *  3.8 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML
            *      tag
    

    and indeed the only part of a crowdsec notification email starts with:

    <a href=...
    

    Now, obviously, I've gone and whitelisted (won't even go through Spamassassin processing) the crowdsec emails in question now, and I can tweak my local config file to add the missing tags (presumably also <body>), but this is a small improvement that could be made to the defaults.

  • Possible delay in log processing


    What happened?

    Event records in sqlite database are created in batches (as if they are accumulated for some time and only then are flushed). Then, it looks like crowdsec makes decisions based on the record creation time, not the time from logs. As a result, the system triggers bans counting very old events.

    What did you expect to happen?

    Making decisions crowdsec should take into account the time field from its sqlite3 database, table events.

    How can we reproduce it (as minimally and precisely as possible)?

    Not sure, complete description below.

    Anything else we need to know?

    First of all, I have to note that my servers have lots of free resources, there are no lags and I see in real time that logs are generated without delay.

    When I tried to introduce crowdsec, I noticed weird records in its logs. In my scenarios, I use leaky buckets with capacity of 10 and 1-minute leakspeed. Mostly it banned for 11 events in less than 1 minute. But sometimes I saw records like 15 events over 8m21.82413899s which should have never taken place. And sometimes means a lot of false positives. Examining the case, I found out the events in the sqlite db have different created_at / updated_at and time dates. It looks to me that (for some reason) crowdsec doesn't process my logs in real time. Again, I see logs written to the local files and remote syslog server without delay, and crowdsec is not utilizing 100% of CPU and is not reloading or restarting.

    The same thing happens with syslog data source as well as journald.

    Tried using cache_size as suggested here https://github.com/crowdsecurity/crowdsec/issues/1464 with no effect.

    Considering that past events can get into the database after some time, I would like to have a function that allows crowdsec to rely on the time from logs and not the creation time of db entries.

    Below is an example of logs and relevant db records (local time UTC+3).

    Crowdsec version

    $ cscli version
    2022/08/05 15:48:59 version: v1.4.1-debian-pragmatic-e1954adc325baa9e3420c324caabd50b7074dd77
    2022/08/05 15:48:59 Codename: alphaga
    2022/08/05 15:48:59 BuildDate: 2022-07-25_09:19:19
    2022/08/05 15:48:59 GoVersion: 1.17.5
    2022/08/05 15:48:59 Platform: linux
    2022/08/05 15:48:59 Constraint_parser: >= 1.0, <= 2.0
    2022/08/05 15:48:59 Constraint_scenario: >= 1.0, < 3.0
    2022/08/05 15:48:59 Constraint_api: v1
    2022/08/05 15:48:59 Constraint_acquis: >= 1.0, < 2.0
    

    OS version

    # On Linux:
    $ cat /etc/os-release
    NAME="Ubuntu"
    VERSION="18.04.6 LTS (Bionic Beaver)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 18.04.6 LTS"
    VERSION_ID="18.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=bionic
    UBUNTU_CODENAME=bionic
    $ uname -a
    Linux host_name 5.4.0-121-generic #137~18.04.1-Ubuntu SMP Mon Jun 20 07:25:24 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    
    # On Windows:
    C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
    # paste output here
    

    Enabled collections and parsers

    $ cscli hub list -o raw
    my_nginx.yaml,"enabled,local",n/a,,collections
    my_ssh.yaml,"enabled,local",n/a,,collections
    my_vsftpd.yaml,"enabled,local",n/a,,collections
    crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
    crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
    crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
    crowdsecurity/syslog-logs,"enabled,tainted",?,,parsers
    crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
    my_ftp_parser.yaml,"enabled,local",n/a,,parsers
    my_nginx_parser.yaml,"enabled,local",n/a,,parsers
    my_ssh_parser.yaml,"enabled,local",n/a,,parsers
    whitelist.yaml,"enabled,local",n/a,,parsers
    my_ftp_script.yaml,"enabled,local",n/a,,scenarios
    my_nginx_script.yaml,"enabled,local",n/a,,scenarios
    my_ssh_script.yaml,"enabled,local",n/a,,scenarios
    local-whitelist.yaml,"enabled,local",n/a,,postoverflows
    

    Acquisition config

    # On Linux:
    $ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
    journalctl_filter:
      - _SYSTEMD_UNIT=vsftpd.service
    labels:
      type: ftp
    ---
    journalctl_filter:
      - _SYSTEMD_UNIT=ssh.service
    labels:
      type: ssh
    ---
    source: syslog
    listen_addr: 127.0.0.1
    listen_port: 1108
    labels:
      type: nginx
    ---
    cat: '/etc/crowdsec/acquis.d/*': No such file or directory

    On Windows:

    C:> Get-Content C:\ProgramData\CrowdSec\config\acquis.yaml

    paste output here

    Config show

    $ cscli config show
    Global:
       - Configuration Folder   : /etc/crowdsec
       - Data Folder            : /var/lib/crowdsec/data
       - Hub Folder             : /etc/crowdsec/hub
       - Simulation File        : /etc/crowdsec/simulation.yaml
       - Log Folder             : /var/log/
       - Log level              : info
       - Log Media              : file
    Crowdsec:
      - Acquisition File        : /etc/crowdsec/acquis.yaml
      - Parsers routines        : 1
    cscli:
      - Output                  : human
      - Hub Branch              :
      - Hub Folder              : /etc/crowdsec/hub
    Local API Server:
      - Listen URL              : 127.0.0.1:8080
      - Profile File            : /etc/crowdsec/profiles.yaml
      - Trusted IPs:
          - 127.0.0.1
          - ::1
      - Database:
          - Type                : sqlite
          - Path                : /var/lib/crowdsec/data/crowdsec.db
          - Flush age           : 2d
          - Flush size          : 5000000
    

    Prometheus metrics

    $ cscli metrics
    INFO[05-08-2022 04:25:01 PM] Buckets Metrics:
    +--------------------------+---------------+-----------+--------------+--------+---------+
    |          BUCKET          | CURRENT COUNT | OVERFLOWS | INSTANTIATED | POURED | EXPIRED |
    +--------------------------+---------------+-----------+--------------+--------+---------+
    | my/ftp_script            | 3             | 598       | 2.05k        | 9.71k  | 1.45k   |
    | my/ftp_slow_brute_script | 18            | 7         | 1.33k        | 9.71k  | 1.30k   |
    | my/nginx_button_script   | 155           | 1.95M     | 2.18M        | 22.24M | 224.36k |
    | my/nginx_proxy_script    | 331           | 79.84k    | 311.34k      | 1.40M  | 231.17k |
    | my/nginx_status_script   | -             | 107       | 13.98k       | 35.52k | 13.87k  |
    | my/ssh_script            | 4             | 73        | 4.20k        | 29.19k | 4.13k   |
    | my/ssh_slow_brute_script | 25            | 40        | 2.46k        | 29.19k | 2.39k   |
    +--------------------------+---------------+-----------+--------------+--------+---------+
    INFO[05-08-2022 04:25:01 PM] Acquisition Metrics:
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    |                       SOURCE                       | LINES READ | LINES PARSED | LINES UNPARSED | LINES POURED TO BUCKET |
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    | journalctl:journalctl-_SYSTEMD_UNIT=ssh.service    | 211.26k    | 29.23k       | 182.04k        | 58.37k                 |
    | journalctl:journalctl-_SYSTEMD_UNIT=vsftpd.service | 2.39M      | 9.72k        | 2.38M          | 19.41k                 |
    | syslog:127.0.0.1                                   | 156.28M    | 34.64M       | 121.64M        | 23.67M                 |
    +----------------------------------------------------+------------+--------------+----------------+------------------------+
    INFO[05-08-2022 04:25:01 PM] Parser Metrics:
    +--------------------------+---------+---------+----------+
    |         PARSERS          |  HITS   | PARSED  | UNPARSED |
    +--------------------------+---------+---------+----------+
    | child-my/ftp_parser      | 2.39M   | 9.72k   | 2.38M    |
    | child-my/nginx_parser    | 465.67M | 34.64M  | 431.03M  |
    | child-my/ssh_parser      | 411.12k | 29.23k  | 381.89k  |
    | crowdsecurity/non-syslog | 158.88M | 158.88M | -        |
    | my/ftp_parser            | 2.39M   | 9.72k   | 2.38M    |
    | my/local_whitelist       | 99.25k  | 99.25k  | -        |
    | my/nginx_parser          | 156.28M | 34.64M  | 121.64M  |
    | my/ssh_parser            | 211.26k | 29.23k  | 182.04k  |
    | my/whitelist             | 34.68M  | 34.68M  | -        |
    | my/whitelist_trusted     | 34.68M  | 34.68M  | -        |
    +--------------------------+---------+---------+----------+
    INFO[05-08-2022 04:25:01 PM] Local Api Metrics:
    +-------------------------+--------+-------+
    |          ROUTE          | METHOD | HITS  |
    +-------------------------+--------+-------+
    | /credits-site-offers/.* | PURGE  | 15    |
    | /credits-site-one/.*    | PURGE  | 1     |
    | /v1/alerts              | POST   | 80981 |
    | /v1/decisions/stream    | GET    | 55234 |
    | /v1/heartbeat           | GET    | 9205  |
    | /v1/watchers/login      | POST   | 159   |
    +-------------------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Machines Metrics:
    +--------------------------------------------------+---------------+--------+-------+
    |                     MACHINE                      |     ROUTE     | METHOD | HITS  |
    +--------------------------------------------------+---------------+--------+-------+
    | c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH | /v1/heartbeat | GET    | 9205  |
    | c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH | /v1/alerts    | POST   | 80981 |
    +--------------------------------------------------+---------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Bouncers Metrics:
    +----------------------------+----------------------+--------+-------+
    |          BOUNCER           |        ROUTE         | METHOD | HITS  |
    +----------------------------+----------------------+--------+-------+
    | FirewallBouncer-1658923396 | /v1/decisions/stream | GET    | 55234 |
    +----------------------------+----------------------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Decisions:
    +--------------------------+----------+--------+-------+
    |          REASON          |  ORIGIN  | ACTION | COUNT |
    +--------------------------+----------+--------+-------+
    | my/ssh_slow_brute_script | crowdsec | ban    | 1     |
    | my/ftp_script            | crowdsec | ban    | 9     |
    | my/nginx_button_script   | crowdsec | ban    | 15    |
    | my/nginx_proxy_script    | crowdsec | ban    | 72    |
    | my/ssh_script            | crowdsec | ban    | 3     |
    +--------------------------+----------+--------+-------+
    INFO[05-08-2022 04:25:01 PM] Local Api Alerts:
    +--------------------------+-------+
    |          REASON          | COUNT |
    +--------------------------+-------+
    | my/ftp_script            | 95    |
    | my/ftp_slow_brute_script | 4     |
    | my/nginx_button_script   | 581   |
    | my/nginx_proxy_script    | 3812  |
    | my/ssh_script            | 24    |
    | my/ssh_slow_brute_script | 9     |
    +--------------------------+-------+
    

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

    $ grep 51.75.166.15 /var/log/crowdsec.log  | grep "05-08-2022"
    time="05-08-2022 13:06:04" level=info msg="Ip 51.75.166.15 performed 'my/nginx_button_script' (173 events over 4h35m50.833866353s) at 2022-08-05 10:06:04.165278018 +0000 UTC"
    time="05-08-2022 13:06:04" level=info msg="(c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH/crowdsec) my/nginx_button_script by ip 51.75.166.15 : 1h ban on Ip 51.75.166.15"
    time="05-08-2022 16:19:13" level=info msg="Ip 51.75.166.15 performed 'my/nginx_button_script' (18 events over 8m35.482457865s) at 2022-08-05 13:19:13.536115242 +0000 UTC"
    time="05-08-2022 16:19:14" level=info msg="(c8e3e5b9d1e640a6bf0a63bb3f7c9d6eNKKvHnjnxx0NxNCH/crowdsec) my/nginx_button_script by ip 51.75.166.15 : 1h ban on Ip 51.75.166.15"
    
    $ sqlite3 /var/lib/crowdsec/data/crowdsec.db
    sqlite> select * from events where serialized like '%51.75.166.15%';
    1464440|2022-08-05 10:06:04.170914908+00:00|2022-08-05 10:06:04.170915108+00:00|2022-08-05 09:59:35.803555621+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464441|2022-08-05 10:06:04.170915658+00:00|2022-08-05 10:06:04.170915798+00:00|2022-08-05 10:03:24.183895395+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464442|2022-08-05 10:06:04.170916038+00:00|2022-08-05 10:06:04.170916188+00:00|2022-08-05 10:03:24.51312344+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464443|2022-08-05 10:06:04.170916418+00:00|2022-08-05 10:06:04.170916548+00:00|2022-08-05 10:03:37.830518321+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464444|2022-08-05 10:06:04.170916778+00:00|2022-08-05 10:06:04.170916918+00:00|2022-08-05 10:03:38.164442578+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464445|2022-08-05 10:06:04.170917148+00:00|2022-08-05 10:06:04.170917278+00:00|2022-08-05 10:04:26.884540776+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464446|2022-08-05 10:06:04.170917518+00:00|2022-08-05 10:06:04.170917638+00:00|2022-08-05 10:04:27.233135766+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464447|2022-08-05 10:06:04.170917868+00:00|2022-08-05 10:06:04.170918068+00:00|2022-08-05 10:05:18.422935082+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464448|2022-08-05 10:06:04.170918308+00:00|2022-08-05 10:06:04.170918438+00:00|2022-08-05 10:05:18.718767843+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464449|2022-08-05 10:06:04.170918678+00:00|2022-08-05 10:06:04.170918808+00:00|2022-08-05 10:06:03.817144863+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1464450|2022-08-05 10:06:04.170919008+00:00|2022-08-05 10:06:04.170919138+00:00|2022-08-05 10:06:04.164888438+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133017
    1467590|2022-08-05 13:19:14.170761756+00:00|2022-08-05 13:19:14.170761916+00:00|2022-08-05 13:14:21.658032638+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467591|2022-08-05 13:19:14.170762426+00:00|2022-08-05 13:19:14.170762536+00:00|2022-08-05 13:14:45.588505246+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467592|2022-08-05 13:19:14.170762826+00:00|2022-08-05 13:19:14.170762926+00:00|2022-08-05 13:14:45.915124564+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467593|2022-08-05 13:19:14.170763086+00:00|2022-08-05 13:19:14.170763216+00:00|2022-08-05 13:16:17.626209489+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467594|2022-08-05 13:19:14.170763366+00:00|2022-08-05 13:19:14.170763586+00:00|2022-08-05 13:16:17.967371233+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467595|2022-08-05 13:19:14.170763756+00:00|2022-08-05 13:19:14.170763846+00:00|2022-08-05 13:16:54.867314065+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467596|2022-08-05 13:19:14.170763996+00:00|2022-08-05 13:19:14.170764086+00:00|2022-08-05 13:16:55.196026272+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467597|2022-08-05 13:19:14.170764226+00:00|2022-08-05 13:19:14.170764316+00:00|2022-08-05 13:18:55.488550354+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467598|2022-08-05 13:19:14.170764456+00:00|2022-08-05 13:19:14.170764546+00:00|2022-08-05 13:18:55.819360088+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467599|2022-08-05 13:19:14.170764686+00:00|2022-08-05 13:19:14.170764776+00:00|2022-08-05 13:19:13.114883349+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    1467600|2022-08-05 13:19:14.170764926+00:00|2022-08-05 13:19:14.170765026+00:00|2022-08-05 13:19:13.535783484+00:00|[{"key":"datasource_path","value":"127.0.0.1"},{"key":"datasource_type","value":"syslog"},{"key":"reason","value":"button"},{"key":"service","value":"http"},{"key":"source_ip","value":"51.75.166.15"}]|133302
    
  • Output plugins

    Output plugins

    1. New package called csplugin is added. This handles plugin discovery, feeding them config and dispatching alerts.
    2. LAPI Server's controller has access to a PluginChannel; it pushes new alerts to this channel.
    3. Slack plugin is at https://github.com/sbs2001/crowdsec-slack-plugin

    Example setup

    1. In config_paths at /etc/crowdsec/config.yaml add the following:
       notification_dir: /etc/crowdsec/notifications
       plugin_dir: /etc/crowdsec/plugins

    2. At /etc/crowdsec/notifications create a file with any name, e.g. slack.yaml, with the contents:
       type: slack
       name: slacktoto
       format: |
         slacktoto
         {{range .Decisions}}
          {{.Type}} decision : {{.Value}} has triggered the scenario {{.Scenario}} and has been banned for {{.Duration}}
         {{end}}
       webhook: https://hooks.slack.com/services/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    3. In profiles.yaml register the plugin by adding the following:
       notifications:
        - slacktoto

    4. Build the plugin and put it at /etc/crowdsec/plugins with the name notification-slack:
       git clone https://github.com/sbs2001/crowdsec-slack-plugin
       cd crowdsec-slack-plugin
       go build -o notification-slack && sudo cp notification-slack /etc/crowdsec/plugins/notification-slack
       sudo systemctl reload crowdsec

    Any alert matching the profile will create a notification on the slack channel.

    Note: the diff is slightly large due to some refactor in tests.
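    The `format:` field in the slack.yaml above is a Go text/template executed against the alert that the LAPI pushes onto the PluginChannel. The following is an added example, not code from the PR or the CrowdSec project: it renders that exact format string against a constructed alert and shows how a template that references a field the alert does not carry, or that is missing its `{{end}}`, is rejected. The `Alert` and `Decision` types here are assumptions that only carry the fields the template names (the real LAPI models have more); the IPs, scenario names and durations are constructed sample data.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
	"time"
)

// Decision carries only the fields the slack.yaml format references.
// Assumed shape for this example; the project's own models differ.
type Decision struct {
	Type     string
	Value    string
	Scenario string
	Duration string
}

// Alert is the value the format template is executed against.
type Alert struct {
	Decisions []Decision
}

// slackFormat is the `format:` string from the example slack.yaml.
const slackFormat = `slacktoto
{{range .Decisions}}
 {{.Type}} decision : {{.Value}} has triggered the scenario {{.Scenario}} and has been banned for {{.Duration}}
{{end}}
`

// RenderNotification parses format as a Go text/template and executes it
// against alert. Both parse and execution errors are returned, so a broken
// format can be caught before the plugin is deployed and crowdsec reloaded.
func RenderNotification(format string, alert Alert) (string, error) {
	tmpl, err := template.New("notification").Parse(format)
	if err != nil {
		return "", fmt.Errorf("parse format: %w", err)
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, alert); err != nil {
		return "", fmt.Errorf("execute format: %w", err)
	}
	return buf.String(), nil
}

// SampleAlert returns a constructed alert with two ban decisions.
func SampleAlert() Alert {
	return Alert{Decisions: []Decision{
		{Type: "ban", Value: "51.75.166.15", Scenario: "crowdsecurity/http-probing", Duration: (4 * time.Hour).String()},
		{Type: "ban", Value: "195.122.226.164", Scenario: "crowdsecurity/ssh-slow-bf", Duration: (4 * time.Hour).String()},
	}}
}

func main() {
	out, err := RenderNotification(slackFormat, SampleAlert())
	if err != nil {
		panic(err)
	}
	fmt.Print(out)

	// A format naming a field the alert lacks fails at execution time.
	_, err = RenderNotification("{{range .Decisions}}{{.Nope}}{{end}}", SampleAlert())
	fmt.Println("unknown field rejected:", err != nil)

	// A format with an unterminated range fails at parse time.
	_, err = RenderNotification("{{range .Decisions}}", SampleAlert())
	fmt.Println("unterminated range rejected:", err != nil)
}
```

    Running a candidate `format:` through a check like this before `systemctl reload crowdsec` turns a template typo into an immediate error rather than a notification that silently never arrives.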

  • Bug: Crowdsec does not block IP with IPTABLES

    Bug: Crowdsec does not block IP with IPTABLES

    Hello. I have installed crowdsec on Debian. It detects SSH attacks and says ban but does not create iptables rules ...

    # cscli bouncers list
     NAME                        IP ADDRESS  VALID  LAST API PULL         TYPE  VERSION
     FirewallBouncer-1650891152              ✔️     2022-04-25T12:52:32Z

    # cscli decisions list
    +-------+----------+--------------------+---------------------------+--------+---------+-------------------------------------+--------+--------------------+----------+
    | ID    | SOURCE   | SCOPE:VALUE        | REASON                    | ACTION | COUNTRY | AS                                  | EVENTS | EXPIRATION         | ALERT ID |
    +-------+----------+--------------------+---------------------------+--------+---------+-------------------------------------+--------+--------------------+----------+
    | 13301 | crowdsec | Ip:153.34.238.67   | crowdsecurity/ssh-bf      | ban    | CN      | 4837 CHINA UNICOM China169 Backbone | 6      | 3h58m38.32836517s  | 11       |
    | 9     | crowdsec | Ip:195.122.226.164 | crowdsecurity/ssh-slow-bf | ban    | RU      | 8580 MTS PJSC                       | 19     | 3h47m8.780944499s  | 9        |
    | 8     | crowdsec | Ip:157.230.98.148  | crowdsecurity/ssh-slow-bf | ban    | DE      | 14061 DIGITALOCEAN-ASN              | 17     | 3h43m6.992929346s  | 8        |
    | 4     | crowdsec | Ip:176.111.173.242 | crowdsecurity/ssh-slow-bf | ban    | EE      | 213010 GigaHostingServices OU       | 11     | 3h29m24.845633943s | 4        |
    +-------+----------+--------------------+---------------------------+--------+---------+-------------------------------------+--------+--------------------+----------+

    root@pror:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

  • High CPU on Multi-Server Setup

    High CPU on Multi-Server Setup

    What happened?

    I have a 4 node multi-server setup. All nodes are VPS linked by a wireguard VPN connection. After updating to crowdsec version 1.4.0 using the Debian repo, I am seeing consistently high CPU usage on the LAPI node. The 3 satellite nodes all remain at 1% to 5% CPU usage but the LAPI node ranges from 50% to 100%.

    I have attached copies of config.yaml, the log file starting approx 24 hours before I upgraded, cscli metrics and an extract from top.

    I have prometheus collecting stats for grafana but don't know how to extract the data. If you can give me a pointer, I can provide these as well. Let me know if there is anything else.

    config.yaml.txt crowdsec.log metrics.txt top.txt

    What did you expect to happen?

    LAPI node cpu usage to remain at approx 5%.

    How can we reproduce it (as minimally and precisely as possible)?

    Install version 1.4.0 in a multi-server setup.

    Anything else we need to know?

    No response

    Crowdsec version

    2022/07/21 11:58:04 version: v1.4.0-debian-pragmatic-865ff5c88dd133eb81a1128f8d4765b4be0cbd22
    2022/07/21 11:58:04 Codename: alphaga
    2022/07/21 11:58:04 BuildDate: 2022-07-19_09:24:14
    2022/07/21 11:58:04 GoVersion: 1.17.5
    2022/07/21 11:58:04 Platform: linux
    2022/07/21 11:58:04 Constraint_parser: >= 1.0, <= 2.0
    2022/07/21 11:58:04 Constraint_scenario: >= 1.0, < 3.0
    2022/07/21 11:58:04 Constraint_api: v1
    2022/07/21 11:58:04 Constraint_acquis: >= 1.0, < 2.0

    OS version

    PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
    NAME="Debian GNU/Linux"
    VERSION_ID="11"
    VERSION="11 (bullseye)"
    VERSION_CODENAME=bullseye
    ID=debian
    HOME_URL="https://www.debian.org/"
    SUPPORT_URL="https://www.debian.org/support"
    BUG_REPORT_URL="https://bugs.debian.org/"

    Enabled collections and parsers

    crowdsecurity/base-http-scenarios,enabled,0.6,http common : scanners detection,collections
    crowdsecurity/http-cve,enabled,1.0,,collections
    crowdsecurity/linux,enabled,0.2,core linux support : syslog+geoip+ssh,collections
    crowdsecurity/nginx,enabled,0.2,nginx support : parser and generic http scenarios,collections
    crowdsecurity/sshd,enabled,0.2,sshd support : parser and brute-force detection,collections
    crowdsecurity/dateparse-enrich,enabled,0.2,,parsers
    crowdsecurity/geoip-enrich,enabled,0.2,"Populate event with geoloc info : as, country, coords, source range.",parsers
    crowdsecurity/http-logs,enabled,0.8,"Parse more Specifically HTTP logs, such as HTTP Code, HTTP path, HTTP args and if its a static ressource",parsers
    crowdsecurity/nginx-logs,enabled,1.2,Parse nginx access and error logs,parsers
    crowdsecurity/sshd-logs,enabled,1.9,Parse openSSH logs,parsers
    crowdsecurity/syslog-logs,enabled,0.8,,parsers
    crowdsecurity/whitelists,enabled,0.2,Whitelist events from private ipv4 addresses,parsers
    sshd-zlogs-extra.yaml,"enabled,local",n/a,,parsers
    crowdsecurity/apache_log4j2_cve-2021-44228,enabled,0.4,Detect cve-2021-44228 exploitation attemps,scenarios
    crowdsecurity/f5-big-ip-cve-2020-5902,enabled,0.1,Detect cve-2020-5902 exploitation attemps,scenarios
    crowdsecurity/fortinet-cve-2018-13379,enabled,0.2,Detect cve-2018-13379 exploitation attemps,scenarios
    crowdsecurity/grafana-cve-2021-43798,enabled,0.1,Detect cve-2021-43798 exploitation attemps,scenarios
    crowdsecurity/http-backdoors-attempts,enabled,0.2,Detect attempt to common backdoors,scenarios
    crowdsecurity/http-bad-user-agent,enabled,0.7,Detect bad user-agents,scenarios
    crowdsecurity/http-crawl-non_statics,enabled,0.3,Detect aggressive crawl from single ip,scenarios
    crowdsecurity/http-cve-2021-41773,enabled,0.1,cve-2021-41773,scenarios
    crowdsecurity/http-cve-2021-42013,enabled,0.1,cve-2021-42013,scenarios
    crowdsecurity/http-generic-bf,enabled,0.2,Detect generic http brute force,scenarios
    crowdsecurity/http-open-proxy,enabled,0.2,Detect scan for open proxy,scenarios
    crowdsecurity/http-path-traversal-probing,enabled,0.2,Detect path traversal attempt,scenarios
    crowdsecurity/http-probing,enabled,0.2,Detect site scanning/probing from a single ip,scenarios
    crowdsecurity/http-sensitive-files,enabled,0.2,"Detect attempt to access to sensitive files (.log, .db ..) or folders (.git)",scenarios
    crowdsecurity/http-sqli-probing,enabled,0.2,A scenario that detects SQL injection probing with minimal false positives,scenarios
    crowdsecurity/http-xss-probing,enabled,0.2,A scenario that detects XSS probing with minimal false positives,scenarios
    crowdsecurity/jira_cve-2021-26086,enabled,0.1,Detect Atlassian Jira CVE-2021-26086 exploitation attemps,scenarios
    crowdsecurity/nginx-req-limit-exceeded,enabled,0.1,Detects IPs which violate nginx's user set request limit.,scenarios
    crowdsecurity/pulse-secure-sslvpn-cve-2019-11510,enabled,0.2,Detect cve-2019-11510 exploitation attemps,scenarios
    crowdsecurity/spring4shell_cve-2022-22965,enabled,0.2,Detect cve-2022-22965 probing,scenarios
    crowdsecurity/ssh-bf,enabled,0.1,Detect ssh bruteforce,scenarios
    crowdsecurity/ssh-slow-bf,enabled,0.2,Detect slow ssh bruteforce,scenarios
    crowdsecurity/thinkphp-cve-2018-20062,enabled,0.3,Detect ThinkPHP CVE-2018-20062 exploitation attemps,scenarios
    crowdsecurity/vmware-cve-2022-22954,enabled,0.2,Detect Vmware CVE-2022-22954 exploitation attempts,scenarios
    crowdsecurity/vmware-vcenter-vmsa-2021-0027,enabled,0.1,Detect VMSA-2021-0027 exploitation attemps,scenarios
    http-strict-probing.yaml,"enabled,local",n/a,,scenarios
    ltsich/http-w00tw00t,enabled,0.1,detect w00tw00t,scenarios
    ssh-extra.yaml,"enabled,local",n/a,,scenarios
    ssh-strict-bf.yaml,"enabled,local",n/a,,scenarios
    whitelists-extra.yaml,"enabled,local",n/a,,postoverflows
    whitelists-monitors.yaml,"enabled,local",n/a,,postoverflows

    Acquisition config

    #Generated acquisition file - wizard.sh (service: nginx) / files : /var/log/nginx/sjs.access.log /var/log/nginx/access.log /var/log/nginx/error.log /var/log/nginx/php7.4-fpm.log /var/log/nginx/hamish.access.log /var/log/nginx/grafana.log /var/log/nginx/weddell.access.log
    filenames:
     - /var/log/nginx/sjs.access.log
     - /var/log/nginx/access.log
     - /var/log/nginx/error.log
     - /var/log/nginx/php7.4-fpm.log
     - /var/log/nginx/hamish.access.log
     - /var/log/nginx/grafana.log
     - /var/log/nginx/weddell.access.log
    labels:
      type: nginx
    ---
    #Generated acquisition file - wizard.sh (service: sshd) / files : /var/log/auth.log
    filenames:
     - /var/log/auth.log
    labels:
      type: syslog
    ---
    #Generated acquisition file - wizard.sh (service: linux) / files : /var/log/syslog /var/log/messages
    filenames:
     - /var/log/syslog
     - /var/log/messages
    labels:
      type: syslog
    ---

    Config show

    Global:
       - Configuration Folder   : /etc/crowdsec
       - Data Folder            : /var/lib/crowdsec/data
       - Hub Folder             : /etc/crowdsec/hub
       - Simulation File        : /etc/crowdsec/simulation.yaml
       - Log Folder             : /var/log/
       - Log level              : info
       - Log Media              : file
    Crowdsec:
      - Acquisition File        : /etc/crowdsec/acquis.yaml
      - Parsers routines        : 1
    cscli:
      - Output                  : human
      - Hub Branch              :
      - Hub Folder              : /etc/crowdsec/hub
    Local API Server:
      - Listen URL              : 10.90.80.11:8080
      - Profile File            : /etc/crowdsec/profiles.yaml
      - Trusted IPs:
          - 127.0.0.1
          - ::1
      - Database:
          - Type                : sqlite
          - Path                : /var/lib/crowdsec/data/crowdsec.db
          - Flush age           : 7d
          - Flush size          : 5000

    Prometheus metrics

    No response

    Related custom configs versions (if applicable) : notification plugins, custom scenarios, parsers etc.

    Custom SSH Parser - sshd-zlogs-extra.yaml.txt (https://github.com/crowdsecurity/crowdsec/files/9158831/sshd-zlogs-extra.yaml.txt)

    Custom Scenarios - ssh-strict-bf.yaml.txt ssh-extra.yaml.txt http-strict-probing.yaml.txt

  • Installation fail on Ubuntu bionic

    Installation fail on Ubuntu bionic

    What happened?

    crowdsec_wizard: acquisition file path: /etc/crowdsec/acquis.yaml
    /usr/local/bin/cscli: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by /usr/local/bin/cscli)
    ERR[11/12/22:10:45:05] crowdsec_wizard: fail to install collection crowdsec/whitelists

    What did you expect to happen?

    Install on OS

    How can we reproduce it (as minimally and precisely as possible)?

    Try to install or update an existing crowdsec

    Anything else we need to know?

    No response

    Crowdsec version

    1.4.3

    OS version

    4.15.0-200-generic #211-Ubuntu SMP Thu Nov 24 18:16:04 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

    Ubuntu bionic
