Outnumbering cybercriminals all together
CrowdSec is a collaborative IPS, Cloud Firewall, AI Firewall.
Analyze behaviors, respond to attacks & share signals across the community.
After testing CrowdSec, we found it very powerful, with real potential as a WAF. Here are a few notes for starters.
Create your own whitelist so you do not block yourself out, by editing this file: /etc/crowdsec/parsers/s02-enrich/whitelists.yaml
Adding an IP or CIDR to the whitelist is straightforward, but using an expression was not working in my case.
The workaround is to enable the postoverflows feature. Check the available postoverflows with:
cscli postoverflows list -a
If you host a web site on your server and use Cloudflare as a CDN, you should use these postoverflows. They are not enabled by default; I found that Cloudflare and the Google SEO bot were being blocked out of the box.
cscli postoverflows install crowdsecurity/cdn-whitelist
cscli postoverflows install crowdsecurity/rdns
cscli postoverflows install crowdsecurity/seo-bots-whitelist
I also found the whitelist expressions here easier to understand, for example in /etc/crowdsec/postoverflows/s01-whitelist/seo-bots-whitelist.yaml:
expression:
  - "any(File('rdns_seo_bots.txt'), { len(#) > 0 && evt.Enriched.reverse_dns endsWith #})"
  - "RegexpInFile(evt.Enriched.reverse_dns, 'rdns_seo_bots.regex')"
  - "any(File('ip_seo_bots.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP ,#)})"
So you can put something like that in your own whitelist.yaml
and add your own txt file; the data path on CentOS 7 is /var/lib/crowdsec/data.
Do not reuse or change the existing hub files: CrowdSec may auto-update them and you will lose your changes.
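To show what a self-maintained postoverflow whitelist can look like, here is an added example that is not from the page or the CrowdSec hub. The file name, the mysite/ prefix, the two data file names and the IP/CIDR values are assumed; it also assumes that a data entry with only dest_file (no source_url) is accepted for a locally maintained file.

```yaml
# /etc/crowdsec/postoverflows/s01-whitelist/my-whitelist.yaml  (hypothetical file name)
# A postoverflow runs on the finished overflow (alert), not on each raw log line, so
# evt.Overflow.Alert.Source.IP and evt.Enriched.reverse_dns are available here
# (reverse_dns requires the crowdsecurity/rdns postoverflow mentioned above).
name: mysite/my-whitelist
description: "Whitelist our own monitoring hosts and upstream proxies by IP range and reverse DNS"
whitelist:
  reason: "our own infrastructure"
  # Plain IPs and CIDRs need no expression at all (constructed TEST-NET values):
  ip:
    - "203.0.113.10"
  cidr:
    - "198.51.100.0/24"
  # Expressions follow the same pattern as the hub's seo-bots-whitelist:
  expression:
    # one CIDR per line in my_ip_ranges.txt; len(#) > 0 skips blank lines
    - "any(File('my_ip_ranges.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP, #) })"
    # one reverse-DNS suffix per line in my_rdns_suffixes.txt, e.g. ".monitoring.example.net"
    - "any(File('my_rdns_suffixes.txt'), { len(#) > 0 && evt.Enriched.reverse_dns endsWith # })"
# Declare the files so CrowdSec loads them from its data directory
# (/var/lib/crowdsec/data on CentOS 7). No source_url is given, so the files are
# maintained by hand and are never overwritten by a hub update (assumption: dest_file
# without source_url is accepted for local files).
data:
  - dest_file: my_ip_ranges.txt
    type: string
  - dest_file: my_rdns_suffixes.txt
    type: string
```

After saving the YAML and creating the two text files in the data directory, reload CrowdSec (systemctl reload crowdsec) and confirm the whitelist appears in cscli postoverflows list.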