Crowdsec

Outnumbering cybercriminals all together

CrowdSec is a collaborative IPS, Cloud Firewall, AI Firewall.

Analyze behaviors, respond to attacks & share signals across the community.

After testing CrowdSec we found it very powerful, with real potential as a WAF. Here are a few notes for starters.

Create your own whitelist first so that you do not lock yourself out, by editing this file: /etc/crowdsec/parsers/s02-enrich/whitelists.yaml

Adding an IP or CIDR to that whitelist is straightforward, but expression-based entries did not work in my case.

The workaround is to enable the postoverflow features:

List the available postoverflows:

cscli postoverflows list -a

If you host a web site on your server and use Cloudflare as a CDN, you should install these. They are not enabled by default; I found that Cloudflare and Google's SEO bots were blocked out of the box.

cscli postoverflows install crowdsecurity/cdn-whitelist

cscli postoverflows install crowdsecurity/rdns

cscli postoverflows install crowdsecurity/seo-bots-whitelist

and I found the whitelist expressions there easier to understand.

For example, /etc/crowdsec/postoverflows/s01-whitelist/seo-bots-whitelist.yaml contains:

expression:
  - "any(File('rdns_seo_bots.txt'), { len(#) > 0 && evt.Enriched.reverse_dns endsWith #})"
  - "RegexpInFile(evt.Enriched.reverse_dns, 'rdns_seo_bots.regex')"
  - "any(File('ip_seo_bots.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP ,#)})"

So you can put something like that in your own whitelist.yaml and add your own .txt files; on CentOS 7 the data directory is /var/lib/crowdsec/data.

Do not use or change the existing hub files: CrowdSec may auto-update them and you would lose your changes.
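As an added example (not code from the original post or from the CrowdSec hub), here is a custom postoverflow whitelist built on the same expression pattern as seo-bots-whitelist.yaml, next to a parser-stage whitelist for plain IPs and CIDRs. The file names my-parser-whitelist.yaml, my-whitelist.yaml, my_trusted_rdns.txt and my_trusted_ips.txt, the item names under me/, and the sample addresses (taken from documentation ranges) are all assumptions for illustration.

```yaml
# Added example, not the project's own code. Two files are shown, separated by '---';
# all file and item names are assumptions.
#
# File 1: /etc/crowdsec/parsers/s02-enrich/my-parser-whitelist.yaml
# Parser-stage whitelist: a matching event is dropped before any scenario sees it.
# At this stage the source address is evt.Meta.source_ip and no rDNS is available yet.
name: me/my-parser-whitelist
description: "Never ban my admin host or office range"
whitelist:
  reason: "my own addresses"
  ip:
    - "203.0.113.10"        # constructed: admin workstation
  cidr:
    - "192.0.2.0/24"        # constructed: office network
---
# File 2: /etc/crowdsec/postoverflows/s01-whitelist/my-whitelist.yaml
# Postoverflow whitelist: evaluated only after a scenario has already triggered, so
# the crowdsecurity/rdns postoverflow has filled evt.Enriched.reverse_dns by now.
name: me/my-postoverflow-whitelist
description: "Whitelist trusted hosts by reverse-DNS suffix or IP range"
whitelist:
  reason: "trusted hosts (rdns / ip list)"
  expression:
    # my_trusted_rdns.txt: one reverse-DNS suffix per line, e.g. ".monitoring.example.net"
    # len(#) > 0 skips blank lines; an empty suffix would match every hostname.
    - "any(File('my_trusted_rdns.txt'), { len(#) > 0 && evt.Enriched.reverse_dns endsWith #})"
    # my_trusted_ips.txt: one IP or CIDR per line, e.g. "198.51.100.0/24"
    - "any(File('my_trusted_ips.txt'), { len(#) > 0 && IpInRange(evt.Overflow.Alert.Source.IP, #)})"
# Registers the two files so File() can read them from the data directory
# (/var/lib/crowdsec/data on CentOS 7). Assumption: your CrowdSec version accepts
# local data files with no source_url; the files are yours, so a hub upgrade will
# not download over them.
data:
  - dest_file: my_trusted_rdns.txt
    type: string
  - dest_file: my_trusted_ips.txt
    type: string
```

After dropping the files in place, reload the agent (for example with systemctl reload crowdsec) and confirm that cscli postoverflows list shows the new item as local. Two caveats: the reverse-DNS rule depends on crowdsecurity/rdns being installed, and a PTR record is set by whoever controls the address block, so treat the rDNS list as a convenience for known crawlers and keep anything sensitive in the IP list.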