Installing and Configuring CrowdSec on Ubuntu: A New Generation Community Server Protection Solution

Security tutorial - IT technology blog

Problem Introduction: Why Does Your Server Need an Extra Layer of Protection?

When managing public servers on the Internet, ensuring network security is always the top priority. After conducting security audits on over 10 different servers, I’ve noticed that most share common fundamental vulnerabilities. One of these is the lack of a proactive and sufficiently robust protection layer against automated and large-scale attacks.

Traditional solutions like operating system firewalls (UFW, iptables) are effective at the network layer, helping to prevent unauthorized access to specific ports. However, they struggle to cope with more sophisticated application-layer attacks, such as SSH brute-force, web vulnerability scanning, or Layer 7 Distributed Denial of Service (DDoS) attacks.

Tools like Fail2Ban have done a decent job of local brute-force prevention, but they rely solely on static rules and operate independently on each server. In an increasingly sophisticated and large-scale botnet landscape, a local protection solution alone is insufficient. Instead, we need a system that can ‘learn’ from global threats. This system must proactively detect unusual behavior and cooperatively block its sources across a wide area. That’s where CrowdSec becomes a noteworthy solution.

Core Concepts: How Does CrowdSec Work?

What is CrowdSec?

CrowdSec is an open-source Intrusion Prevention System (IPS) designed to detect and respond to behavior-based cyberattacks. CrowdSec’s unique selling point lies in its “community” aspect: it collects data on attacking IPs from millions of agents worldwide, then shares this information to protect all members within the network.

How CrowdSec Operates

To better understand, I will outline CrowdSec’s operational mechanism through its main components:

  • Agent: This is the software running on your server. Its task is to monitor and collect log files from the system and applications (e.g., SSH, Nginx, Apache, Redis, MySQL logs…).
  • Parsers: The agent uses parsers to analyze raw log lines into structured, more understandable events. For example, a log line about a failed SSH login will be transformed by the parser into an event containing information about the source IP, time, and error type.
  • Scenarios: These are sets of rules defining attack behavior. For example, a scenario might stipulate that “if there are 10 failed SSH login events from the same IP within 5 minutes, it’s a brute-force attack”. When events processed by the parser match a scenario, CrowdSec generates an alert.
  • Decisions: Based on these alerts, CrowdSec makes decisions on how to handle the attacking IP. The most common decision is to “block this IP for a certain period”, for example, 4 hours.
  • Bouncers: These are modules responsible for enforcing CrowdSec’s decisions. For example, crowdsec-firewall-bouncer will add rules to the operating system’s firewall (like iptables or nftables) to block that IP. Other bouncers can integrate with Cloudflare, Nginx, or other systems to block at multiple levels.
  • CrowdSec Security Engine (Community Blocklist): This is the heart of the community system. When an agent detects and blocks an attacking IP, information about that IP (anonymized and curated) can be shared with CrowdSec’s database. Subsequently, other agents can download this list of malicious IPs to proactively block them, even if they have never attacked their server. I particularly appreciate this feature. It helps create a common defense network where every server contributes and receives protection from the community.
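The parser, scenario and decision stages above as an added toy model in Python (example code, not CrowdSec's own implementation): it turns constructed sshd log lines into events, applies the page's "10 failed logins from one IP within 5 minutes" rule per source IP, and issues a 4-hour ban. It uses a sliding window in place of CrowdSec's leaky bucket, and the hostname, IPs and year are assumed sample values; the slow drip from the second IP shows what a single-server threshold misses and why the shared blocklist matters.

```python
# Toy model of CrowdSec's parser -> scenario -> decision pipeline (added example, not CrowdSec code).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample below
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+ ssh2$")

def parse(line):
    """Parser stage: raw sshd line -> structured event, or None if not a failed login."""
    if not (m := FAILED_RE.match(line)):
        return None
    when = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": when, "user": m.group(2), "source_ip": m.group(3), "type": "ssh_failed-auth"}

def run_scenario(events, threshold=10, window=timedelta(minutes=5), ban=timedelta(hours=4)):
    """Scenario stage: `threshold` failures from one IP inside `window` -> decision {ip: ban_expiry}."""
    recent, decisions = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev["source_ip"]
        if ip in decisions:  # already banned: no further alerting while the decision lasts
            continue
        q = recent[ip]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # failures older than the window "leak" out
            q.popleft()
        if len(q) >= threshold:
            decisions[ip] = ev["time"] + ban
    return decisions

def detect(log_text):
    """Run both stages over a block of log text and return the decisions."""
    return run_scenario([e for e in map(parse, log_text.splitlines()) if e])

def constructed_log():
    """Constructed sample (not a real capture): fast burst, slow drip (1 per 10 min), one success."""
    fmt = "Jan 10 {h:02d}:{m:02d}:{s:02d} srv sshd[{pid}]: {msg} from {ip} port {port} ssh2"
    burst = [fmt.format(h=12, m=i // 3, s=(i % 3) * 20, pid=1000 + i, msg="Failed password for root",
                        ip="203.0.113.7", port=50000 + i) for i in range(10)]
    drip = [fmt.format(h=12 + i // 6, m=(10 * i) % 60, s=0, pid=2000 + i, ip="192.0.2.9",
                       msg="Failed password for invalid user admin", port=40000 + i) for i in range(10)]
    ok = [fmt.format(h=12, m=1, s=30, pid=3000, msg="Accepted password for bob", ip="198.51.100.5", port=3000)]
    return "\n".join(burst + drip + ok)

if __name__ == "__main__":
    for ip, until in detect(constructed_log()).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M}")  # ban 203.0.113.7 until 2024-01-10 16:03
```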

Comparison with Fail2Ban and Other Solutions

As I mentioned, Fail2Ban is a good tool for local brute-force prevention. But compared to CrowdSec, it has limitations:

  • Detection Scope: Fail2Ban focuses only on local services. CrowdSec can monitor and react to a wider range of attack types across multiple applications.
  • Community Aspect: Fail2Ban is entirely local, lacking the ability to share information about attacking IPs with other servers. CrowdSec, with its Community Blocklist, helps you automatically protect against threats already detected elsewhere.
  • Features: CrowdSec has a powerful CLI (cscli) to centrally manage components, view metrics, alerts, and decisions.
  • Scalability: CrowdSec is easily scalable with different bouncers to block at multiple layers, not just limited to the operating system firewall.

In summary, if Fail2Ban is like a personal gatekeeper, CrowdSec is a large-scale defense network. This system is much more organized and proactive in protecting servers.

Detailed Practice: Installing and Configuring CrowdSec on Ubuntu

Now, let’s get started with installing and configuring CrowdSec on your Ubuntu server. I will guide you step by step.

Step 1: System Preparation

First, update the system to ensure all software packages and dependencies are at their latest versions.


sudo apt update
sudo apt upgrade -y

Step 2: Install CrowdSec

CrowdSec has its own repository, which makes installation and updates easier.

First, add the CrowdSec repository:


curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Next, install the CrowdSec agent and crowdsec-firewall-bouncer-iptables. This bouncer will automatically integrate with your operating system’s firewall to block malicious IPs.


sudo apt install crowdsec crowdsec-firewall-bouncer-iptables -y

After installation, verify the status of the services to ensure they are running normally:


sudo systemctl status crowdsec
sudo systemctl status crowdsec-firewall-bouncer

You should see both services with an active (running) status.

Step 3: Basic Configuration and Exploration with cscli

cscli (CrowdSec Command Line Interface) is the main tool for interacting with CrowdSec. I will introduce some basic commands.

Using cscli

  • Check metrics: To view an overview of performance and the number of events/decisions.

sudo cscli metrics
  • View list of Decisions: This is a list of IPs currently blocked by CrowdSec.

sudo cscli decisions list
  • View list of Scenarios: The attack detection rules that CrowdSec is currently using.

sudo cscli scenarios list
  • View list of Parsers: The log analysis modules.

sudo cscli parsers list
  • View list of Collections: A collection is a set of pre-configured parsers and scenarios for a specific service (e.g., SSH, Nginx).

sudo cscli collections list

Activate Collections for Services

By default, CrowdSec monitors SSH. For CrowdSec to work effectively with other services on your server, you need to install the corresponding collections.

Example with SSH: The crowdsecurity/ssh-auth collection is usually installed by default when you install crowdsec. If not, you can install it:


sudo cscli collections install crowdsecurity/ssh-auth
sudo systemctl restart crowdsec

Example with Nginx (if your server has Nginx):


sudo cscli collections install crowdsecurity/nginx
sudo systemctl restart crowdsec

Similarly, if you use Apache, there’s the crowdsecurity/apache2 collection. You can search for other collections using the command cscli collections list -a.

Test CrowdSec Operation

To see how CrowdSec works, you can simulate a simple SSH brute-force attack against your server from another machine (not from a terminal session on the server itself, since the resulting ban would lock you out).

From another machine, try logging into your server via SSH with an incorrect password multiple times. For example, 5-10 times:


ssh user@your_server_ip
# Enter incorrect password multiple times

After several failed attempts, return to the server’s terminal and check for alerts and decisions:


sudo cscli alerts list
sudo cscli decisions list

You will see alerts about failed SSH logins and then a decision to block the source IP of the attacking machine. If you try to SSH from that machine again, you will no longer be able to connect.

To see how the blocking rule has been added to iptables, you can use the command:


sudo iptables -L -n | grep crowdsec

You will see a chain named crowdsec-blacklists and the IP blocking rules added to it.

Step 4: Leverage the Community Blocklist

To truly benefit from CrowdSec’s community power, you should register your server with the CrowdSec Central API.

Upon registration, your server will contribute detected attacking IPs (curated and anonymized) to CrowdSec. In return, you will receive a list of malicious IPs from millions of other agents worldwide.

To register, you need to create a free account on app.crowdsec.net. Afterwards, you will receive an enrollment key to connect your agent:


sudo cscli console enroll [YOUR_ENROLL_KEY]

This step is not mandatory, but I highly recommend it as it will significantly enhance your server’s defensive capabilities.

Step 5: Other Useful cscli Commands

  • Delete all blocking decisions: If you accidentally blocked a legitimate IP (or your own IP) and want to unblock it immediately.

sudo cscli decisions delete --all
  • List registered machines (agents): Useful if you manage multiple servers.

sudo cscli machines list
  • List installed bouncers:

sudo cscli bouncers list

Conclusion: More Effective Server Protection with CrowdSec

By now, you have completed the installation and configuration of CrowdSec on your Ubuntu server. This provides a proactive and robust security layer, helping your server defend against automated attacks such as brute-force or scanning.

With its community-based approach, CrowdSec not only protects your individual server. It also contributes to building a safer cyberspace for all Internet users.

Security is an ongoing process, not a “set it and forget it” solution. However, integrating CrowdSec into your defense strategy will significantly reduce risks from common threats. Continue to monitor its performance and explore other advanced CrowdSec features to optimize protection for your infrastructure.
