Crowdsourced Security With CrowdSec

Cybersecurity in today’s market is a $220B business and current projections are that this figure is expected to grow in excess of a $340B enterprise by 2027. In a perfect environment, there would be no need for cybersecurity, but there are evil and nefarious actors in the wild both domestically and internationally whose goal it is to break into your network to control your servers and steal your or your customers’ data whether you have a personal home, small, medium-sized, corporate, or enterprise network.

CrowdSec Concept

It goes without saying that security over your personal, company network or the network of the enterprise you’ve been hired to manage as a Linux Sysadmin is no longer a nicety, but is a necessity. The current trend in how network security is handled in the workplace is the adoption of crowdsourced security as a way to shore up the in-place security plans of any organization. When thinking about the concept of crowdsourcing security, think of how cybercriminals conduct their intrusions into a targeted network. They do it in a crowdsourcing manner. The main difference being that they don’t have any regard for the law or ethical behavior. Therefore, the best practice for cybersecurity would be to adopt the cybercriminals’ modus operandi but do it in a legal and ethical manner.

In this article, I’m going to introduce you to a crowdsourced security solution adaptable by anyone who cares about their network security, called CrowdSec. CrowdSec is an open-source and lightweight application that monitors network servers and permits you to detect malevolent actors and block them using something referred to as bouncers at the infrastructure, system, or application level. Click HERE to see enlarged image above.

Main features of CrowdSec

Ease of Installation

— CrowdSec is one of the easiest applications to install across most Linux distros
— CrowdSec can be installed on Linux, docker, Windows, FreeBSD, and K8.

Easy daily operation

— Keeping detection intrusion mechanisms functional and updated is a breeze through the use of cscli and hub

Reproducibility

— CrowdSec runs equally against live and cold logs making it easy to detect false positives, perform forensic analysis, or generate reporting

Observability

— Users have access to a simple deployable web interface
— OPs have access to Prometheus metrics
— Admins have access to a very friendly CLI

API Centricity

— All of the separate components of CrowdSec communicate over an HTTP API, allowing easy multi-device setups

Installation

For the purposes of this article, I will limit the installation of CrowdSec to Debian/Ubuntu-based Linux distros only. I am running AV Linux MX Edition Linux, which is based on Debian and MX-Linux (based on AntiX Linux). So, I’m going to go through the steps that I used to install CrowdSec on my system. Since I had to perform a manual installation of CrowdSec rather than using the automatic process, I will go over both for the benefit of the reader and the user of my particular operating system.

Automatic Process

Install Repositories

We’ll be using the pagecloud.io service for the purposes of installing CrowdSec. If you’re running Debian/Ubuntu Linux, then the first step will be to install the CrowdSec repositories. This will allow you to download and setup the latest packages and bouncers needed to perform actions if alerts are generated. To install the CrowdSec repositories, perform the following in the Terminal:

# curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
Install CrowdSec

Once the repositories are installed, you should run the following in the Terminal to install CrowdSec itself:

$ sudo apt install crowdsec

Now that we have CrowdSec installed in the system, we can move forward with installing the bouncer. To install the bouncer, perform the following in the Terminal:

$ sudo apt install crowdsec-firewall-bouncer-iptables , OR

$ sudo apt install crowdsec-firewall-bouncer, OR

$ sudo apt install crowdsec-firewall-bouncer-nftables

Remember: CrowdSec is only responsible for detecting intrusions and doesn’t take any actions otherwise. It is the responsibility of the bouncers to take the appropriate action to block intruders once they are detected.

Manual Procedure

If you need to install the CrowdSec repositories manually, like I do, because your Debian-based OS will not accept the automatic method, then the process is a little different. Before getting started, update your current repositories by running the following in the Terminal:

$ sudo apt-get update

Afterward, if you’re running a Debian-based Linux distro (AVL-MXE is one of those), then you’ll need to install the debian-archive-keyring so that Debian repos will be recognized. If running an Ubuntu-based distro, you can safely skip this step. To install debian-archive-keyring, perform the following in the Terminal:

$ sudo apt-get install debian-archive-keyring

Next, ensure that you have the gpg, curl, and apt-transport-https packages installed on your system. If not installed, install them by running the following command in the Terminal:

$ sudo apt install gnupg curl apt-transport-https 

Next, in order to install a deb repository, you’ll need to first install a GPG key that was used to sign it. This process will differ depending on whether your current version of apt is >= 1.1 or not. To determine your version of apt, perform the following in the Terminal:

$ sudo apt -v
For Apt version >= 1.1

Create the following directory for storing the GPG key (Apt version >= v2.4.0), by performing the following in the Terminal:

$ sudo mkdir -p /etc/apt/keyrings/

Then, add the GPG by running this command in the Terminal as root user (not sudo):

# curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | gpg --dearmor > /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg

Finally, create a file named /etc/apt/sources.list.d/crowdsec_crowdsec.list which contains the following two lines of code:

deb [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/ubuntu trusty main
deb-src [signed-by=/etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/ubuntu trusty main

And, ensure that the bolded OS=ubuntu and Dist=trusty shown above is modified to correspond to your distribution. In the case of AVL-MXE Linux, I used the following since it is based on Debian 11:

OS=debian
Dist=bullseye
For Apt version < 1.1

Add the GPG Key as root (not sudo):

# curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | gpg --dearmor > /etc/apt/trusted.gpg.d/crowdsec_crowdsec.gpg

Create a file named /etc/apt/sources.list.d/crowdsec_crowdsec.list that contains the following code:

deb https://packagecloud.io/crowdsec/crowdsec/ubuntu trusty main
deb-src https://packagecloud.io/crowdsec/crowdsec/ubuntu trusty main

Again, substitute ubuntu trusty with debian bullseye if you’re running AVL-MXE Linux or other Debian 11-based distro of Linux. Then run the following in the Terminal to update the repositories:

$ sudo apt-get update

This will now allow you to install packages based on these repositories. There are a total of 1686 packages located here.

Setting Up An Account With CrowdSec

Once you have CrowdSec setup on your main PC and ancillary servers which you wish to monitor from the Dashboard Console on your main PC, then you’ll need to subscribe to CrowdSec via CrowdSec’s Web Console app. Subscribing to an account is very simple. You just click the Subscribe button, enter your personal or business email address, choose a strong password, and tick the box to accept the Terms of Agreement to establish an account. You will be sent an email to the email address that you used to subscribe to the Website Console service. Retrieve the code in your email and enter it in the box that pops up on the screen and your account will be established. If you, instead, already have an account with CrowdSec, simply log in. I highly recommend that you establish 2FA on the account. You’ll see the instructions on how to set that up after you log in. I have 2FA setup on my account and use the Google Authenticator as the second factor for authentication

Console access is achieved by visiting app.crowdsec.net where you will land on the Dashboard, which is a secure site.

CrowdSec Dashboard Console

In the figure above, my company name is dpNetwork (which you can select while setting up your account–this can be changed later) and the main installation of CrowdSec is on AVL-MXEDT (My AVL-MXE Linux Desktop). I have another installation of CrowdSec on my server which is AVL-MXELT (My AVL-MXE Linux Laptop). One can add an unlimited number of instances of CrowdSec for additional monitoring (even on the FREE account, which I am using). To accomplish this, simply click the Add Instance button on the inner-most right-hand side of the main Console, and you’ll be presented with an Instance Code. This code needs to be run in the Terminal of the device you’re adding for monitoring purposes. Once you run this code in the remote Terminal, you’ll be prompted to ACCEPT the additional instance. Once you click the Accept button, the instance will be added as shown above. Clicking the More Details button will provide you with Agent and Scenario information for each device being monitored. Clicking the Alerts button at the top of the Console will present you a screen showing you current alerts–if any–which have been submitted by the CrowdSec system. You can take appropriate action based on the intrusion detected. This is rather self-explanatory.

CrowdSec Alerts Window

If an intrusion attempt is detected, you will typically be given an IP address pointing to the attacker. When you receive this, there will be a Copy button next to this IP address. Press the Copy button and the IP address will be copied out to the clipboard. Then, you can click on the CTI button at the top of the Console to the right of the Alerts button and on the Cyber Threat Intelligence Window you’ll be able to paste the IP address from the clipboard into the field in the center of the screen, then click the arrow to the right, to launch more information about the intruder.

Click the Activity button to learn more about Instance Meta info that has been gathered by CrowdSec regarding your account and the activity on the monitoring of your separate instances.

CrowdSec Activity Window

And, finally, click on the Settings button to enter your settings area that will allow you to make necessary changes to information that you’ve provided earlier and to add functionality to CrowdSec as you desire.

CrowdSec Settings Window

Controlling CrowdSec From the CLI

CrowdSec can be controlled directly from the Command-Line using the CSCLI interface. Practically every facet which is controlled from the GUI can be performed from the Linux CLI and more. To access the CSCLI, run the following command in the Terminal:

$ sudo cscli

When you run this command, you’ll be presented with stdout information similar to the following:

CrowdSec CL Interface

Simply follow the instructions on what particular information you wish to obtain from CrowdSec via the Terminal from this screen and you’ll be good to go.

Securing Your Raspberry Pi Using CrowdSec

In this section, I will walk you through the process of installing the CrowdSec agent, a firewall bouncer, and scenarios onto Raspberry Pi OS on your Raspberry Pi. Before proceeding with the installation instructions, let me familiarize you with the specifications of the Raspberry Pi that is hosting my two websites, which is currently installed as an instance on my CrowdSec Dashboard and which is reporting alerts everyday from countries around the world trying to access it.

The platform that I’ve installed CrowdSec v1.3.4-debian-pragmatic is a Raspberry Pi, Model 3B+ Rev. 1.2 SBC with 1GB of RAM running Raspbian GNU/Linux 10 (buster) armv7l and Kernel version 5.10.103-v7+. The instructions that follow were successfully installed on this platform and an instance created on the CrowdSec Dashboard. The same procedure for installing CrowdSec should work just fine on a Raspberry Pi 4 as well.

Installing the CrowdSec Agent & Firewall Bouncer

First order of business is that we need to install the CrowdSec repositories. I will walk you through the automatic procedure, then point you to the manual procedure if you run into an issue or just want to install CrowdSec manually. The CrowdSec automatic installation script follows and this is what you need to run in the terminal on the Raspberry Pi.

$ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Now that we have the CrowdSec repositories installed, let’s move on to the installation of the CrowdSec Agent. To install this, run the following in the terminal:

$ sudo apt install crowdsec

Just ignore the messages in the stdout in the terminal that state: WARN…. These are just warnings and should not have any impact on the final installation. I received several of these myself when I successfully installed CrowdSec on my home Raspberry Pi 3B+. Now, let’s go ahead and install the firewall bouncer. You have two options here: iptables- or nftables-based firewall bouncer.

To accomplish this, run the following command in the terminal.

$ sudo apt install crowdsec-firewall-bouncer-iptables     OR

$ sudo apt install crowdsec-firewall-bouncer-nftables

It doesn’t really matter which one you install as it shouldn’t adversely affect the installation. Once this process completes, we’ll verify that the bouncer we chose to install has been installed. Run the following command in the terminal to verify:

$ sudo cscli bouncers list

When I installed the firewall bouncer on my Raspberry Pi 3B+, this is what I saw in the terminal when I verified the bouncer installation:

Firewall Bouncer Installation Verification

Yours should look similar and may have only one line instead of two. Now, let’s wrap up by installing a Bash SHELL Completion which will allow us to run shell commands easily when interfacing with the CSCLI. To accomplish this, run the following in the terminal:

$ cscli completion bash | sudo tee /etc/bash_completion.d/cscli

After the above command finishes, you can verify that SHELL completion by typing sudo cscli and double-tapping the <TAB> key:

It Works!

Installing Scenarios

CrowdSec is not very effective without the proper scenarios installed. You want the scenarios that will detect intrusions into whatever servers you have installed on the Raspberry Pi and, fortunately, this is easily done. The command should be run on the terminal and should find whatever servers you have running during its installation. The command to run is:

$ sudo cscli scenarios list

When I ran this command on my Raspberry Pi’s terminal, this was the resultant output:

Scenarios List

One scenario that did not get installed, which I would like CrowdSec to monitor is that scenario that detects incoming probes for ports in use. To accomplish this, I will need to install the iptables-scan-multi_ports scenario. To accomplish this, run the following in the terminal:

$ sudo cscli scenarios install crowdsecurity/iptables-scan-multi_ports

Make sure that you reload the CrowdSec service after performing this command so the new scenario can be detected:

$ sudo systemctl restart crowdsec   OR
$ sudo systemctl reload crowdsec

And, follow up with this command to verify the Crowdsec service restarted successfully and is running:

$ sudo systemctl status crowdsec

After performing this, I reran the command in the terminal to list out the installed scenarios. This is the output I received that clearly shows the new scenario has been installed:

Updated Scenarios List

Enrolling Your Device into the CrowdSec Dashboard

At this point, you should enroll your device instances in your CrowdSec Dashboard. This is basically a two-step process:

  • Tell the CrowdSec agent to enroll in the console.
  • Accept that connection request.

In the CrowdSec Dashboard, under the Instances menu option, click the Add Instance button on the right-hand side. You’ll be presented with a command to run in the device’s terminal. An example will look like the following:

$ sudo cscli console enroll ckskrrawm232221wmpic62frjg

This command is unique to your Dashboard account. After entering this command in the terminal, you should return to the Console Dashboard and within a few seconds, you’ll see a button asking if you wish to CANCEL or ACCEPT the request. Click the ACCEPT option, and you’ll be reminded to restart the CrowdSec service. Once you do this, the instance should appear in the Console Dashboard within a few seconds. Now, you can rename the instance by clicking on the gear symbol to the right of the instance name and type in the name of the instance you wish to see.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published.