
Start using crowdsec v.1.0. X

2021-02-02 18:05:07 CrowdSec

Preface

The official release of CrowdSec v1.0.x brings several improvements over the previous version, including one major architectural change: the introduction of a local REST API.

The Local API lets all components communicate with each other more effectively and supports more complex architectures, while keeping things simple and easy to use for stand-alone users. This release also simplifies the creation of bouncers (the blocking components), making them more flexible to future changes and limiting maintenance effort.

With the new 1.0 release, the CrowdSec architecture has been deeply reworked.

All CrowdSec components (the agent that reads logs, the cscli tool used by humans, and the bouncers that stop the bad guys) can now communicate through the REST API instead of reading from or writing to the database directly. In the new version, only the Local API service interacts with the database (SQLite, PostgreSQL or MySQL).

CrowdSec is a security automation engine that protects Internet-facing servers, services, containers or virtual machines through a server-side agent. It is inspired by Fail2Ban and aims to be a modern, collaborative version of that intrusion-prevention tool.

CrowdSec uses a behavioural analysis system that reads your logs to determine whether someone is trying to break in. If your agent detects such behaviour, the offending IP is handled locally and reported. If that report passes curation, the IP is redistributed to all users sharing a similar technical profile, so they become immune to it.

The goal is to harness collective power and create a kind of neighbourhood watch for the Internet. For an IP that attacks a machine, you choose how you want to deal with the threat. Overall, CrowdSec uses collective power to build a highly accurate IP reputation system that benefits all users.

CrowdSec is free and open source (under the MIT license) and its source code is available on GitHub. CrowdSec currently runs on Linux; ports to macOS and Windows are planned.

This tutorial shows how to install and run CrowdSec on a Linux server:

  • CrowdSec setup
  • Testing detection
  • Bouncer setup
  • Observability

Set up the environment

The machine used for this test is a Debian 10 Buster t2.medium EC2 instance. To make the test relevant, let's start by installing nginx:

$ sudo apt-get update

$ sudo apt-get install nginx

Configure the security group so that SSH (tcp/22) and HTTP (tcp/80) are reachable from the outside. This will be needed for the simulated attack later.

Install CrowdSec

Get the latest CrowdSec release:

$ curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url| cut -d '"' -f 4  | wget -i -

Or download it from our GitHub page.

Here is the installation process:

$ tar xvzf crowdsec-release.tgz

$ cd crowdsec-v1.0.0/

$ sudo ./wizard.sh -i
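The one-liner above takes every browser_download_url in the GitHub API response and hands the archive to the wizard without checking it. The script below is an added example, not from the article or the CrowdSec project: it selects only the .tgz asset from a release response and verifies the archive against an expected SHA-256 before it is unpacked. The JSON is a constructed sample, example.invalid is a placeholder host, and the release is assumed to publish a checksum you can obtain out of band (the hash in the test is for a constructed file, not a real release).

```shell
#!/bin/sh
# Added example, not from the article or the CrowdSec project: pick the release
# tarball out of a GitHub "latest release" API response, and verify a downloaded
# archive against an expected SHA-256 before running wizard.sh on it.
# The JSON below is a constructed sample; example.invalid is a placeholder host.

SAMPLE_RELEASE_JSON='{"assets":[
  {"name":"crowdsec-release.tgz","browser_download_url":"https://example.invalid/crowdsec-release.tgz"},
  {"name":"crowdsec-release.tgz.sha256","browser_download_url":"https://example.invalid/crowdsec-release.tgz.sha256"}
]}'

# select_tgz_url: read release JSON on stdin and print only the .tgz asset URL.
# The grep|cut pipeline in the article prints every browser_download_url, so
# "wget -i -" would fetch every asset the release lists, not just the tarball.
select_tgz_url() {
    grep -o '"browser_download_url": *"[^"]*"' \
        | cut -d '"' -f 4 \
        | grep '\.tgz$' \
        | head -n 1
}

# verify_archive FILE EXPECTED_SHA256: exit 0 only if FILE hashes to EXPECTED.
# The expected value is assumed to come from the release page, obtained
# separately from the download itself, so a tampered archive is rejected.
verify_archive() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# fetch_and_verify EXPECTED_SHA256: the article's download step with the two
# checks above: resolve the URL, fetch, verify, and only then unpack.
# Needs network access; not run automatically here.
fetch_and_verify() {
    url=$(curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | select_tgz_url)
    [ -n "$url" ] || { echo "no .tgz asset found" >&2; return 1; }
    wget -q -O crowdsec-release.tgz "$url"
    verify_archive crowdsec-release.tgz "$1" || { echo "checksum mismatch, refusing to unpack" >&2; return 1; }
    tar xvzf crowdsec-release.tgz
}
```

Call fetch_and_verify with the published hash; verify_archive is kept separate so it can also be run on an archive that was downloaded by other means.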

The wizard walks you through installation and configuration.

First, the wizard identifies the services already present on the machine and lets you select which ones to monitor. This tutorial keeps the default selection, monitoring all three services: Nginx, SSHD and the Linux system.

For each service, the wizard identifies the relevant log files and asks for confirmation (again, keep the defaults).

Once the services and their log files are correctly identified (this step is important, since it is how CrowdSec gets its information), the wizard proposes collections to install.

A collection is a set of configurations that together protect a technology stack. For example, the crowdsecurity/sshd collection contains a parser for SSHD logs and scenarios that detect SSH brute force and SSH user enumeration.

The wizard suggests collections based on the services you chose to protect.

The final wizard step deploys a generic whitelist that prevents private IP addresses from being banned. It also reminds you that CrowdSec only detects malicious IP addresses; it does not block them. To block attacks, you need to install a bouncer.

Remember: CrowdSec detects attacks; bouncers block them.

Once the initial setup is complete, CrowdSec should be up and running.

Using CrowdSec to stop attacks

With CrowdSec installed, common Internet attacks should now be covered. Let's check.

Attacking the web server with wapiti

Use Wapiti, a web application vulnerability scanner, to simulate a scan against the Nginx service. Do this from an external IP: remember that private IPs are whitelisted by default.

ATTACKER$ wapiti -u http://34.248.33.108/
[*] Saving scan state, please wait...

 Note
========
This scan has been saved in the file
/home/admin/.wapiti/scans/34.248.33.108_folder_b753f4f6.db
...

On this freshly installed machine, the attack is visible in the logs:

My IP triggered several different scenarios:

Keep in mind that the website under attack is an empty, vanilla Nginx server. If it were a real website, the scanner would do much more, which would lead to more detections.

Checking the results with cscli

cscli is one of the main tools for interacting with the CrowdSec service; among other things, it displays active decisions and past alerts.

cscli decisions list shows the decisions active at that moment, while cscli alerts list shows past alerts (even if the decision has expired or the alert did not lead to a decision).

You can also inspect a specific alert in more detail with cscli alerts inspect -d <ID>, using the alert's ID.

cscli has other features too, but for now let's find out which parsers and scenarios the default setup installed.

Observability

Observability (especially for software that may take defensive countermeasures) is always key to a security solution. Besides tailing the log file, CrowdSec offers two ways to achieve observability: Metabase dashboards and Prometheus metrics.

Metabase dashboard

You can deploy a new Metabase dashboard with cscli and Docker. First, install Docker by following the official Docker documentation.

If you are using an AWS EC2 instance, make sure tcp/3000 is exposed so you can reach the dashboard.

cscli dashboard setup deploys a new Metabase dashboard, running in Docker, with a randomly generated password.

Prometheus indicators

Some people like visual dashboards; others prefer a different kind of metric. This is where CrowdSec's Prometheus integration comes in.

One way to view these metrics is cscli metrics.

The cscli metrics command shows only a subset of the Prometheus metrics, the ones most relevant to a system administrator. A detailed description of the metrics is available in the documentation. They are divided into sections:

  • Buckets: since the daemon started, how many buckets of each type were created, poured into, or overflowed?
  • Acquisition: how many lines or events were read from each source, and were they parsed and/or later poured into buckets?
  • Parsers: how many lines/events went through each parser, and did the parser handle them successfully?
  • Local API: how many hits per route, and so on.

Viewing CrowdSec's Prometheus metrics through cscli metrics is convenient, but it does not do Prometheus justice. Exploring Prometheus is beyond the scope of this article, but the screenshot below gives a quick look at CrowdSec's Prometheus metrics in Grafana.
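To show what the bucket section of cscli metrics is built from, here is an added example (not from the article or from CrowdSec) that reads raw Prometheus exposition text and produces a per-scenario created/overflowed summary, plus the list of scenarios that actually overflowed, i.e. raised an alert. The metrics text is a constructed sample: the metric names cs_bucket_created_total, cs_bucket_overflowed_total and cs_parser_hits_ok_total are assumed to be the ones CrowdSec 1.0 exposes, and the scenario names and counts are made up.

```shell
#!/bin/sh
# Added example, not part of the article or of CrowdSec: summarise the bucket
# metrics of a CrowdSec Prometheus scrape the way "cscli metrics" does.
# SAMPLE_METRICS is constructed; the metric names are assumed to match what
# CrowdSec 1.0 exposes, the label values and counts are made up.

SAMPLE_METRICS='# HELP cs_bucket_created_total Total buckets created.
# TYPE cs_bucket_created_total counter
cs_bucket_created_total{name="crowdsecurity/http-bad-user-agent"} 12
cs_bucket_created_total{name="crowdsecurity/http-probing"} 3
cs_bucket_created_total{name="crowdsecurity/ssh-bf"} 7
# HELP cs_bucket_overflowed_total Total buckets overflowed.
# TYPE cs_bucket_overflowed_total counter
cs_bucket_overflowed_total{name="crowdsecurity/http-bad-user-agent"} 2
cs_bucket_overflowed_total{name="crowdsecurity/ssh-bf"} 1
cs_parser_hits_ok_total{name="crowdsecurity/sshd-logs",source="/var/log/auth.log"} 40'

# bucket_summary: read exposition text on stdin and print one line per scenario:
#   "<scenario> <created> <overflowed>", sorted by scenario name.
bucket_summary() {
    awk '
        /^cs_bucket_(created|overflowed)_total[{]/ {
            # $1 is metric{name="X"}, $2 is the counter value
            metric = $1
            sub(/[{].*/, "", metric)
            name = $1
            sub(/^[^"]*"/, "", name)
            sub(/".*/, "", name)
            if (metric == "cs_bucket_created_total") created[name] += $2
            else overflowed[name] += $2
        }
        END {
            # scenarios that never overflowed still appear, with 0
            for (n in created) printf "%s %d %d\n", n, created[n], overflowed[n] + 0
        }' | sort
}

# overflowed_scenarios: scenarios with at least one overflow, i.e. the ones that
# produced an alert (and, with a ban profile, a decision for a bouncer to act on).
overflowed_scenarios() {
    bucket_summary | awk '$3 > 0 { print $1 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_METRICS" | bucket_summary
```

On a live host, feed the functions the real scrape instead of the sample, e.g. curl -s http://127.0.0.1:6060/metrics (assumed to be the default Prometheus listen address of a 1.0 install; check prometheus.listen_addr and listen_port in config.yaml). A scenario with many created buckets but no overflows is a useful baseline figure: it shows the scenario is being exercised by traffic without reaching its threshold.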

Blocking attacks with bouncers

CrowdSec's detection capability gives an observable picture of what is happening. However, if you want to protect yourself, you need to stop the attackers, and that is where bouncers come in. Keep in mind: CrowdSec detects attacks; bouncers block them.

Bouncers work by querying the CrowdSec API to learn whether a given IP should be blocked. You can download bouncers directly from the CrowdSec Hub.

This example uses cs-firewall-bouncer, which blocks malicious IPs directly at the firewall level with iptables or nftables.

Note: if you used your own IP to simulate the attack, remove the ban on that IP before continuing:

sudo cscli decisions delete -i X.X.X.X

Installing the bouncer

First, download the bouncer:

$ wget https://github.com/crowdsecurity/cs-firewall-bouncer/releases/download/v0.0.5/cs-firewall-bouncer.tgz

$ tar xvzf cs-firewall-bouncer.tgz

$ cd cs-firewall-bouncer-v0.0.5/

The bouncer can be installed with a simple install script.

The install script first checks whether iptables or nftables is installed and, if neither is, prompts you to install one.

Because the bouncer communicates with CrowdSec over the REST API, check that the bouncer is registered with the API.

The last command (sudo cscli bouncers list) shows our newly installed bouncer.

Testing the bouncer

Warning: before proceeding, make sure you have another IP available to reach the machine, so you don't lock yourself out. A smartphone's Internet connection will do.

With the bouncer protecting the machine, you can run the test again.

Try to reach the server once the scan is over:

ATTACKER$ curl --connect-timeout 1 http://34.248.33.108/

curl: (28) Connection timed out after 1001 milliseconds

Now let's look at the result from the defender's side.

If you are curious about the technology: cs-firewall-bouncer uses nftables or iptables. With nftables (the default on Debian 10), it creates and maintains two tables, crowdsec and crowdsec6 (for IPv4 and IPv6):

$ sudo nft list ruleset
table ip crowdsec {
    set crowdsec_blocklist {
        type ipv4_addr
        elements = { 3.22.63.25, 3.214.184.223,
                     3.235.62.151, 3.236.112.98,
                     13.66.209.11, 17.58.98.156, …
        }
    }

    chain crowdsec_chain {
        type filter hook input priority 0; policy accept;
        ip saddr @crowdsec_blocklist drop
    }
}
table ip6 crowdsec6 {
    set crowdsec6_blocklist {
        type ipv6_addr
    }
    chain crowdsec6_chain {
        type filter hook input priority 0; policy accept;
        ip6 saddr @crowdsec6_blocklist drop
    }
}

To change the firewall backend the bouncer uses, edit /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml and change the mode from nftables to iptables (iptables mode requires ipset).
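As an added example that is not part of the article or of cs-firewall-bouncer, the script below parses nft list ruleset output like the one shown above and checks whether a given address is currently in the crowdsec_blocklist set. It is the check worth running around the test in the previous section: confirm that the address you administer the machine from is not in the set, and that a decision you expect the bouncer to have picked up is. The ruleset text is a constructed sample modelled on the output above; ruleset_source is where a live host would run sudo nft list ruleset instead.

```shell
#!/bin/sh
# Added example, not from the article or cs-firewall-bouncer: read an nftables
# ruleset and answer "is this IPv4 address in the crowdsec_blocklist set?".
# SAMPLE_RULESET is a constructed sample modelled on the article's output.

SAMPLE_RULESET='table ip crowdsec {
    set crowdsec_blocklist {
        type ipv4_addr
        elements = { 3.22.63.25, 3.214.184.223,
                     3.235.62.151, 3.236.112.98,
                     13.66.209.11, 17.58.98.156
        }
    }
    chain crowdsec_chain {
        type filter hook input priority 0; policy accept;
        ip saddr @crowdsec_blocklist drop
    }
}
table ip6 crowdsec6 {
    set crowdsec6_blocklist {
        type ipv6_addr
    }
    chain crowdsec6_chain {
        type filter hook input priority 0; policy accept;
        ip6 saddr @crowdsec6_blocklist drop
    }
}'

# ruleset_source: the ruleset text to inspect. On a live host replace the body
# of this function with:  sudo nft list ruleset
ruleset_source() {
    printf '%s\n' "$SAMPLE_RULESET"
}

# blocklist_elements SETNAME: read ruleset text on stdin and print the members
# of the named set, one per line. Handles the elements list spanning several
# lines and the closing brace sitting on its own line, as nft prints it.
blocklist_elements() {
    awk -v want="$1" '
        $1 == "set" && $2 == want { inset = 1; next }
        inset && $1 == "}" && !collecting { inset = 0 }      # set had no elements
        inset && /elements *=/ { collecting = 1 }
        collecting {
            line = $0
            sub(/.*elements *= *[{]/, "", line)                # drop "elements = {"
            if (index(line, "}") > 0) { sub(/}.*/, "", line); collecting = 0; inset = 0 }
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# ip_is_blocked IP: exit 0 when IP is in the IPv4 blocklist set, 1 otherwise.
ip_is_blocked() {
    ruleset_source | blocklist_elements crowdsec_blocklist | grep -qxF "$1"
}

# blocked_count: number of IPv4 addresses the bouncer is currently dropping.
blocked_count() {
    ruleset_source | blocklist_elements crowdsec_blocklist | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
echo "blocked addresses: $(blocked_count)"
ruleset_source | blocklist_elements crowdsec_blocklist
```

Comparing blocked_count with the number of ban decisions in cscli decisions list is a quick way to confirm the bouncer is in sync with the Local API; a mismatch usually means the bouncer is not registered or cannot reach the API.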

Get involved

We want to hear everyone's feedback on the latest version. If you are interested in testing the software or want to get in touch with the team, check the links below:

Copyright notice
This article was written by [CrowdSec]; please include a link to the original when reposting. Thank you.
https://chowdera.com/2021/02/20210202180113612X.html
