CrowdSec replacing Fail2ban

Discussion in 'Feature Requests' started by IzFazt, Dec 11, 2020.

  1. IzFazt

    IzFazt Member HowtoForge Supporter

    much better resource usage
    Code:
    https://crowdsec.net/
     
    Jesse Norell likes this.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    So your request is to use this in the Perfect Server tutorials? Include the logs in the panel? Or?
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I haven't heard of crowdsec before, but have wanted to write something that does exactly that for some time. Will definitely look into this more. I really hope they have open sourced the collection server/database piece, so that anyone can run their own (because the public service gets DoS'd or shuts down, etc.). If you can use multiple public collection services, I'd suggest we set one up for the ispconfig community, preconfigured for use (both for security incidents and spamming).
     
    IzFazt likes this.
  4. IzFazt

    IzFazt Member HowtoForge Supporter

    Yes sir, we've had resource problems with fail2ban, currently using crowdsec.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do you have measurement data on resource usage for fail2ban and crowdsec you can share here?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Also somewhat germane to your question, do you have any custom configuration, or just using the collections/configuration/bouncers right from crowdsec hub? What all did you envision or hope an ISPConfig integration would configure and do? It seems like a Perfect Server tutorial that had a few commands to run the crowdsec install wizard and get it pointed at the control panel node, which itself runs the web interface, would be sufficient?

    Also to answer my earlier wandering, they do not make the "consensus engine" available to the public currently, and it sounds like probably no plans to do so any time soon.
     
  7. IzFazt

    IzFazt Member HowtoForge Supporter

    Hi Jesse, holidays so sorry for my late reply, Happy New Year!

    That would be sufficient indeed. There is currently one issue which I had to resolve in my personal setup, I had to turn this report off as it crashed crowdsec after the first attempt on port 22

    Code:
    cscli scenarios remove crowdsecurity/ban-report-ssh_bf_report
    all other stuff on their hub I currently have activated.
     
  8. brainz

    brainz Member

    crowdsec works great love it.... Also works along side fail2ban..

    Screen Shot 2.jpg
     
    Last edited: Nov 27, 2021
    ahrasis and Taleman like this.
  9. IzFazt

    IzFazt Member HowtoForge Supporter

    Yes works together smooth , but I turned Fail2ban off. Crowdsec is so much more effective because bad IP's don't even pass the firewall. The owners of these IP's do not only focus on brute force. Crowdsec in conjunction with the CSF firewall - which also has a Fail2ban alike brute force protection feature as only one of it's many features - offers in my humble opinion a better protection then the default Fail2ban / Firewall setup from ISPConfig. CSF also allows you to add extra DNSBL lists. Also you should modify the default sysctl.conf (credits Aysad Kozanoglu, Github) and so on. Brute Force is only one of the many treats, still coming in a lot, almost always SSH or FTP.
     
    ahrasis and Taleman like this.

Share This Page