Required Knowledge

• How to SSH into servers and use SSH keys

Install Crowdsec

Crowdsec is pushed via Ansible, but if you're following along at home... follow the official guide instead :P

Firewall Bouncer

This guide is applicable to Ubuntu 20.04 LTS, which uses nf tables by default

1. Run the below commands and take note of the API key

   Copy

   apt install crowdsec-firewall-bouncer-iptables -y
   cscli bouncer add firewall #copy the API key

2. Remove and edit the config file

   Copy

   rm /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
   nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

3. Paste in my config below (please update the variables marked with a $)

   Copy

   mode: nftables
   update_frequency: 300s
   log_mode: file
   log_dir: /var/log/
   log_level: info
   log_compression: true
   log_max_size: 100
   log_max_backups: 3
   log_max_age: 30
   api_url: http://127.0.0.1:8080/
   api_key: $APIKeyFromStep1
   insecure_skip_verify: false
   disable_ipv6: false
   deny_action: DROP
   deny_log: false
   supported_decisions_types:
     - ban
   #to change log prefix
   #deny_log_prefix: "crowdsec: "
   #to change the blacklists name
   blacklists_ipv4: crowdsec-blacklists
   blacklists_ipv6: crowdsec6-blacklists
   #type of ipset to use
   ipset_type: nethash
   #if present, insert rule in those chains
   iptables_chains:
     - INPUT
   #  - FORWARD
   #  - DOCKER-USER
   
   ## nftables
   nftables:
     ipv4:
       enabled: true
       set-only: false
       table: crowdsec
       chain: crowdsec-chain
       priority: -10
     ipv6:
       enabled: true
       set-only: false
       table: crowdsec6
       chain: crowdsec6-chain
       priority: -10
   
   nftables_hooks:
     - input
     - forward
   
   # packet filter
   pf:
     # an empty string disables the anchor
     anchor_name: ""
   
   prometheus:
     enabled: false
     listen_addr: 127.0.0.1
     listen_port: 60601

4. Restart the service and review the nft tables

   Copy

   systemctl restart crowdsec-firewall-bouncer.service
   systemctl restart crowdsec
   nft list tables

5. You should see an output similar to below

   Copy

   table ip nat
   table ip filter
   table ip6 filter
   table ip crowdsec
   table ip6 crowdsec6

Cloudflare Bouncer

I've read online that the original bouncer isn't as good as the workers module but I'm a bit nervous to use the worker as, to me, it reads like it reviews every request coming through Cloudflare. This is great because it checks current data against current data but you only get x amount of free worker compute. If you're DDOS'd I imagine the bill would be big. So I've gone with the WAF based bouncer, which is pretty slow to update and can get API limited.

Generate an API key for Cloudflare

1. Navigate to user profile > API keys

2. Create a new API token and pick custom token

3. Give it the following permissions
4. Click continue to summary and then create token

5. Copy the API token into your password vault

Gather your Account and Zone IDs

1. Go to your Cloudflare dashboard and open one of the domains you wish to protect with Cloudflare

2. Scroll down and locate the API section on the right

3. Take note of your Zone ID (I would recommend formatting it like $ZONEID #my.domain.com)

4. Take note of your Account ID

5. Repeat steps 1 - 3 for each domain you wish to protect (the account ID will most likely be the same for each)

Install the Crowdsec module and bouncer

Example config:

#Cloudflare Config.
cloudflare_config:
  accounts:
  - id: ACCOUNT_ID
    token: API_TOKEN
    ip_list_prefix: crowdsec
    default_action: managed_challenge
    zones:
    - actions:
      - managed_challenge # valid choices are either of managed_challenge, js_>      zone_id: 182bacc7aaeda7bf1f1e35c79883b3f8 #agamersgrind.com
    - actions:
      - managed_challenge
      zone_id: ZONE_ID1 #my.domain.com
    - actions:
      - managed_challenge
      zone_id: ZONE_ID2 #your.domain.net
      ### Want to add another zone? Copy paste from here...
    - actions:
      - managed_challenge
      zone_id: ZONE_ID3 #grandmas.domain.xyz
      ### ... End copy paste here

  update_frequency: 5m # the frequency to update the cloudflare IP list. I have set this frequency to be very low to reduce risk of API limiting

Allow CURL or remote access to Crowdsec Engine

Some tools, such as Docker containers, are considered 'external' to the host device. This causes Crowdsec (and potentially the firewall) to block communications for this app or module.

For example, I had to do this for the Wordpress Crowdsec plugin, which sits inside my Wordpress container.

1. SSH into the server you wish to link back too (generally the host machine)

2. Input the below command allow Crowdsec through the firewall and to edit the Crowdsec config file

   Copy

   ufw allow 8080
   nano /etc/crowdsec/config.yml

3. Locate 127.0.0.1:8080 and change it to 0.0.0.0:8080 This allows any device to talk to the Crowdsec engine on that device

4. Save the config file

5. Input the below command to restart Crowdsec

   Copy

   systemctl restart crowdsec

6. You will now be able to CURL the Crowdsec engine