Crowdsec the next fail2ban generation

crowdsec will be the next generation of fail2ban, I am still watching it, maybe one day :wink:

But https://www.lesechos.fr/pme-regions/innovateurs/crowdsec-veut-devenir-le-waze-de-la-cybersecurite-1255803

It is a startup; wait and see what it could become… They burn money sometimes.

1 Like

https://crowdsec.net/

May I suggest a topic for chatting about the goods and bads of the crowdsec approach?

2 Likes

The main feature is to detect and ban IPs on servers and to store the IPs in a centralized database: an attacker will be banned on all servers and not only on the server where he has been banned. I suppose the startup wants to sell the access to the database.

I am not sure the access to the database is worth it, because the IPs are used and abandoned quickly, but when you have a NethServer architecture in a datacenter, for example, it makes sense that an IP could be banned on all your servers. For that, retrieving IPs locally and using them on all your crowdsec instances is a pleasant idea.

2 Likes

Its power… is also its weakness.
This crowd-created “db” means “more rules” and so “more CPU power” used for retrieving, processing, checking and “letting the buggers drop” when they try to connect.

On the other side, missing login/knocks on the server could save CPU power, but it’s a lot of balancing.

This might be useful for avoiding emerging botnets and well-known buccaneers, but… those buccaneers may already be available/stored in ThreatShield. Which is, in my humble opinion, the nice complement to Fail2ban.

Being dependent on Crowdsec means, to avoid useless duplication, traffic and CPU-power consumption, the complete removal of ThreatShield and Fail2ban.

This startup created a really interesting and very saleable business plan.
A free product for gaining “antennas” that gather data. AI development on analysis to create the “pro set”, which might be refined, smaller and weighted to have the best defense/load balance.
Costs? A few developers to create the product (paid list), data centers for distributing the paid version and keeping the “free antennas” in sync for delivering the free, non-refined version, allowing lower data consumption on their infrastructure.

At least, that is my perception. Maybe it will be a real game changer, but until now it is a “nicer repack” of something known, with people trying to create a business around that.

2 Likes

Like 99.9999999999999 percent of startups, they try to sell something that is sometimes not helpful; they hopefully know a time when free money can boost their projects.

Put .com after your name and you will see a lot of gogo asking you “please take my money”.

The idea of having some built-in common list of known bad actors in one package is very appealing. For example, I have had some dedicated love from a VPS spamming my endpoint and moving down their IP block one at a time. Some ability to analyze this behavior and correct for it/inform others automatically seems nice, but I also acknowledge the potential for false positives and abuse.

The business model they have in mind is explained in the FAQ (and on some other sites where they have spread the word, like dev.to).

Don't know the current state of things, but there were some attempts with fail2ban:

https://github.com/stintel/vallumd
https://github.com/buanzo/fail2ban-zmq-tools
https://www.saas-secure.com/online-services/fail2ban-ip-sharing.html
https://serverfault.com/questions/625656/sharing-of-fail2ban-banned-ips
https://www.blackhillsinfosec.com/configure-distributed-fail2ban/

Not the same, but AbuseIPDB can be fed from fail2ban by the “crowd”.
Don’t know if someone here has used/evaluated OSSEC-HIDS (some years back it was considered a Swiss army knife). Anyway… going a bit off-topic.

Looks like crowdsec could provide something with more features that is easier to implement, without being a full SIEM solution.

1 Like

Yes, the project is interesting; I still need to check it again, however the installation was not so easy (obviously at the time I checked). Instead of installing the database on each host, you split the installation: one database hosted on a server, then on each host you install the equivalent of the log reader and jail.

Fail2ban is simple and easy to understand for a sysadmin: write a regex, set a log to watch, and it is over.

1 Like
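To make concrete the two models this thread contrasts, the per-host fail2ban jail (a regex over a log with maxretry/findtime/bantime) and the CrowdSec-style shared store where a ban taken on one server applies on all of them, here is an added Python model written for this discussion; it is not code from fail2ban or CrowdSec, and the host names web1/web2, the attacker address and the log lines are constructed. It also models the point above that addresses are abandoned quickly, by giving every shared decision an expiry.

```python
import re
from collections import defaultdict, deque

# Constructed sshd-style events: (timestamp in seconds, host, log line).
EVENTS = [
    (1, "web1", "Failed password for invalid user admin from 198.51.100.7 port 4021 ssh2"),
    (2, "web1", "Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2"),
    (3, "web1", "Failed password for root from 198.51.100.7 port 4023 ssh2"),
    (4, "web2", "Accepted publickey for deploy from 203.0.113.9 port 5000 ssh2"),
]

# The single regex a fail2ban filter needs; fail2ban's <HOST> tag becomes this group.
FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\d{1,3}(?:\.\d{1,3}){3})")

class Jail:
    """Per-host jail: ban after maxretry matches within findtime, for bantime seconds.
    If `decisions` is given, bans are also published to that shared dict, so every
    jail pointing at the same dict honours them (the central-store idea)."""

    def __init__(self, maxretry=3, findtime=60, bantime=600, decisions=None):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.hits = defaultdict(deque)   # ip -> timestamps of recent failures
        self.local = {}                  # ip -> ban expiry, this host only
        self.decisions = decisions       # shared ip -> ban expiry, or None

    def observe(self, ts, line):
        m = FAILREGEX.search(line)
        if not m:
            return
        ip = m.group("host")
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] > self.findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.local[ip] = ts + self.bantime
            if self.decisions is not None:
                self.decisions[ip] = ts + self.bantime

    def is_banned(self, ip, ts):
        exp = self.local.get(ip)
        if exp is None and self.decisions is not None:
            exp = self.decisions.get(ip)
        return exp is not None and ts < exp

def simulate(shared):
    """Replay EVENTS; return whether web2 blocks the attacker at t=10 and at t=700."""
    decisions = {} if shared else None
    jails = {h: Jail(decisions=decisions) for h in ("web1", "web2")}
    for ts, host, line in EVENTS:
        jails[host].observe(ts, line)
    return jails["web2"].is_banned("198.51.100.7", 10), jails["web2"].is_banned("198.51.100.7", 700)
```

With standalone jails web2 never learns about the attacker; with the shared store it blocks the address at t=10 but not at t=700, once the 600-second decision has expired.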

Also, Fail2ban can be contextual.
The data processed is… coherent with the offenders that are trying to break into the box. ThreatShield might (or might not) be a little more proactive, if you’re not in the first, second and third group attack, but the size of the data to be checked is far bigger.

Downside of this approach: users, if not forced, will still use… fakewords instead of passwords.

1 Like