You’re somewhat right. All elements of CrowdSec communicate via http rest api. This means that it can be fully distributed and centralised. Bouncers can be on dumb endpoints, log parsing can happen where the log is currently placed - and the LAPI can be completely centralised so you only need one in your enterprise environment.
Also, thinking that CrowdSec is ‘just a f2b replacement’ is wrong. The fail2ban use case is easy to understand so it’s a story we often tell. But CrowdSec is so much more. It’s intelligence, so to speak, is much more versatile than f2b as it can detect all sorts of resource abuse like L7 DDoS, scalping, credit card stuffing and data exfiltration. Also traffic can be blocked on L3 via host firewalls (iptables/nfttables or pf) or L7 firectly in applications like nginx, Wordpress, in any PHP app, in node.js, Magento CMS, in Cloudflare, in Caddy, in Traefik and much more.
Literally the sky is the limit - is very much about getting the right idea for a use case.
Hi
And welcome to the NethServer community!
I do like the idea of the “Unban me” button at the bottom of your page!
The idea is good.
It all makes or breaks with:
A) crappy lists
B) bad availability of lists
A lot of issues with threatshield are with badly available / maintained lists.
My 2 cents
Andy
Hi all,
Taking a look at CrowdSec: Installation & Example Scenario: Taking a look at CrowdSec: Installation & Example Scenario - YouTube.
Michel-André
Hi and thanks 
You’re right. Fortunately we’ve thought a lot about this.
We have two datlakes: smoke and fire. All intel is sent into the smoke datalake where the consensus system assess it based on a trust ranking system. Very shortly put all agents who reports data to us gets a trust ranking from 1 to 99 based on for how long they’ve reported intel and how trustworthy and stable they’ve been. In order for an ip to be deemed ‘bad’ it needs a certain amount of votes and points based on that trust ranking. That means that it’s really expensive and hard to poison the fire datalake. And on top of that there’s ips that can’t ever be banned such as CDN networkds, SEO bots etc. Finally all ips live in the fire datalake for 72 hrs. After that they will have to be resubmitted (=bad actor needs to still be active) to remain there.
All in all I think it’s a pretty good design. Of course there’s details I have omitted in this short write-up but these are the basics.
What do you think?
Excuse me, what? So, once on the fire datalake, all it takes for bad actor to be withdrawn from fire DL is to become silent ( ceasse all activity ) for 72 hrs? After 72 hrs they can become " vocal " again?
Seriously flawed…
You must be kidding !!
Why? What are these details?
Why? If its wrong, than what we should think CS tries to be?
But, we already have well established, proven, working mechanism for detection and prevention of DDoS and other attacks. Its called CloudFlare; we dont need yet another clone.
For every serious security admin, thats huge NO-NO
GROK = REGEX…
Public-facing one or within cooperate network? If public facing than - unless its fully secured - its huge design flaw; if that server is accessed internally than ok.
True; just to add :: f2b is well-established.
Thats why you try to defend CS.
Now, regarding project’s README.md::
CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten. Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, rule out false positives or poisoning attempts.
So: not storing logs / data, but, at, the same time, sending data somewhere? Some thoughts:
- where is this " curation platform " hosted ?,
- if whole project is OSS, than we. should be able to have ( at least read ) access to this " curation platform ", dont you think?
- user’s IP is PII so storing it without user consent is illegal ( GDPR ),
- any guarantee that " curated platform " is leak-proof?
- if you say that other installations of CS rely on this " curated platform " than how do you know what other people do with data downloaded from this platform?
- whats the data retention period on this platform?
- if CS is not SIEM, than what it is? From what one can read, as well as how you present CS, its clear that CS is ( or at least tries to be ) fully fledged SIEM software
Netherver-fail2ban does it, we enable jails when we found the relevant logs that is a pretty feature.
Obviously you can enable a jail manually also
you mean that nethserver-fail2ban enable jails with default config?
We customize software to be enabled and started with securized configurations, this is the dna of NethServer
As far as i can remember, yes. nethserver-fail2ban configure some “contextual” jails due to modules of Nethserver, and as “a starter” can help a lot the establishment of not naked server for password guessing attacks.
Nevertheless, the sysadmin should review and validate the settings, and not trust the defaults. And NethServer is not for endusers, but for sysadmins, even not skilled/experieced.
@cronlabspl please, try to be nice and polite. Don’t avoid criticism and analysis, but also please don’t disrespect projects that are not interesting/safe for you and the mantainers.
Currently as concept I am not that fond of Crowdsec, I expressed why some posts ago on this topics. As bear, pizza or meat, it’s common for having different tastes, even not liking at all the plate/drink
Ok, maybe I’m not the best… expression for “playing it nice”
but anyway critics with reasons and explainations could lead any project to improvement.
@pike I see absolutely no thing thats either not nice or not polite in Crowdsec the next fail2ban generation - #17 by cronlabspl.
All I have done is I asked some hard questions for SC team ( specifically @klausagnoletti ) to answer. Thats it.
Hi
Just to put a few things in perspective:
User cronlabspl has been on this platform since Decenber 11, 2021 - not even a week.
Probably without even reading the full post, a post starting with:
For starters, this is an english based community. That isn’t even a proper english sentence or statement, as you’re probably well aware…
And second, if you’ll excuse the term - for a one day fly - I do think your critic is rather harsch!
Who are you to write “we” as in “for this forum”?
If you sum up your statements as ask a few hard questions, then sum mine up as my hard personal opinion to your behaviour on this platform!
Wishing you a good day, @cronlabspl !
My 2 cents
Andy
Hi @cronlabspl and thanks for your comments.
I have commented those of your comments I feel it make sense to comment 
Excuse me, what? So, once on the fire datalake, all it takes for bad actor to be withdrawn from fire DL is to become silent ( ceasse all activity ) for 72 hrs? After 72 hrs they can become " vocal " again?
Seriously flawed…
The point is that in the vast majority of cases, a machine that is malevolent now is a legitimate machine that was breached. Sooner than later, the owner is going to be made aware of it (abuse email etc.) and is going to clean up its mess. On the other hand, if the machine start to attack again, it is going to be banned again (and quicker than the first time) and being shared back to the community. Past participative initiatives have failed to “expire” bad IPs, and it lead to issues for legitimate people. Obviously we don’t want that.
Why? If its wrong, than what we should think CS tries to be?
Seeing CS as a f2b replacement is seeing only the tip of the iceberg. It’s so much more. The real endgame here is the participative CTI.
But, we already have well established, proven, working mechanism for detection and prevention of DDoS and other attacks. Its called CloudFlare; we dont need yet another clone.
Are you using cloudflare to deal with scalping or credit card stuffing ? CS is going to simply leverage cloudflare as a way to remediate an attack, more business-oriented scenarios (ie. credit card stuffing, or scalping for example) are so dependent on your local application that you usually need to come up with your own scenarios.
For every serious security admin, thats huge NO-NO
This has been commented elsewhere. No need to repeat that.
GROK = REGEX…
The goal here is mostly to hide the complexity of such regexps
- where is this " curation platform " hosted ?,
AWS Europe, mostly
- if whole project is OSS, than we. should be able to have ( at least read ) access to this " curation platform ", dont you think?
No, however the IPs that have been reliably flagged as being malevolent are automatically shared back to the community (sent to each user to be integrated into their blocklists)
- user’s IP is PII so storing it without user consent is illegal ( GDPR ),
Yes. That is why neither collect nor store that.
- any guarantee that " curated platform " is leak-proof?
Noone in their right mind who knows anything about security would want to make claims that anything is ‘hacker-proof’. But we do our best. Most developers have a background as pentesters and out code has been audited by an acknowledged 3. party earlier this year. So I can say that we do our best.
- if you say that other installations of CS rely on this " curated platform " than how do you know what other people do with data downloaded from this platform?
We don’t, we redistribute the IPs that we know for sure are bad to the community, so that they can protect themselves against these
- whats the data retention period on this platform?
Could you elaborate on which data you’re talking about? The ‘smoke’ datalake with the ‘maybe’ malevolent ips or the ‘fire’ datalake with the verified ones?
- if CS is not SIEM, than what it is? From what one can read, as well as how you present CS, its clear that CS is ( or at least tries to be ) fully fledged SIEM software
Not to us. We don’t claim (or think) that it’s a SIEM. We do however think that CS is a lot of things in one: IDS, IPS, firewall, CTI and more. There’s nothing quite like it out there already.
In terms of our business model, data, privacy and open source there has (naturally) been critical questions before - and we expect it to happen again (which is totally fine). People tend to expect that when something’s free there’s a nasty downside. I honestly can’t see that here. In case you are interested in those issues as well, our CEO wrote a couple of posts on Reddit about it: here and here.
I hope my replies answered at least some of your questions. If not, feel free to ask again. And have a nice day!
/k
Un logiciel libre ne devient libre qu’une fois qu’il a été payé
In french : a free software is free only when it has been paid
@cronlabspl I am really not sure you try to have constructive talk in the NethServer community, you have trolled the crowdsec community yesterday in their channel and from what I heard you have been blocked.
I propose you stop now else you will be blocked too in our community
this is an Interesting Approach I am interested in it has anyone followed up this tool in nethserver yet as a module?
For whom’s interested…
Crowdsec sponsored an italian influencer which is a linux course creator and reseller, open source developer and project contributor. Sponsorship is related to a video on the Alphabet platform.
Crowdsec is also carrying people in as ambassadors of the project.
If the so called “ambassador” is an Italian influencer (also a linux enthusiast and developer, needed to say) seems more like “testimonial”.
So it’s advertising to me. If it’s called in a proper way that’s no harm on that.
I forgot… A tracked link it’s quite unpolite on foreing sites.
I think it is a bit early right now, NS7 has still 2 years of life, we are in a do not change stage and push the efforts to ns8, so for now we are building the next generation of NethServer.
Actually NS8 won’t have a firewall (for now) so I think we need to wait a bit on it and see what is going on. Another project could come with a firewall but I do not know much for now.
What I have in mind is to use crowdsec to read the attack on the logs and to send the bans to the firewall, I know it is possible.