I have been running crowdsec on my OpenWRT firewall for a bit now, I am just curious as to what others think about it?

Thank you @irmadlad the webui you suggested is showing the logs a lot better than my vibe coded HA plug ins (both my ssh honey pot and my plug in showed nothing) looking over the logs shows so much activity that is happening.

  • daniskarma@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 hours ago

    I’m using it. It’s good. Even without the cloud services the bouncer and scenarios are more powerful than fail2ban.

    Shame about no self hosted web ui but someone posted here a project I’m ought to look up oncw I arrive home.

    • Reannlegge@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 hour ago

      Yes the self hosted webui is awesome, I get to see that I am getting the warm embrace from China for the most part. I still use my vibe coded thing for my quick monitor on an old ipad in my kitchen but if I want to see it in more detail I use the webui.

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    33
    ·
    2 days ago

    When I ran Crowdsec, I thought it was a great piece of software, and a very decent free tier. I didn’t have any real complaints other that there was not a way, at the time that I knew of, to have the UI selfhosted. I think now someone has created a selfhostable user front end to it, but I haven’t dabbled in that.

    Here we go: https://corelab.tech/crowdsec-web-ui-setup-guide/

    I think this gent posted this a week or so ago.

  • The Zen Cow Says Mu@infosec.pub
    link
    fedilink
    English
    arrow-up
    16
    ·
    2 days ago

    i run it on opnsense. When my services were on individual subdomains each with their own certificate, they got hit a lot and crowdsec blocked lots of bots and scripts

    I ultimately moved all my services to a wildcard sub-subdomain, and poof all the bots went away and now crowdsec doesn’t do much other than block port scanners which the firewall does anyway.

    it’s not worth the hassle to uninstall though.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        7
        arrow-down
        1
        ·
        edit-2
        2 days ago

        Yes, and also by trying common subdomains under the main domain (like jellyfin., home. etc.) (They also scan the entire IPv4 address space, all TCP ports, over and over, but that’s a different discussion.)

        If you’re using DDNS you have to also be careful where you put the A and AAAA records. Some people put them on the main domain and then do a wildcard CNAME pointing to it for all the subdomains, or individual subdomain CNAMEs. But since the main domain is known from TLS cert logs it’s trivial for bots to also check to see if there’s A/AAAA records on it.

        It’s better to put the A/AAAA on a dedicated subdomain, obfuscate the name beyond trivial guesses (eg. maybe don’t use ip.), and make an individual CNAME for each services that points to the IP subdomain, and obfuscate those service subdomains similarly.

        For those who aren’t familiar with DNS, the information in it is publicly available to anybody who can name a [sub]domain and record type explicitly, but they refuse to do “list all the records for all the subdomains of this domain”. So bots are limited to asking for the most commonly used record types on the main domain but can’t get to records on subdomain names unless they can name the subdomain. (For completion, asking for a list of all records is possible, but nowadays due to abuse that function is restricted on all the public servers to just the known IPs of their fellow redundant servers.)

        A similar limitation applies to reverse proxies, bots can’t get to a service behind it unless they can correctly name the FQDN that the proxy uses for that service. (But please note that a reverse proxy works independently of DNS. If the proxy has foo.example.com defined to reach a service, it will work even if that domain isn’t in DNS or doesn’t exist.)

        Even after taking these measures you have to keep in mind that this is not security, it’s obscurity. It cuts down on bot scans which is great but don’t assume it means nobody knows your service domains. Your ISP probably knows them, there are DNS servers out there that know them, your mobile carrier can see them, and if you ever connect to WiFi when away from home the owners of those WiFi can see them (think hotels, airports, coffee shops etc.) It’s not out of the question for a coffee shop WiFi to have been compromised and to collect URLs and attempt attacks against them. Use VPN or a SSH tunnel to connect to services whenever possible, rather than exposing them publicly, and if you must expose them publicly then use mTLS or at the very least a custom header key.

      • RxBrad@infosec.pub
        link
        fedilink
        English
        arrow-up
        12
        ·
        2 days ago

        That was my experience also. Within minutes of spinning up any new subdomain with a dedicated A DNS record, I had bots that scraped it from https://crt.sh/ knocking on the door.

        With wildcard subdomains and relatively obscure URLs, it’s pretty quiet.

    • confusedpuppy@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      5
      ·
      2 days ago

      I also haven’t seen any bot activity after I started using wildcard sub domains. My ISP blocks all incoming on common ports so I also use uncommon ports. I assume the combination of the two makes it too time consuming to find me.

      I hid my ssh port with a wireguard connection so I also don’t see any attempts on my ssh port anymore either. My logs, including fail2ban, are quiet and boring.

      It’s nice to have a quiet corner of the internet for myself.

      • irmadlad@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 day ago

        My logs, including fail2ban, are quiet and boring.

        Every once in a while, I’ll tail my f2b logs, almost half heartily hoping I find an anomaly. But, no…it’s a snoozefest. pFsense out there on the edge, just doing it’s job.

  • Mereo@lemmy.ca
    link
    fedilink
    English
    arrow-up
    7
    ·
    2 days ago

    It’s great! I use it on both my home server and my Hetzner server. It blocks connections based on behaviors defined by scenarios. I configured it to block any connections it decides to block via the firewall.

    So far, so good. I don’t even know it’s running. It just does its job of blocking bots.

  • SomeDudeFromSpace@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    2 days ago

    I had it running in front of my Matrix server. With the default configuration it gave a lot of false positives, leaving friends out of the server. Also, most of my users use VPNs regularly, so geo-blocking was a hassle too. I tuned it a bit, but kept giving me headaches, so I ended up disabling it. I’ll spend more time tuning it someday.

    • Reannlegge@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 day ago

      Fine tuning is a great thing to keep in mind, just like a bloated pihole lots of false positives and over looked spots.

    • talentedkiwi@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 day ago

      Yeah, I keep getting myself blocked because of something I’m hosting is giving a lot of false positives. I suppose I’ll have to dig into it at some point. For now I just whitelist the IPs I use.

    • stratself@lemdro.id
      link
      fedilink
      English
      arrow-up
      2
      ·
      2 days ago

      I don’t think geoblocking would be a great fit for Matrix, since you’d be contacted by servers from all over the world. It’s more suitable for something like a static website

  • Mio@feddit.nu
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    2 days ago

    I believe it is a good start with crowdsec but feels like it gives false protection. The blocking only happens after they have done a couple of attempts and not before.

    • Encrypt-Keeper@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 day ago

      How would it, or any software for that matter determine a given request is malicious before it does something malicious?

      • Mio@feddit.nu
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        16 hours ago

        Yes, that is the hard part. But it can be done. Geoip blocking like only allow your country - blocking every China or Russian user etc. If you are selfhosting at home and worry about your SSH access, then you can do a lot of things to block then early. It is all about authentication. Lets say you require VPN access in - example Wireguard. You could require access only through somebody else, like Cloud flare tunnel. You could also do “port knocking” but that is not encrypted. You could require the user first has to be authenticated somewhere else, like require first Microsoft login and only then your ip is allowed.

    • Reannlegge@lemmy.caOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 day ago

      My first baby step into self hosting (years before I realized self hosting was the answer) was pihole. I realized it got most of the ads and I was happy with that, years went by and I realized more ads were getting through, so I learnt about fine tuning my ad list and regex lists. A little while went by and I heard that the google was selling .zip tlds so I learnt a little more about regex, not because I was worried I would unleash something on my LAN but just incase someone else did.

      Layers there are layers of things I needed to do to prevent the ads, and than layers of things I needed to do to prevent spam. So I knew there was going to be layers of things I would need to do to protect myself when I got a “real” home lab on the Wild Wild WAN. Home Labbing is like sex, sure it is fun but it can be dangerous if you do not protect yourself and there are layers of protection you should use.