Blog V2

On July 8, 2021, the CrowdSec team released CrowdSec v1.1.x - the latest version of their free and open-source cybersecurity solution designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent - with new packages and repositories, as well as improvements to to the CrowdSec agent itself. LinuxSecurity spoke with the CrowdSec team to provide readers with insight into what they can expect from this exciting release, and how they can get started with CrowdSec v1.1.x.

A Brief Introduction to CrowdSec

CrowdSec is a modernized, collaborative version of the Fail2Ban intrusion-preventioBlog 1190x620px Tutorialn tool that is designed to run on complex modern architectures including clouds, containers and lambdas. It leverages a behavior analysis system based on logs to determine whether someone is trying to hack you. If your agent detects such aggression, the offending IP is then sent for curation. If it passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to “immunize” them against this IP. Philippe Humeau, CEO and co-founder of the company explains, “The goal is to leverage the power of the crowd to create a real-time IP reputation database. Ultimately, CrowdSec harnesses the power of the community to create an extremely accurate IP reputation system that benefits all its users. With its collaborative, transparent roots, Open Source has provided and continues to provide our team with the optimal framework to accomplish this mission”.

Enhancing Package Support with Package Cloud

As part of the CrowdSec v1.1.x release, CrowdSec has moved its services to Package Cloud, a fast, reliable and secure cloud-hosted package distribution. This move has enabled CrowdSec to distribute more packages to their customers. Thibault Koechlin, CTO, elaborates, “Alongside existing packages for Debian and Ubuntu including Bionic, Bullseye, Buster, Focal, Stretch, Focal for x86-64 and arm, we now provide packages for Red Hat Enterprise Linux (RHEL), CentOS and Amazon Linux. We encourage users to update repositories’ URLs as soon as they can. The “old” repository (S3 bucket used as a repository) will no longer be updated and will be decommissioned shortly.”

As part of this landmark release, CrowdSec has also added RPM and Debian package support to its firewall bouncer, which fetches new and old decisions from a CrowdSec API and adds them to a blocklist used by supported firewalls, and its custom bouncer, which fetches new and expired or removed decisions from a CrowdSec Local API and passes them as arguments to a custom user script.

Various improvements have also been made to CrowdSec itself, one of the most notable being a revamp of the data acquisition process to add support for CloudWatch sources. Their CTO states, “We are excited to announce that CrowdSec can also now act as a syslog server, which should allow for the addition of many more data sources in future releases!”

Getting Started with CrowdSec v1.1.x

With the release of v1.1.x, getting started with CrowdSec is now easier than ever! To install CrowdSec on Ubuntu or Debian, add the repositories:

curl -s | sudo bash 

Then install:

sudo apt-get install crowdsec -y

On a CentOS or Red Hat Enterprise Linux (RHEL) system, add the repositories:

curl -s | sudo bash 

Then install:

sudo dnf install crowdsec 

If you install new services after this, you can update CrowdSec to install the required collections using:

/usr/share/crowdsec/ -c 

Repel Attacks with Bouncers

CrowdSec’s detection capabilities provide visibility into the threats targeting your system; however, deterring attacks requires an intelligent, proactive security strategy, which is where bouncers come into play! 

Bouncers work by querying CrowdSec’s API to know when to block an IP. They can be downloaded directly from the CrowdSec Hub.

To install the Cs-firewall-bouncer in an Ubuntu or Debian repository, use:

sudo apt install crowdsec-firewall-bouncer-nftables crowdsec-firewall-bouncer

If you are an CentOS or RHEL user, use:

sudo dnf install crowdsec-firewall-bouncer-nftables

The CrowdSec Console: CrowdSec Values Your Feedback!

The brand-new CrowdSec Console, which is now in private beta, provides an easy-to-use web interface to inspect multiple CrowdSec agents spread across different networks. You can create a Console account and find instructions to enroll the CrowdSec agent app.

Philippe, CEO, concludes, “The CrowSec team encourages testing and feedback! To get in touch with us, visit our Gitter channel. We look forward to continuing to provide our users with versatile, reliable and user-friendly intrusion-prevention services.”

CrowdSec Console