Stay Ahead With Linux Security Features
security advisory attack A Linux server gets cleaned up after an intrusion. The suspicious process is terminated, credentials are rotated, and the system is rebooted during maintenance. Everything seems secure. A few hours later, the same outbound connection appears again. . Situations like that point to persistence . The attacker no longer needs the original exploit because something on the host continues restoring access behind the scenes. Finding that mechanism is often more important than understanding how the...
Jun 08, 2026
threat detection scalability Building a SIEM is easier than scaling one. Most open-source deployments start as a simple "all-in-one" server. It is easy to set up, but that design rarely survives the transition from a lab to a production workload. . A SIEM watching 20 endpoints is not doing the same job as one watching 500. More endpoints mean more logs; more logs require more storage; more storage makes search heavier. Eventually, the very architecture that made your lab easy to deploy becomes the reason your production...
Jun 04, 2026
security advisory apache A newly disclosed attack technique called HTTP/2 Bomb is drawing attention because it targets the software that sits at the front of much of the Linux internet. Apache HTTP Server, NGINX, Envoy, and the ingress layers that many Kubernetes environments depend on can be forced into consuming disproportionate amounts of memory using relatively small amounts of attacker traffic. . For Linux administrators, the concern is not the HTTP/2 protocol itself. It is the possibility that a single...
Jun 04, 2026
security advisory important The compromise of Nx Console shows how much infrastructure now sits behind a single developer account. GitHub repositories, CI/CD pipelines, container build systems, Terraform projects, Kubernetes deployments. None of those systems was the initial target. The workstation was. . Attackers did not need a Linux privilege escalation bug or a remote code execution chain. They needed developers to trust a tool they were already using. For many organizations, that was enough. What Happened? Federal...
Jun 03, 2026
security advisory open-source You remove the malware. You rotate the compromised credentials. You patch the original vulnerability and close the ticket. Two weeks later, the attacker is back. . What happened? You didn't lose the battle at the exploit; you lost it at the cleanup. In many modern Linux intrusions, the malware you found wasn't the main problem—it was the fallback mechanisms left behind. These hooks quietly restore attacker access the moment you look away. If you clean a host but miss these persistence layers,...
Jun 02, 2026
Refine features
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security features
We found -3 articles for you...
102
intrusion preventionsecurity toolopen sourceCrowdSec v1.1.x Release: Exciting Features and Installation Steps
On July 8, 2021, the CrowdSec team released CrowdSec v1.1.x - the latest version of their free and open-source cybersecurity solution designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent - with new packages and repositories, as well as improvements to to the CrowdSec agent itself. LinuxSecurity spoke with the CrowdSec team to provide readers with insight into what they can expect from this exciting release, and how they can get started with CrowdSec v1.1.x. . A Brief Introduction to CrowdSec CrowdSec is a modernized, collaborative version of the Fail2Ban intrusion-preventio n tool that is designed to run on complex modern architectures including clouds, containers and lambdas. It leverages a behavior analysis system based on logs to determine whether someone is trying to hack you. If your agent detects such aggression, the offending IP is then sent for curation. If it passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to “immunize” them against this IP. Philippe Humeau, CEO and co-founder of the company explains, “The goal is to leverage the power of the crowd to create a real-time IP reputation database. Ultimately, CrowdSec harnesses the power of the community to create an extremely accurate IP reputation system that benefits all its users. With its collaborative, transparent roots, Open Source has provided and continues to provide our team with the optimal framework to accomplish this mission”. Enhancing Package Support with Package Cloud As part of the CrowdSec v1.1.x release, CrowdSec has moved its services to Package Cloud , a fast, reliable and secure cloud-hosted package distribution. This move has enabled CrowdSec to distribute more packages to their customers . Thibault Koechlin, CTO, elaborates, “Alongside existing packages for Debian and Ubuntu including Bionic, Bullseye, Buster, Focal, Stretch, Focal for x86-64 and arm, we now provide packagesfor Red Hat Enterprise Linux (RHEL), CentOS and Amazon Linux. We encourage users to update repositories’ URLs as soon as they can. The “old” repository (S3 bucket used as a repository) will no longer be updated and will be decommissioned shortly.” As part of this landmark release, CrowdSec has also added RPM and Debian package support to its firewall bouncer , which fetches new and old decisions from a CrowdSec API and adds them to a blocklist used by supported firewalls, and its custom bouncer , which fetches new and expired or removed decisions from a CrowdSec Local API and passes them as arguments to a custom user script. Various improvements have also been made to CrowdSec itself, one of the most notable being a revamp of the data acquisition process to add support for CloudWatch sources. Their CTO states, “We are excited to announce that CrowdSec can also now act as a syslog server, which should allow for the addition of many more data sources in future releases!” Getting Started with CrowdSec v1.1.x With the release of v1.1.x, getting started with CrowdSec is now easier than ever! To install CrowdSec on Ubuntu or Debian, add the repositories: curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash Then install: sudo apt-get install crowdsec -y On a CentOS or Red Hat Enterprise Linux (RHEL) system, add the repositories: curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash Then install: sudo dnf install crowdsec If you install new services after this, you can update CrowdSec to install the required collections using: /usr/share/crowdsec/wizard.sh -c Repel Attacks with Bouncers CrowdSec’s detection capabilities provide visibility into the threats targeting your system; however, deterring attacks requires an intelligent, proactive security strategy, which is where bouncers come into play! Bouncers work by querying CrowdSec’s API to know when to block anIP. They can be downloaded directly from the CrowdSec Hub . To install the Cs-firewall-bouncer in an Ubuntu or Debian repository, use: sudo apt install crowdsec-firewall-bouncer-nftables crowdsec-firewall-bouncer If you are an CentOS or RHEL user, use: sudo dnf install crowdsec-firewall-bouncer-nftables The CrowdSec Console: CrowdSec Values Your Feedback! The brand-new CrowdSec Console, which is now in private beta, provides an easy-to-use web interface to inspect multiple CrowdSec agents spread across different networks. You can create a Console account and find instructions to enroll the CrowdSec agent app . Philippe, CEO, concludes, “The CrowSec team encourages testing and feedback! To get in touch with us, visit our Gitter channel . We look forward to continuing to provide our users with versatile, reliable and user-friendly intrusion-prevention services.” . Explore the latest enhancements in CrowdSec v1.1.x for bolstered protection and learn straightforward installation methods across different operating systems.. CrowdSec Installation,Linux Security Tools,Intrusion Detection,Cloud Package Management. . Brittany Day
Aug 01, 2021
•
102
security advisorydebianDebianDebian: CrowdSec v.1.0.X Security Advisory - Local REST API Features
Thank you to the Crowdsec project for contributing this article. The official release of CrowdSec v.1.0.X introduces several improvements to the previous version, including a major architectural change: the introduction of a local REST API. . This local API allows all components to communicate more efficiently to support more complex architectures, while keeping it simple for single-machines users. It also makes the creation of bouncers (the remediation component) much simpler and renders them more resilient to upcoming changes, which limits maintenance time. In the new 1.0 release, the CrowdSec architecture has been deeply remodeled: All CrowdSec components (the agent reading logs, cscli for humans, and bouncers to deter the bad guys) can now communicate via a REST API, instead of reading or writing directly in the database. With this new version, only the local API service will interact with the database (e.g. SQLite, PostgreSQL and MySQL). In this tutorial, we are going to cover how to install and run CrowdSec on a Linux server: CrowdSec setup Testing detection capabilities Bouncer set up Observability Set up the environment The machine I used for this test is a Debian 10 Buster t2.medium EC2. To make it more relevant, let’s start by installing nginx: $ sudo apt-get update $ sudo apt-get install nginx Configure the security groups so that both secure shell (SSH) (tcp/22) and HTTP (tcp/80) can be reached from the outside world. This will be useful for simulating attacks later. Install CrowdSec Grab the latest version of CrowdSec: $ curl -s https://api.github.com/repos/crowdsecurity/crowdsec/releases/latest | grep browser_download_url| cut -d '"' -f 4 | wget -i - Here is the installation process : $ tar xvzf crowdsec-release.tgz $ cd crowdsec-v1.0.0/ $ sudo ./wizard.sh -i The wizard helps guide installation and configuration. First, the wizard identifies services present on themachine. It allows you to choose which services to monitor. For this tutorial, go with the default option and monitor all three services: Nginx, SSHD, and the Linux system. For each service, the wizard identifies the associated log files and asks you to confirm (use the defaults again): Once the services and associated log files have been identified correctly (which is crucial, as this is where CrowdSec will get its information), the wizard prompts you with suggested collections. A collection is a set of configurations that aims to create a coherent ensemble to protect a technological stack. For example, the crowdsecurity/sshd collection contains a parser for SSHD logs and a scenario to detect SSH bruteforce and SSH user enumeration . The suggested collections are based on the services that you choose to protect. The wizard’s last step is to deploy generic whitelists to prevent banning private IP addresses . It also reminds you that CrowdSec will detect malevolent IP addresses but will not ban any of them . You need to download a bouncer to block attacks. This is essential to remember: CrowdSec detects attacks; bouncers block them. Now that the initial setup is done, CrowdSec should be up and running. Deter attacks with CrowdSec By installing CrowdSec, you should already have coverage for common Internet background noise. Check it out! Attacking a web server with wapiti Simulate a web application vulnerability scan on your Nginx service using Wapiti, a web application vulnerability scanner. You need to do this from an external IP, and keep in mind that private IPs are whitelisted by default : ATTACKER$ wapiti -u [*] Saving scan state, please wait... Note ======== This scan has been saved in the file /home/admin/.wapiti/scans/34.248.33.108_folder_b753f4f6.db ... On your freshly equipped machine, we can see the attacks in the logs : My IP triggered different scenarios : crowdsecurity/http-path-traversal-probing : detects path traversal probing attempts patterns in the URI or the GET parameters crowdsecurity/http-sqli-probbing-detection : detects obvious SQL injection probing attempts patterns in the URI or the GET parameters Bear in mind that the website you attacked is an empty Nginx server . If this were a real website, the scanner would perform many other actions that would lead to more detections. Checking results with cscli Cscli is one of the main tools for interacting with the CrowdSec service, and one of its features is visualizing active decisions and past alerts. The cscli decisions list command displays active decisions at any time, while cscli alerts list shows past alerts (even if decisions are expired or the alert didn't lead to a decision). You can also inspect a specific alert to get more details with cscli alerts inspect -d (using the ID displayed in the left-hand column of the alerts list). cscli offers other features, but one to look at now is to find out which parsers and scenarios are installed in the default setup. Observability Observability (especially for software that might take defensive countermeasures) is always a key point for a security solution. Besides its "tail the logfile" capability, CrowdSec offers two ways to achieve this: Metabase dashboards , and Prometheus metrics . Metabase dashboard cscli allows you to deploy a new Metabase and Docker . Begin by installing Docker using its official documentation . If you’re using an AWS EC2 instance, be sure to expose tcp/3000 to access your dashboard. cscli dashboard setup enables you to deploy a new Metabase dashboard running on Docker with a random password. Prometheus metrics While some people love visual dashboards, others prefer different kinds of metrics. This is where CrowdSec’s Prometheus integration comes into play. One way to visualize these metrics is with cscli metrics : The cscli metrics command exposes only a subset of Prometheus metrics that are important for system administrators . You can find a detailed description of the metrics in the documentation. The metrics are split into various sections : Buckets: How many buckets of each type were created, poured or have overflowed since the daemon startup? Acquisition: How many lines or events were read from each of the specified sources, and were they parsed and/or poured to buckets later? Parser: How many lines/events were delivered to each parser, and did the parser succeed in processing the mentioned events? Local API: How many times was each route hit and so on? Viewing Crowdsec’s Prometheus metrics via cscli metrics is more convenient but doesn’t do justice to Prometheus. It is out of scope for this article to deep dive into Prometheus, but these screenshots offer a quick look at what CrowdSec's Prometheus metrics look like in Grafana. Defend attacks with bouncers CrowdSec's detection capabilities provide observability into what is going on. However, to protect yourself, you need to block attackers, which is where bouncers play a major part. Remember: CrowdSec detects, bouncers deter. Bouncers work by querying CrowdSec’s API to know when to block an IP . You can download them bouncers directly from the CrowdSec Hub : For this example, use cs-firewall-bouncer . It directly bans directly any malevolent IP at the firewall level using iptables or nftables Note: if you used your IP to simulate attacks, unban your IP before going further: sudo cscli decisions delete -i X.X.X.X Install the bouncer First, download the bouncer from the Hub: $ wget githubusercontent $ tar xvzf cs-firewall-bouncer.tgz $ cd cs-firewall-bouncer-v0.0.5/ The bouncer can be installed with a simple install script: The install script will check if you have iptables or nftables installed and prompt you to install if not. Bouncers communicate withCrowdSec via a REST API, so check that the bouncer is registered on the API. The last command ( sudo cscli bouncers list ) shows our newly installed bouncer. Test the bouncer Warning: Before going further, ensure you have another IP available to access your machine and that you will not kick yourself out. Using your smartphone's internet connection will work. Now that you have a bouncer to protect you, try the test again. Try to access the server at the end of the scan : ATTACKER$ curl --connect-timeout 1 curl: (28) Connection timed out after 1001 milliseconds See how it turns out from the defender’s point of view. For the technically curious, cs-firewall-bouncer uses either nftables or iptables. Using nftables (used on Debian 10 by default) creates and maintains two tables named crowdsec and crowdsec6 (for IPv4 and IPv6 respectively). $ sudo nft list ruleset … table ip crowdsec { set crowdsec_blocklist { type ipv4_addr elements = { 3.22.63.25, 3.214.184.223, 3.235.62.151, 3.236.112.98, 13.66.209.11, 17.58.98.156, … } } chain crowdsec_chain { type filter hook input priority 0; policy accept; ip saddr @crowdsec_blocklist drop } } table ip6 crowdsec6 { set crowdsec6_blocklist { type ipv6_addr } chain crowdsec6_chain { type filter hook input priority 0; policy accept; ip6 saddr @crowdsec6_blocklist drop } } You can change the firewall backend used by the bouncer in /etc/crowdsec/cs-firewall-bouncer/cs-firewall-bouncer.yaml by changing the mode from nftables to iptables (ipset is required for iptables mode). Get involved We would love to hear your feedback about this latest release. If you are interested in testing the software or would like to get in touch with the team, check the following links: our website GitHub repository Gitter . This localAPI allows all components to communicate more efficiently to support more complex archite. crowdsec, thank, project, contributing, article, official, release. . Brittany Day
Mar 01, 2021
•
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Discover faster search, smarter navigation, and deeper Linux security insights. Read More