Photo by Dan Burton on Unsplash

Photo by Dan Burton on Unsplash

CrowdSec crowd security service

Strength in Numbers

Article from ADMIN 73/2023
By
Threats can be detected and averted at an early stage with crowd security, in which organizations form a community to take concentrated action against cyberattacks by sharing attack data. We explain how this strategy works with the CrowdSec cloud service.

Cyberattacks are constantly on the rise, and ransomware is spreading rapidly. As a result, corporations also need to update their security strategies constantly. And it is better to fight against aggressors together than go it alone, according to CrowdSec [1], an open source cloud service and participative intrusion protection system (IPS) capable of analyzing the behavior of systems and providing a customized response to attacks. The tool acts as a community, sharing attack intelligence and fighting cyber criminals together. In this way, corporations can rely on data from the entire community to protect their servers, and not just on information obtained from their enterprise.

Information can come from syslogs, CloudTrail events, security information and event management (SIEM) systems, and other sources (e.g., from firewalls or the event viewer of Windows servers). Community members can access the details of the analyzed data and build their own intrusion detection systems (IDSs). The process of sending and receiving information can also be fully automated. After the initial setup, the system is autonomous. You can check the cloud service web console to discover whether your servers have been attacked and whether you need to take any action.

The software used in a CrowdSec network runs locally, but it can access community data offline, which means the software agent at the local data center can quickly identify unfriendly IP addresses drawn from community information. If your installation discovers new, unfriendly IP addresses itself, it in turn can upload that data to the cloud. After verification, these new addresses are published in the community.

Agent-Based Flexible Use

Corporations do not need to replace their entire security setup when they start using CrowdSec. Because the functionality resides in the cloud, you don't even have to operate your own servers. You just need to install agents on the individual servers. CrowdSec's fields of application can be broken down into different scenarios (e.g., the exploitation of the Log4j vulnerability).

Adding your own scenarios is no problem. Organizations can decide for themselves which potential attacks they want to defend against through CrowdSec and what information of their own they want to contribute to the community's common fight. The scenarios are often defined as YAML files and can be easily integrated into your environment. CrowdSec also works with honeypots to attract attackers. The reputation databases created in the process are also available to the general public.

Crowd security tools have notably been successful in defending against the Log4j vulnerability. Many applications and server operating systems contain undocumented components from the Java library. As a result, almost all networks are at risk. Because of the huge volume of data available for analysis, CrowdSec detects where exploits occur, and if other members of the community are using the same product, the exploit probably exists there, too.

Installing the Agent on Linux and Windows

Installing CrowdSec is a three-step process: (1) Set up the web console by creating an account with the provider (free of charge). (2) Install the agent on the servers you want to include and connect the servers to the console through the agent. (3) Use "bouncers" to prevent attacks actively, wherein the system simply blocks certain IP addresses.

Typically, you can use the package manager to install CrowdSec on Linux. On Debian systems, use the commands:

curl -s
https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get update
sudo apt-get install crowdsec

CrowdSec's agent is lightweight open source software that detects peers with aggressive behavior to prevent them accessing your systems. Although the Linux client is more mature, you can connect Windows servers to CrowdSec with an agent available on GitHub [2]. After downloading the MSI file, which is about 40MB in size, you can proceed to install the agent on Windows. The installation doesn't require any configuration steps and can be easily automated.

CrowdSec relies on collections to defend against threats. The install wizard automatically applies a collection for Windows servers to the systems. The installer also drops the matching system service into place on the Windows device. Servers connected in this way can be managed from https://app.crowdsec.net on the web console.

Configuring CrowdSec

Unlike Linux, CrowdSec on Windows does not yet support automatic configuration at install time. Some work is required after installing the agent. The default configuration intercepts brute force attacks against the remote desktop protocol (RDP), server message block (SMB) protocol, or any type of remote authentication that Windows uses, which already offers a modicum of protection. Whenever the CrowdSec service is updated or customized on Windows, you need to restart the service. You can do this in PowerShell by typing:

restart-service crowdsec

The required files and functions are placed in the Windows C:\Programs\CrowdSec directory. The agent's executable (crowdsec.exe) and command-line (cscli.exe) files also reside there. The various configuration files are stored in the config directory, and CrowdSec's internal logfiles are stored in the logs folder.

More advanced configuration relies on the cscli.exe command (Figure 1). The installation wizard also includes the agent executables in the Windows path, which means you can run the commands from any location in PowerShell, in Windows Terminal, or from the command prompt.

Figure 1: CrowdSec is managed on a server with the cscli tool, available on both Linux and Windows servers.

In the same way, you install different collections on a Windows server (Figure 2). To do this, run the command:

cscli collections install crowdsecurity/windows
Figure 2: On Windows, you first need to configure CrowdSec with the cscli.exe file after installing the agent.

Another collection for protecting SQL servers is installed with:

cscli collections install crowdsecurity/mssql

The collection detects attack attempts on the authentication of SQL servers. To monitor SQL servers you now need to edit the C:\ProgramData\CrowdSec\config\acquis.yaml file:

source: wineventlog
event_channel: Application
event_ids:
   - 18456
event_level: information
"label":
   type: eventlog

A separate collection is available for protecting Internet Information Services (IIS)-based web servers:

cscli collections install crowdsecurity/iis

Again, you need to edit a file – in this case, C:\ProgramData\CrowdSec\config\acquis.yaml:

use_time_machine: true
filenames:
   - C:\\inetpub\\logs\\LogFiles\\*\\*.log
"label":
   type: iis

To include the IIS event viewer entries from Windows in CrowdSec, use:

source: wineventlog
event_channel:
   Microsoft-IIS-Logging/Logs
event_ids:
   - 6200
event_level: information
"label":
   type: iis

Windows firewall monitoring can be enabled by typing:

cscli collections install crowdsecurity/windows-firewall

Here, too, you need to make a few changes to the YAML file mentioned earlier:

filenames:
   - C:\\Windows\\System32\\LogFiles\\Firewall\\pfirewall.log
"label":
   type: windows-firewall

After adding these collections for Windows, CrowdSec offers the following protections:

  • RDP/SMB: brute force detection
  • IIS: HTTP attacks
  • SQL Server: brute force detection
  • Windows Firewall: network scan detection

The Windows collections mainly analyze Windows logfiles and various scenarios for protection against password attacks. After installing CrowdSec on a server and integrating the desired collections, you need to register each server as an instance – more about that later. You can then use the web interface for administration. Typing

cscli collections list

accesses the settings on the current server.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Building a defense against DDoS attacks
    Targeted attacks such as distributed denial of service, with thousands of computers attacking your servers until one of them caves in, cannot be prevented, but they can be effectively mitigated.
  • MobaXterm: Unix for Windows

    MobaXterm, a portable X server for Windows, bundles built-in Unix/Posix tools into a single portable EXE file, letting you use a Linux command line and tools on the Windows desktop.

  • Intrusion Detection with OSSEC
    The OSSEC free intrusion detection and host-based intrusion prevention system detects and fixes security problems in real time at the operating system level with functions such as log analysis, file integrity checks, Windows registry monitoring, and rootkit detection. It can be deployed virtually anywhere and supports the Linux, Windows, and macOS platforms.
  • Windows Server 2016 for small servers
    Small businesses often do not need the full-blown version of Windows Server 2016. If the application scenarios are manageable, the cheaper Essentials version is the ideal solution; however, it does come with a number of restrictions.
  • New Exploit Bypasses Windows AppLocker
comments powered by Disqus