I've written before about Crowdsec but for one reason and another had let my initial experiments drift. Until last week. I noticed they had a new release out and thought it might be time to bring things up to date.
0.3.5 to 1.1.1
Not as simple as it could have been, but along the way I learnt a lot and probably ended up with things closer to how I would like them as a result.
However, if you're in this position, don't do it the way I did. Just to wipe things and start over. Seriously.
Whitelist
One of the 02-enrich parsers is whitelists.yaml.
name: crowdsecurity/whitelists
description: "Whitelist events from private ipv4 addresses"
whitelist:
reason: "private ipv4/ipv6 ip/ranges"
ip:
- "127.0.0.1"
- "::1"
cidr:
- "192.168.0.0/16"
- "10.0.0.0/8"
- "172.16.0.0/12"
# expression:
# - "'foo.com' in evt.Meta.source_ip.reverse" This is all good and fine, but there is something missing!
After a few minor issues with blocked addresses I realised that I needed to add the local addresses for the server.
cscli
This is really worth spending some time looking at. Lots of usefulness.
It's worth noting that the metrics don't get reset on a reload, only a restart. This means if you are experimenting with different parsers and scenarios then until you restart you may see stale data.
One useful feature is being able to review what you actually have installed, using the list command to the various elements.
$ cscli parsers list
--------------------------------------------------------
NAME 📦 STATUS VERSION
--------------------------------------------------------
crowdsecurity/apache2-logs ✔️ enabled 0.5
crowdsecurity/dateparse-enrich ✔️ enabled 0.1
crowdsecurity/geoip-enrich ✔️ enabled 0.2
crowdsecurity/http-logs ✔️ enabled 0.6
crowdsecurity/whitelists ⚠️ enabled,tainted ?
crowdsecurity/sshd-logs ✔️ enabled 0.6
crowdsecurity/syslog-logs ⚠️ enabled,tainted ?
--------------------------------------------------------(Modified output)
However, when the status indicates "update-available" I have never managed to get it to update. Hopefully this is still a work in progress :-)
Parsing
One of the hardest things to figure out can be what's going on with the parsing. When enabling the dovecot collection from the Crowdsec Hub I rapidly discovered that everyone logging in to check their mail was getting banned! The culprit turned out to be a difference in the logfile entries on my system to what the filter expected, but it wasn't immediately obvious.
I wrote a small app that uses as much of the crowdsec infrastructure as it can but tries to simply show what parsing is being done and hence give you clues to fix issues. The app (cs_parser_test) is available on github. Suggestions for improvements welcome!
Developers
Throughout my usage of Crowdsec I've been impressed by how responsive and welcoming the development team have been. They genuinely care about the product and the service. Suggestions for changes are welcomed and considered rather than simply being rebuffed as can be the case.