CrowdSec is a new security project designed to protect servers, services, containers or virtual machines exposed on the Internet, using a server-side agent. It was inspired by Fail2Ban and is intended to be a collaborative, modernized version of that intrusion prevention framework.
In a sense it is a descendant of Fail2Ban, a project born sixteen years ago. However, it offers a more modern, collaborative approach and its own technical foundations to respond to today's contexts.
CrowdSec, written in Go, is a security automation engine based on both the behavior and the reputation of IP addresses.
The software detects malicious behavior locally, handles the threat, and also collaborates globally with its network of users by sharing the detected IP addresses.
This allows everyone to block them preventively. The goal is to build a large IP reputation database and to keep its use free for those who help enrich it.
How does CrowdSec work?
CrowdSec is a modular and pluggable framework. It ships with a large variety of well-known scenarios; users can choose which scenarios they want to be protected against, and can easily add custom ones to better suit their environment.
The goal is to deploy the software in as many environments as possible. Its fast execution, its compatibility with containers, its ease of use in cloud environments and its portability across Unix-like, macOS and Windows ecosystems are all meant to address the whole market.
Behavior analysis engine
This is the first layer of protection. YAML-defined scenarios correlate events: matching events enter a leaky bucket, and a signal is raised if the bucket overflows. You can then apply the response of your choice through bouncers.
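To make the leaky-bucket idea concrete, here is an added example in Go (CrowdSec's own language) that is not CrowdSec's code: it runs a constructed sshd log through a regular-expression filter and a per-IP leaky bucket with the assumed semantics "a capacity of N events, one event drained every leakspeed, overflow when an event arrives while the bucket is full", and reports the overflows that would become signals. The `Scenario`, `Event`, `Feed` and `Run` names, the bucket arithmetic and the sample log lines are all this example's own assumptions, not CrowdSec's types, scenario format or configuration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Event is one log line that matched the scenario filter.
type Event struct {
	SourceIP string
	At       time.Time
}

// Scenario carries the knobs a CrowdSec-style leaky scenario exposes. Semantics
// assumed here (not taken from CrowdSec's code): the bucket holds up to Capacity
// events and drains one every LeakSpeed; an event arriving while it is full overflows it.
type Scenario struct {
	Capacity  int
	LeakSpeed time.Duration
}

// bucket is the per-source-IP state (source IP plays the "groupby" key).
type bucket struct {
	level    float64
	lastSeen time.Time
}

// Feed pours one event into its source IP's bucket and reports whether the
// bucket overflowed, i.e. whether the scenario should raise a signal.
func Feed(sc Scenario, buckets map[string]*bucket, ev Event) bool {
	b, ok := buckets[ev.SourceIP]
	if !ok {
		b = &bucket{lastSeen: ev.At}
		buckets[ev.SourceIP] = b
	}
	// Leak first: drain in proportion to the time elapsed since the last event.
	b.level -= ev.At.Sub(b.lastSeen).Seconds() / sc.LeakSpeed.Seconds()
	if b.level < 0 {
		b.level = 0
	}
	b.lastSeen = ev.At
	if b.level >= float64(sc.Capacity) {
		b.level = 0 // overflow: reset, so a persistent attacker is reported again later
		return true
	}
	b.level++
	return false
}

// sshdFailedLogin plays the role of the scenario "filter": only lines matching
// it become events. Timestamps are expected in RFC 3339 form.
var sshdFailedLogin = regexp.MustCompile(
	`^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port \d+ ssh2$`)

// ParseLine returns the Event for a matching line, or ok=false otherwise.
func ParseLine(line string) (Event, bool) {
	m := sshdFailedLogin.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	at, err := time.Parse(time.RFC3339, m[1])
	if err != nil {
		return Event{}, false
	}
	return Event{SourceIP: m[2], At: at}, true
}

// Run feeds a log through the filter and the buckets and returns one entry per
// overflow, in the form "<ip> at <timestamp>".
func Run(sc Scenario, lines []string) []string {
	buckets := map[string]*bucket{}
	var signals []string
	for _, l := range lines {
		if ev, ok := ParseLine(l); ok && Feed(sc, buckets, ev) {
			signals = append(signals, ev.SourceIP+" at "+ev.At.Format(time.RFC3339))
		}
	}
	return signals
}

// SampleLog is constructed for this example: 203.0.113.7 fails five times in
// five seconds, 198.51.100.9 fails twice a minute apart (a user mistyping a
// password), and one line is a successful login that the filter must ignore.
var SampleLog = []string{
	"2024-05-01T10:00:00Z sshd[4242]: Failed password for root from 203.0.113.7 port 50001 ssh2",
	"2024-05-01T10:00:00Z sshd[4243]: Failed password for alice from 198.51.100.9 port 40002 ssh2",
	"2024-05-01T10:00:01Z sshd[4242]: Failed password for root from 203.0.113.7 port 50002 ssh2",
	"2024-05-01T10:00:02Z sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2",
	"2024-05-01T10:00:03Z sshd[4242]: Accepted publickey for deploy from 198.51.100.5 port 40001 ssh2",
	"2024-05-01T10:00:03Z sshd[4242]: Failed password for invalid user admin from 203.0.113.7 port 50004 ssh2",
	"2024-05-01T10:00:04Z sshd[4242]: Failed password for root from 203.0.113.7 port 50005 ssh2",
	"2024-05-01T10:01:00Z sshd[4243]: Failed password for alice from 198.51.100.9 port 40003 ssh2",
}

func main() {
	sc := Scenario{Capacity: 3, LeakSpeed: 10 * time.Second}
	fmt.Println("ssh brute-force signals:", Run(sc, SampleLog))
}
```

With a capacity of 3 and a leak speed of 10 seconds, the burst from 203.0.113.7 overflows on its fifth failure while the slow failures from 198.51.100.9 drain away between attempts; the same log with a leak speed of one second yields no signal at all, which is the knob to turn when legitimate users keep tripping a scenario. The overflow is the signal that a bouncer would then act on.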
Reputation engine
The reputation engine rests on a very simple principle, but it is difficult to get right. Basically, each CrowdSec installation can benefit from a curated IP blocklist distributed by our central API. The list is tailored to what you run: if you are using LAMP, you do not need the IP addresses that attack other technical stacks, such as Windows, for example.
This database is fed by all CrowdSec instances, whose signals are filtered and processed centrally by our API. False positives and poisoning attempts by attackers are a real problem, hence the need to process the signals that come out of CrowdSec installations.
We think we have a pretty solid recipe for doing this, which we call consensus. It combines various techniques, such as cross-checking signals from other trusted members, our own network of decoys (honeypots), canary lists (an allowlist of IP addresses), etc.
Our goal is to distribute only fully reliable lists. Also, identifying who is dangerous, and when, depends heavily on a specific context and time period. For example, an IP address that was deemed clean yesterday can be compromised today, and its administrators can clean it up the next day. An IP address that probes SSH is not a threat to your terminal server (TSE), etc.
The software includes a lightweight local dashboard based on Metabase. CrowdSec also exposes Prometheus metrics, providing observability and alerting capabilities.
The reputation engine currently holds more than 103,000 "consensus" IP addresses (addresses that have passed the anti-poisoning and anti-false-positive tests).
To date, the members of the community come from more than fifty countries spread over six continents.
While the software currently looks like a modernized Fail2Ban, the goal is to harness the power of the crowd to create a highly accurate IP reputation database. When CrowdSec blocks a specific IP, the triggered scenario and the timestamp are sent to our API to be verified and integrated into the global consensus of bad IPs.
CrowdSec is free and open source (under an MIT license), with the source code available on GitHub. It is currently available for Linux, with ports to macOS and Windows on the roadmap.