CrowdSec Setup for Alpine Linux

CrowdSec setup with community blocklists and SSH log analysis.

Architecture

┌─────────────────────────────────────────────────────────────┐
│  Alpine Linux Host                                          │
│                                                             │
│  ┌────────────────────┐       ┌──────────────────────────┐  │
│  │  Docker Container  │       │  Host Service            │  │
│  │                    │       │                          │  │
│  │  CrowdSec Engine   │◄──────│  cs-firewall-bouncer     │  │
│  │  (API + Blocklists │       │  (nftables)              │  │
│  │   + Log analysis)  │       └────────────┬─────────────┘  │
│  └─────────┬──────────┘                    │                │
│            │                               ▼                │
│   /var/log/messages ──────►     nftables Firewall           │
│   (SSH Logs)                    DROP malicious IPs          │
└─────────────────────────────────────────────────────────────┘

What gets blocked?

  • IPs from community blocklists (~15,000 known attackers)
  • IPs that run SSH brute-force attacks against your server (local detection)

Installation

1. Copy the files to the server

scp -r docker-compose.yml acquis.d setup-alpine.sh user@server:/opt/crowdsec/

2. Run the setup script

cd /opt/crowdsec
chmod +x setup-alpine.sh
doas ./setup-alpine.sh

3. Start the container

docker compose up -d

4. Register with the CrowdSec Console

  1. Create an account at https://app.crowdsec.net
  2. Security Engines -> Add -> copy the enrollment key
  3. Enroll the engine:
     docker compose exec app cscli console enroll DEIN_ENROLLMENT_KEY
     docker compose restart app
  4. Confirm the engine in the dashboard (Accept)
  5. Subscribe to the desired lists under "Blocklists"

5. Generate the bouncer API key

docker compose exec app cscli bouncers add firewall-bouncer -o raw

6. Enter the API key

vi /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
# api_url: http://127.0.0.1:1337/
# api_key: HIER_DEN_KEY_EINTRAGEN

7. Start the bouncer

rc-service cs-firewall-bouncer start
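Before step 7, a pre-flight check for the file edited in step 6, added here as an example that is not part of this repo. It assumes the default config path and the placeholder value shown above, and treats a plaintext api_url to a non-loopback host and a world-readable config file (it holds the API key) as errors.

```shell
#!/bin/sh
# Added pre-flight check (not part of the original repo): verify the
# bouncer config from step 6 before starting cs-firewall-bouncer.
# Assumptions: the default config path and placeholder from this README;
# http is accepted only on loopback, any other host must use https so
# the API key is not sent in plaintext.

BOUNCER_CFG="${BOUNCER_CFG:-/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml}"
PLACEHOLDER="HIER_DEN_KEY_EINTRAGEN"

# Print the value of an uncommented top-level "key: value" line, quotes stripped.
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# Return 0 when the config is usable, otherwise print the reason and return 1.
check_bouncer_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "missing or unreadable: $cfg"; return 1; }

    key=$(cfg_value "$cfg" api_key)
    case "$key" in
        ""|"$PLACEHOLDER")
            echo "api_key not set: run 'cscli bouncers add firewall-bouncer -o raw' and paste the key"
            return 1 ;;
    esac

    url=$(cfg_value "$cfg" api_url)
    case "$url" in
        http://127.0.0.1:*|http://127.0.0.1/*|http://localhost:*|https://*) ;;
        "") echo "api_url not set"; return 1 ;;
        *)  echo "api_url '$url' is plaintext http to a non-local host"; return 1 ;;
    esac

    # The file holds a secret: refuse world-readable modes (last octal digit >= 4).
    perms=$(stat -c %a "$cfg" 2>/dev/null || echo 600)
    case "$perms" in
        *[4-7]) echo "$cfg is world-readable (mode $perms)"; return 1 ;;
    esac

    echo "bouncer config OK"
    return 0
}

# Run the check when a path is given, e.g. ./check-bouncer.sh "$BOUNCER_CFG".
[ $# -eq 0 ] || check_bouncer_config "$1"
```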

Verification

# Bouncer connected?
docker compose exec app cscli bouncers list

# Decisions/IPs loaded?
docker compose exec app cscli metrics show decisions

# Local alerts (SSH brute-force etc.)
docker compose exec app cscli alerts list

# nftables rules active?
nft list ruleset | grep -A5 crowdsec

# Show blocked IPs
nft list set ip crowdsec crowdsec-blacklists-CAPI | head -50

Maintenance

# Bouncer status
rc-service cs-firewall-bouncer status

# Bouncer logs
tail -f /var/log/crowdsec-firewall-bouncer.log

# Container logs
docker compose logs -f app

# Ban an IP manually
docker compose exec app cscli decisions add --ip 1.2.3.4 --reason "manual ban"

# Remove a ban
docker compose exec app cscli decisions delete --ip 1.2.3.4

Files

crowdsec/
├── docker-compose.yml    # CrowdSec container
├── acquis.d/
│   └── syslog.yaml       # Log source configuration
├── setup-alpine.sh       # Host setup script
└── README.md
