
Crowdsec can ban IPs after watching your logs, much like fail2ban. It has default “scenarios” that you can install and use to cover a wide variety of probing.
But beyond that, it can pull down a list of active trouble IPs that are probing sites across the world, so it gives you a chance of blocking prolific offenders before they reach you.
I thought its scenario for detecting WordPress hacking was harder to adapt than fail2ban’s. I think fail2ban’s use of regex is quite friendly.
I don’t know how common it is for you to actually get hit by one of the crowdsec IPs.
My own fail2ban rules, based mainly around stopping WordPress probing, currently have a banned list of IPs. Looking to see if any would have been blocked by crowdsec:
nft list ruleset | grep -E '(52.169.141.34|52.169.141.1|52.178.162.139|161.35.183.56|185.177.72.111|154.47.20.220|185.226.196.23|185.226.196.24|185.226.196.25|185.226.196.22|104.45.84.119|52.169.186.151|20.171.207.35|43.198.31.36|23.102.51.72)'
One of those IPs (20.171.207.35) would have been blocked by crowdsec:
20.171.207.35 timeout 6d21h59m51s expires 6d18h21m47s181ms, 20.171.207.36 timeout 6d21h59m51s expires 6d18h21m47s182
Looking at the whole week, a longer list of banned IPs, there are 4 still active in the crowdsec list:
20.171.207.35 timeout 6d21h59m51s expires 6d18h2m20s37ms, 20.171.207.36 timeout 6d21h59m51s expires 6d18h2m20s39ms,
103.81.194.70 timeout 4d9h44m56s expires 4d3h22m44s979ms, 103.82.24.141 timeout 5d16h44m56s expires 5d10h22m44s965ms,
139.99.69.160 timeout 6d7h44m56s expires 6d1h22m44s970ms, 139.99.112.1 timeout 6d22h44m56s expires 6d16h22m44s974ms,
182.70.254.153 timeout 4d23h59m51s expires 4d20h2m20s42ms, 182.71.75.106 timeout 6d21h44m56s expires 6d15h22m44s953m
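The same overlap check as an added example, not part of the original post. The one-line grep above matches substrings, so a pattern like 52.169.141.1 would also hit 52.169.141.10 through 52.169.141.19, and an unescaped dot matches any character; this script extracts the addresses from the nft output and compares whole addresses instead. The ruleset excerpt, the table and set names (crowdsec / crowdsec-blacklists, assumed here) and the banned list are constructed sample data; on a live host you would feed in the real `nft list ruleset` output and the IP list fail2ban reports for the jail.

```shell
#!/bin/sh
# Added example, not from the original post: compare a list of IPs banned by
# fail2ban against the addresses in the CrowdSec nftables set, matching whole
# addresses rather than substrings. All data below is constructed sample data;
# on a live host feed in `nft list ruleset` and `fail2ban-client status <jail>`.

# Constructed excerpt in the layout `nft list ruleset` prints for a set with
# timeouts. Table and set names and every address here are sample values.
SAMPLE_RULESET='table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
        elements = { 20.171.207.35 timeout 6d21h59m51s expires 6d18h21m47s181ms,
                     20.171.207.36 timeout 6d21h59m51s expires 6d18h21m47s182ms,
                     52.169.141.10 timeout 6d21h59m51s expires 6d18h21m47s182ms }
    }
}'

# Constructed list of addresses fail2ban has banned, one per line.
SAMPLE_BANNED='52.169.141.1
20.171.207.35
161.35.183.56'

# Print every IPv4 address found in nft output, one per line, deduplicated.
ruleset_ips() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Number of distinct addresses in the ruleset text (the post sees ~9300 live).
count_ips() {
    ruleset_ips "$1" | wc -l | tr -d ' '
}

# Print the banned IPs that also appear in the ruleset. grep -Fx matches the
# whole line, so 52.169.141.1 is not reported just because 52.169.141.10 is
# in the set, which a bare `grep '52.169.141.1'` would do.
overlap() {
    set_ips=$(ruleset_ips "$1")
    printf '%s\n' "$2" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        if printf '%s\n' "$set_ips" | grep -Fxq -- "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# Stand-alone run against the sample data.
printf 'set size: %s\n' "$(count_ips "$SAMPLE_RULESET")"
printf 'fail2ban bans also in the CrowdSec set:\n'
overlap "$SAMPLE_RULESET" "$SAMPLE_BANNED"
```

Against the sample data only 20.171.207.35 is reported, while a substring grep for 52.169.141.1 would have claimed a second hit because of the 52.169.141.10 entry.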
I can’t say that I notice any performance hit. It doesn’t seem to interfere with firewalld or iptables if you run crowdsec. The list is quite long, 9300 entries right now, and it’s growing.
To install:
curl -s https://install.crowdsec.net | sudo sh
sudo dnf install -y crowdsec
sudo systemctl enable --now crowdsec
sudo journalctl -u crowdsec -f
Install the “bouncer”, which is the component that actually applies the bans in the firewall. I use firewalld, so the nftables variant is the one to choose:
sudo dnf install -y crowdsec-firewall-bouncer-nftables
sudo systemctl enable --now crowdsec-firewall-bouncer
There is a wide variety of collections and scenarios you can use:
sudo cscli collections install crowdsecurity/linux
sudo cscli scenarios list
It has a long list of prolific active IPs to block, which you can see with nft:
nft list ruleset
To confirm that a decision reaches the firewall, add a test decision and look for it in the ruleset:
cscli decisions add --ip 1.2.3.4 --reason "test block"
nft list ruleset | grep 1.2.3.4