Boosting your Linux Server Security with CrowdSec

Captions
Hello again, everyone, and welcome back to Learn Linux TV. In today's video we're going to take another look at CrowdSec. Now, I've already done a video about CrowdSec, and it wasn't even that long ago, but I wanted to do a more in-depth video because I've been using it for a little while now and I've learned a little bit more about it, and I felt like I could actually give you guys a more in-depth look at CrowdSec itself. So that's what I'm going to do in today's video.

Now, if you haven't seen my previous video, you might not know what CrowdSec is, and that would be a shame, because CrowdSec is really awesome. Otherwise, why else would I do a video about it, especially a second video about it? CrowdSec aims to help protect your Linux servers, but it does it a little bit differently than other solutions. Actually, it's quite a bit different than other solutions, because it takes into account what's going on in the wild and it uses that knowledge to help protect your servers, because, well, knowledge is power. More specifically, when you install CrowdSec, it's going to download a block list of known bad actor IPs, so that way your server is protected against those IPs right from the beginning. And having a block list is very awesome, because, well, you're protected against known threats. That's really cool, but that's not even the main thing. The main thing is that it takes advantage of knowledge in general. For example, if a CrowdSec user is having their server attacked by a specific IP, then that information is sent upstream, so all the other users of CrowdSec are also aware that that attack happened and where it came from. So if one user is being attacked, then all the users of CrowdSec are aware of that attack and where it came from, and it builds the intelligence that it's going to use to help protect your servers. So what I'm going to do in today's video is show you guys two scenarios, where I'm going to show you CrowdSec being installed, how it works, and how it protects you in those two scenarios.

And by the end of this video you're going to have a great understanding of how CrowdSec works, how you install it, what the various components are, the command line syntax, and things like that. It's going to be awesome, so without any further hesitation, let's dive right in.

So here on my laptop I have this sample web server that I've set up for this video. All it has is the icon for this channel and then some sample text right here: "Welcome to the sample nginx site." Now, this web page isn't all that interesting, but it should be good enough to serve as an example. Now, this particular web server is public facing; it's directly accessible from the internet, and that makes sense, because this is a web server and we want people to access our web server. Otherwise, what's the point? However, anything that is able to reach the public internet can be, well, reached by the public internet, and that's the problem. That's why we need something like CrowdSec, so we can help protect this server.

So what I'm going to do is switch over to a terminal, which I have right here, and what I'm going to do is just use ssh and then I'll paste in the IP address. So nothing too unusual here; I'm just going to attempt to SSH into that server. So I'll accept the fingerprint, and now I'm in. As you can see, I'm able to log into my web server, so I do have access to it. So I've just disconnected, and we're going to play through the scenario. So what I'm going to do now is just pretend like I'm not supposed to be able to access the server. It is my server, I have full control over it, but I'm going to play the role of someone who isn't supposed to have access to it. I'm going to try to gain access to it, and we're going to see how CrowdSec responds.

Now, as of right now CrowdSec is not installed on that server, so if I was to try to SSH in again, and I'll just type the wrong password, and again, and again: permission denied. Well, that's fine, I'll just keep trying. And I just canceled out; you get the point. The thing is, if there's nothing stopping somebody from trying to guess the password, they could just keep trying and trying and trying and trying, and eventually they might even get into the server. That's not what we want.

Now what I'm going to do is SSH into that server, and I will actually type in the correct password this time. So let's go ahead and check out the log files and see what exactly is happening. Because I set the server up yesterday, it's been available on the public internet for a while, so other than my attempts to access the server there should be attempts from other IPs as well. So what I'll do is go into /var/log. We have various log files there, and the names of each log file will be different from one distribution to another, but at least in the case of Debian and Ubuntu we have this log file right here, the auth.log. That's the one that we're going to be looking at. So I'm going to cat out the contents, and I do need access to sudo or some sort of root privileges to view this file. That makes sense, because there's very sensitive information inside the authorization log. Let's see what's inside, and there's a lot of output here. As a matter of fact, if I pipe this into the wc command for a word count and I use the -l option for the number of lines, we have 13,000 lines inside that file, so it's definitely not a small file.

So right away we can actually see some information about my attempts at accessing the server. If I scroll up a bit, we can actually see that there's quite a few different attempts here, and these aren't all me, I promise. We have some people trying to log in as root, as you can see here. Somebody's trying to log in with a user named master; you can see that right there. So there's definitely a lot of people that are trying to get into this server. We see this username here; I mean, people are trying to get in, and this is common when you have a server that is open and available to the public internet. People are going to try to get into it. So what I'm going to do right now is just clear the screen and go back to my home directory.

So what I'll do next is I'll go ahead and install CrowdSec, and this part of the video is going to be essentially the same as the first video, so I'll consider this somewhat of a review. But what I'm going to do is install CrowdSec, like I mentioned, and we're going to see exactly how that differentiates what's going on, or how CrowdSec responds to what's going on. That'll help you understand exactly how to set it up.

So what I'm going to do is paste in the very first command. It's a longer command, so of course if I attempt to type it out I'm going to make a mistake. I'll paste it in right here, and here's the command. In the description below this video I'll have a link to the blog article for this video, so if you want to copy and paste the commands you could do that. That way you don't have to worry about pausing the video and writing this all down; all the commands will be there, so you can copy and paste the commands from there if you want to follow along with me. But what this first command is going to do is install the repository. So I'll press Enter. It detected my distribution as Ubuntu, which is true; it's installing the required packages, and it's done. And all this does is set up the repository. CrowdSec is not installed, but we do have access to it now. So what I can do is type sudo apt install and then crowdsec. And if you're running a different distribution, I'll have a link in the blog article for the documentation for CrowdSec, so that way if you are not using a Debian- or Ubuntu-based distro you'll still be able to get it installed. But at least here on Ubuntu I have the repository and I can run this command right here to install the package. Let's go ahead and do it, and now it's installed.

The next thing we should do is check and make sure that it's actually running, but not only that, we need to make sure that it's enabled as well. So what I'll do is run sudo and then systemctl. We need to check the status, and we want to check the status of crowdsec, and as you can see it's running, and it's also enabled as well. So if that's not the case for whatever reason, what you could do is run this: sudo systemctl and then enable --now and then the name of the service, which of course is crowdsec. So what this command will do for us is it'll make sure that CrowdSec is enabled; that's why we're using this enable keyword right here. And --now, what that does is it makes it take effect right now, meaning if it's not running right now it'll start it right now, and then going forward, after we enable CrowdSec, it's going to start with the server every time we reboot it. Now, on my end I don't have to run this command, because as you just saw it was already running and it was automatically enabled as well. So on my end this command right here is completely unnecessary.

So next what I'm going to do is I'm going to actually clear the log file for CrowdSec, just because I don't want there to be like a bunch of information in there. I just want to see the specific information that pertains to this specific attempt. Of course, something else could try to get in, but clearing out the log file is probably a good idea. So what I'll do is run the truncate command with sudo privileges. I'll set the size to zero, and the file that I want to set to zero is /var/log/crowdsec.log. So now the log file should be completely zeroed out, and what I'm going to do is do a tail follow on that log file, which is now empty, and we should see the attempt right here when I go to try SSH.

So at this point what I'm going to do is attempt to brute force into the server again, just like I did before. I'm going to fail the password; the difference this time is that CrowdSec is now installed, and I want to show you guys exactly how it's going to respond to that. All right, so now that I'm following the CrowdSec log, I'll switch over here to my other tab. So let's go ahead and try to SSH. So I'll press Enter. I'm just going to try over and over again, make sure I get its attention. And take a look at this: we have some information in the CrowdSec log file. As you can see right here, where it shows my IP address is trying to get into the server, it's noticing all of my attempts, and it's actually recommending a four-hour ban on my IP address, as you can see right here. So CrowdSec clearly noticed the problem, and the reason why it took multiple attempts is because CrowdSec uses a leaky bucket system, so it's not going to ban right away. There's different settings and things like that for how it actually responds to things like this, but I tried SSH over and over again and it definitely noticed, and it's recommending a four-hour ban, so that's a good sign.

So in the output of the CrowdSec log it mentioned that there's going to be a four-hour ban. So what's going to happen when I try to SSH into the server again? Let's find out. So I'll just repeat the ssh command from before, and try the same thing again. So as you can see, I'm still able to get a password prompt. If I was blocked, I wouldn't even get a password prompt, so that means I'm not blocked. And that makes sense, actually; that's by design, because right here it's showing a 4-hour ban, but it's recommending a 4-hour ban; it's not actually banning me. But what we're seeing here is that CrowdSec did notice the attempt and is paying attention to it, and the takeaway is that CrowdSec doesn't actually block anything. The job of CrowdSec is to notice that something is happening; it's actually the job of a bouncer to take action. And since we haven't installed a bouncer, then, well, nothing's going to happen. I could try all day long to get into the server, and since there's no bouncer installed there's actually nothing stopping me from trying to log into the server again and again and again, and if I'm determined enough I might actually guess the password; I might get into the server. But that's not what we want. We don't want someone to be able to try over and over and over again to get into our server; we want something done about it.

So what I'm going to do right now is show you guys the process of installing a bouncer. So what I'm going to do right now is install the package for the bouncer, and this is going to use the same CrowdSec repository that we've already set up. So all I should have to do is run sudo apt install and then the name of the bouncer package, and the name of the package in my case that's appropriate for this server is crowdsec-firewall-bouncer-iptables. Now, there's an alternate version as well that utilizes nftables. Some distributions have switched over to nftables; in my case, Ubuntu 20.04 is still using iptables, so this is appropriate for me. If you are using a more bleeding-edge distribution that's already switched to nftables (check your documentation to find out), you'll have to install the nftables version of the same package. But what I'm going to do is just make sure that this is installed. So I'll press Enter, and it's installing, and there it is.

So the next thing that we should do is check and make sure that it's actually running, and what we could do is run the systemctl status command to check that. But I already know it's running, and the reason why I know that is because I lost my ability to type. I'm pressing a bunch of buttons and nothing's showing up, and the reason for that is because the bouncer has already taken action. So my SSH session right now is completely frozen and useless; I can't type any commands at all whatsoever, and any minute now it's going to time me out. And the reason for this is because the CrowdSec bouncer that I've installed noticed that CrowdSec itself has noticed attacks coming from a specific IP, mine, and it went ahead and automatically blocked me, because CrowdSec's bouncer is going to look at CrowdSec itself. So the bouncer is going to see the history and block my IP. So at this point I can't access the server anymore; I'm out of the server. So it looks like it's doing its job.

So what can we do about this? What if I accidentally locked myself out because I typed the password incorrectly too many times, even though I'm a legitimate user? It's my server, and it actually is. How exactly would I regain access to the server? Well, there's at least two ways. By default, like I mentioned earlier, the ban is for four hours. I could wait four hours, and then after that I should be able to access the server again. But I don't want to wait that long; I have a video to record, I want to show you guys some other things. So I want to unban my IP, because I need access to the server.

And also, as an aside, it's not just SSH that's being blocked right now. If I was to go back to my web browser (and this is still showing my session from earlier in the video), I'm going to refresh this page, and it's just going to keep trying; it's not going to be able to connect. Even though it was SSH that I used to try to break into the server, it blocked my IP completely. It doesn't matter if I'm trying to SSH into the server or if I'm trying to access the web page that you see right here; it's timing out. You can see this little dot moving right here; it's just not able to access the server.

Back in the terminal, what I'm going to do is SSH into another server, and I'm going to use that server to SSH into the web server and unban my IP. So what I'll do is just use ssh yet again, and the IP address for the other server that I've set up is 172.105.10.128. And now I'm into the server, and this server is actually for the second scenario that I'll be showing you guys, but for now what I'm going to do, like I mentioned, is use this server to go around and connect to the original web server to unban my IP. So I'll use ssh yet again, and now I'm into the web server.

So let's take a quick look at the command line syntax for how we can determine what decisions were made and how to reverse a decision, and reversing the decision to block my IP is exactly how I'm going to regain access. So we'll use sudo, because we need access to the command line for CrowdSec, and the command to manage CrowdSec is cscli, or CrowdSec CLI. And what we want to do is take a look at decisions, and we want to get a list of decisions. Now, the output is misaligned here, and that's just because I have the font size cranked all the way up, but we can see the information that we need to see. We can see the IP address right here that was blocked, which is mine, so that makes sense; that's why I can't access the server anymore. And we also have an ID number right here. So what I'm going to do is use that ID number to unban my IP, essentially to reverse that decision. So we're going to use the delete keyword, and we want to delete a specific ID, and the ID that we want to delete is this one right here, 710. I'll press Enter, and it's telling me that the decision was deleted. And now when we check the decisions list, it's telling us that there's no active decisions at the moment. So if I didn't know any better, I would say that I should be able to access the server again. So let's see if I can. And my session is still frozen from when I was blocked before, so what I'm going to do is just open up another tab, and let's try to use ssh to get back into the web server. So that was 172.1, and now I'm getting a password prompt; that's a good sign, and I'm in. In fact, it's telling me that I have a problem loading this page, but that was from the previous attempt, and as you can see it's timed out. But now it works, and that's because I unbanned my IP by deleting the decision to ban my IP. So that's a quick look at how you would unban an IP if for some reason you needed to reverse a decision. That's pretty cool.

So what we're going to do now is switch over to another scenario. This one is a little bit more involved than the previous one. So I'm going to type the IP address up here for the server that I need to access, and actually I have a fully qualified domain name for this server, and it's located at blog.learnlinux. So I'll press Enter, and we have this WordPress site. Now, as you can see, it's an empty WordPress site; there's nothing important here whatsoever. But we're going to assume that it is an important blog; maybe this is our company's blog. We want to make sure that people are able to access this, so if it were to go down, that's a problem, but it's even worse if it gets compromised. So we definitely want to install CrowdSec on this server right here. So I'm going to do that, and then I'm going to show you what's different with a WordPress installation. There's a specific bouncer that we need to install, and I'll show you exactly how to install it. So this is going to be fun.

Back in my terminal, I will disconnect from the web server, and what I'll do now is connect to the WordPress server as well. Close this tab right here, because that one's frozen anyway, and since I have a fully qualified domain name for that blog, I could just type blog.learnlinux.cloud rather than try to remember the IP address. And now I'm in. So what I'm going to do right now is just repeat the process of installing CrowdSec on the blog server, and this process will not be any different than the previous one; it's the same process for installing CrowdSec on the blog server as well. There are some things that are different, and I'll let you know what those things are when we get to that point, but for right now I'm just going to rerun those installation commands and then we'll go to the next stage. So we have the bouncer installed, and it's enabled, and there's nothing unique about this situation so far.

So how does the situation change with WordPress when compared to a normal web server? So what I'm going to do is go back to the web browser, and here's the blog site right here, and I'll go to the special URL to get the login prompt for WordPress, which is right here. So I'll type in the username, and now I'm logged into the WordPress console for this particular website. Now, what I want to do is go here to Plugins. We want to install a plugin, and then inside the search box I'm going to type crowdsec, and here it is. So what it's going to do is that this plugin is going to facilitate communication between the API for CrowdSec and WordPress itself, so that way if WordPress sees some activity that's not so great, it's able to let CrowdSec know, and CrowdSec can trigger the bouncer to take action. So we're going to install this plugin, and now we're going to activate it, and it's almost ready to go. We now have a CrowdSec section right here on the left-hand side, and what we're going to do is put in the information for the API to ensure that the add-on is able to communicate with CrowdSec. So we're going to copy this right here; the API server by default is listening on port 8080.

As an aside, if you have an app that is already using port 8080, you'll have to change the port number to something else in CrowdSec or in that application. I'm not going to go over that; I just want to make sure you guys are aware of that. And next what we have to do is type in the API key for the bouncer. But how do we actually get the API key? Well, it couldn't be easier, because CrowdSec is giving us the command, literally; it's giving us the command right here, so we don't even have to look it up. That's pretty cool. So I'll start the command with sudo, and then I'll paste in the command that was shown there in the settings page for CrowdSec. So we're going to create a new bouncer; we're going to call it wordpress bouncer, and if this works, it should actually give us an API key. So I'll press Enter, and it did exactly that.

So this API key, you want to make sure that you don't allow anyone else to see it. If anyone else is able to see it, then you can't trust it. The API key will only be shown a single time; as soon as I close this terminal window, I have no way of retrieving the API key. So what you want to do is record this API key in a very safe and secure location. Again, don't let anyone else see it; this is private information, and everyone is going to get their own API key. So we have the API key right here; just make sure that it's copied into my clipboard, and what we're going to do is go back here to WordPress and we'll paste it right here for the bouncer API key. So now that I have everything set up here, another thing that you might want to consider is disabling this option right here. If this is turned on, then CrowdSec is not going to look at your logins to the WordPress admin section, and you probably do want it to monitor that; I mean, that is something that people try to do. So I recommend turning this off, and that should be fine. Now, you can play around with the bouncing levels if you'd like to, and there's descriptions here. But we've created the API key, we pasted it in here, we also typed in the API URL, so everything should be good to go. I'll just click Save Changes, and now WordPress should be protected as well. So as you can see, you could use CrowdSec in multiple different scenarios; WordPress is just one of many. But anyway, as far as WordPress is concerned, the settings that I've set up right here should be good enough, so we now have WordPress protected by CrowdSec.

So as you can see, CrowdSec is very easy to set up. In the first scenario we protected a server against an SSH brute force attack, and in the second scenario I showed you guys how to install the WordPress bouncer. That required the API key that we've created; we pasted that into the settings, we configured it, and we should be good to go on that as well. So as you can see, CrowdSec is very flexible. It has various different bouncers that you can install to protect different things, which is really cool; that makes it easy to protect your server. Now, of course, CrowdSec is just one layer of security. It's not something that you can depend on by itself, and that's true regardless of what the technology is. Security is like an onion; there's multiple layers, and CrowdSec definitely gives us a really awesome layer to benefit from, and I highly recommend that you make it part of your security toolbox. Let me know what you think of it in the comments down below; I look forward to hearing what you guys have to say. And as always, I will see you in the next video. I have some really cool things coming up, so I will see you next time. Thanks for watching.
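The video notes that CrowdSec needed several failed SSH logins before it recommended a four-hour ban because it uses a leaky bucket. The following is an added illustration (not CrowdSec's code and not part of the video) of that mechanism run over constructed auth.log lines of the kind the video scrolls through; the bucket capacity, leak rate and ban length are assumed values chosen to reproduce the behaviour shown, not CrowdSec's actual scenario configuration.

```python
import re
from datetime import datetime

# Constructed auth.log sample in the Debian/Ubuntu syslog format. 203.0.113.7
# fails six times in six seconds, 198.51.100.9 fails four times a minute
# apart, and 192.0.2.20 logs in successfully.
SAMPLE_AUTH_LOG = """\
Nov 23 14:02:11 web1 sshd[2411]: Failed password for root from 203.0.113.7 port 51012 ssh2
Nov 23 14:02:12 web1 sshd[2411]: Failed password for root from 203.0.113.7 port 51012 ssh2
Nov 23 14:02:13 web1 sshd[2413]: Failed password for invalid user master from 203.0.113.7 port 51020 ssh2
Nov 23 14:02:14 web1 sshd[2413]: Failed password for invalid user master from 203.0.113.7 port 51020 ssh2
Nov 23 14:02:15 web1 sshd[2415]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Nov 23 14:02:16 web1 sshd[2415]: Failed password for invalid user admin from 203.0.113.7 port 51031 ssh2
Nov 23 14:02:30 web1 sshd[2417]: Failed password for jay from 198.51.100.9 port 40011 ssh2
Nov 23 14:03:30 web1 sshd[2418]: Failed password for jay from 198.51.100.9 port 40012 ssh2
Nov 23 14:04:30 web1 sshd[2419]: Failed password for jay from 198.51.100.9 port 40013 ssh2
Nov 23 14:05:30 web1 sshd[2420]: Failed password for jay from 198.51.100.9 port 40014 ssh2
Nov 23 14:06:00 web1 sshd[2421]: Accepted password for jay from 192.0.2.20 port 40100 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port"
)


def parse_failed_login(line):
    """Return (timestamp, user, ip) for an sshd 'Failed password' line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; that is fine for the time differences used here
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, capacity=5, leak_seconds=10.0, ban_seconds=4 * 3600):
    """Leaky bucket per source IP: every failure adds one unit, the bucket drains
    one unit per leak_seconds, and a decision is emitted when the level exceeds
    capacity. The defaults are assumed, not read from any CrowdSec scenario."""
    buckets = {}  # ip -> [level, time of last failure, failures counted so far]
    decisions = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        level, last, attempts = buckets.get(ip, [0.0, ts, 0])
        elapsed = max(0.0, (ts - last).total_seconds())
        level = max(0.0, level - elapsed / leak_seconds) + 1.0  # drain, then add this failure
        attempts += 1
        if level > capacity:
            decisions.append({
                "ip": ip,
                "scenario": "ssh-bf (simplified)",
                "attempts": attempts,
                "triggered_at": ts.strftime("%b %d %H:%M:%S"),
                "ban_seconds": ban_seconds,
            })
            level, attempts = 0.0, 0  # the bucket empties once it has overflowed
        buckets[ip] = [level, ts, attempts]
    return decisions


if __name__ == "__main__":
    # Slow, spaced-out failures from 198.51.100.9 drain away and never trigger
    for d in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{d['ip']}: {d['attempts']} failures -> recommend ban for {d['ban_seconds']}s")
```

Raising `capacity` or lowering `leak_seconds` makes the detector more tolerant of a legitimate user mistyping a password, which is the trade-off behind the lockout the video demonstrates.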
Info
Channel: LearnLinuxTV
Views: 6,379
Keywords: Linux, Tutorial, Howto, open-source, crowdsec, security, linux security, linux server, intrusion, intrusion prevention system, ips, web server, vps, cloud server, server security, linux web server, secure linux server, secure web server, secure ubuntu, secure linux, cloud hosting, securing linux servers, linux server hardening, cyber security, home web server, personal web server, linux server security, it security, network security, cyber attack, data security, security solution
Id: WXHQY90Ms-g
Length: 26min 47sec (1607 seconds)
Published: Wed Nov 24 2021