CrowdSec | Install with Traefik Bouncer, Authelia, Dashboard

Captions
Hi guys, and welcome back to another IBRACORP video. Thanks for coming back and checking out the channel. Today we hope we have an exciting topic for you that we've been working on in the background. Recently we were approached by some of the developers over at CrowdSec. If you haven't heard of CrowdSec, there's a bit of buzz around it at the moment, so you may have already heard about it, but if you haven't, CrowdSec is a free, open source and collaborative IPS, so intrusion prevention system. It analyzes behaviors, responds to attacks and shares signals across the community. So we're super excited to show you this video today. A big thank you goes to some of the developers over at CrowdSec for approaching us to do this video; thank you very much for choosing to work with us. And a big massive thank you, of course, to Hawks, our admin over in the IBRACORP Discord. He has basically written up this guide today, so I present it to you on his behalf. Thank you very much, Hawks, for your contribution to our community.

So today we're going to show you installing and using CrowdSec. On top of that we're going to throw in some bonuses, which is the Traefik bouncer with the Authelia and Vaultwarden collections. So this ties in really well with our previous videos on Traefik, on Authelia and on Vaultwarden that we've already covered in great detail, so if you're interested in setting up those, be sure to check our videos out on those subjects on our channel. So if you want to know more about CrowdSec, how to get it going, how to get it set up with Traefik, Authelia and Vaultwarden, then this is the video for you. Without further ado, let's get stuck into it.

Alright guys, thanks very much for popping in. Like I said, today we're looking at CrowdSec. Now I'm on their main website, crowdsec.net, and yeah, recently we were approached by the team over at CrowdSec to take a look, investigate and present a video to our community members and our fans to see what they think of the product. Now it's probably a little bit unfair to call it a product; it's not something you buy, it's free and open source and it's community driven, which is something that's really, really good for the open source community and abroad. So if I just go through the website real quick: "outnumbering cybercriminals all together", that's their motto. Now what it allows you to do is set up your own intrusion detection system, apply behavior scenarios to identify cyber threats. So first it will parse logs and it will acquire that data from any source, so system logs, CloudTrails etc. It will then automate the security, so you can define the type of remediation you want to apply and where. So do you want it to just instantly block them, redirect them, whatever the case might be. You get to leverage the community's IP block list, so basically we get to share and benefit from a crowd-sourced and curated cyber threat intelligence system. Now of course we have dedicated cyber security teams and organizations that do this on a daily basis, and so they provide information based on either their products or to help the community out in general, but what makes this different is that it's community driven rather than product driven or business driven. So it means that it can be an ever evolving and living organism, in such a way that allows people to contribute and benefit from the project all the time. As I said, it's open source and participative. It's designed to run seamlessly on VMs, bare metal servers, containers, or to be called directly from your code with their API, so that means that basically you have many different ways that you can deploy CrowdSec and many different ways you can have it in your existing stacks, perhaps your server at home, even, safe to say, a business organization that wants to leverage that protection. It gives you collaborative security; it's stateless and decoupled, which is great; high performance; very easy to use, hopefully by the end of this video you will say the same; multi-layer and IPv6 ready. It's observable, so dashboards are great steering tools and CrowdSec is no exception: it's instrumented with Metabase and Prometheus to help you make smarter investments of both time and money and better defend yourself. It's also got compliance reporting, so as I said, ISO 9001 for example, you want to meet your ISO requirements, you can do so. And best of all it's privacy focused, so we're GDPR compliant, meaning they take privacy seriously.

So at the moment, if we come down, you can see where we can use it, and this gives us a good rundown of where they're at at the moment and where they plan to be. So operating systems: we've got Linux and FreeBSD, and that is an interesting one because we're then talking about things like pfSense. macOS, Windows and OpenWrt, if you're using those operating systems, they are coming soon, but I highly suggest you still watch this video because there's going to be a lot of information that will carry over in terms of how it works and how to implement it. The services that they currently offer: iptables, nftables, nginx, Apache, Caddy and PF. As I said, pfSense, that's coming soon. Languages: we've got WordPress, PHP and JS; you've got Go, Symfony, Python and Arduino coming soon. Platforms: we're talking about Docker, AWS, Google Cloud and Cloudflare; Envoy, Traefik and Azure coming soon. We're going to be showing you the Traefik bouncer. So guys, look, a lot of information there, plenty of stuff that will benefit you to have a read through and make sure you fully understand what this organization is all about. We also have listed this in our documentation; that's right, we have done a document for this video as well, and you'll find it over on docs.ibracorp.io. I'll put the link down in the description below as well. So we have a lot more information in there, and all the instructions that I show you today are in there, and you'll be able to click and paste the commands as we've written them to make it easier for you to get started. So with that introduction, why don't we get started with an installation and just show you how this all runs.

All right guys, so we're here on our Ubuntu server, and pretty much anywhere that you're going to be running Linux you can follow along with this. If you have to customize it for your particular operating system, please go ahead and do that, but the commands we've provided should help most people get going as is. This also assumes a certain number of things, like where you have your Docker containers' app data stored and things like that, so you may have to modify the commands to match your file and folder structure where it's different; otherwise you can again just follow it as is. So right now, make sure we're signed in as the user that you typically use for your server and copy the first command, which is going to create the CrowdSec shared log folder. Let's paste that in, and you can see here what we're saying is: make the directory /var/log/crowdsec, we're going to change the ownership to the current user, and I want you to apply it to that new folder that we just created. All right, we've put our sudo password in. The next thing we're going to do is create the appdata folder. Now we're using Docker and all of our Docker containers live in a folder called /opt, or /opt/appdata; in your scenario you may have /opt/the app, so you may not even need appdata, it depends on your setup. In our case, for the purpose of this video, we're using /opt/appdata/crowdsec. So what we're going to do then is create our appdata directory now, so we're creating that there under appdata, hit enter, and we have the folder created. If you don't have appdata already in there, then obviously backspace it up until that point, create that first, then add the crowdsec folder.

The next thing we want to do is create our docker-compose, so let's paste the command in, and we're saying we're going to create a docker-compose.yml, we're going to edit it with nano; choose any editor you prefer, if you want to use code-server following our code-server video, obviously you can do that as well. So let's hit enter and we have an empty docker-compose file ready to go. If you're following our written documentation with this video, we have provided the template for you; you can just click and paste like so. Let's have a look at what it's doing. The compose file obviously pulls down the CrowdSec container from their repository, it internally exposes port 8080, it assigns a PGID, assuming your PGID is 1000 (by default it should be 1000 anyway), and then it attaches these volumes: we have /opt/appdata/crowdsec/data, we then have /opt/appdata/crowdsec, which maps to /etc/crowdsec, and like I said at the start, if you don't have crowdsec in this particular folder path, just adapt it to what suits you. These ones, however, you shouldn't need to change, so you can leave those ones as they are, just leave them as they are, and then continue down. We have a restart: unless-stopped parameter in there, which is great, and then we've attached it to our internal Docker network, our custom Docker network which we've called proxy. So if you're using a custom Docker network, which we always recommend, set that here, and with that set, Ctrl+O, hit enter and then Ctrl+X. Now what we want to do is navigate to that folder. So let's go to that folder; now we're inside the folder where crowdsec is. So then what we want to do is fire up that docker-compose file we created. Let's paste that in: sudo docker-compose up -d. Now if you're using Compose version 2 we don't need the hyphen, so we can take that out, and then hit enter, and as you can see the container is now pulling down, which is fantastic. So give that a minute to start up, and if we just type in docker ps... I always forget the sudo. Let's go sudo docker ps, and we can see all of our containers running, so let's have a look for it, and we can see crowdsec at the top there; it's running on port 8080, which is exposed internally. I'm just going to run it again and we'll just make sure it's stayed up. So it's been up for 25 seconds, that's already a good sign, and if we look at the logs here for crowdsec we can see that it's doing quite a bit: it's updating itself, it's grabbing all the new information, anything that's been updated on GeoIPs, whitelists etc., and now it's running up to date.

So you've essentially now installed CrowdSec, but we want to make use of it. So how does that work? What we essentially need to do is install a bouncer. Let's clear this screen now, and what we want to do is install the Traefik bouncer. We use Traefik here and we've shown you how to use Traefik as well, so we probably assume you've got Traefik going; if you don't, obviously, like I said, they do support nginx and Nginx Proxy Manager, so that will help you if you're using that as a reverse proxy as well. Now the aim here is to implement a CrowdSec bouncer for the router Traefik to block malicious IPs to our services. So for this it leverages Traefik version 2 ForwardAuth middleware and queries CrowdSec with client IPs. If the client IP is on the banned list it will get an HTTP code 403 response; otherwise the request will continue as usual. And so just to show you what I mean, this is in our documentation that you will hopefully be reading alongside the video if you want that extra help, and it gives you a nice image here. So the flow of information comes into Traefik, Traefik sends the forward auth to CrowdSec, CrowdSec replies with a decision, it's all good, then it continues as normal. Then we have explanations on parsers. So the parsers take log formats and break them into readable information for the CrowdSec app; we'll be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make the decisions. Bouncers, on the other hand, react to the decision made by CrowdSec, so in this case the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decision to ban IPs; it will do this by connecting back to the mothership to get the information required to make the decisions locally, and that's what we were saying about it being a community managed initiative, so it can reach out, update what the IPs are that it should be banning and come back to you. And the perfect scenario here is a brute force attack that's going on. You can choose which scenarios you would like to check the traffic against; in this Traefik collection we'll be using the typical HTTP behaviors. So we've run that command that's in our docs here to add the Traefik bouncer, as you can see above, and it's given us an API key. Now it's critically important that we keep that API key secure; don't show it off like I am here, obviously I will be changing it after this video, but you need to note this down. It will only give it to you once and you won't be able to retrieve it, so copy it somewhere safe. I've just highlighted it, which copies it through the clipboard, and I've just pasted it in a notepad for the moment until we move on.

So now what we want to do is add the API key and the collection. So how do we do that? We need to edit the compose file that we were just in. So if I go to sudo nano and then we go to docker-compose.yml, we can essentially take the information that we've given you already and you just add it in here. So if I come down under the crowdsec for services, give it a gap and paste in the following, which is in our docs: it gives us the crowdsec Traefik bouncer, it's going to ask for the API key and then the agent host, which is where crowdsec is running, and that's correct because we haven't changed it from above, which as you can see here is 8080. So take that API key that you've just copied from the command earlier, and we need to add it in here. There we go, we have our API key. We follow it down, we can see it depends on crowdsec, so obviously crowdsec has to run first. That's all we've changed. We Ctrl+O, hit enter and then Ctrl+X. Then we want to map the log files, so take the command we've given you here, which is going to open up a nano for crowdsec and create an acquis.yaml. Now if you like you can take everything out of it and put in what we've provided in our docs. Now what does that give us? The filename, which is referring to the Traefik logs, the label, which is traefik, and then a filename for auth.log, and it's a type of syslog. Ctrl+O, enter again and Ctrl+X.

So now we want to enable logging with Traefik. Now to do that we type in this command so that we can open up the traefik.yml. Now in my case Traefik doesn't live in appdata, it just lives in /opt, so we hit that and it takes us to our Traefik file. I'll scroll down to the bottom and we add the access log command that we've given you here, and if you scroll up we will find the middleware section, which you can see under http, and we basically want to tell Traefik that we want to use crowdsec as a middleware. So let's paste this in and you'll see crowdsec-bouncer@file. I'm actually going to drop it at the bottom here, and you see we have a duplicate actually of these, so we'll take that out, and we have crowdsec-bouncer@file. Now Ctrl+O and Ctrl+X again, and then open up your file config, so the dynamic config that you have for Traefik. Now you'll understand most of this terminology if you've watched our Traefik guide; it's really important that you guys check that out because that is obviously the foundation of what we're doing here. So what we want to do is edit that dynamic file now for Traefik. Hit enter, and under middlewares you can see we've got auth and then forwardAuth and then we have gzip. So underneath that I'm just going to make a space and we're just going to paste crowdsec-bouncer, as you can see here, and basically it's telling us to forward that all through the bouncer. Ctrl+O again, Ctrl+X, and we added the file. We now want to edit the docker-compose for Traefik, so what we'll do is backspace this, take it to where our Traefik compose lives, and all we've done is add the volume here, as you can see; that's in our documentation as well, underneath the volume section. So we're mapping that volume for the logs for crowdsec. Ctrl+O, Ctrl+X to get back out again, and now we pretty much just want to restart Traefik and we want to restart crowdsec. So what we do is run this command to go to the location where that docker-compose lives and then execute the docker-compose up again. I'm using version 2 so we'll take the hyphen out, and hit enter, and basically that's going to recreate our Traefik container. Once that's done we'll do the same for crowdsec, so using that command to find the container's docker-compose.yml, and then we relaunch it again; once again I'm using version 2 so we do that. Now if you guys do have version 1, I haven't done it on this server yet, but if you are using, uh, did have version 1 and then went to version 2, you can actually just install, um, a tool that will automatically forward commands that were for version 1 onto version 2 for you automatically; I just haven't done it on this server yet. So we've done Traefik and we've done the crowdsec containers; they've restarted with all the new stuff that we just added. What we'll do now is quickly check the logs, and straight away one of the first things you're going to see, if you're looking here, is it's performed a check: localhost, crowdsec ssh-bf by IP, this... it's applying a four hour ban on that IP address. So it's already working for us and helping protect us without us even really doing anything. We pretty much set it up and forget it, and it gets to work for us.

Now as promised, guys, we're going to give you the two extra bonuses here, which is Authelia and Vaultwarden. Now that's pretty much as simple as adding the collections. So back in your docker-compose for crowdsec, which I'm already in the folder, but if you're not... So what we're going to do in this folder for crowdsec again is edit that docker-compose, and we go in as sudo, enter, and we're back in the file. So we have the crowdsec Traefik bouncer and that's working great. What we want to do then is add our Authelia collection, and so to do that, under environment you've got the PGID; drop a line right underneath that and paste in what's in our documentation, which gives you COLLECTIONS. It then gives you this collection here, so we've got crowdsecurity/traefik, crowdsecurity/http-cve and then LePresidente/authelia. So it gives us those three collections. Worth noting, that I didn't actually show you before, that this was part of the Traefik step as well; so for Traefik, if you're not doing this for Authelia, you would already have, up to this point, entered, and now all we've added is the LePresidente/authelia section. So we've added this collection here. So that's my bad, I did miss that earlier; make sure you have these collections in here for the Traefik part of things. So in fact I don't even think it was using Traefik yet, but now we've added Authelia. And the same goes for Vaultwarden. So I told you we would show you Vaultwarden as well, pretty straightforward: we now add the Vaultwarden collection to the end of it. So if you just want to go to the end, hit a space, and then in the documentation we've given you the repo for it, so you just add that in there. So now we've got Vaultwarden protected with it as well. Ctrl+O, enter and Ctrl+X. Then we want to add Authelia to the acquis.yaml, so go back to that file, and in here we want to add that in. So underneath the syslog section we paste that in there, and that gives us the Authelia logs. Now again, same thing for Vaultwarden: if you want to add the Vaultwarden one, go ahead and do that now; if you're not using Vaultwarden you don't need to add this, I'm just showing you for reference. With that done, again we save and exit, and then we want to enable logging to that file again, so we're basically repeating the steps that we did right at the start for Traefik. So we go to the Authelia folder, where you have Authelia living; in my case it lives here, after some hunting around my Authelia lives here, so just find wherever your Authelia lives, obviously, and under the log section drop to underneath that and add the following. Make sure it matches what we've got in our docs if you want to, um, otherwise customize it as you prefer. So with the log, the level I've got set is debug, I just said that, but you can also have info in there; the format we're telling it to do, though, is json, and we want it to store it in this location. Hit enter and then exit. Now in the same folder as above we want to edit the docker-compose file, so hit that, and under the volumes we paste this path, taking us back to crowdsec of course. Ctrl+O and exit. Now at this point we can recreate the containers for Authelia and crowdsec, but we'll go through the last steps for Vaultwarden so that we can be on the same page and do it all at once. Now I'm not using Vaultwarden on this particular server, so I'm going to show you the command, but basically just adapt it to your own needs. You want to go to your docker-compose file just like all the other steps, and we want to add a couple of fields; so just make sure under your environment section that it looks like this, basically, under your volume section it looks like this. So again we're mapping to that crowdsec area there, and once you've saved all that we restart the containers. So, with the exception of Vaultwarden since I'm not using it, we're going to be doing it for Authelia and for crowdsec. So there's my Authelia path and the docker-compose command, and we wait for that to recreate, and the same for crowdsec. So now they've both been restarted, we should be right. Now let's have a quick look at the logs, and that's starting to look pretty good: so we can see Authelia is running, the Authelia checks are running, the Vaultwarden checks are running as well. We don't actually have Vaultwarden running at the moment, so I'll be surprised if that's doing anything. And there you go guys, as you can see through the logs it's looking pretty good, and CrowdSec is now working hard to protect us from all these dangerous sources. To be sure, the detected behaviors that it can pick up is: applicative DDoS, drive-by download, resource abuse, credentials brute forcing, PHP-based Armageddon, port scans, web scans, credential stuffing, bot scraping and targeted attacks. That's a lot of stuff that normally you would find in an enterprise firewall feature list that we're getting for free and is crowdsourced.

Alright guys, so the last thing I'm going to show you is also registering our CrowdSec instance online, and what this is going to do is allow us to have a dashboard, which obviously everybody loves a good dashboard. So let me show you how to do that real quick. And now we're here on app.crowdsec.net and what we're going to do is subscribe. All right, and now that we've subscribed, we've signed in and we're greeted with this message on the main page, which is to enroll ourselves into the CrowdSec console. Now what we want to do is run this command; however, because we're running in Docker it's going to look a little bit different. So all you need to do is take this part here, which has the code that we need to enroll ourselves, and copy that. And what we want to do is add ourselves to the docker user group; that'll allow us to run Docker commands without having to have sudo in front of it. So we can paste that in: sudo usermod -aG docker and then the user, which is us, then type in newgrp docker. Okay, so we've run our command now, and we've customized it a little bit from what we saw in the dashboard, so we've got docker exec crowdsec cscli console enroll and then the code there. We can see it's processed it and then it asks us to restart crowdsec. Easy-peasy, we just paste docker restart crowdsec, and that should be done. Now come back to your dashboard and you'll see that it gives us the approval request to join the dashboard; once you do that, basically go ahead and accept it. Now that has been accepted we can pretty much see everything we need in the dashboard: what's going on, what kind of alerts we might have, what's running, what bouncers we have. So as you can see we've got our Traefik bouncer there as well, and that gives you the dashboard basically to manage it, and you can access this remotely as well, so it's not hosted locally, it's hosted with them, and then you can log in and manage everything you need to. So pretty handy little tip there, definitely recommend you guys set that up.

So guys, I hope you enjoyed this video covering CrowdSec. It will definitely protect you now using Traefik, and Authelia cover as well; on top of that we've given you the Vaultwarden collection too. Big thank you to the community for their suggestions for new videos; if you feel like suggesting a video, jump in our Discord, let us know, and let us know in the comments below what you think of CrowdSec. A big thank you also to the CrowdSec team for approaching us once again, we really appreciate that, and a massive thank you one last time to Hawks for the great guide. We'd also like to thank our community member and IBRACORP team member Momes for all his work working with Hawks to get this out there; we really appreciate it. Thank you very much everyone for working together on this one. If you like what we're doing here guys, be sure to support us by liking and subscribing on the video, or heading over to our website and subscribing as a member, which helps us financially to keep all of the systems running, to keep giving you great content and improving our quality. Thanks very much, we hope you enjoyed this video and we can't wait to see you in the next IBRACORP video.
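The pieces the video assembles (the crowdsec and bouncer compose services, the acquisition file, and the Traefik middleware wiring), written out here as an added example; these are not IBRACORP's or CrowdSec's own files. Image names, environment variable names, the bouncer's forwardAuth path, the `authelia` label type and all host paths are assumptions, and the API key is a placeholder for the one `cscli bouncers add` prints.

```yaml
# ---- /opt/appdata/crowdsec/docker-compose.yml (path as used in the video) ----
version: "3.8"
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest      # assumed image name
    container_name: crowdsec
    environment:
      # The three collections named in the video. The Vaultwarden collection id
      # is not given on the page, so it is deliberately left out here.
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve LePresidente/authelia"
      GID: "1000"                               # assumed name for the group id the video calls PGID
    volumes:
      - /opt/appdata/crowdsec/data:/var/lib/crowdsec/data
      - /opt/appdata/crowdsec:/etc/crowdsec    # acquis.yaml below lives here
      - /var/log/crowdsec:/var/log/crowdsec:ro # shared log folder created in the first step
      - /var/log/auth.log:/var/log/auth.log:ro # host auth.log, read-only, for the syslog source
    expose:
      - "8080"   # LAPI stays on the Docker network only; nothing is published on the host
    restart: unless-stopped
    networks:
      - proxy

  bouncer-traefik:
    image: fbonalair/traefik-crowdsec-bouncer:latest   # assumed image name
    container_name: bouncer-traefik
    environment:
      CROWDSEC_BOUNCER_API_KEY: "REPLACE_WITH_KEY_FROM_cscli_bouncers_add"   # placeholder
      CROWDSEC_AGENT_HOST: crowdsec:8080       # service name + the internal port from above
    depends_on:
      - crowdsec
    restart: unless-stopped
    networks:
      - proxy

networks:
  proxy:
    external: true   # the pre-existing custom network the video attaches everything to

---
# ---- /opt/appdata/crowdsec/acquis.yaml: one YAML document per log source ----
filenames:
  - /var/log/crowdsec/traefik.log   # Traefik access log written into the shared folder
labels:
  type: traefik
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/log/crowdsec/authelia.log  # Authelia log with format json, as set in the video
labels:
  type: authelia                    # assumed label expected by the Authelia collection

---
# ---- traefik.yml (static config): additions only ----
accessLog:
  filePath: /var/log/crowdsec/traefik.log   # Traefik's compose also mounts /var/log/crowdsec
entryPoints:
  websecure:
    address: ":443"
    http:
      middlewares:
        - crowdsec-bouncer@file    # every request on this entrypoint goes through the bouncer

---
# ---- dynamic (file provider) config: the middleware the static config references ----
http:
  middlewares:
    crowdsec-bouncer:
      forwardAuth:
        # Banned client IP -> bouncer answers 403 and Traefik stops the request;
        # anything else -> 2xx and the request continues to the service.
        address: http://bouncer-traefik:8080/api/v1/forwardAuth   # assumed bouncer endpoint
```

Generate the key with `cscli bouncers add` (the command the video runs) before starting the bouncer container, and after restarting Traefik check that bans actually arrive with `docker exec crowdsec cscli decisions list`.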
Info
Channel: IBRACORP
Views: 28,310
Keywords: install crowdsec traefik authelia, crowdsec traefik, crowdsec authelia, crowdsec tutorial, ibracorp, ibraco, ibra corp, crowdsec, crowdsec docker, crowdsec install, crowdsec review, crowdsec setup, crowdsec vs fail2ban, ibracorp traefik, ibracorp crowdsec, technotim, crowd sec, security, ids, ips, prevent hackers, open source, traefik, self hosting, homelab, bouncers, parsers, crowdsource, secops, fail2ban alternative, cyber security, vaultwarden, crowdsec dashboard, crowdsec console
Id: dgQvvMhbn8I
Length: 24min 38sec (1478 seconds)
Published: Wed Apr 06 2022