NGINX is a web server and a reverse proxy. It is one of the most popular on the internet because it is fast and can handle a large number of requests with minimal resources. CrowdSec adds a security layer on top of your existing security solutions by leveraging the community. CrowdSec is an open-source and collaborative IPS, and it can serve as an alternative to Fail2Ban. In this post we will go over the steps to integrate CrowdSec with NGINX to improve your security.
Installing CrowdSec with NGINX
I will assume you already have NGINX installed. Installing CrowdSec is easy: for all the major Linux distributions it is a two-step install. For the full installation guide, check out the CrowdSec website. Begin by installing the CrowdSec agent on your Linux server. Once the agent is installed, install the CrowdSec Bouncer for NGINX. The Bouncer makes sure CrowdSec integrates with NGINX and passes the correct information to the blocklist.
Using the cscli command
CrowdSec can be managed on the CLI with the cscli command. I will explain a couple of the most used ones.
Starting with the command to show the configuration:
tizu@nginx01:~$ sudo cscli config show
Global:
- Configuration Folder : /etc/crowdsec
- Data Folder : /var/lib/crowdsec/data
- Hub Folder : /etc/crowdsec/hub
- Simulation File : /etc/crowdsec/simulation.yaml
- Log Folder : /var/log/
- Log level : info
- Log Media : file
Crowdsec:
- Acquisition File : /etc/crowdsec/acquis.yaml
- Parsers routines : 1
cscli:
- Output : human
- Hub Branch :
- Hub Folder : /etc/crowdsec/hub
Local API Server:
- Listen URL : 127.0.0.1:8080
- Profile File : /etc/crowdsec/profiles.yaml
- Trusted IPs:
    - 127.0.0.1
    - ::1
- Database:
    - Type : sqlite
    - Path : /var/lib/crowdsec/data/crowdsec.db
    - Flush age : 7d
    - Flush size : 5000
To see all the scenarios CrowdSec will check, run the command below:
tizu@nginx01:~$ sudo cscli scenarios list
SCENARIOS
----------------------------------------------------------------------------------------------------------------------------------------
NAME ? STATUS VERSION LOCAL PATH
----------------------------------------------------------------------------------------------------------------------------------------
crowdsecurity/apache_log4j2_cve-2021-44228 ✔️ enabled 0.4 /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
crowdsecurity/f5-big-ip-cve-2020-5902 ✔️ enabled 0.1 /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
crowdsecurity/fortinet-cve-2018-13379 ✔️ enabled 0.2 /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
crowdsecurity/grafana-cve-2021-43798 ✔️ enabled 0.1 /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
crowdsecurity/http-backdoors-attempts ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
crowdsecurity/http-bad-user-agent ✔️ enabled 0.7 /etc/crowdsec/scenarios/http-bad-user-agent.yaml
crowdsecurity/http-crawl-non_statics ✔️ enabled 0.3 /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
crowdsecurity/http-cve-2021-41773 ✔️ enabled 0.1 /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
crowdsecurity/http-cve-2021-42013 ✔️ enabled 0.1 /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
crowdsecurity/http-generic-bf ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-generic-bf.yaml
crowdsecurity/http-open-proxy ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-open-proxy.yaml
crowdsecurity/http-path-traversal-probing ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
crowdsecurity/http-probing ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-probing.yaml
crowdsecurity/http-sensitive-files ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-sensitive-files.yaml
crowdsecurity/http-sqli-probing ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-sqli-probing.yaml
crowdsecurity/http-xss-probing ✔️ enabled 0.2 /etc/crowdsec/scenarios/http-xss-probing.yaml
crowdsecurity/jira_cve-2021-26086 ✔️ enabled 0.1 /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 ✔️ enabled 0.2 /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
crowdsecurity/ssh-bf ✔️ enabled 0.1 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf ✔️ enabled 0.2 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
crowdsecurity/thinkphp-cve-2018-20062 ✔️ enabled 0.3 /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
crowdsecurity/vmware-vcenter-vmsa-2021-0027 ✔️ enabled 0.1 /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
ltsich/http-w00tw00t ✔️ enabled 0.1 /etc/crowdsec/scenarios/http-w00tw00t.yaml
----------------------------------------------------------------------------------------------------------------------------------------
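As an added illustration (not part of the original post or of CrowdSec's own code), here is a simplified model of what a scenario such as crowdsecurity/http-probing does: parse NGINX access-log lines, keep a leaky bucket per source IP for 404 responses, and report the source once the bucket overflows. The log regex, the capacity and leakspeed values, and the sample log lines are assumptions constructed for this example; the real scenario's filter and thresholds live in the hub YAML files listed above.

```python
import re
from datetime import datetime

# NGINX combined log format (regex is my assumption; CrowdSec uses its hub parser).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+')

def parse_line(line):
    # Turn one access-log line into an event dict, or None if it does not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

class LeakyBucket:
    """Per-source bucket: +1 per event, leaks 1 per `leakspeed` s, overflows above `capacity`."""
    def __init__(self, capacity, leakspeed):
        self.capacity, self.leakspeed = capacity, leakspeed
        self.level, self.last = 0.0, None
    def pour(self, ts):
        if self.last is not None:  # leak proportionally to the time since the last event
            self.level = max(0.0, self.level - (ts - self.last).total_seconds() / self.leakspeed)
        self.last = ts
        self.level += 1
        if self.level > self.capacity:
            self.level = 0.0  # bucket is emptied after an overflow
            return True
        return False

def run_scenario(lines, capacity=3, leakspeed=10):
    # Return (ip, iso timestamp) per overflow; CrowdSec would raise an alert and a decision here.
    buckets, overflows = {}, []
    for ev in filter(None, map(parse_line, lines)):
        if ev["status"] != 404:  # scenario filter: only count 404 responses
            continue
        b = buckets.setdefault(ev["ip"], LeakyBucket(capacity, leakspeed))
        if b.pour(ev["ts"]):
            overflows.append((ev["ip"], ev["ts"].isoformat()))
    return overflows

SAMPLE_LOG = [  # constructed lines using documentation IP ranges, not real traffic
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "curl/7.88"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]
```

Running `run_scenario(SAMPLE_LOG)` flags only 203.0.113.5 at its fourth 404; the single 404 from 198.51.100.7 never fills the bucket, which is the point of a leaky bucket over a plain counter.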
And one of the most important commands is to check which decisions CrowdSec has made based on the scenarios and configuration:
tizu@nginx01:~$ sudo cscli decisions list
No active decisions
More information and options for cscli can be found with the cscli command:
tizu@nginx01:~$ cscli
cscli is the main command to interact with your crowdsec service, scenarios & db.
It is meant to allow you to manage bans, parsers/scenarios/etc, api and generally manage you crowdsec setup.
Usage:
cscli [command]
Available Commands:
alerts Manage alerts
bouncers Manage bouncers [requires local API]
capi Manage interaction with Central API (CAPI)
collections Manage collections from hub
completion Generate completion script
config Allows to view current config
console Manage interaction with Crowdsec console (https://app.crowdsec.net)
dashboard Manage your metabase dashboard container [requires local API]
decisions Manage decisions
explain Explain log pipeline
help Help about any command
hub Manage Hub
hubtest Run functional tests on hub configurations
lapi Manage interaction with Local API (LAPI)
machines Manage local API machines [requires local API]
metrics Display crowdsec prometheus metrics.
parsers Install/Remove/Upgrade/Inspect parser(s) from hub
postoverflows Install/Remove/Upgrade/Inspect postoverflow(s) from hub
scenarios Install/Remove/Upgrade/Inspect scenario(s) from hub
simulation Manage simulation status of scenarios
version Display version and exit.
Flags:
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config.yaml")
-o, --output string Output format : human, json, raw.
--debug Set logging to debug.
--info Set logging to info.
--warning Set logging to warning.
--error Set logging to error.
--trace Set logging to trace.
-h, --help help for cscli
Use "cscli [command] --help" for more information about a command.
Conclusion
I hope this post gives you an insight into how to integrate CrowdSec with NGINX. As you can see from the commands above, the process is simple and easy to follow. Security is becoming more important than ever these days, and CrowdSec will improve on this. Above all, always keep your server and NGINX up to date and patched. Also give my other post about integrating CrowdSec with WordPress a read.