Integrate CrowdSec with NGINX

NGINX is a web server and a reverse proxy. It is one of the most popular on the internet because it is fast and can handle a large number of requests with minimal resources. CrowdSec adds a security layer on top of your existing security solutions by leveraging the community. CrowdSec is an open-source, collaborative IPS and can serve as an alternative to Fail2Ban. In this post we will go over the steps to integrate CrowdSec with NGINX to improve your security.

Installing CrowdSec with NGINX

I will assume you already have NGINX installed. Installing CrowdSec is easy: on all major Linux distributions it takes two steps. For the full installation guide, check out the CrowdSec website. Begin by installing the CrowdSec agent on your Linux server. Once the agent is installed, install the CrowdSec bouncer for NGINX. The bouncer is the component that connects NGINX to CrowdSec and applies its blocklist to incoming requests.

Using the cscli command

CrowdSec is managed on the command line with the cscli command. I will explain a couple of the most commonly used subcommands.

Starting with the command to show the configuration:

tizu@nginx01:~$ sudo cscli config show
Global:
   - Configuration Folder   : /etc/crowdsec
   - Data Folder            : /var/lib/crowdsec/data
   - Hub Folder             : /etc/crowdsec/hub
   - Simulation File        : /etc/crowdsec/simulation.yaml
   - Log Folder             : /var/log/
   - Log level              : info
   - Log Media              : file
Crowdsec:
  - Acquisition File        : /etc/crowdsec/acquis.yaml
  - Parsers routines        : 1
cscli:
  - Output                  : human
  - Hub Branch              :
  - Hub Folder              : /etc/crowdsec/hub
Local API Server:
  - Listen URL              : 127.0.0.1:8080
  - Profile File            : /etc/crowdsec/profiles.yaml
  - Trusted IPs:
      - 127.0.0.1
      - ::1
  - Database:
      - Type                : sqlite
      - Path                : /var/lib/crowdsec/data/crowdsec.db
      - Flush age           : 7d
      - Flush size          : 5000

To see all the scenarios CrowdSec will check, run the command below:

tizu@nginx01:~$ sudo cscli scenarios list
SCENARIOS
----------------------------------------------------------------------------------------------------------------------------------------
 NAME                                              ? STATUS   VERSION  LOCAL PATH
----------------------------------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache_log4j2_cve-2021-44228        ✔️  enabled  0.4      /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
 crowdsecurity/f5-big-ip-cve-2020-5902             ✔️  enabled  0.1      /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
 crowdsecurity/fortinet-cve-2018-13379             ✔️  enabled  0.2      /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
 crowdsecurity/grafana-cve-2021-43798              ✔️  enabled  0.1      /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
 crowdsecurity/http-backdoors-attempts             ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
 crowdsecurity/http-bad-user-agent                 ✔️  enabled  0.7      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-crawl-non_statics              ✔️  enabled  0.3      /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
 crowdsecurity/http-cve-2021-41773                 ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
 crowdsecurity/http-cve-2021-42013                 ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
 crowdsecurity/http-generic-bf                     ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/http-open-proxy                     ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-open-proxy.yaml
 crowdsecurity/http-path-traversal-probing         ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
 crowdsecurity/http-probing                        ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-sensitive-files                ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sensitive-files.yaml
 crowdsecurity/http-sqli-probing                   ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-sqli-probing.yaml
 crowdsecurity/http-xss-probing                    ✔️  enabled  0.2      /etc/crowdsec/scenarios/http-xss-probing.yaml
 crowdsecurity/jira_cve-2021-26086                 ✔️  enabled  0.1      /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
 crowdsecurity/pulse-secure-sslvpn-cve-2019-11510  ✔️  enabled  0.2      /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
 crowdsecurity/ssh-bf                              ✔️  enabled  0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/ssh-slow-bf                         ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-slow-bf.yaml
 crowdsecurity/thinkphp-cve-2018-20062             ✔️  enabled  0.3      /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
 crowdsecurity/vmware-vcenter-vmsa-2021-0027       ✔️  enabled  0.1      /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
 ltsich/http-w00tw00t                              ✔️  enabled  0.1      /etc/crowdsec/scenarios/http-w00tw00t.yaml
----------------------------------------------------------------------------------------------------------------------------------------

One of the most important commands shows which decisions CrowdSec has made based on the scenarios and configuration:

tizu@nginx01:~$ sudo cscli decisions list
No active decisions

More information and options for cscli can be found by running cscli without arguments:

tizu@nginx01:~$ cscli
cscli is the main command to interact with your crowdsec service, scenarios & db.
It is meant to allow you to manage bans, parsers/scenarios/etc, api and generally manage you crowdsec setup.

Usage:
  cscli [command]

Available Commands:
  alerts        Manage alerts
  bouncers      Manage bouncers [requires local API]
  capi          Manage interaction with Central API (CAPI)
  collections   Manage collections from hub
  completion    Generate completion script
  config        Allows to view current config
  console       Manage interaction with Crowdsec console (https://app.crowdsec.net)
  dashboard     Manage your metabase dashboard container [requires local API]
  decisions     Manage decisions
  explain       Explain log pipeline
  help          Help about any command
  hub           Manage Hub
  hubtest       Run functional tests on hub configurations
  lapi          Manage interaction with Local API (LAPI)
  machines      Manage local API machines [requires local API]
  metrics       Display crowdsec prometheus metrics.
  parsers       Install/Remove/Upgrade/Inspect parser(s) from hub
  postoverflows Install/Remove/Upgrade/Inspect postoverflow(s) from hub
  scenarios     Install/Remove/Upgrade/Inspect scenario(s) from hub
  simulation    Manage simulation status of scenarios
  version       Display version and exit.

Flags:
  -c, --config string   path to crowdsec config file (default "/etc/crowdsec/config.yaml")
  -o, --output string   Output format : human, json, raw.
      --debug           Set logging to debug.
      --info            Set logging to info.
      --warning         Set logging to warning.
      --error           Set logging to error.
      --trace           Set logging to trace.
  -h, --help            help for cscli

Use "cscli [command] --help" for more information about a command.
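
As an added example (not from the original post), the script below turns the scenarios listing above into a post-install check: it parses the table that `cscli scenarios list` prints and reports which HTTP scenarios an NGINX host depends on are missing or disabled. The required-scenario list and the sample table are constructed assumptions; adjust them to the collections you install.

```shell
#!/bin/sh
# Added example, not from the original post: a post-install check that
# parses the table `cscli scenarios list` prints (same layout as above)
# and reports which HTTP scenarios an NGINX host relies on are not enabled.

# Scenarios to require (assumption: a subset of the hub names listed above;
# adjust to the collections you actually install).
REQUIRED_HTTP_SCENARIOS="crowdsecurity/http-probing
crowdsecurity/http-bad-user-agent
crowdsecurity/http-generic-bf
crowdsecurity/http-sensitive-files"

# Constructed sample of the table, used to exercise the functions offline.
SAMPLE_LISTING='SCENARIOS
-----------------------------------------------------------------------------------------
 NAME                                ? STATUS    VERSION  LOCAL PATH
-----------------------------------------------------------------------------------------
 crowdsecurity/http-probing          ✔️  enabled   0.2      /etc/crowdsec/scenarios/http-probing.yaml
 crowdsecurity/http-bad-user-agent   ✔️  enabled   0.7      /etc/crowdsec/scenarios/http-bad-user-agent.yaml
 crowdsecurity/http-generic-bf          disabled  0.2      /etc/crowdsec/scenarios/http-generic-bf.yaml
 crowdsecurity/ssh-bf                ✔️  enabled   0.1      /etc/crowdsec/scenarios/ssh-bf.yaml
-----------------------------------------------------------------------------------------'

# enabled_scenarios: read the listing on stdin and print the NAME of every
# row whose STATUS starts with "enabled" (also "enabled,tainted"). Header and
# separator rows have no "/" in the first field, so they are skipped.
enabled_scenarios() {
  awk '$1 ~ /\// && $0 ~ /[ \t]enabled([ \t,]|$)/ { print $1 }'
}

# missing_scenarios: read the listing on stdin and print each required
# scenario that is absent or disabled; prints nothing when all are enabled.
missing_scenarios() {
  enabled=$(enabled_scenarios)
  for s in $REQUIRED_HTTP_SCENARIOS; do
    printf '%s\n' "$enabled" | grep -qxF "$s" || printf '%s\n' "$s"
  done
}

# On a real host, run the check against the live listing (cscli may need
# sudo, as in the post). Without cscli present, nothing is executed.
if command -v cscli >/dev/null 2>&1; then
  missing=$(cscli scenarios list | missing_scenarios)
  if [ -n "$missing" ]; then
    echo "HTTP scenarios missing or disabled:" >&2
    printf '%s\n' "$missing" >&2
    exit 1
  fi
  echo "All required HTTP scenarios are enabled."
fi
```

A non-zero exit from this script is a convenient signal for a deployment pipeline that the NGINX collection was not installed or a scenario was switched off.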

Conclusion

I hope this post gives you an insight into how to integrate CrowdSec with NGINX. As you can see from the commands above, the process is simple and easy to follow. Security is becoming more important than ever these days, and CrowdSec helps with this. Above all, always keep your server and NGINX up to date and patched. Also give my other post about integrating CrowdSec with WordPress a read.
