A behavior-based security engine…
CrowdSec is a behavior & reputation-based security engine, designed to protect any exposed resource on the Internet, servers, containers, VMs, IoT objects, etc.
Installation is quick and wizard-assisted. The software is currently in a production-grade state, and runs in many places, including hosting companies.
The agent parses logs from various data sources and applies heuristic scenarii to identify aggressive behavior and protect you against most attack classes. Cyber threats like credential stuffing, web or port scans, credentials brute-force (ssh / FTP / remote desktop / telnet), and many others are easy to defeat with CrowdSec. Written in Golang, the Agent uses an advanced grammar to allows complex or subtle treatments. The choice of Golang will allow us to port it to other platforms like Windows or MacOS.
… building a global IP reputation engine
The real endgame is to harness the power of the Crowd to have each other’s back.
While your agent is blocking aggressive IP, it can also share them with the global network. The community then gets fed with your spottings and you also benefit from the community ones in return. The goal is to create the most accurate and complete IP reputation database. Together we create a real-time IP reputation system that benefits all of our community members. So far, it gathers and maintains a fresh (less than 72 hours) list of 100 000 malevolent IPs addresses.
The consensus database (which stores aggressive IPs) includes a native anti-false-positive and anti-poisoning system. API oriented from day 1, our goal is to make it usable anywhere (infra, code, app, framework, libs, etc.). Last but not least, it has also been designed to be GDPR compliant and privacy respectful.
Born in the Cloud, thought for the Cloud
To adapt to modern architectures, CrowdSec uses a decoupled approach “detect here, remedy there”. For example, if it detects an attack directed toward your database, it could remediate it on your firewall. To date, Netfilter (with an Ipset), Cloudflare, Nginx & WordPress are supported. We work on new ones like Captcha, MFA, throttling, limiting access to some folders or features, etc.
If you decide to write Datasource connectors, log parsers, scenarios, you can share them on the community hub. The scenario grammar (YAML) is very versatile and allows for a lot of creativity. ie: If someone is hammering a webpage that takes a lot of CPU to generate, you can throttle. If an IP is port scanning, web scanning, and brute-forcing, you could consider it’s a targeted attack and not an opportunistic one and apply different remediation.
Fully Open-Source& Free
CrowdSec, the behavior & reputation-based security engine, is based on an MIT license and is open to contributions.
Don’t hesitate to reach out to us through our Website, GitHub, or interact directly with the team on our Gitter, we’ll be glad to help.