This is a translation of the original article published in Italian on Marvin Pascale’s Blog.
Web application security is a critical concern for system administrators and developers, especially as cyber threats continue to evolve in complexity and sophistication.
The CrowdSec AppSec Component is an advanced, collaborative solution for mitigating web-based attacks, transforming the CrowdSec Security Engine from a classic IDPS to a full-fledged Web Application Firewall (WAF).
The AppSec Component extends the CrowdSec framework to provide proactive protection against threats such as SQL injection (SQLi), Cross-Site Scripting (XSS), Local File Inclusion (LFI), Remote Code Execution (RCE), and other common web attack classes.
In this article, I will walk you through integrating and configuring the AppSec Component with Nginx on Debian 12, using the dedicated Remediation Component to filter and block malicious requests.
If you want to learn more about the CrowdSec WAF and its benefits over other traditional WAF solutions, I recommend you read this article: 3 Reasons to Handle Your Application Security with CrowdSec WAF.
Installing the CrowdSec Security Engine and the AppSec Component
Without any further ado, let’s dive right into the actual tutorial.
First, make sure the Security Engine is installed and running. The install script only adds the CrowdSec package repository to APT; the second command installs the Security Engine itself.
curl -s https://install.crowdsec.net | sh
apt install crowdsec -y
And verify that the service is active.
systemctl status crowdsec
Once confirmed, proceed with the installation of the AppSec Component.
Installing the AppSec Component
Download and activate the necessary rule collections for virtual patching and application security.
cscli collections install crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
systemctl reload crowdsec
You can find the full list of AppSec configurations and rules inside the CrowdSec Hub.
Configuring the AppSec Component
Create the configuration directory.
mkdir -p /etc/crowdsec/acquis.d/
Within this directory, create the file /etc/crowdsec/acquis.d/appsec.yaml with the following content:
appsec_config: crowdsecurity/appsec-default
labels:
  type: appsec
listen_addr: 127.0.0.1:7422
source: appsec
This configuration sets up the AppSec Component to listen on 127.0.0.1:7422 using the crowdsecurity/appsec-default configuration from the Hub. Because it binds to the loopback address, only Remediation Components running on the same host can reach it; this is the address the Nginx Remediation Component will forward requests to for inspection.
Apply the changes by restarting the service.
systemctl restart crowdsec
Integrating with Nginx
If you are not that familiar with the CrowdSec concepts yet, the Remediation Components (previously known as bouncers) are responsible for enforcing blocking decisions. An extensive catalog of Remediation Components is available on the CrowdSec Hub that can fit almost every scenario imaginable!
For our tutorial here, I will install the Nginx Remediation Component with the following commands:
apt install nginx lua5.1 libnginx-mod-http-lua luarocks gettext-base lua-cjson -y
apt install crowdsec-nginx-bouncer -y
If the installation succeeds, check that an API key has been configured: on Debian the package registers itself with the Local API during installation. If the key is missing, generate one manually and copy the key that the command prints.
cscli bouncers add nginx
Update the Remediation Component configuration file /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf with the following parameters (API_KEY takes the key printed by cscli bouncers add):
API_URL=127.0.0.1:8080
API_KEY=
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
MODE=stream
REQUEST_TIMEOUT=1000
APPSEC_URL=http://127.0.0.1:7422
APPSEC_FAILURE_ACTION=passthrough
APPSEC_CONNECT_TIMEOUT=100
APPSEC_SEND_TIMEOUT=100
APPSEC_PROCESS_TIMEOUT=1000
ALWAYS_SEND_TO_APPSEC=false
SSL_VERIFY=true
After configuring the Remediation Component, restart Nginx to apply the changes. Two settings deserve a second look before you do. APPSEC_FAILURE_ACTION=passthrough means that a request is served anyway if the AppSec Component is unreachable or exceeds the APPSEC_* timeouts (values are in milliseconds); this fails open, so set it to deny if you would rather fail closed. And API_KEY must contain the key from cscli bouncers add, otherwise the Remediation Component cannot talk to the Local API at all.
systemctl restart nginx
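Before restarting Nginx it is worth checking the settings that decide whether the WAF fails open. The script below is an added example, not code from the article or from CrowdSec: it reads a crowdsec-nginx-bouncer.conf, flags an empty API_URL or API_KEY and a missing APPSEC_URL as errors, and warns about APPSEC_FAILURE_ACTION=passthrough and SSL_VERIFY=false. The configuration it checks at the end is constructed for the demo, with a placeholder in place of a real key.

```shell
#!/bin/sh
# Added example (not from the article or CrowdSec): lint a
# crowdsec-nginx-bouncer.conf before restarting Nginx.

# Print the value of KEY from a KEY=VALUE config file (first match, quotes stripped).
conf_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | tr -d '\r"'
}

# Report problems with the settings that decide whether the bouncer can reach
# the Local API and what happens when the AppSec Component is unavailable.
# Prints one line per finding; the return value is the number of hard errors.
check_bouncer_conf() {
    conf="$1"
    errors=0

    if [ -z "$(conf_get "$conf" API_URL)" ]; then
        echo "ERROR: API_URL is empty; the bouncer cannot reach the Local API"
        errors=$((errors + 1))
    fi

    if [ -z "$(conf_get "$conf" API_KEY)" ]; then
        echo "ERROR: API_KEY is empty; run 'cscli bouncers add nginx' and paste the key"
        errors=$((errors + 1))
    fi

    appsec_url=$(conf_get "$conf" APPSEC_URL)
    case "$appsec_url" in
        http://*|https://*) ;;
        *)
            echo "ERROR: APPSEC_URL='$appsec_url' is not a URL; expected e.g. http://127.0.0.1:7422"
            errors=$((errors + 1))
            ;;
    esac

    case "$(conf_get "$conf" APPSEC_FAILURE_ACTION)" in
        deny) ;;
        passthrough)
            echo "WARN: APPSEC_FAILURE_ACTION=passthrough fails open: requests are served when the AppSec Component is down or times out"
            ;;
        *)
            echo "ERROR: APPSEC_FAILURE_ACTION must be passthrough or deny"
            errors=$((errors + 1))
            ;;
    esac

    if [ "$(conf_get "$conf" SSL_VERIFY)" = "false" ]; then
        echo "WARN: SSL_VERIFY=false disables certificate verification towards the Local API"
    fi

    return "$errors"
}

# Constructed sample: the tutorial's settings with a placeholder key (not a real key).
sample=$(mktemp)
cat > "$sample" <<'EOF'
API_URL=127.0.0.1:8080
API_KEY=PLACEHOLDER_FROM_cscli_bouncers_add
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
MODE=stream
APPSEC_URL=http://127.0.0.1:7422
APPSEC_FAILURE_ACTION=passthrough
SSL_VERIFY=true
EOF
check_bouncer_conf "$sample" || echo "hard errors: $?"
rm -f "$sample"
```

Run it as check_bouncer_conf /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf on the real file; a non-zero exit means the bouncer would start without being able to enforce anything, while the passthrough warning is a deliberate trade-off you should make knowingly.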
Verifying protection
To validate the configuration, simulate an attack by requesting a sensitive file.
curl -I http://[SERVER_IP]/.env
Then, check the Security Engine metrics to ensure the request was detected and blocked.
cscli metrics show appsec
Here’s the output you should expect to see:
╭───────────────────────────────────────╮
│ Appsec Metrics                        │
├─────────────────┬───────────┬─────────┤
│ Appsec Engine   │ Processed │ Blocked │
├─────────────────┼───────────┼─────────┤
│ 127.0.0.1:7422/ │         1 │       1 │
╰─────────────────┴───────────┴─────────╯
If you see that suspicious requests are intercepted and blocked, the AppSec Component is successfully deployed and actively protecting your web application in real time.
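Rather than reading the metrics table by eye, the check can be scripted. The following is an added example, not the article's or CrowdSec's code: appsec_counter pulls the Processed or Blocked count for one listener out of the output of cscli metrics show appsec, and verify_appsec snapshots the Blocked counter, sends the /.env probe and confirms both that the response was a 403 and that the counter moved. It assumes the Remediation Component's default 403 ban response and the listener name exactly as cscli prints it (127.0.0.1:7422/). The table at the end is a constructed copy of the expected output so the parser can be exercised without a running server.

```shell
#!/bin/sh
# Added example (not from the article or CrowdSec): script the WAF smoke test.

# Read `cscli metrics show appsec` output on stdin and print the Processed or
# Blocked count for one listener. A data row looks like:
#   │ 127.0.0.1:7422/ │ 1 │ 1 │
# Prints 0 when the listener has no row yet (no request has reached it).
appsec_counter() {
    # $1 = listener as printed by cscli (e.g. 127.0.0.1:7422/), $2 = processed|blocked
    case "$2" in
        processed) col=3 ;;
        blocked)   col=4 ;;
        *) echo "usage: appsec_counter LISTENER processed|blocked" >&2; return 2 ;;
    esac
    # Box-drawing bars are multi-byte; turn them into ASCII pipes before splitting.
    n=$(sed 's/│/|/g' | grep -F -- "$1" | awk -F'|' -v c="$col" '{ gsub(/[^0-9]/, "", $c); print $c }')
    echo "${n:-0}"
}

# Live check against a protected site. Needs a running Security Engine with the
# Nginx Remediation Component in front of the site; assumes the default 403 ban page.
verify_appsec() {
    # $1 = base URL of the site, $2 = listener (default 127.0.0.1:7422/)
    listener="${2:-127.0.0.1:7422/}"
    before=$(cscli metrics show appsec | appsec_counter "$listener" blocked)
    status=$(curl -s -o /dev/null -w '%{http_code}' "$1/.env")
    after=$(cscli metrics show appsec | appsec_counter "$listener" blocked)
    if [ "$status" = "403" ] && [ "$after" -gt "$before" ]; then
        echo "OK: /.env probe returned 403, Blocked went $before -> $after"
        return 0
    fi
    echo "FAIL: /.env probe returned HTTP $status, Blocked went $before -> $after"
    return 1
}

# Constructed sample: the table the article shows after the first blocked probe.
sample_metrics='╭───────────────────────────────────────╮
│ Appsec Metrics                        │
├─────────────────┬───────────┬─────────┤
│ Appsec Engine   │ Processed │ Blocked │
├─────────────────┼───────────┼─────────┤
│ 127.0.0.1:7422/ │         1 │       1 │
╰─────────────────┴───────────┴─────────╯'

echo "blocked so far: $(printf '%s\n' "$sample_metrics" | appsec_counter 127.0.0.1:7422/ blocked)"
# Against a real deployment: verify_appsec http://[SERVER_IP]
```

A probe that comes back 200 with an unchanged counter usually means the request never reached the AppSec Component (wrong APPSEC_URL, or the Lua module not loaded), whereas a 403 with an unchanged counter points at an IP-level ban from an earlier test rather than WAF inspection.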
Wrapping up
Integrating the CrowdSec AppSec Component with Nginx to use your Security Engine as a WAF provides dynamic and proactive protection against modern web threats, leveraging a collaborative security model to stay ahead of attackers.
With virtual patching and adaptable rule sets, the CrowdSec WAF offers efficient, scalable, and constantly updated security for web applications, ensuring resilience against evolving attack vectors with minimal performance impact.