What is CrowdSec and how does it work?

CrowdSec is an open-source and crowd-powered software enabling you to detect & block attacks. While sharing with its user community, you contribute to improve its efficiency and make the Internet safer.

The solution

allows you to detect attacks and respond at all required levels (detect where your logs are, block at CDN or application level)
is easy to install and maintain with no technical requirement. The installer even comes with a wizard duh!
is designed to be integrated with other solutions and components (ie. use CrowdSec to read your mod_security logs and automatically block attackers at your CDN level)

is about sharing : meta-data about the attack/attacker you detect is sent to a central API, and malevolent IPs are shared with all users.
is a lightweight : it runs standalone, doesn’t require much ram or CPU
can work with cold logs: you can run it on “cold” logs and see what could have happened
comes with out of the box dashboards, because we know visualisation is key

Collaborative

Decentralized as of day 1, not affected by Covid crisis.

Open-source

We created several Open source products before

Dynamic

Reputation engine and real time analysis

Secure

Our previous cybersecurity corp was sold in 2016 for tens of millions

01

CrowdSec service

CrowdSec is the open-source and lightweight service that runs in the background, processes logs and keeps track of attacks.

02

CLI

Cscli is the command line interface for humans, it allows you to view, add or remove bans as well as to install, find or update attack scenarios and parsers.

03

Bouncers

Bouncers are part of the CrowdSec full stack integration, they block malevolent traffic, and can be deployed anywhere in your infra / stack.

Downloading and installing the software

How to get started with CrowdSec?

Crowdsec’s main goal is to crunch logs to detect threats. You will find below an introduction to the concepts that are frequently used within the documentation.

Acquisition

Acquistion configuration defines which streams of information CrowdSec is going to process.

It can be files but also any kind of stream, such as a kafka topic or a cloudtrail.

The acquisition configuration always contains a stream (i.e. a file to tail) and a tag (i.e. “these are in syslog format”; “these are non-syslog nginx logs”).

Parsers

For logs to be exploited and analyzed, they need to be parsed and normalized, and this is where parsers are used. In most cases, you should be able to find the relevant parsers on our CrowdSec Hub.

Usually, a parser has a specific scope. For example, if you are using nginx, you will probably want to use the crowdsecurity/nginx-logs which allows your CrowdSec setup to parse nginx’s access and error logs.

You can also write your own one!

Enrichers

Enrichment is the action of adding extra context to an event based on the information we already have, so a better decision can be made later on. In most cases, you should be able to find the relevant enrichers on our CrowdSec Hub.

The most common type of enrichment would be geoip-enrichment of an event (adding information such as: origin country, origin AS and origin IP range to an event).

Once again, you should be able to find the ones you’re looking for on the CrowdSec Hub!

Scenarii

Our ready-to-use scenario database allows you to qualify a specific event (usually an attack). In most cases, you should be able to find the relevant scenarios on our CrowdSec Hub.

While not going into details, a scenario often evolves due to different main triggers. More details can be found here.

You can also write your own one!

Collections

To make your life easier, “collections” are available, which are just a bundle of parsers and scenarios. In this way, if you want to cover basic use-cases of “nginx” for instance, you can just install the crowdsecurity/nginx collection that is composed of crowdsecurity/nginx-logs parser, as well as generic http scenarios such as crowdsecurity/base-http-scenarios.

Again, these can be found on the CrowdSec Hub!

How to install the software?

First, click here to install CrowdSec’s latest version.

tar xvzf crowdsec-release.tgz

cd crowdsec-v0.X.X



WIZARD

A wizard is provided to help you deploy CrowdSec and cscli.

sudo ./wizard.sh -i



BINARY INSTALL

Deploy valid/empty CrowdSec configuration files and binaries.

sudo ./wizard.sh --bininstall



FROM SOURCE

Git clone it https://github.com/crowdsecurity/crowdsec

cd crowdsec && make build

Getting started

CrowdSec Tour

Finding configurations

As stated, Crowdsec efficiency is growing through installed parsers and scenarios. Please take a look at the CrowdSec Hub to find the most relevant ones!





List installed configurations

List installed parsers/scenarios/collections/enrichers. On the machine where you installed CrowdSec, type cscli list to see deployed configurations. This list shows the parsers, scenarios and/or collections that you deployed.

List existing bans

After having installed CrowdSec, type cscli ban list to see existing bans. If you just deployed it, the list might be empty, but don't worry, it simply means you haven't been attacked...yet!





Monitor on-going activity (prometheus)

Displayed metrics are extracted from CrowdSec Prometheus. Key indicators are grouped by scope: buckets, acquisition, parsers.

Monitor on-going activity (log files)

The /var/log/crowdsec.log file will tell you what is going on and when an IP is blocked.
Check CrowdSec monitoring for more!



Our commitment

We’re constantly refining our product

Best Security Tool

2019

Award 2019

Station F Selection

2020

Award 2020

JEI

2020

Award 2020

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor n reprehenderit in voluptate velit esse.