#fail2ban

russ@diasp.org

I've been using CrowdSec for a few weeks now and it's pretty good, if occasionally a little rough round the edges. I particularly like the console which gives nice visualisations and stats on attack types, countries, ASNs, targets and so on. Dual running with fail2ban, CrowdSec didn't miss any of the usual SSH brute force attempts (in fact it seems to pick up more, out of the box) and the shared community blocklist (currently 11k IPs) is a killer feature.

I haven't turned off fail2ban entirely only because CrowdSec doesn't yet have collections for exim and sendmail - if nobody else adds them I might contribute them myself when time permits. However there's out-of-the-box setup for lots of other common server apps. The installer does a reasonable job of detecting what's running and configuring it for you on first install, and you can install more collections with a single command.

It's worth remembering to update collections from the hub regularly as new attack detections are periodically added. That's just a couple of commands with cscli, the provided CLI client, which is the main way of seeing what it's doing and configuring it. I've made a few manual tweaks to the config (YAML) to match my setup (log file locations, and ignoring my own IPs for safety) and that's it.

#CrowdSec #fail2ban #sysadmin

mlansbury@despora.de

CrowdSec - The open-source & collaborative IPS

The quantity of pre-detected IPs which are identified as aggressive & dangerous has increased dramatically as CrowdSec continues to be put into use by more and more individuals and organisations.

CrowdSec is OpenSource, free and also offers professional services for organisations which feel they need to pay in order for OpenSource to be OK to use.

Collaborative Security

"Our strength comes from our cybersecurity community that is burning cybercriminals’ anonymity. By sharing IP addresses that aggressed you, you help us curate and redistribute a qualified IP blocklist to protect everyone."

https://crowdsec.net/

#security #privacy #WordPress #Drupal #Internet #OpenSource #CrowdSec #server #protection #Fail2Ban

utzer@social.yl.ms

I have a #question about #fail2ban, #YunoHost and #SSH, of course running on a #Linux host.

I get this diagnosis mail daily (or more frequently) with failed login attempts via SSH (see message below). I think it is not unusual to have many failed login attempts; I checked that fail2ban is running. On other servers I get one failed login per second, I don't run fail2ban on these (as I don't give a fuck, hackers can just switch through #tor circuits to not get banned).

So I also run some #Tor exit and the SSH login attempt with wrong user/password is the most common abuse complaint I get there. (Note: Please do not send out abuse complaints for this or filter out Tor Exits, there are blacklists that contain all Exits. It is just your ticket system talking to my ticket system offering to block access to your server's IP, which would not help to solve your problem anyway)

So what do I do about the failed logins, why is YunoHost's threshold so low that it complains about that?

Should I switch to a non-standard port? Login by SSH is only allowed key based, so guessing the password would not work.

What do I do?

Message:

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.
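A defender's view of what the sshd jail does with those failures, as an added example that is not from any of the posts above: it counts failures per source inside a sliding findtime window, bans a source once it reaches maxretry, and never bans addresses on an ignoreip list (the "ignoring my own IPs" tweak from the first post). The jail values, the sample log lines and all IP addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed jail settings, modelled on fail2ban's sshd jail knobs
MAXRETRY = 5                         # failures before a ban
FINDTIME = timedelta(seconds=600)    # window in which failures are counted
# Own addresses that must never be banned (constructed, like fail2ban's ignoreip)
IGNOREIP = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "203.0.113.0/24")]
# Common sshd failure lines; timestamp is ISO-style, as rsyslog/journald can emit
FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey|none) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log: a fast brute-forcer, one of our own hosts, and a slow prober
SAMPLE_LOG = [
    "2024-05-01T10:00:01 host sshd[1201]: Invalid user admin from 198.51.100.7 port 51002",
    "2024-05-01T10:00:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2",
    "2024-05-01T10:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51010 ssh2",
    "2024-05-01T10:00:09 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 51020 ssh2",
    "2024-05-01T10:00:12 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 51030 ssh2",
    "2024-05-01T10:00:20 host sshd[1300]: Failed password for root from 203.0.113.9 port 40000 ssh2",
    "2024-05-01T10:00:21 host sshd[1300]: Failed publickey for root from 203.0.113.9 port 40000 ssh2",
] + [  # five failures from 192.0.2.5 spaced 20 minutes apart: never MAXRETRY inside FINDTIME
    f"2024-05-01T{10 + i // 3:02d}:{(i * 20) % 60:02d}:30 host sshd[14{i}0]: Failed password for root from 192.0.2.5 port 33000 ssh2"
    for i in range(5)
]

def is_ignored(ip):
    """True if the source address falls inside an ignoreip network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNOREIP)

def offenders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: ban_time} for sources reaching maxretry failures inside findtime.
    Lines are assumed to be in chronological order for each source."""
    recent, banned = defaultdict(list), {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or is_ignored(m["ip"]) or m["ip"] in banned:
            continue
        ts = datetime.fromisoformat(m["ts"])
        # keep only hits still inside the sliding window, then add this one
        recent[m["ip"]] = [t for t in recent[m["ip"]] if ts - t <= findtime] + [ts]
        if len(recent[m["ip"]]) >= maxretry:
            banned[m["ip"]] = ts
    return banned
```

Run against the sample, only the fast brute-forcer is banned; the own-host failures are skipped by the ignore list and the slow prober never accumulates five hits inside the ten-minute window, which is the same reason a jail can be running correctly while a daily diagnosis still counts many failures.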