joglomedia / LEMPer

LEMPer Stack is terminal-based LEMP / LNMP ( Linux, Nginx, MariaDB, PostgreSQL, MongoDB, Redis, Memcache, PHP, Secure FTP ) auto installer and virtual host manager for Debian & Ubuntu cloud or virtual server (vps) and on-premise (bare metal).
https://lemper.cloud/
GNU General Public License v3.0

[NFR] Add CrowdSec as a "Modern" alternative to Fail2ban #119

Open joglomedia opened 2 years ago

joglomedia commented 2 years ago

Describe the Issue / Bug

Add CrowdSec as a replacement / alternative to Fail2ban for the intrusion detection system.

https://crowdsec.net/

Installing CrowdSec

https://doc.crowdsec.net/docs/getting_started/install_crowdsec

joglomedia commented 2 years ago

Sample installation:

https://opensource.com/article/21/1/crowdsec-rest-api

joglomedia commented 9 months ago

Enable SQLite WAL

Insert the following line in /etc/crowdsec/config.yaml, section db_config:

```yaml
use_wal: true
```

Then restart CrowdSec using `systemctl restart crowdsec`.

https://discourse.crowdsec.net/t/warning-sqlite-without-wal-and-cannot-update-community-blocklist/1042/2

joglomedia commented 9 months ago

Exclude / whitelist a known ISP (e.g. Indihome)

```sh
sudo cscli collections install crowdsecurity/whitelist-good-actors
sudo cscli parsers install crowdsecurity/geoip-enrich
sudo cscli postoverflows install crowdsecurity/rdns
```

Create a new config file:

```sh
sudo nano /etc/crowdsec/postoverflows/s01-whitelist/isp_indihome_whitelists.yaml
```

Add the following:

```yaml
name: lemper/isp_indihome_whitelists
description: "Whitelist events from known ISP ipv4 addresses"
whitelist:
  reason: "Known ISP ipv4 ranges AS7713 (PT Telekomunikasi Indonesia)"
  expression:
    - evt.Enriched.ASNNumber == "7713"
    - evt.Enriched.ASNNumber == "AS7713"
```

`evt.Enriched.ASNNumber`, `evt.Enriched.ASNOrg`