Add support for crowdsec

[StarkZarn]

Summary

I think it would modernize and increase the security of the stack to replace fail2ban with crowdsec. It's and open source replacement that provides crowdsourced threat intelligence and more log parsing support.

Motivation

This would provide additional security, richer data, and stay ahead of the ever-changing security curve.

Additional context

Crowdsec's homepage is https://crowdsec.net/ Github: https://github.com/crowdsecurity/crowdsec/

[klausagnoletti]

I am head of community at CrowdSec. I think it's great that you want integration with CrowdSec :-)

We would love to help out as much as we can.

Please come to our Discord community to discuss this further. Also please elaborate a bit on how it would make sense to integrate as we don't really know that much about mailcow (yet! :-).

[DerLinkman]

Hey :)

Your product sounds cool! But as i´m not the main developer or operator of this project i can´t decide that on my own how and where to implement.

We´ll keep you up to date :)

[vacumet]

I'm writing a blog post how to make this possible (crowdsec installed on the host and reading the logs from nginx, postfix and soon dovecot). The only thing stopping me from reading the dovecot-logs are somehow related to the tty: yes parameter on the docker container. The issue is reported at the crowdsec github. After that bug is squashed i will finalize the blogpost at https://blog.vacum.se :)

[andryyy]

Hey, to begin with: we don't use "Fail2ban" but our own interpretation of it. Yes, I see it is a bit confusing. :) Fail2ban would have been too huge for our use case so we simply wrote something similar/more tiny to read a Redis stream of logs for patterns and run actions on hits.

CrowdSec looks very nice, I will check it out for myself, too. I think it is a tool too powerful to "just attach" to mailcow for people to carry with them and forget they actually have it. It is a tool you should from time to time care about and check some cli commands here and there.

There should be a guide how to protect mailcow with CrowdSec (and at that point thanks to @vacumet ! :)). Perhaps we can tune mailcow at some points to make it easier for CrowdSec to work with mailcow.

Easiest seems to be to read Dockers stdout stream, while that will only work as long as an admin did not setup another Docker log driver.

Or, another approach: Setup journald as log driver for Docker (yeah, not good either) and feed CrowdSec via journald and a filter:

{
  "ipv6":true,
  "fixed-cidr-v6":"fd00:dead:beef:c0::/80",
  "experimental":true,
  "ip6tables":true,
  "log-driver": "journald"
}

crowdsec -type syslog -dsn journalctl://filters=CONTAINER_NAME=CONTAINER_NAME=mailcowdockerized_nginx-mailcow_1&filters=CONTAINER_NAME=CONTAINER_NAME=mailcowdockerized_postfix-mailcow_1&filters=CONTAINER_NAME=mailcowdockerized_dovecot-mailcow_1

It's something.

[vacumet]

Thank you @andryyy I will try that on my setup. I try not to modify my mailcow setup as local modifications often can cause problems when doing upgrades :)

[vacumet]

The bugfix in crowdsec is done and will be available in a future version: https://github.com/crowdsecurity/crowdsec/pull/1422/files No need to modify mailcow. Blog post will be released when the new version of crowdsec is released

[andryyy]

Nice!

[StarkZarn]

The bugfix in crowdsec is done and will be available in a future version: https://github.com/crowdsecurity/crowdsec/pull/1422/files No need to modify mailcow. Blog post will be released when the new version of crowdsec is released

Looks like the last release fixed this. All my logs are being parsed now. :+1:

[daygle]

@vacumet Thanks so much for creating that blog about mailcow and crowdsec. I just wanted to reach out to you as I am experiencing differing behaviour when running/setting up.

cscli parsers inspect crowdsecurity/nginx-logs I only see nginx in the list.

That said when starting I see the other start and appear to be running.

Any suggestions?

[daygle]

Oh hang on, looking further by running 'cscli parsers inspect crowdsecurity/syslog-logs' I see the below:-

@vacumet maybe this is correct? We might need to update the blog?

[williamdes]

I just made CrowdSec work yesterday using https://github.com/docker-mailserver/docker-mailserver The mail.log file has dovecot and postfix log so that's enough

See docker-compose: https://github.com/datacenters-network/mails/blob/24a3e3df7f471a90e319b62748c309272735f16c/docker-compose.yml#L261-L284

[daygle]

Thanks @williamdes .

@andryyy and @vacumet are you able to suggest the recommended way to configure mailcow and CrowdSec - @williamdes way is much different to what was documented on the blog.

[williamdes]

Thanks @williamdes .

@andryyy and @vacumet are you able to suggest the recommended way to configure mailcow and CrowdSec - @williamdes way is much different to what was documented on the blog.

And it's very easy, just provide the log file to the CrowdSec instance and

cscli collections install crowdsec/postfix
cscli collections install crowdsec/dovecot

I also mount some custom scenarios and parsers (that I will probably upstream): https://github.com/datacenters-network/mails/tree/24a3e3df7f471a90e319b62748c309272735f16c/crowdsec

[daygle]

@williamdes are you able to document the steps from start to finish? This will help myself and others.

[williamdes]

@williamdes are you able to document the steps from start to finish? This will help myself and others.

For sure here is my blog post for pfsense https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/

I will consider writing a blog post on this for docker mailserver Does someone have a docker compose example of this project that works?

[VermiumSifell]

I think this can be implemented aswell as netfilter (which I personally think should be replaced with Fail2ban, since it's more widely used) @DerLinkman

[andryyy]

"Because it is widely used" does not mean it is a drop-in replacement. The nf implementation isn’t any package at all but a simple as heck implementation of a ban mechanism that is controllable via and integrated into the UI.

It would also mean to carry another third party application for something that is so simple.

No...

[riwin]

I think its too simple...scripts are getting better and better and learn to avoid getting banned...i dont get any machine banned since they tune their timing to get around that...i think mailcow needs a much more complex mechanism to ban hosts.

[calvinthefreak]

Maybe would be a good Idea, so it would stop such shit here:

And no, my Mailserver is only used by me and my brother for Personal use, so I am not sure, but it's very infrequently used from 3rd parties (receiving mails)

[williamdes]

It can stop all attacks that are:

• repeating on the same ip/network
• provide you a list to use on your firewall to block all already know bad actors https://blog.williamdes.eu/Infrastructure/tutorials/install-crowdsec-and-bouncer-on-pfsense/
• About what I just said, other people built such lists. See https://iplists.firehol.org/
• I built such lists:
  • https://github.com/datacenters-network/security/blob/main/bad-ips.txt
  • https://github.com/datacenters-network/security/blob/main/bad-networks.txt

Until now I found no tool that manages to block attacks from changing IPs that are not already well known to do attacks

[Kofl]

I am using crowdsec since its first release and love it. It also works fine with mailcow as outlined here. But I also must agree with @andryyy that it increases the overall complexity of the stack. A note that crowdsec as solution for mailcow is available in the documentation and link here would be great (without any liability or support)

[andryyy]

It is indeed still a very cool solution for spam fighting. :)

[williamdes]

It is indeed still a very cool solution for spam fighting. :)

It's not technically for spam but indeed it could be if you have some log of received spams by IP That's actually an interesting idea to test CrowdSec only parses log files

[thematrixdev]

@vacumet I have read your blog and Googled this thread. You have mentioned in the blog that Crowdsec did not read Dovecot logs and awaiting to be fixed. And in this thread you mentioned it was fixed. Running sudo cscli parsers inspect crowdsecurity/nginx-logs on my server, only nginx is shown:

type: parsers
stage: s01-parse
name: crowdsecurity/nginx-logs
filename: nginx-logs.yaml
description: Parse nginx access and error logs
author: crowdsecurity
belongs_to_collections:
- crowdsecurity/nginx
remote_path: parsers/s01-parse/crowdsecurity/nginx-logs.yaml
version: "1.4"
local_path: /etc/crowdsec/parsers/s01-parse/nginx-logs.yaml
localversion: "1.4"
localhash: ffd447fc906aa86bc3fa4c352d0d0829074c999d9f5257c6a20728c58a237e3a
installed: true
downloaded: true
uptodate: true
tainted: false
local: false

Current metrics : 

 - (Parser) crowdsecurity/nginx-logs:
╭──────────────────────────────────────────┬──────┬────────┬──────────╮
│                 Parsers                  │ Hits │ Parsed │ Unparsed │
├──────────────────────────────────────────┼──────┼────────┼──────────┤
│ docker:mailcowdockerized-nginx-mailcow-1 │ 2077 │ 2045   │ 32       │
╰──────────────────────────────────────────┴──────┴────────┴──────────╯

And I am still getting tons of suspicious access:

So it seems to be not working correctly? Is there any update after your first writing of your blog?

Thanks.

[martinjgrunwald]

@thematrixdev I am getting requests from exactly the same IP addresses. And none of this is caught by crowdsec 😕

[semaf]

I am head of community at CrowdSec. I think it's great that you want integration with CrowdSec :-)

We would love to help out as much as we can.

Please come to our Discord community to discuss this further. Also please elaborate a bit on how it would make sense to integrate as we don't really know that much about mailcow (yet! :-).

How did the guys of crowdsec managed to jump from a free plan to $2,500 a month :) https://www.crowdsec.net/pricing

[Kofl]

How did the guys of crowdsec managed to jump from a free plan to $2,500 a month :)

Luckly you can also run in locally in your own docker stack - probably they are mainly billing for premium blocklists and their Enterprise SaaS console