Convert Figma logo to code with AI

crowdsecurity logocrowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.

8,919
462
8,919
188

Top Related Projects

11,985

Daemon to ban hosts that cause multiple authentication errors

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

Quick Overview

CrowdSec is an open-source and collaborative security engine designed to protect servers, services, containers, and applications from malicious activities. It analyzes logs and generates security decisions using a behavior-based IP reputation engine, leveraging the power of the crowd to create a real-time global IP reputation database.

Pros

  • Community-driven approach for better threat detection and mitigation
  • Lightweight and easy to deploy across various environments
  • Supports multiple services and platforms out of the box
  • Extensible through scenarios, parsers, and bouncers

Cons

  • Requires log sources to function effectively
  • May generate false positives in certain scenarios
  • Learning curve for creating custom scenarios and parsers
  • Limited effectiveness against sophisticated attacks that don't rely on IP-based patterns

Getting Started

To get started with CrowdSec, follow these steps:

  1. Install CrowdSec:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get install crowdsec
  1. Enable and start the CrowdSec service:
sudo systemctl enable crowdsec
sudo systemctl start crowdsec
  1. Check the status and logs:
sudo cscli metrics
sudo cscli decisions list
sudo tail -f /var/log/crowdsec.log
  1. Install a bouncer (e.g., firewall-bouncer):
sudo apt-get install crowdsec-firewall-bouncer-iptables
  1. Configure the bouncer and restart services:
sudo systemctl enable crowdsec-firewall-bouncer
sudo systemctl start crowdsec-firewall-bouncer
sudo systemctl restart crowdsec

For more detailed instructions and advanced configurations, refer to the official CrowdSec documentation.

Competitor Comparisons

11,985

Daemon to ban hosts that cause multiple authentication errors

Pros of Fail2ban

  • Lightweight and easy to set up
  • Extensive configuration options for custom rules
  • Well-established with a large user base and community support

Cons of Fail2ban

  • Limited to log-based detection
  • Lacks centralized management for multiple servers
  • No built-in threat intelligence sharing

Code Comparison

Fail2ban (Python):

class Jail(JailThread):
    def __init__(self, name, backend):
        super(Jail, self).__init__(name)
        self.__db = None
        self.__filter = None
        self.__actions = []

CrowdSec (Go):

type Acquisition struct {
    Filename string   `yaml:"filename"`
    Labels   []string `yaml:"labels"`
    Mode     string   `yaml:"mode"`
    Format   string   `yaml:"format"`
}

CrowdSec offers a more modern approach to intrusion prevention, focusing on collaborative security and centralized management. It provides real-time threat intelligence sharing and a wider range of detection methods beyond log analysis. However, Fail2ban remains a solid choice for simpler setups and users who prefer fine-grained control over rules and actions. CrowdSec's code structure reflects its modular design and support for various data sources, while Fail2ban's code emphasizes its flexibility in defining jails and actions.

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

Pros of OSSEC-HIDS

  • More mature project with a longer history and larger user base
  • Offers file integrity monitoring and rootkit detection
  • Supports a wider range of operating systems, including legacy systems

Cons of OSSEC-HIDS

  • Less frequent updates and slower development cycle
  • More complex setup and configuration process
  • Steeper learning curve for new users

Code Comparison

OSSEC-HIDS (C):

void OS_CleanMSG(char *msg)
{
    char *tmp_str;
    char *valid_str;
    int size;
    tmp_str = msg;
    valid_str = msg;
    size = strlen(msg);

CrowdSec (Go):

func (c *APIClient) GetDecisions(filter *Decision) ([]Decision, error) {
	decisions := []Decision{}
	params := url.Values{}
	if filter != nil {
		params = filter.ToURLParams()
	}

Both projects use different programming languages, with OSSEC-HIDS primarily written in C and CrowdSec in Go. This affects performance, maintainability, and ease of contribution. OSSEC-HIDS's C codebase may offer better performance but can be more challenging to maintain, while CrowdSec's Go code is more modern and potentially easier to work with for many developers.

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

Pros of ModSecurity

  • Mature and widely adopted Web Application Firewall (WAF)
  • Extensive rule set with OWASP Core Rule Set (CRS)
  • Integrates well with popular web servers like Apache and Nginx

Cons of ModSecurity

  • Can be complex to configure and maintain
  • May introduce performance overhead, especially with large rule sets
  • Requires manual rule updates and tuning

Code Comparison

ModSecurity (example rule):

SecRule REQUEST_HEADERS:User-Agent "@contains bad-bot" \
    "id:1000,\
    phase:1,\
    deny,\
    status:403,\
    msg:'Bad bot detected'"

CrowdSec (example scenario):

type: leaky
name: bad-bot-detection
description: Detect and block bad bots
filter: evt.Meta.log_type == 'access-log' && evt.Parsed.user_agent contains 'bad-bot'
leakspeed: 10s
capacity: 5
blackhole: 1m
labels:
  service: http

CrowdSec focuses on collaborative security and uses a different approach to detect and mitigate threats. It's designed to be more user-friendly and community-driven, with automatic updates and a simpler configuration process. However, ModSecurity offers more granular control and a broader set of pre-existing rules, making it suitable for organizations with specific security requirements and the resources to manage a complex WAF setup.

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

Pros of Suricata

  • More mature and established project with a larger community
  • Extensive rule set and support for complex detection scenarios
  • High-performance packet processing and multi-threaded architecture

Cons of Suricata

  • Steeper learning curve and more complex configuration
  • Higher resource consumption, especially for high-speed networks
  • Requires more manual tuning and optimization for optimal performance

Code Comparison

Suricata rule example:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential SQL Injection"; content:"SELECT"; nocase; http_uri; sid:1000001; rev:1;)

CrowdSec scenario example:

type: leaky
name: sql_injection
description: Detect SQL injection attempts
filter: evt.ParsedLine.program == 'nginx'
leakspeed: 10s
capacity: 5
groupby: evt.Meta.source_ip
blackhole: 1m

Both projects offer powerful security capabilities, but Suricata focuses on deep packet inspection and intrusion detection, while CrowdSec emphasizes collaborative threat intelligence and easier deployment. Suricata provides more granular control over detection rules, while CrowdSec offers a more user-friendly approach to threat mitigation.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

CrowdSec




Go Reference

:computer: Console (WebApp) :books: Documentation :diamond_shape_with_a_dot_inside: Configuration Hub :speech_balloon: Discourse (Forum) :speech_balloon: Discord (Live Chat)

:dancer: This is a community-driven project, we need your feedback.

<TL;DR>

CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.

2 mins install

Installing it through the Package system of your OS is the easiest way to proceed. Otherwise, you can install it from source.

From package (Debian)

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt-get update
sudo apt-get install crowdsec

From package (rhel/centos/amazon linux)

curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.rpm.sh | sudo bash
sudo yum install crowdsec

From package (FreeBSD)

sudo pkg update
sudo pkg install crowdsec

From source

wget https://github.com/crowdsecurity/crowdsec/releases/latest/download/crowdsec-release.tgz
tar xzvf crowdsec-release.tgz
cd crowdsec-v* && sudo ./wizard.sh -i

:information_source: About the CrowdSec project

Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier of entry and nevertheless a high security gain.

The architecture is as follows :

CrowdSec

Once an unwanted behavior is detected, deal with it through a bouncer. The aggressive IP, scenario triggered and timestamp are sent for curation, to avoid poisoning & false positives. (This can be disabled). If verified, this IP is then redistributed to all CrowdSec users running the same scenario.

Outnumbering hackers all together

By sharing the threat they faced, all users are protecting each-others (hence the name Crowd-Security). Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyze logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.

CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted for most contexts, but you can easily extend it by picking more of them from the HUB. It is also easy to adapt an existing one or create one yourself.

:point_right: What it is not

CrowdSec is not a SIEM, storing your logs (neither locally nor remotely). Your data are analyzed locally and forgotten.

Signals sent to the curation platform are limited to the very strict minimum: IP, Scenario, Timestamp. They are only used to allow the system to spot new rogue IPs, and rule out false positives or poisoning attempts.

:arrow_down: Install it !

Crowdsec is available for various platforms :

Or look directly at installation documentation for other methods and platforms.

:tada: Key benefits

Fast assisted installation, no technical barrier

Initial configuration is automated, providing functional out-of-the-box setup

Out of the box detection

Baseline detection is effective out-of-the-box, no fine-tuning required (click to expand)

Easy bouncer deployment

It's trivial to add bouncers to enforce decisions of crowdsec (click to expand)

Easy dashboard access

It's easy to deploy a metabase interface to view your data simply with cscli (click to expand)

Hot & Cold logs

Process cold logs, for forensic, tests and chasing false positives & false negatives (click to expand)

📦 About this repository

This repository contains the code for the two main components of crowdsec :

  • crowdsec : the daemon a-la-fail2ban that can read, parse, enrich and apply heuristics to logs. This is the component in charge of "detecting" the attacks
  • cscli : the cli tool mainly used to interact with crowdsec : ban/unban/view current bans, enable/disable parsers and scenarios.

Contributing

If you wish to contribute to the core of crowdsec, you are welcome to open a PR in this repository.

If you wish to add a new parser, scenario or collection, please open a PR in the hub repository.

If you wish to contribute to the documentation, please open a PR in the documentation repository.