Messages - ruzamai

#1
General Discussion / Re: Crowdsec Observations
June 12, 2026, 05:14:48 PM
Let's take a real life scenario.

On ipv6 only, port 443, I have a Drupal website. This website is behind Opnsense at network level, firewalld at server level, then an application firewall built in Nginx.

At the network level Opnsense firewall I have open source blocklists that rarely block anything anyway not already blocked but give me insight and interesting logs.

The network firewall also blocks all ASNs of known scanners, from a dynamic list.

Server level - firewalld, 443 open tcp/udp.

Application firewall:

All HTTP/0.9/1.0/1.1 queries blocked. If you speak HTTP/2 I am your friend.

All WordPress query strings and paths blocked. All unsavoury user agents blocked.

What can Crowdsec now offer me?
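As an added example (not ruzamai's actual configuration, and not anything from the CrowdSec project), here is one way to express the three application-level rules from this post in nginx: reject any request that is not HTTP/2 or HTTP/3, drop WordPress paths and query strings on a host that only serves Drupal, and drop unwanted user agents. The hostname drupal.example.com, the certificate and docroot paths, the PHP-FPM socket and the user-agent patterns are assumptions. Everything is answered with 444, which closes the connection without a response.

```nginx
# Added example, not the poster's own config. drupal.example.com, the file
# paths and the UA patterns are assumptions. Needs nginx 1.25.1+ for "http2 on;"
# and a QUIC-enabled build for the "quic" listener.

# Rule 1: protocol version. Only HTTP/2 and HTTP/3 are welcome; HTTP/0.9
# (empty $server_protocol), HTTP/1.0 and HTTP/1.1 fall through to "default".
map $server_protocol $legacy_http {
    default      1;
    "HTTP/2.0"   0;
    "HTTP/3.0"   0;
}

# Rule 2: user agents that never get a reply (constructed sample patterns).
map $http_user_agent $unwanted_ua {
    default                               0;
    ""                                    1;   # request without a User-Agent header
    "~*(masscan|zgrab|python-requests/)"  1;
}

# Rule 3: WordPress paths and query strings. This vhost serves Drupal,
# so a request for any of these can only be a probe.
map $request_uri $wp_probe {
    default                                                            0;
    "~*^/(wp-admin|wp-login\.php|wp-content|wp-includes|xmlrpc\.php)"  1;
    "~*[?&](author=\d|rest_route=)"                                    1;
}

server {
    # IPv6 only, as in the post: TCP carries TLS + HTTP/2, UDP carries HTTP/3,
    # which is why firewalld has to allow 443 on both protocols.
    listen [::]:443 ssl;
    listen [::]:443 quic reuseport;
    http2 on;
    server_name drupal.example.com;

    ssl_certificate     /etc/nginx/certs/drupal.example.com.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/drupal.example.com.key;   # assumed path
    ssl_protocols TLSv1.3;
    # Tell HTTP/2 clients that HTTP/3 is available on the same port.
    add_header Alt-Svc 'h3=":443"; ma=86400' always;

    # 444 closes the connection with no status line and no server banner;
    # the request is still written to the access log for later review.
    if ($legacy_http) { return 444; }
    if ($unwanted_ua) { return 444; }
    if ($wp_probe)    { return 444; }

    root /var/www/drupal/web;   # assumed Drupal docroot
    index index.php;

    location / {
        try_files $uri /index.php?$query_string;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;   # assumed PHP-FPM socket
    }
}
```

The protocol check relies on ALPN: a client that negotiates h2 or h3 passes, anything that falls back to HTTP/1.1 is dropped, so test any monitoring or health-check client you depend on before enabling rule 1. Because the `map` blocks are evaluated per request, the drops show up in the nginx access log with status 444, which is where the "interesting logs" the post mentions come from at this layer.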
#2
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:53:41 AM
Quote from: philippe_crowdsec on June 10, 2026, 11:25:20 AM
@dan786: Don't hesitate to discuss those points on our discourse.

The tables populated by CrowdSec are entirely dynamic. <TL/DR> It contains the IPs your local machine blocks and a part of what the others in the network are blocking. The 1st step is really about checking your "stack health" in the SaaS console (or using the Claude Skill we published) to see that everything is properly configured.

The default 4h ban is meant to avoid a lengthy ban, since any IP caught locally will have its ban refreshed if needed, and if it is globally aggressive, it'll be added to a global blocklist (reputation vs. behavior).

CrowdSec now runs on hundreds of thousands of servers and we are confident the software is stable, behaving as intended, but this doesn't mean we can't have an OPNsense integration issue. So step 1: stack health, or check the config with Claude + the crowdsec skill. If it's cleared, please raise a bug and we'll investigate.



Also - are you seriously suggesting I use Claude to prove you wrong or right? I craft my rules manually, have never needed AI as a crutch.
It's pretty hard to take you seriously when you suggest this.

Samuel
#3
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:43:30 AM
Quote from: philippe_crowdsec on June 09, 2026, 03:02:36 PM
Hi there, I'm allowing myself just a few observations:

> [...] There's constant pressure to upsell.

On the FOSS product, there is zero upsell. The security engines, scenarios, virtual patches, and OWASP CRS ruleset are all 100% free.
One place you may see an upsell is in the SaaS console's free tier. The reason is that this product is not free, not for you or for us, since we store the attacks your servers are receiving. There is a free tier, which is entirely optional for the use of CrowdSec by Homelab users. For professionals, if you need supervision, alerts, provisioning, QoL, etc., this is where the SaaS product is useful and where you get upsell CTAs.

> [...] I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

It's then likely that you use only the IDS module (the one reading logs), with a few scenarios, and probably not exposed over the Internet. Because usually, firewalls don't filter some ports that need to be opened (like HTTP or VPN, sometimes SSH, etc.) and those are scanned several thousand times a day, which is where CrowdSec WAF & IDS are helpful. Also, maybe check the SaaS console to see the health of your instance and whether you have log parsing, the scenarios installed, etc. The logic is dynamic blocking based on behavior, rather than static filtering via firewall rules.

> [...] Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall

Normally, if a packet is dropped by your firewall, the related request should never reach the security engine for treatment.
The CrowdSec bouncer installs an ipset on your Linux firewall, and your firewall drops it, making it seem like it's your firewall dropping, but in fact, it's CrowdSec populating an ipset that your firewall is dropping.


Bests,

Philippe.


Fully open to the internet - forgot to mention.

S
#4
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:41:36 AM
Quote from: philippe_crowdsec on June 10, 2026, 11:25:20 AM (quoted in full in #2 above)



I'm not disputing it's stable Philippe - I'm saying it's completely unnecessary with proper use of the firewall and rules. It's good for people who don't want to address either, and massively oversold.
S
#5
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:37:08 AM
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM
Quote: I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

Same, but is that even the use case of Crowdsec here? Crowdsec blocked many port scanners for me on OPNsense. Sure, these scanners would not have done much, since the ports were blocked. But the same IP is now blocked for other attacks.
Way more active is my Crowdsec on NGINX. This is where all the CVE and wordpress admin/admin stuff happens.

Quote: And there's constant pressure to upsell.

Never noticed that, but probably also because for me this is just fire up and forget. I won't dig into it. The only time I went into it was a false positive when someone synced 10k new files in Nextcloud.

Quote: However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

For me, the non-existent support for IPv6 in fail2ban made me look into Crowdsec. Blocking a single IPv6 instead of a /48 makes no sense IMHO. I was too lazy to set it up later on, but I think at least it would be possible.

Quote: that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.

AFAIK you can have 3 lists active at the same time. Fine by me.
I don't think it does much. But I also don't think it costs much. And I like the basic idea behind it.


Sorry to add yet more!
Back to the firewall, all firewalls at however many levels:
Rate limiting.
I can see - for me - the only valid application is when an allowed IP on an allowed port hammers my application, and Crowdsec jerks into action before firewall rules pick it up. My point is you can replace Crowdsec efficiently with better rules.
Crowdsec is great if you can't spend that time.

I've also had regular problems with Crowdsec blocking network addresses, even if whitelisted. It's transient, varies between updates.

I don't hate Crowdsec, I've used it for years. I just don't think it is necessary.
Quote from: sopex on June 09, 2026, 11:04:02 AM
Not every user has the same needs...

Crowdsec is very useful, for example, on VPSs that need to be publicly accessible and get millions of hits per day.

In a firewall context, there shouldn't be an out -> in connection allowed either way. But it's very useful on in -> out connections when you cannot trust all devices on your network.

The interface can be a bit overwhelming and feel like they try to upsell you, which they are... But it's also honest, for example, I have a server I don't pay a premium sub for, I have around 1M detections per month, and they claim a subscription would reduce it by 7%, which is a logical percentage.

KR

S
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM (quoted in full above in #5)


James - I block port scanning hard, at the firewall. I block far more than Crowdsec does.
#6
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:34:01 AM
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM (quoted in full in #5 above)


Sorry to add yet more!
Back to the firewall, all firewalls at however many levels:
Rate limiting.
I can see - for me - the only valid application is when an allowed IP on an allowed port hammers my application, and Crowdsec jerks into action before firewall rules pick it up. My point is you can replace Crowdsec efficiently with better rules.
Crowdsec is great if you can't spend that time.

I've also had regular problems with Crowdsec blocking network addresses, even if whitelisted. It's transient, varies between updates.

I don't hate Crowdsec, I've used it for years. I just don't think it is necessary.

KR

S
#7
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:23:32 AM
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM (quoted in full in #5 above)


I stopped using Crowdsec on Nginx because it's way too buggy. Instead I craft an individual 'firewall' for each application using Nginx rules, after anything gets past my network and server firewalls.

Like this:
Opnsense/Oracle at network level, depending on the network > server firewall > application level with Nginx rules

I use geo blocking to cut the noise where appropriate. I'm in NZ, and if I have an app that should only be accessed locally, I geoblock all else.
#8
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:12:58 AM
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM (quoted in full in #5 above)


Also I hadn't realised about ipv6 on fail2ban - thanks for mentioning it. All my networks are now ipv6 first, with v4 only added if needed.

KR

S
#9
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:10:38 AM
Quote from: JamesFrisch on June 09, 2026, 08:31:11 AM (quoted in full in #5 above)


All good points. I subscribe to a number of live open source blacklists to provide either blocking if I've missed the miscreants in my firewall rules, or to compare what I'm blocking and they're not. Crowdsec provides less than this without subscribing.
#10
General Discussion / Re: Crowdsec Observations
June 12, 2026, 06:06:48 AM
Quote from: philippe_crowdsec on June 09, 2026, 03:02:36 PM (quoted in full in #3 above)


Hi Philippe - thanks for your reply.
Crowdsec inserts its rules before all other rules. I'm running the full IDS, so it actually limits insight into firewall effectiveness unless I turn it off. Connected to the console, upsell pressure is constant, and functionality is severely limited without a subscription. My data and insights however, are free to Crowdsec.

Kind Regards,

Samuel
#11
General Discussion / Crowdsec Observations
June 09, 2026, 03:09:49 AM
Just putting my observations here after 3 years I guess of using Crowdsec across various platforms.

I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway. And there's constant pressure to upsell.
The observability into IP addresses is great.
However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

I'm certain it's useful if you don't want to spend in depth time configuring firewalls, and then it makes sense.

In my case it's needless overhead, and I'm removing it from all my infrastructure, including Opnsense.

Interested to hear what others think.

Edit - Crowdsec's only practical use is for dashboard insights, and on the free tier those can be exhausted for a month in just minutes, while your servers provide free attack intel for the Crowdsec network, that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.
On one server this month Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall. So Crowdsec is just claiming normal noise as prevented attacks. The "prevented attacks" on this network were mostly against an ipv4 network with no open ports, so blocked by default, with a small number against an ipv6 network with only port 443 open.

If I'm missing something here please explain it to me!

Samuel
#12
Patrick -

Indeed IPv6 issues with the servers (Linux). I'm still working on it but it involves:
several sysctl settings to allow SLAAC
per-interface settings in Network Manager.

When I've got it working properly I'll explain it here in another comment - might be useful for someone else.

Samvel
#13
Patrick -

It doesn't work. When I set a static IPv6 on an interface, everything under it loses IPv6 connectivity, can't even ping. I know it should be simple but there's something wrong I can't figure out. If I leave the LAN interface for example as tracking, I can ping that interface, externally. If I set it static within my allocation, it can't be found, no route. RAD - I've tried each option. I can ping6 any static IPv6 from within the interface/network.

As you've seen above, I'm trying to do what I can easily do with IPv4 and NAT/port forward. Which would be:
https://domain1.example.com > 123.456.789.012 > 10.0.0.1

However on this network I'm IPv6 only - and even 'nattish' domain1.example.com > 1234:5678::1 > ULA fd:1 doesn't work

I'm not criticizing - there's really little information. Frustrated, and sure that I'm missing something simple and fundamental.

I do know that I can't ping any IPv6 address I set as static.

I'm suspecting there's also some sysctl settings I need to figure out on my servers (Linux)
#14
Hi Bart & thanks.
Patrick - thank you too. Was just about to post and saw your reply.

You mean just open up 443 for the entire DMZ instead of trying to fiddle with rules to allow 443 per ip address? I'll give it a shot.

So 1234:5678::1/64 VIP allocation on the DMZ & disable DHCP server
1234:5678::2/128 interface
fe80::213:3bff:fee3:27bf GW
then 1234:5678::3/128 etc. static IPs for the servers?

I really struggle with IPv6
#15
Hi all -

I've been unable to figure this out, or find a previous thread that explains what I'm trying to do - I'd be glad of suggestions on how to make this work.
I have a public static IPv6 /56.
I have multiple web/app servers on the DMZ zone, each with TLS termination. The DMZ is IPv6 only. It looks like this:

https://server1.example.com > 1234::1 > DMZ > server1
https://server2.example.com > 1234::2 > DMZ > server2
https://server3.example.com > 1234::3 > DMZ > server3
Port 443 tcp/udp only for each address

I realize I can add VIPs, then point domain names to those, but don't understand how to forward from there to the actual servers in the DMZ. Could this be done with static ULA on the servers in the DMZ? e.g. Domain > VIP > DMZ > Static ULA?

I realize this can be done with Nginx/HAProxy on Opnsense, but there are a couple of reasons I don't want that (I've used Nginx for this before):
Nginx: my configs are extremely complicated, and various settings I use are not in the Opnsense Nginx UI, meaning I had to do a lot of manual config via the terminal. It's messy, and fragile.
HAProxy: no UDP.

As an interim measure I'm using Cloudflare tunnels, until I can figure it out.

Thanks!

Samvel