Crowdsec Observations

Started by ruzamai, Today at 03:09:49 AM

Today at 03:09:49 AM Last Edit: Today at 04:47:27 AM by ruzamai
Just putting my observations here after 3 years I guess of using Crowdsec across various platforms.

I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway. And there's constant pressure to upsell.
The observability into IP addresses is great.
However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

I'm certain it's useful if you don't want to spend in depth time configuring firewalls, and then it makes sense.

In my case it's needless overhead, and I'm removing it from all my infrastructure, including Opnsense.

Interested to hear what others think.

Edit - Crowdsec's only practical use is for dashboard insights, and on the free tier those can be exhausted for a month in just minutes, while your servers provide free attack intel for the Crowdsec network, that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.
On one server this month Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall. So Crowdsec is just claiming normal noise as prevented attacks. The "prevented attacks" on this network were mostly against an IPv4 network with no open ports, so blocked by default, with a small number against an IPv6 network with only port 443 open.

If I'm missing something here please explain it to me!

Samuel

Quote from ruzamai: I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

Same, but is that even the use case of Crowdsec here? Crowdsec blocked many port scanners for me on OPNsense. Sure, these scanners would not have done much, since the ports were blocked. But the same IP is now blocked for other attacks.
Way more active is my Crowdsec on NGINX. This is where all the CVE and wordpress admin/admin stuff happens.

Quote from ruzamai: And there's constant pressure to upsell.

Never noticed that, but probably also because for me this is just a fire up and forget. I won't dig into it. Only time I went into it, was a false positive when someone synced 10k new files in Nextcloud.

Quote from ruzamai: However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

For me, the non-existent support for IPv6 in fail2ban made me look into Crowdsec. Blocking a single IPv6 address instead of a /48 makes no sense IMHO. I was too lazy to set it up later on, but I think at least it would be possible.

Quote from ruzamai: that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.

AFAIK you can have 3 lists active at the same time. Fine by me.
I don't think it does much. But I also don't think it costs much. And I like the basic idea behind it.
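The IPv6 point in the reply above (banning a single /128 is pointless when the attacker owns a whole prefix) is easy to check against your own ban list. The script below is an added example, not code from the thread, from CrowdSec or from fail2ban: it takes a constructed list of banned IPv6 addresses (not real attacker data), aggregates them into /64 and /48 networks with the standard library `ipaddress` module, and reports which prefixes already contain more than one banned host and are therefore candidates for a prefix-level block. The address list, the `min_hosts` threshold and the function names are assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample: addresses a single-host ban tool would ban one at a time.
# Not real attacker data; chosen to show several hosts inside the same prefixes.
BANNED_V6 = [
    "2001:db8:1:1::10",
    "2001:db8:1:1::11",
    "2001:db8:1:2::5",
    "2001:db8:1:ffff::1",
    "2001:db8:2::1",
    "2001:db8:2:abcd::9",
]


def aggregate_bans(addrs, prefixlen):
    """Collapse individual IPv6 addresses into the /prefixlen networks they
    belong to. Returns {IPv6Network: number of banned hosts inside it}.
    Non-IPv6 entries (or garbage) are skipped rather than raising."""
    counts = Counter()
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue
        if ip.version != 6:
            continue
        # strict=False masks the host bits so we get the containing network
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[net] += 1
    return dict(counts)


def ban_prefixes(addrs, prefixlen, min_hosts=2):
    """Prefixes of length prefixlen that contain at least min_hosts banned
    addresses, as sorted strings. These are the networks where a per-host ban
    has already been evaded at least once, so a prefix block is justified."""
    agg = aggregate_bans(addrs, prefixlen)
    return sorted(str(net) for net, n in agg.items() if n >= min_hosts)


def blocked_by_prefixes(addr, prefixes):
    """True if addr (a string) falls inside any of the prefix strings, i.e. a
    prefix-level ban would also cover this host even if it was never seen."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    for plen in (64, 48):
        print(f"/{plen} prefixes with >=2 banned hosts:", ban_prefixes(BANNED_V6, plen))
    # A host from the same /48 that never appeared in the ban list:
    unseen = "2001:db8:1:7::1"
    print(unseen, "covered by /48 bans:", blocked_by_prefixes(unseen, ban_prefixes(BANNED_V6, 48)))
```

With the sample list, six single-host bans collapse to five /64s but only two /48s, and a never-seen host in 2001:db8:1::/48 is caught by the aggregated rule where a per-address ban would have missed it. Whether /64 or /48 is the right granularity depends on how the source allocates addresses; the same aggregation run at both lengths shows the trade-off before you commit to a wider block.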

Not every user has the same needs...

Crowdsec is very useful, for example, on VPSs that need to be publicly accessible and get millions of hits per day.

In a firewall context, there shouldn't be an out -> in connection allowed either way. But it's very useful on in -> out connections when you cannot trust all devices on your network.

The interface can be a bit overwhelming and feel like they try to upsell you, which they are... But it's also honest; for example, I have a server I don't pay a premium sub for, I have around 1M detections per month, and they claim a subscription would reduce it by 7%, which is a logical percentage.