Crowdsec Observations

Started by ruzamai, Today at 03:09:49 AM

Today at 03:09:49 AM Last Edit: Today at 04:47:27 AM by ruzamai
Just putting my observations here after 3 years I guess of using Crowdsec across various platforms.

I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway. And there's constant pressure to upsell.
The observability into IP addresses is great.
However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

I'm certain it's useful if you don't want to spend in depth time configuring firewalls, and then it makes sense.

In my case it's needless overhead, and I'm removing it from all my infrastructure, including Opnsense.

Interested to hear what others think.

Edit - Crowdsec's only practical use is for dashboard insights, and on the free tier those can be exhausted for a month in just minutes, while your servers provide free attack intel for the Crowdsec network, that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.
On one server this month Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall. So Crowdsec is just claiming normal noise as prevented attacks. The "prevented attacks" on this network were mostly against an IPv4 network with no open ports, so blocked by default, with a small number against an IPv6 network with only port 443 open.

If I'm missing something here please explain it to me!

Samuel

> I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

Same, but is that even the use case of Crowdsec here? Crowdsec blocked many port scanners for me on OPNsense. Sure, these scanners would not have done much, since the ports were blocked. But the same IP is now blocked for other attacks.
Way more active is my Crowdsec on NGINX. This is where all the CVE and wordpress admin/admin stuff happens.

> And there's constant pressure to upsell.

Never noticed that, but probably also because for me this is just a fire up and forget. I won't dig into it. Only time I went into it, was a false positive when someone synced 10k new files in Nextcloud.

> However, it doesn't seem to be necessary other than as a scare sell to replace Fail2Ban, which I don't use either because I don't need it - because of the aforementioned firewall rules.

For me, the non-existent support for IPv6 in fail2ban made me look into Crowdsec. Blocking a single IPv6 address instead of a /48 makes no sense IMHO. I was too lazy to set it up later on, but I think at least it would be possible.

> that you can't use yourself unless you upgrade your account for a ridiculous subscription charge.

AFAIK you can have 3 lists active at the same time. Fine by me.
I don't think it does much. But I also don't think it costs much. And I like the basic idea behind it.

Not every user has the same needs...

Crowdsec is very useful, for example, on VPSs that need to be publicly accessible and get millions of hits per day.

In a firewall context, there shouldn't be an out -> in connection allowed either way. But it's very useful on in -> out connections when you cannot trust all devices on your network.

The interface can be a bit overwhelming and feel like they try to upsell you, which they are... But it's also honest, for example, I have a server I don't pay a premium sub for, I have around 1M detections per month, and they claim a subscription would reduce it by 7%, which is a logical percentage.

For me I find it still useful for exposed applications at L7. I have some publicly consumed services behind haproxy on OPNsense. I see many hits there attempting to use exploits that Crowdsec appears to identify and stop at the "SSL handshake failed" level or in some other probing scenarios.
I'm keeping it despite, as you say, the now fairly noisy upselling, and that they seem to not improve the functionality of the plugin for the user.

Hi there, I'm allowing myself just a few observations:

> [...] There's constant pressure to upsell.

On the FOSS product, there is zero upsell. The security engines, scenarios, virtual patches, and OWASP CRS ruleset are all 100% free.
One place you may see an upsell is in the SaaS console's free tier. The reason is that this product is not free, not for you or for us, since we store the attacks your servers are receiving. There is a free tier, which is entirely optional for the use of CrowdSec as Homelab users. For professionals, if you need supervision, alerts, provisioning, QoL, etc., this is where the SaaS product is useful and where you get upsell CTAs.

> [...] I've noticed that Crowdsec has never blocked anything that my firewall rules don't block anyway.

It's then likely that you use only the IDS module (the one reading logs), with a few scenarios, and probably not exposed over the Internet. Because usually, Firewalls don't filter some ports that need to be opened (like HTTP or vpn, sometimes SSH, etc.) and those are scanned several thousand times a day, which is where CrowdSec WAF & IDS are helpful. Also, maybe check the SaaS console to see the health of your instance and whether you have log parsing, the scenario installed, etc. The logic is dynamic blocking based on behavior, rather than static filtering via firewall rules.

> [...] Crowdsec claimed it had blocked nearly 20k attacks, all of which however were already blocked by the firewall

Normally, if a packet is dropped by your firewall, the related request should never reach the security engine for treatment.
CrowdSec Bouncer installs an IPset on your Linux firewall, and your firewall drops it, making it seem like it's your firewall dropping, but in fact, it's CrowdSec populating an IPset that your firewall is dropping.

Bests,

Philippe.

Just a small correction, it's a FreeBSD based firewall, and Crowdsec populates a "pf table" in it (which is kinda the same as ipset). Some applications like dnsmasq also call it ipset, but when compiled for FreeBSD they also populate a "pf table".
Hardware:
DEC740

Today at 04:47:30 PM #6 Last Edit: Today at 04:57:36 PM by philippe_crowdsec
Yup, sorry, OPNsense, obviously my bad, but the observation remains correct.
The firewall is dropping the table CrowdSec is populating, hence the feeling the firewall is doing the job all alone :-)

@ruzamai: Can you check how many times the rule that drops this table has been triggered?
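One way to answer that question from the command line, as an added example that is not part of this thread or of the CrowdSec plugin: parse the verbose rule listing from `pfctl -vsr` and compare the packet counters of the rules that reference CrowdSec's pf tables with those of the other block rules. The sample output and the table names `crowdsec_blacklists`/`crowdsec6_blacklists` are constructed assumptions; check `pfctl -sT` on your own firewall for the real names.

```python
import re
# Constructed sample of `pfctl -vsr` output, not captured from a real firewall.
# Table names <crowdsec_blacklists>/<crowdsec6_blacklists> are an assumption:
# check `pfctl -sT` on your box for the names the plugin actually creates.
SAMPLE_PFCTL_VSR = """\
block drop in log quick inet from <crowdsec_blacklists> to any label "crowdsec"
  [ Evaluations: 184211    Packets: 19874     Bytes: 1203456    States: 0     ]
  [ Inserted: uid 0 pid 9911 State Creations: 0     ]
block drop in log quick inet6 from <crowdsec6_blacklists> to any label "crowdsec"
  [ Evaluations: 8120      Packets: 112       Bytes: 9876       States: 0     ]
  [ Inserted: uid 0 pid 9911 State Creations: 0     ]
pass in quick inet proto tcp from any to (self) port = https flags S/SA keep state
  [ Evaluations: 1200      Packets: 99000     Bytes: 55000000   States: 12    ]
  [ Inserted: uid 0 pid 9911 State Creations: 3400  ]
block drop in log inet all label "Default deny rule"
  [ Evaluations: 503311    Packets: 40210     Bytes: 3011222    States: 0     ]
  [ Inserted: uid 0 pid 9911 State Creations: 0     ]
"""

COUNTER_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)")
TABLE_RE = re.compile(r"<([^>]+)>")

def parse_rule_counters(text):
    """Pair each rule (line at column 0) with the indented counter line below it."""
    rules, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = TABLE_RE.search(line)
            current = {"rule": line, "table": m.group(1) if m else None,
                       "evaluations": 0, "packets": 0, "bytes": 0}
            rules.append(current)
        elif current is not None and (m := COUNTER_RE.search(line)):
            current["evaluations"], current["packets"], current["bytes"] = map(int, m.groups())
    return rules

def crowdsec_drop_summary(text, table_prefix="crowdsec"):
    """Split dropped packets into those matched by a CrowdSec table and those caught
    by other block rules. Zero packets on the CrowdSec rules while the default deny
    is busy means the bouncer's table is not what is doing the blocking."""
    summary = {"tables": {}, "crowdsec_packets": 0, "other_block_packets": 0}
    for r in parse_rule_counters(text):
        if not r["rule"].startswith("block"):
            continue
        if r["table"] and r["table"].startswith(table_prefix):
            summary["tables"][r["table"]] = r["packets"]
            summary["crowdsec_packets"] += r["packets"]
        else:
            summary["other_block_packets"] += r["packets"]
    return summary
```

On a live box, feed it `subprocess.run(["pfctl", "-vsr"], capture_output=True, text=True).stdout` instead of the sample; counters reset on ruleset reload, so read them after the firewall has been up for a while.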

I have seen what you're talking about in the past 3-4 years of on-and-off usage of Crowdsec. For home use I like the idea of it, but it has a bar that must be reached in terms of understanding to install it. Anyway, the biggest issues I have found with it: first, the table it uses starts at like 60k but after a few days or a week it drops to 8k. I have tried fresh installs and the same thing happens. Secondly, when I have adjusted the default ban from 4 hrs to say 48 hrs it keeps defaulting back to 4. Third, I have found some IPs don't get added to its list until a few days after they stopped being logged by OPNsense, like it's delayed for some reason.