CrowdSec integration with ispmanager 6

CrowdSec is a modern open-source security system built on principles similar to a "corporate firewall." It analyzes logs, detects suspicious activity (e.g., brute force, port scanning, DDoS), and automatically applies decisions that block or restrict access from the attacking IP addresses.

Install CrowdSec on a server with the ispmanager control panel:

curl -s https://install.crowdsec.net | sudo sh
apt install crowdsec

By default, the CrowdSec local API listens on port 8080. To move it to any other free port, e.g. 8070, edit both the /etc/crowdsec/config.yaml and the /etc/crowdsec/local_api_credentials.yaml configuration files.

In the /etc/crowdsec/config.yaml file, change the following line:

api:
 server:
   listen_uri: 127.0.0.1:8070

In the /etc/crowdsec/local_api_credentials.yaml file, change the following line:

url: http://127.0.0.1:8070
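After changing the port in both files, it is worth confirming that they actually agree, because a mismatch leaves cscli and the bouncer unable to reach the local API. The following script is an added example, not part of the ispmanager documentation; it assumes the IPv4 host:port form used above, and the bouncer config path and its api_url key are assumed from the Debian package layout.

```shell
#!/bin/sh
# Added example (not from the ispmanager documentation): after moving the LAPI
# off port 8080, confirm every local client still points at the new port.
# Bouncer config path and api_url key are assumed from the Debian package layout.

# Print the port from "listen_uri: host:port" in config.yaml (IPv4 host:port).
lapi_listen_port() {
  sed -n 's/^[[:space:]]*listen_uri:[[:space:]]*[^:]*:\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the port from a "KEY: http://host:port..." line; KEY is "url" in
# local_api_credentials.yaml and "api_url" in the firewall bouncer config.
yaml_url_port() {
  sed -n "s#^[[:space:]]*$1:[[:space:]]*https\{0,1\}://[^:/]*:\([0-9]*\).*#\1#p" "$2" | head -n 1
}

# Return 0 when config.yaml ($1) and local_api_credentials.yaml ($2) agree on a
# non-empty port, 1 otherwise.
lapi_ports_match() {
  cfg_port=$(lapi_listen_port "$1")
  cred_port=$(yaml_url_port url "$2")
  [ -n "$cfg_port" ] && [ "$cfg_port" = "$cred_port" ]
}

# Run against the live files: sh check_lapi_port.sh --check
if [ "${1:-}" = "--check" ]; then
  cfg=/etc/crowdsec/config.yaml
  cred=/etc/crowdsec/local_api_credentials.yaml
  bouncer=/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
  port=$(lapi_listen_port "$cfg")
  if lapi_ports_match "$cfg" "$cred"; then
    echo "LAPI port $port is consistent in $cfg and $cred"
  else
    echo "LAPI port mismatch: $cfg says '$port', $cred says '$(yaml_url_port url "$cred")'" >&2
    exit 1
  fi
  # The firewall bouncer keeps its own copy of the LAPI address; check it too.
  if [ -r "$bouncer" ] && [ "$(yaml_url_port api_url "$bouncer")" != "$port" ]; then
    echo "warning: api_url in $bouncer does not use port $port" >&2
    exit 1
  fi
fi
```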

You can also specify IP addresses as exceptions in the /etc/crowdsec/parsers/s02-enrich/whitelists.yaml file.

Add the service to autorun and start it:

systemctl enable --now crowdsec
systemctl status crowdsec

Check the Iptables version on the server:

iptables -V

Install the Bouncer blocking engine:

  • If the iptables version mentions nf_tables: apt install crowdsec-firewall-bouncer-nftables
  • If the iptables version does not mention nf_tables: apt install crowdsec-firewall-bouncer-iptables

Check the service status after installation:

systemctl status crowdsec-firewall-bouncer

Next, create an acquisition file for the panel logs at /etc/crowdsec/acquis.d/setup.ispmanager.yaml with the following contents:

filenames:
  - /usr/local/mgr5/var/ispmgr.auth.log
  - /usr/local/mgr5/var/core.auth.log
  - /var/www/httpd-logs/*.log
labels:
  type: syslog
  service: ispmanager
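A typo in one of these paths, or a glob that matches nothing yet, makes CrowdSec silently ingest nothing for that source. The script below is an added example, not part of the ispmanager documentation: it reads the filenames list from an acquisition file such as the one above, expands the globs and reports every path that does not exist or is not readable by the user running the script.

```shell
#!/bin/sh
# Added example (not from the ispmanager documentation): list the log paths in
# an acquisition file such as /etc/crowdsec/acquis.d/setup.ispmanager.yaml and
# report entries that match no file or are not readable by the current user.

# Print each "- /path" entry under "filenames:" with surrounding whitespace removed.
acquis_filenames() {
  sed -n '
    /^filenames:/,/^[^[:space:]-]/ {
      /^[[:space:]]*-/ {
        s/^[[:space:]]*-[[:space:]]*//
        s/[[:space:]]*$//
        p
      }
    }
  ' "$1"
}

# Expand globs in the entries and print how many resulting paths are missing or
# unreadable; the offending paths go to stderr. Paths with spaces are not supported.
count_unreadable_acquis() {
  bad=0
  for f in $(acquis_filenames "$1"); do   # unquoted on purpose: expands *.log
    if [ ! -r "$f" ]; then
      echo "unreadable or no match: $f" >&2
      bad=$((bad + 1))
    fi
  done
  echo "$bad"
}

# Usage on the server: sh check_acquis.sh /etc/crowdsec/acquis.d/setup.ispmanager.yaml
if [ -n "${1:-}" ]; then
  n=$(count_unreadable_acquis "$1")
  if [ "$n" -eq 0 ]; then
    echo "all acquisition paths are readable"
  else
    echo "$n acquisition path(s) need attention" >&2
    exit 1
  fi
fi
```

Run it as the user the crowdsec service runs under, since readability is checked with that user's permissions.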

Restart the CrowdSec service:

systemctl restart crowdsec

Register the server with CrowdSec: in the console, go to Security Engines > Engines, click Enroll command, copy the command that connects the server to the SaaS CrowdSec Console, run it on the server and restart the service:

cscli console enroll %TOKEN%
systemctl restart crowdsec

After connecting the server, confirm the connection request in your CrowdSec account.

Next, in the CrowdSec console, subscribe to three free blocklists in the Blocklists > Featured section:

  • Firehol BotScout
  • Firehol greensnow.co
  • OTX Georgs Honeypot

Server notifications will be available at https://app.crowdsec.net/alerts.

Telegram notifications configuration

To enable notifications in Telegram, you first need to configure the Telegram bot.

In the /etc/crowdsec/profiles.yaml file, uncomment the lines containing the notifications and http_default parameters, then replace the contents of the /etc/crowdsec/notifications/http.yaml file with the following:

type: http         # Don't change
name: http_default # Must match the registered plugin in the profile

# One of "trace", "debug", "info", "warn", "error", "off"
log_level: info

# group_wait:         # Time to wait collecting alerts before relaying a message to this plugin, eg "30s"
# group_threshold:    # Amount of alerts that triggers a message before <group_wait> has expired, eg "10"
# max_retry:          # Number of attempts to relay messages to plugins in case of error
# timeout:            # Time to wait for response from the plugin before considering the attempt a failure, eg "10s"

#-------------------------
# plugin-specific options

# The following template receives a list of models.Alert objects
# The output goes in the http request body

format: |
  {
   "chat_id": "-%ID_ЧАТА_TELEGRAM%",
   "text": "
     {{range . -}}
     {{$alert := . -}}
     {{range .Decisions -}}
     {{.Value}} will get {{.Type}} for next {{.Duration}} for triggering {{.Scenario}}.
     {{end -}}
     {{end -}}
   ",
   "reply_markup": {
      "inline_keyboard": [
          {{ $arrLength := len . -}}
          {{ range $i, $value := . -}}
          {{ $V := $value.Source.Value -}}
          [
              {
                  "text": "See {{ $V }} on shodan.io",
                  "url": "https://www.shodan.io/host/{{ $V -}}"
              },
              {
                  "text": "See {{ $V }} on crowdsec.net",
                  "url": "https://app.crowdsec.net/cti/{{ $V -}}"
              }
          ]{{if lt $i ( sub $arrLength 1) }},{{end }}
      {{end -}}
      ]
  }

url: https://api.telegram.org/bot%ID_БОТА_TELEGRAM%/sendMessage

method: POST
headers:
  Content-Type: "application/json"

Restart the service after making the changes:

systemctl restart crowdsec

You can check the status of notification plugins with the following command:

cscli notifications list

To test whether notifications work correctly, add a ban decision for a dummy IP address (which triggers a notification) and then delete it:

cscli decisions add --ip 4.3.2.1 --duration 1h
cscli decisions delete --ip 4.3.2.1

Helpful commands

List of commands for working with CrowdSec:

  • List of blocked IP addresses: cscli decisions list
  • Block an IP address for a specific time: cscli decisions add --ip %IP-ADDRESS% --duration %TIME%
  • Remove an IP address from the blocked list: cscli decisions delete --ip %IP-ADDRESS%
  • List of logs processed by CrowdSec: cscli metrics show acquisition
  • Detailed information about CrowdSec operations: cscli metrics