Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall (linuxsecurity.com)
Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.
CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP.
The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.
It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately making it better and more secure.
The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.
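The detection loop the summary describes (behaviour analysis over your logs, a local decision against the offending IP, and a signal handed on for curation) in the smallest form that still runs, as an added Python sketch that is not CrowdSec's or Fail2Ban's code. The scenario parameters (five failures in 60 seconds, a four-hour ban), the scenario name, the year stamped onto the year-less syslog timestamps and all the log lines are constructed for the example:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in classic syslog format (no year). One host
# (203.0.113.7) fails five times in six seconds; 198.51.100.20 is a
# legitimate user with two stray failures half an hour apart.
SAMPLE_LOG = """\
Dec 14 10:00:01 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 14 10:00:03 web1 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Dec 14 10:00:04 web1 sshd[4125]: Failed password for root from 203.0.113.7 port 51241 ssh2
Dec 14 10:00:06 web1 sshd[4127]: Failed password for root from 203.0.113.7 port 51250 ssh2
Dec 14 10:00:07 web1 sshd[4129]: Failed password for root from 203.0.113.7 port 51251 ssh2
Dec 14 10:00:09 web1 sshd[4131]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Dec 14 10:00:20 web1 sshd[4133]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Dec 14 10:30:00 web1 sshd[4140]: Failed password for alice from 198.51.100.20 port 40010 ssh2
"""

# The user name is matched non-greedily and the pattern is anchored at the
# end of the line, so the IP is always taken from the last "from ... port
# ... ssh2" field. A user name crafted to read "x from 9.9.9.9 port 1 ssh2"
# therefore cannot make the parser attribute the attempt to 9.9.9.9.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.+?) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Scenario parameters (assumed): five failures inside 60 s earns a 4 h ban.
WINDOW = timedelta(seconds=60)
THRESHOLD = 5
BAN_DURATION = timedelta(hours=4)
SCENARIO = "ssh-bruteforce"
YEAR = 2020  # syslog lines carry no year; one is assumed for the example


def parse_failures(log_text, year=YEAR):
    """Yield (timestamp, source_ip) for every failed-password line, in log order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            yield ts, m["ip"]


def detect(log_text):
    """Run the scenario over the log; return one decision per offending IP.

    Each decision carries the local ban expiry and the signal that would be
    handed to the curation step (IP, scenario name, time first triggered).
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside WINDOW
    decisions = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and ip not in decisions:
            decisions[ip] = {
                "ip": ip,
                "scenario": SCENARIO,
                "until": ts + BAN_DURATION,
                "signal": {"ip": ip, "scenario": SCENARIO, "triggered_at": ts.isoformat()},
            }
    return list(decisions.values())


def is_blocked(decisions, ip, now):
    """What the enforcement side (firewall, reverse proxy, ...) asks before admitting a client."""
    return any(d["ip"] == ip and now < d["until"] for d in decisions)


if __name__ == "__main__":
    for d in detect(SAMPLE_LOG):
        print(f"ban {d['ip']} ({d['scenario']}) until {d['until']}; share {d['signal']}")
```

Two things the sketch makes visible that the summary does not: the decision and the shared signal are separate objects, so a peer can receive the signal without inheriting your ban duration, and the parser has to be anchored on the fields the attacker does not control, because the user name in a failed-login line is attacker-supplied text.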
Problem #1 (Score:5, Insightful)
Why do I trust the other people contributing?
Re: (Score:2)
Bingo.
While you can then lay on other layers of security (mutual trust scoring of contributors by other contributors and the public), all of those are generally trivially game-able.
Why do you trust Wikipedia? (Score:3)
The answer is the same: provided users are numerous enough, liars will be eliminated. Quickly.
Or, just go buy a paper encyclopedia (if there are some left)
OK, it's not wikipedia at all (Score:2)
Now, I see they have a central private curator system. So, actually I won't install...
Re: Why do you trust Wikipedia? (Score:3)
Well, they could use blockchain to verify trust. Nobody can game blockchain. /S
Re: Why do you trust Wikipedia? (Score:4, Funny)
...not the mention the "/S" attack.
Re: (Score:2)
Nope. That would just mean this system is useless against more targeted attacks. Quite frankly, I am not worried about some nitwit running some script.
The fundamental difference is that anybody can verify an article in Wikipedia, but nobody except the target (and the attacker) can know what attacks were run against a target. Maybe you should get that paper-copy, the online version has clearly failed to give you even a basic understanding of things.
Re:Why do you trust Wikipedia? (Score:4, Insightful)
I don't trust Wikipedia at all. I might use it sometimes to look up some actor, but that's because Google brings WP up before IMDB a lot of the time and I'm probably not very worried if the information is wrong. If for some reason I do need the answer to be correct then I scroll past the WP results.
Re: (Score:2)
Um, you use Google to bring up Wikipedia?
What's wrong with bookmarking Wikipedia and going there directly?
Same for IMDB?
Re: (Score:2)
Um, you use Google to bring up Wikipedia?
What's wrong with bookmarking Wikipedia and going there directly?
Because I don't want to go to WP.
Same for IMDB?
I don't look IMDB up very often, but yeah, I could.
Re: (Score:2)
Or you could, you know, use Wikipedia how it's intended instead of ignoring it. Like, opening the article and checking the reference for the data you're interested in, to see that it matches and that you trust the source.
If the search engines just returned the source instead of the WP page then I would go straight there. I have to anyway to see if there was actually a good reason to use the source. WP is a completely redundant waste of electricity.
Re: Why do you trust Wikipedia? (Score:1)
Oh you sweet privileged child.
Wikipedia is exactly proof why this doesn't work.
Wikipedia has stopped being editable by anyone for a long time now. Because it doesn't work, and never did. We just settled to the particular delusion/belief that the masses agree with the most, regardless of the actual "truth". (Like anyone there even knows the basics of philosophy behind the scientific method...)
But since not even the blind masses could agree, they just went back to ye olde hierarchy again. With those with the b
Re: (Score:2)
Wikipedia has stopped being editable by anyone for a long time now.
[ citation needed ]
Re: (Score:2)
Perhaps you could point out where on this page is an edit button: https://en.wikipedia.org/wiki/... [wikipedia.org]
I could cite others but that's the very first page I checked and it suffices.
Re: (Score:2)
Perhaps you could point out where on this page is an edit button: https://en.wikipedia.org/wiki/ [wikipedia.org]...
I could cite others but that's the very first page I checked and it suffices.
Yes, your sample size of one is assuredly representative of the entire class.
"I can't drive on one road, so clearly I must not be able to drive on any road!"
Here's a page you can edit (linked from your example ad absurdum): https://en.wikipedia.org/wiki/... [wikipedia.org]
Have at it and edit to your heart's content!
Re: (Score:2)
Did you post this using an operating system written completely by yourself?
Re: (Score:2)
Did you post this using an operating system written completely by yourself?
The difference is that the OS is not dynamically changing under me. Well, that's one of the differences.
Re: (Score:2)
OS is not dynamically changing under me
Huh? You must be using some very sophisticated ROM.
Re: Problem #1 (Score:1)
No, I use one written by a subset of people that displayed their trustworthiness beforehand and don't just let any moron in. And if I need software that is partially written by morons, or I got no choice, like with Firefox, I patch the hell out of this motherfucker.
I also only enable stuff in my kernel that comes from sane non-evil people, given past experience. (Linus is mostly trustworthy to me.)
Re: (Score:2)
Why do I trust the other people contributing?
Why not? Is *everyone* out to get you?
Re: Problem #1 (Score:1)
No, but most people are just completely unqualified, and you know yourself how smart the "average person" is.
You're like if I didn't want my pilot to be straight the mental ward and you went "WHY DO YOU HATE DISABLED PEOPLE!!?".
PROTIP: It does not imply hate or thinking they are evil. Just that they are unqualified.
Re: (Score:2)
No, but most people are just completely unqualified, and you know yourself how smart the "average person" is.
Your ignorance is showing again. Studies have time and time again proven that if you put large groups of qualified people together they eventually converge at something approximating the correct answer.
You're like if I didn't want my pilot to be straight the mental ward and you went "WHY DO YOU HATE DISABLED PEOPLE!!?".
I'm not sure what language you think you wrote that in, but I've seen a more coherent sentence written by an AI script on a computer. Honestly I tried. I really put effort in. I have now read that 6 times and I still have no fucking idea what you were trying to say, though I've taken 3 guesses and none of the
Re: Problem #1 (Score:1)
Oh, and, have fun when this digital mob will label you an evildoer for no reason. Because with your mindset, shown in your comment, we will be shocked, shocked I tell ya, when that happens.
Re: Problem #1 (Score:2)
Re: (Score:2)
Why do I trust the other people contributing?
That was pretty much my first thought. Get a few servers (virtualized is enough) make them think some IP is behaving badly and you have an instant "ban anybody" system.
Re: Problem #1 (Score:1)
Hell, I'd just poison the database with a DDOS of "contributions".
Same reason Wikipedia hasn't been "anyone can edit" for a long time, and is back to a centralized hierarchy again, just like what they did seek to replace. Because it doesn't work. But some people apparently haven't gotten the memo yet. (Or are deluded, or lying, because they are in a privileged position and don't see that.)
Re: (Score:2)
Exactly. "Everybody can contribute" does not work. (Side-note: Makes some recent Code-of-Conduct movements look pretty damn stupid.) It may be a relatively small number of fuckups that poison everything, but they are always there and they always think _they_ have truth and honor and decency on their side, when nothing like that is the case. Either keep these people out or see whatever you created burn down in flames or rot until nothing of any value is left.
Re: (Score:1)
Why do I trust the other people contributing?
The answer is because you are doing reputation weighting completely wrong.
Not trusting a single source completely is the entire reason for assigning a weight to that source.
Only when all the weights from all of your sources exceed a threshold would you want to "trust" the aggregate and take action, yet even then the trust required is nothing more than "something abnormal is going on"
This is also why the action to take is left completely up to you.
Obviously, as with any project first getting started, there a
will not work for ISP natted ip's and flex IP's (Score:2)
will not work for ISP netted ip's and flex IP's that can lead to ban's of real users.
Re: (Score:2)
will not work for ISP netted ip's and flex IP's that can lead to ban's of real users.
The local greengrocer's called and as'ked if you could give your apos'trophes' back
Re: (Score:3)
That's my concern too - IPs don't necessarily map to bad actors, or at least the certainty of the mapping degrades with time. This might be ok for personal or corporate networks but I don't see it working well for public services.
Re: (Score:2)
As opposed to actual, serial abusers, who use those same services to protect against correct attribution of their attacks?
Re:not going to go well (Score:5, Informative)
linked website is shit (Score:2)
So is this like fail2ban (Score:2)
except actually accumulating a bunch of peoples experiences, and "curating" the results?
I think on my (currently dead server) I had a ton of blocks for ssh and web stuff. I just added some iptables blocks for China, Russia and Brazil, and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.
Re: (Score:3)
> and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.
Don't forget to leave an instance of endlessh [github.com] on port 22 to throw a wrench in the economics of the scanners.
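What the endlessh suggestion in this comment actually does, as an added Python sketch in the same spirit (this is not endlessh's code; endlessh is a C program with its own tuning): a TCP listener that never sends the SSH identification string and instead trickles harmless preamble lines at a slow rate, so a scanner that waits for "SSH-2.0-..." sits on the socket for minutes. RFC 4253 section 4.2 allows a server to send lines before its version string as long as they do not begin with "SSH-" and are CRLF-terminated; the 255-byte cap here is the identification-string limit, kept as a conservative bound. The port, the delay and the line length are assumptions:

```python
import asyncio
import random

LISTEN_HOST = "0.0.0.0"
LISTEN_PORT = 2222    # assumed; a real deployment listens on 22 once sshd has moved
DELAY_SECONDS = 10.0  # pause between lines; endlessh defaults to 10 s as well
MAX_BODY = 30         # short lines: the cost is the client's patience, not our bandwidth


def banner_line(rng=random):
    """One pre-identification line: printable ASCII, CRLF-terminated, never starting with 'SSH-'."""
    body = "".join(chr(rng.randint(0x21, 0x7E)) for _ in range(rng.randint(3, MAX_BODY)))
    if body.startswith("SSH-"):  # would end the client's wait; mangle it
        body = "x" + body[1:]
    return (body + "\r\n").encode("ascii")


def is_valid_preamble(line):
    """The RFC 4253 4.2 constraints a tarpit line must meet to be tolerated by clients."""
    return (
        line.endswith(b"\r\n")
        and len(line) <= 255
        and not line.startswith(b"SSH-")
        and all(0x20 <= b < 0x7F for b in line[:-2])
    )


async def tarpit(reader, writer):
    """Never send the version string; trickle junk until the client gives up."""
    peer = writer.get_extra_info("peername")
    sent = 0
    try:
        while True:
            await asyncio.sleep(DELAY_SECONDS)
            writer.write(banner_line())
            await writer.drain()  # raises once the peer has hung up
            sent += 1
    except (ConnectionError, TimeoutError):
        pass
    finally:
        writer.close()
        print(f"{peer}: gave up after {sent} lines, {sent * DELAY_SECONDS:.0f} s wasted")


async def main():
    server = await asyncio.start_server(tarpit, LISTEN_HOST, LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```

The economics only work if holding a victim costs you less than it costs them: each trapped scanner is one open socket and a timer on your side, so cap the listener's connection count (endlessh has an option for this) and never run the tarpit on the same port as the real sshd.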
Re: (Score:2)
> and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.
Don't forget to leave an instance of endlessh [github.com] on port 22 to throw a wrench in the economics of the scanners.
Just like keeping telemarketers on the line for as long as you can to help save others. Thanks
Wise crowds. (Score:2)
So basically relying on the hypothesis that crowds are wiser than individuals. Good thing no one has tested it.
Re: Wise crowds. (Score:1)
Unpopular observation (not to be confused with a belief):
A democracy is an idiocracy by definition.
Local machine only? (Score:2)
If installed on a router (perhaps running some flavor of DD-WRT), it seems CrowdSec can support only the router itself, and not any attached systems.
Is this correct? Or am I misreading/misunderstanding CrowdSec's level of functionality?
Why not Rust instead of Go? (Score:2)
There is a developing preference to avoid languages like Go and C/C++ for apps in the security pipeline, with Rust rapidly becoming ascendant in this area.
My prior employer started porting selected C++ code having ongoing security issues (as reported by customers and fuzz testing) to Rust, and the finished port essentially eliminated the maintenance churn on that code, despite their minimal organizational experience with Rust. They still use Rust tactically, with no near-term overall strategy for it to rep
The trust problem (Score:2)
I wouldn't trust crowdsourced data to actually block anything. But it could be useful to tweak thresholds. For example, let's say my normal rules allow 10 bad password attempts on SMTP AUTH before banning an IP. It might be useful to lower this to 3 if the crowdsourced data says the offending IP is likely a bad actor.
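The weighting argument made in the "Problem #1" reply above (each source gets a weight, nothing is trusted alone, and the action stays local) and the threshold idea in this comment (10 failures normally, 3 when the crowd says the IP is likely bad) fit together in one small piece of code. This is an added Python example, not CrowdSec's scoring; the reporter names, trust weights, half-life and bar are all assumed, and the reports are constructed. It also decays old reports, which is the practical answer to the "IPs get reassigned" concern raised elsewhere in the thread, and counts each reporter once so that one account repeating itself is not a denial-of-service on the score:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Report:
    reporter: str      # identity of the contributing agent
    ip: str
    seen_at: datetime  # when that agent saw the behaviour


# Assumed trust weights: long-established reporters with a clean history near
# 1.0, freshly registered ones near zero, anyone unknown lower still.
TRUST = {
    "veteran-a": 0.9, "veteran-b": 0.8, "veteran-c": 0.7,
    "newbie-1": 0.05, "newbie-2": 0.05, "newbie-3": 0.05,
}
DEFAULT_TRUST = 0.02
HALF_LIFE = timedelta(days=7)  # a report loses half its weight per week (IPs get reassigned)
BAR = 1.5                      # aggregate score at which the crowd's opinion is used at all
BASE_THRESHOLD = 10            # the comment's numbers: 10 failures normally ...
REDUCED_THRESHOLD = 3          # ... 3 when the crowd says "likely bad"


def reputation(reports, ip, now, trust=TRUST):
    """Trust-weighted, time-decayed score for ip; each reporter counts at most once."""
    per_reporter = {}
    for r in reports:
        if r.ip != ip or r.seen_at > now:
            continue
        w = trust.get(r.reporter, DEFAULT_TRUST) * 0.5 ** ((now - r.seen_at) / HALF_LIFE)
        per_reporter[r.reporter] = max(per_reporter.get(r.reporter, 0.0), w)
    return sum(per_reporter.values())


def local_threshold(score):
    return REDUCED_THRESHOLD if score >= BAR else BASE_THRESHOLD


def should_ban(failures, score):
    """The decision stays local: the crowd only moves the bar, it never bans for you."""
    return failures >= local_threshold(score)


NOW = datetime(2020, 12, 14, 12, 0, 0)
VETERANS = ("veteran-a", "veteran-b", "veteran-c")
REPORTS = (
    # three brand-new accounts all flag 203.0.113.7 today; one of them spams it 20 times
    [Report("newbie-1", "203.0.113.7", NOW)] * 20
    + [Report("newbie-2", "203.0.113.7", NOW), Report("newbie-3", "203.0.113.7", NOW)]
    # three established reporters saw 198.51.100.99 brute-forcing yesterday
    + [Report(n, "198.51.100.99", NOW - timedelta(days=1)) for n in VETERANS]
    # the same three saw 192.0.2.50 a month ago; likely a different customer by now
    + [Report(n, "192.0.2.50", NOW - timedelta(days=30)) for n in VETERANS]
)


def demo(failures=4):
    """Ban verdict per IP after `failures` local SMTP AUTH failures from it."""
    return {ip: should_ban(failures, reputation(REPORTS, ip, NOW))
            for ip in ("203.0.113.7", "198.51.100.99", "192.0.2.50")}


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip}: score={reputation(REPORTS, ip, NOW):.2f} ban={verdict}")
```

With four local failures, only the IP that three established reporters saw yesterday crosses the reduced threshold; the IP pushed by a handful of fresh accounts stays under the 10-failure rule, and the month-old reports have decayed below the bar. With twelve local failures every one of them is banned regardless, which is the point of the comment: the crowd adjusts how patient you are, it does not decide for you.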
Personal 50 cent army (Score:1)
You know this will get adapted and abused by someone to make their own Xitler styled great firewall.
Literal Idiocracy. (Score:1)
Yeah, like I'm gonna leave my firewalling to the dumbest common denominator of a majority vote of ye average morons...
Here's why this is a stupid idea: (Score:2)
The goal is to leverage the power of the crowd to create a real-time IP reputation database.
Sure. And the criminals, scammers, and foreign nationals working in the interests of their own countries' governments will work like the damned to bias that 'crowdsourcing' to ensure that their compromised sites are listed as 'safe'.
Re: Here's why this is a stupid idea: (Score:2)
Dynamic IP (Score:1)
Re: Dynamic IP (Score:2)
Some answers (Score:3, Informative)
Re: (Score:2)
Very interesting idea. I have no idea how it will play out, but I look forward to inspecting the FAQ.