Introducing Crowdsec: a Modernized, Collaborative Massively Multiplayer Firewall

Slashdot reader b-dayyy writes: CrowdSec is a massively multiplayer firewall designed to protect Linux servers, services, containers, or virtual machines exposed on the Internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention tool.

CrowdSec is free and open-source (under an MIT License), with the source code available on GitHub. It uses a behavior analysis system to qualify whether someone is trying to hack you, based on your logs. If your agent detects such aggression, the offending IP is then dealt with and sent for curation. If this signal passes the curation process, the IP is then redistributed to all users sharing a similar technological profile to 'immunize' them against this IP.

The goal is to leverage the power of the crowd to create a real-time IP reputation database. As for the IP that aggressed your machine, you can choose to remedy the threat in any manner you feel appropriate. Ultimately, CrowdSec leverages the power of the community to create an extremely accurate IP reputation system that benefits all its users.

It was clear to the founders that Open Source was going to be one of the main pillars of CrowdSec. The project's founders have been working on open-source projects for decades — they didn't just jump on the train. Rather, they are strong Open Source believers. They believe that the crowd is key to the mass hacking plague we are experiencing, and that Open Source is the best lever to create a community and have people contribute their knowledge to the project, ultimately make it better and more secure.

The solution recently turned 1.x, introducing a major architectural change: the introduction of a local REST API.

Problem #1

[nagora]

Why do I trust the other people contributing?

Re:

[shankarunni]

Bingo.

While you can then lay on other layers of security (mutual trust scoring of contributors by other contributors and the public), all of those are generally trivially game-able.

Why do you trust Wikipedia?

[Herve5]

Answer is the same : provided users are numerous enough, liars will be eliminated. Quickly.
Or, just go buy a paper encyclopedia (if there are some left)

OK, it's not wikipedia at all

[Herve5]

Now, I see they have a central private curator system. So, actually I won't install...

Re: Why do you trust Wikipedia?

[peragrin]

Well they could use blockchain to verify trust. No body can game blockchain. /S

Re:

[thoriumbr]

Ever heard of 51% attack? Or Sybil attack?

Re: Why do you trust Wikipedia?

[sysrammer]

...not the mention the "/S" attack.

Re:

[gweihir]

Nope. That would just mean this system is useless against more targeted attacks. Quite frankly, I am not worried about some nil-whit running some script.

The fundamental difference is that anybody can verify an article in Wikipedia, but nobody except the target (and the attacker) can know what attacks were run against a target. Maybe you should get that paper-copy, the online version has clearly failed to give you even a basic understanding of things.

Re:Why do you trust Wikipedia?

[nagora]

I don't trust Wikipedia at all. I might use it sometimes to look up some actor, but that's because Google brings WP up before IMDB a lot of the time and I'm probably not very worried if the information is wrong. If for some reason I do need the answer to be correct then I scroll past the WP results.

Re:

[OolimPhon]

Um, you use Google to bring up Wikipedia?

What's wrong with bookmarking Wikipedia and going there directly?

Same for IMDB?

Re:

[nagora]

Um, you use Google to bring up Wikipedia?

What's wrong with bookmarking Wikipedia and going there directly?

Because I don't want to go to WP.

Same for IMDB?

I don't look IMDB up very often, but yeah, I could.

Re:

[nagora]

Or you could, you know, use Wikipedia how it's intended instead of ignoring it. Like, opening the article and checking the reference for the data you're interested in, to see that it match and that you trust the source.

If the search engines just returned the source instead of the WP page then I would go straight there. I have to anyway to see if there was actually a good reason to use the source. WP is a completely redundant waste of electricity.

Re: Why do you trust Wikipedia?

[BAReFO0t]

Oh yoi sweet privileged child.

Wikipedia is exacrly.proof why thos doesn't work.

Wikipedia has stopped being editable by anyone for a long time now. Because it dosn't work, and never did. We just settled to the particular delusion/belief that the masses agree with the most, regardless of the actual "truth". (Like anyone there even knows the basics of philosophy behind the scientific method...)
But since not even the blind masses could agree, they just went back to ye olde hierarchy again. With those with the b

Re:

[Forty Two Tenfold]

Wikipedia has stopped being editable by anyone for a long time now.

[ citation needed ]

Re:

[Cederic]

Perhaps you could point out where on this page is an edit button: https://en.wikipedia.org/wiki/... [wikipedia.org]

I could cite others but that's the very first page I checked and it suffices.

Re:

[Mattcelt]

Perhaps you could point out where on this page is an edit button: https://en.wikipedia.org/wiki/ [wikipedia.org]...

I could cite others but that's the very first page I checked and it suffices.

Yes, your sample size of one is assuredly representative of the entire class.

"I can't drive on one road, so clearly I must not be able to drive on any road!"

Here's a page you can edit (linked from your example ad absurdum): https://en.wikipedia.org/wiki/... [wikipedia.org]

Have at it and edit to your heart's content!

Re:

[ArchieBunker]

Did you post this using an operating system written completely by yourself?

Re:

[nagora]

Did you post this using an operating system written completely by yourself?

The difference is that the OS is not dynamically changing under me. Well, that's one of the differences.

Re:

[Forty Two Tenfold]

OS is not dynamically changing under me

Huh? You must be using some very sophisticated ROM.

Re: Problem #1

[BAReFO0t]

No, I use one written by a subset of people that displayed their trustworthiness beforehand and don't just let any moron in. And if I need software that is partially written by morons, or I got no choice, like with Firefox, I patch the hell oit of this motherfucker.

I also only enable stuff in my kernel, that comes from sane non-evil people, given past exprience. (Linus is mostly trustworthy to me.)

Re:

[thegarbz]

Why do I trust the other people contributing?

Why not? Is *everyone* out to get you?

Re: Problem #1

[BAReFO0t]

No, but most people are just completely unqualified, and you know yourself how smart the "average person" is.

You're like if I didn't want my pilot to be straight the mental ward and you went "WHY DO YOU HATE DISABLED PEOPLE!!?".

PROTIP: It does not imply hate or thinking they are evil. Just that they are unqualified.

Re:

[thegarbz]

No, but most people are just completely unqualified, and you know yourself how smart the "average person" is.

Your ignorance is showing again. Studies have time and time again proven that if you put large groups of qualified people together they eventually converge at something approximating the correct answer.

You're like if I didn't want my pilot to be straight the mental ward and you went "WHY DO YOU HATE DISABLED PEOPLE!!?".

I'm not sure what language you think you wrote that in, but I've seen a more coherent sentence written by an AI script on a computer. Honestly I tried. I really put effort in. I have now read that 6 times and I still have no fucking idea what you were trying to say, though I've taken 3 guesses and none of the

Re:

[account_deleted]

Comment removed based on user account deletion

Re: Problem #1

[BAReFO0t]

Oh, and, have fun when this digital mob will label you an evildoer for no reason. Because with your mindset, shown in your comment, we wil be shocked, shocked I tell ya, when that happens.

Re: Problem #1

[aRTeeNLCH]

How many bad apples does it need? Even without any bad intentions,... What if some state actor just wants the people to be shielded from content or connections they shouldn't have? For their own good, naturally.

Re:

[gweihir]

Why do I trust the other people contributing?

That was pretty much my first thought. Get a few servers (virtualized is enough) make them think some IP is behaving badly and you have an instant "ban anybody" system.

Re: Problem #1

[BAReFO0t]

Hell, I'd just poison the database with a DDOS of "contributions".

Same reason Wikipedia hasn't been "anyone can edit" for a long time, and is back to a centralized hierarchy again, just like what they did seek to replace. Because it doesn't work. Bit some people apparently uaven't gotten the memo yet. (Or are deluded, or lying, because they are in a privileged position and don't see that.)

Re:

[gweihir]

Exactly. "Everybody can contribute" does not work. (Side-note: Makes some recent Code-of-Conduct movements look pretty damn stupid.) It may be a relatively small number of fuckups that poison everything, but they are always there and they always think _they_ have truth and honor and decency on their side, when nothing like that is the case. Either keep these people out or see whatever you created burn down in flames or rot until nothing of any value is left.

Re:

[Anonymous Coward]

Why do I trust the other people contributing?

The answer is because you are doing reputation weighting completely wrong.

Not trusting a single source completely is the entire reason for assigning a weight to that source.
Only when all the weights from all of your sources exceed a threshold would you want to "trust" the aggregate and take action, yet even then the trust required is nothing more than "something abnormal is going on"
This is also why the action to take is left completely up to you.

Obviously, as with any project first getting started, there a

Re:

[Jean-CrowdSec]

Because we make sure they are trustworthy. Every network member (watchers sharing their signals) gets a trust rank (TR). By consistently sending back valuable and exact information, the TR gets better over time. A daemon reporting for months, with 100% accuracy, valuable information will eventually reach the maximum TR. Feeding the system with wrong information would result in a severe and immediate loss of TR. This mechanism is made to avoid poisoning. All TR can partake in the consensus, but only the hig

will not work for ISP natted ip's and flex IP's

[Joe_Dragon]

will not work for ISP netted ip's and flex IP's that can lead to ban's of real users.

Re:

[alt63]

will not work for ISP netted ip's and flex IP's that can lead to ban's of real users.

The local greengrocer's called and as'ked if you could give your apos'trophes' back

Re:

[GrahamJ]

That's my concern too - IPs don't necessarily map to bad actors, or at least the certainly of the mapping degrades with time. This might be ok for personal or corporate networks but I don't see it working well for public services.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Entrope]

As opposed to actual, serial abusers, who use those same services to protect against correct attribution of their attacks?

Re:not going to go well

[Jean-CrowdSec]

You are right but we thought about this upfront so we've put the following system in plance. Every network member (watchers sharing their signals) gets a trust rank (TR). By consistently sending back valuable and exact information, the TR gets better over time. A daemon reporting for months, with 100% accuracy, valuable information will eventually reach the maximum TR. Feeding the system with wrong information would result in a severe and immediate loss of TR. This mechanism is made to avoid poisoning. All TR can partake in the consensus, but only the highest TR rank can publish to the database without needing validation from our own honeypot network. It nevertheless has to pass the test of the Canary list, meaning the IP reported shouldn’t be one of the canary. Canaries are in fact whitelisted IP, known to be trustworthy, like the Google bot, Microsoft updates, etc. If a scenario is too sensitive or twitchy, it might shoot a canary. This mechanism is made to avoid false positives.

Re:

[Windrip]

There's a wizard behind that backdrop: the Consusus Engine. So you don't have to actually RTFF [crowdsec.net]

Some people have expressed questions about "why" we aren't open-sourcing the "central intelligence" aka "global consensus" part. While we are focused on making the CrowdSec suite a suitable software for the open-source world, it means there is constant arbitration between maximum efficiency and compatibility with the larger population. And, rather often, we make our decisions based on the fact that we want the larg

linked website is shit

[kunwon1]

can't even view the article, it has three different popups that can't be closed

So is this like fail2ban

[bobstreo]

except actually accumulating a bunch of peoples experiences, and "curating" the results?

I think on my (currently dead server) I had a ton of blocks for ssh and web stuff. I just added some iptables blocks for China, Russia and Brazil, and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.

Re:

[bill_mcgonigle]

> and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.

Don't forget to leave an instance of endlessh [github.com] on port 22 to throw a wrench in the economics of the scanners.

Re:

[bobstreo]

> and moved my external ssh port to something "not port 22" and noticed a massive drop in attempts.

Don't forget to leave an instance of endlessh [github.com] on port 22 to throw a wrench in the economics of the scanners.

Just like keeping telemarketers on the line for as long as you can to help save others. Thanks

Wise crowds.

[Ostracus]

So basically relying on the hypothesis that crowds are wiser than individuals. Good thing no one has tested it.

Re: Wise crowds.

[BAReFO0t]

Unpopular observation (not to be confused with a belief):

A democracy is an idiocracy by definition.

Local machine only?

[BobC]

If installed on a router (perhaps running some flavor of DD-WRT), it seems CrowdSec can support only the router itself, and not any attached systems.

Is this correct? Or am I misreading/misunderstanding CrowdSec's level of functionality?

Why not Rust instead of Go?

[BobC]

There is a developing preference to avoid languages like Go and C/C++ for apps in the security pipeline, with Rust rapidly becoming ascendant in this area.

My prior employer started porting selected C++ code having ongoing security issues (as reported by customers and fuzz testing) to Rust, and the finished port essentially eliminated the maintenance churn on that code, despite their minimal organizational experience with Rust. They still use Rust tactically, with no near-term overall strategy for it to rep

The trust problem

[dskoll]

I wouldn't trust crowdsourced data to actually block anything. But it could be useful to tweak thresholds. For example, let's say my normal rules allow 10 bad password attempts on SMTP AUTH before banning an IP. It might be useful to lower this to 3 if the crowdsourced data says the offending IP is likely a bad actor.

Personal 50 cent army

[Nocturrne]

You know this will get adapted and abused by someone to make their own Xitler styled great firewall.

Literal Idiocracy.

[BAReFO0t]

Yeah, like I'm gonna leave my firewalling to the dumbest common denominator of a majority vote of of ye average morons...

Here's why this is a stupid idea:

[Rick Schumann]

The goal is to leverage the power of the crowd to create a real-time IP reputation database.

Sure. And the criminals, scammers, and foreign nationals working in the interests of their own countrys' government will work like the damned to bias that 'crowdsourcing' to ensure that their compromised sites are listed as 'safe'.

Re: Here's why this is a stupid idea:

[NagrothAgain]

Wonder what happens when 127.0.0.1 gets blacklisted.

Re:

[Rick Schumann]

Nothing, since that's not a routable IP address.

Dynamic IP

[cygnusvis]

People have forgotten about dynamic IP addresses.

Re: Dynamic IP

[nuckfuts]

Nothing wrong with blocking an attack from a dynamic IP address. Just remove the block after a week or so.

Some answers

[CrowdSec]

Hi guys, We've put together a FAQ that offers answers to most questions raised. Simply google "CrowdSec FAQ" and topics like poisoning, IPV4 NAT issues, GDPR, License, Consensus engine, Monetization, and much more are addressed. The global concept has been thought through and developed by people with years of experience in pentests, defensive security, and open-source (NAXSI, PHP MF, Snuffleu Paggus, etc.). That doesn't mean we thought about everything, but let's say we know the classical pitfalls. At its core, it's a sort of modern, on steroid 2021 Fail2ban. The sharing of IP spotted as malevolent is curated in a central way before being redistributed to the users (for free). This curation process is made to avoid FP, poisoning, and detect low noise signals. (Like IP banding together but not being super aggressive individually). It's decoupled (detect here, remedy there), IPV6 ready, fast (60x faster than F2B) and uses simple grammar to make it accessible to the greatest number. As for the IP you want to ban (like Tor exit nodes or VPNs), this is already doable by many soft. The online back office, coming soon, will allow you to customize what IP groups and what behavior you want to stop, based on their global rep (like A.B.C.D is known to do credit card stuffing, stop it if in a payment tunnel of a webshop). What we advise though is not to "block" on your RP or FW, but rather use bouncers dealing with higher layers. ie if you try to secure an HTTP app, send a captcha rather than drop the connexion. (Always use the minimum necessary remediation.) That being said, we're equally proud and scared to be featured on slashdot. So if you have questions beyond those treated in the FAQ, feel free to ask. We also have a Discourse & Gitter if you feel like crashing by. Philippe

Re:

[Windrip]

Very interesting idea. I have no idea how it will play out, but I look forward to inspecting the FAQ.

Re:

[Jean-CrowdSec]

Glad to hear. Happy to help if needed. You can find us on our Gitter channel: https://gitter.im/crowdsec-pro... [gitter.im]