crowdsec
-
but he kept repeating his opinion is the most important in the world over and over again like a broken record
He isn't the only one that could be accused of this.
FWIW, I have a great deal of experience as well, and I see valid points on both sides of the argument. Honestly, I think this discussion has completely run its course.
-
@dennypage We'll have to agree to disagree on "valid" on this one.
-
@Zermus I appreciate the honest back-and-forth.
Based on your experience (especially with 20 years in the field and a CISSP under your belt), I'm genuinely curious how you see the comparison between CrowdSec and something like Security Onion, particularly with its Kibana/Elastic stack.
-
Do you see CrowdSec's real-time, community-driven blocking as overlapping with what Security Onion does, or are they fundamentally different in purpose?
-
Security Onion seems great for deep forensic analysis and manual threat hunting, while CrowdSec feels more automated and lightweight - maybe more of a first line of defense?
-
From a cost and operational perspective, do you think the lighter footprint of CrowdSec brings enough value, especially in smaller environments where a full SO deployment might be overkill?
Not trying to stir the pot - just trying to get a clearer picture of where these tools fit best from someone who's seen a wide range of deployments.
-
-
@JonathanLee Security Onion is something I really like from what I've seen. You're right. Crowdsec is more automated while Security Onion offers that defense in depth approach and they go crazy with it. I don't have much experience with most of their stuff, but what I've tested I like.
I've personally only used their honeypot on my home/colo environment, and it seemed to be solid and the best well maintained honeypot product I could find, although I was just testing it out and it didn't add much to my personal environments and I stopped maintaining it. I should probably keep one running though. I need to test out more of their stuff, because I did really like what I saw, but I have other stuff running that would make it redundant, but it's worth checking out to see if it's better. Wish I had the free time lol.
It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.
What I really like about Crowdsec is it is automated based on log analytics and they claim to block active attack networks based on your location. It's a good system that keeps you informed and protected without having to do much manual log correlation. In fact it seems to eliminate the need for manual log correlating for the most part. You can think of it like a fail2ban on borg collective steroids and it is always adapting new filters to catch and adapt on its own to block threats. Instead of blocking locally it blocks on the perimeter firewall, which in most of our cases here would be pfSense. It can also use pfSense's data on blocks to build a better threat model. The more you feed it the better it gets.
-
It's a shame Elastic took their stuff in house and ELK stacks are no longer free. Tom Lawrence's (https://www.youtube.com/@LAWRENCESYSTEMS) videos convinced me that I should go over to Graylog Open on my personal stuff when that happened and I'm happy with it.
I always viewed ELK as overly complicated. Graylog is much more manageable, although the console isn't as nice. Work in progress.
-
@Zermus Sorry to resurrect this thread, but I'm just wondering about how to best put Crowdsec to good use.
I'm just a hobbyist on this issue, so I haven't got the funds to shell out for the subscription level features of Crowdsec. This means use of the free tier and that leaves the question:
Since Crowdsec already has their blocklists (max 3 on the free tier) available for download directly from a pfSense URL Alias (https://docs.crowdsec.net/u/integrations/pfsense), what are you looking for additionally with the dedicated Crowdsec package?
The package is available, but not in the official repos: https://docs.crowdsec.net/docs/getting_started/install_crowdsec_pfsense/
But as I understand it there is no need to install the package if you intend to use the "small - remediation only" part. Is it because you expect the log analyser engine to produce additional "near real time blocks" from the log analysis on your own pfSense?
For that to be really useful, does that not require the HAproxy package and nginx parts of pfSense to integrate the crowdsec blocking integration so it can do more than IP blocking?
Does it really make sense to run the actual security engine on pfSense itself? Is it not better to run it on a VM or small server (a Pi, for example) and ship pfSense logs to it using syslog? Any blocklists it might produce can then be updated to pfSense's Alias lists at 5min intervals.
Any additional blocking actions it decides would require the HAproxy, nginx plugins to actually make it more useful.
-
@keyser I actually don't even pay out for a Crowdsec subscription. I just use the free option because I set up a basic PHP website that pulls all the data I need reported from the command line from the "security engine" server that a subscription would do off the crowdsec website, so it basically negated that subscription need for me. It's easy to do with AI help.
As for what I use it for, well for instance I have multiple pfSense servers in multiple locations. This crowdsec works best for my datacenter colo proxmox box that I have pfSense running as a frontend. Multiple VMs running multiple services and whatnot behind it, each running its own log analyzer reporting to the security engine server. Crowdsec is the best thing for aggregating the myriad of attack vectors and using pfSense, I block them at my "perimeter" since I have the pfSense bouncer on the front end access; it is the best and simplest approach I've come across. If something is aggressive toward one thing I want to block it across my entire footprint. I don't even bother with putting bouncers in HAProxy or server level firewalls when I can just have it block it on pfSense. That's really its greatest strength to integrate with pfSense. On top of that it analyzes all the scanning that pfSense blocks and takes action against it much better than Snort or Suricata would do by themselves. Also the more data you report the more Crowdsec will offer different premium block lists, so that's a nice perk that you can layer on top of Snort/Suricata.
At my home I have a similar setup since I have static IPs with my ISP and run basically a mirror setup to my colo, so if it blocks it at one location it blocks it at the other.
It really is just Fail2ban on steroids, but it's much more sophisticated in its attack research and blocking and coordinates it across anything instead of just on a local server.
-
@Zermus Thank you for the reply.
I'm still a little unclear as to why you think an official pfSense package is needed then? From your usage I gather you are also only using the various blocklists crowdsec produces directly as a URL alias in pfSense?
-
@keyser For the log analyzer on the pfSense firewall to analyze front end attacks, to report to crowdsec, and for the bouncer feature of blocking it with pfSense. Like I said I don't want to put bouncers on each one of my VMs when just one on pfSense can do the job and block it on everything all at once. The "decision" to block something from the security engine is sent to the pfSense bouncer to block on the pfSense firewall at my perimeter.
Nothing on vanilla pfSense comes close to all of this integration.
-
@keyser For the log analyzer on the pfSense firewall to analyze front end attacks, to report to crowdsec, and for the bouncer feature of blocking it with pfSense. Like I said I don't want to put bouncers on each one of my VMs when just one on pfSense can do the job and block it on everything all at once. The "decision" to block something from the security engine is sent to the pfSense bouncer to block on the pfSense firewall at my perimeter.
Nothing on vanilla pfSense comes close to all of this integration.
I can relate to the log analyzer part although I'd prefer that to run outside of pfSense - preferably on the host that receives all logs (from pfSense and inside webservers and such).
The "bouncer feature" as you put it is - as far as I can see - just an IP list (blocklist) that pfSense downloads using a URL Alias to populate previously created block rules. This is a native pfSense feature - nothing extra needed.
I don't think there are any specific crowdsec services or such in the package that actually do "dropping existing states" and force updates of blocklists on demand from the security server service.
-
@keyser My "security engine" which is the server that receives all the logs and makes decisions, can be run on a separate server. That is my exact setup so I can run my own web/php front end.
As for the URL block list, or EDL since I'm entrenched in Palo terminology, it doesn't do the log analysis and crowdsec reporting. Different strokes for different folks I guess.
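The two views above (a bouncer pulling "decisions" from the security engine vs. pfSense just downloading an IP list into a URL Alias) meet in the middle if you export the engine's active ban decisions as a plain text file for the alias. This is an added example, not code from the thread or from the CrowdSec project; the LAPI URL and the bouncer API key are assumptions for your own deployment, and the sample decisions are constructed.

```python
import ipaddress
import json
import urllib.request

# Constructed sample of what the security engine's LAPI returns for
# GET /v1/decisions (field names follow CrowdSec's decision object; the
# addresses are documentation ranges, not real attackers).
SAMPLE_DECISIONS = [
    {"id": 1, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
     "type": "ban", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
    {"id": 2, "origin": "CAPI", "scope": "Range", "value": "198.51.100.0/24",
     "type": "ban", "duration": "167h", "scenario": "crowdsecurity/http-probing"},
    {"id": 3, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.7",
     "type": "ban", "duration": "1h", "scenario": "crowdsecurity/http-bf"},
    {"id": 4, "origin": "crowdsec", "scope": "Ip", "value": "203.0.113.9",
     "type": "captcha", "duration": "1h", "scenario": "crowdsecurity/http-crawl"},
    {"id": 5, "origin": "crowdsec", "scope": "Ip", "value": "not-an-ip",
     "type": "ban", "duration": "1h", "scenario": "bogus"},
]

def fetch_decisions(lapi_url, bouncer_key):
    """Pull active decisions from LAPI the way a bouncer does.
    lapi_url (e.g. http://engine.lan:8080) and bouncer_key are assumptions
    for your own setup; the key is one you registered with cscli bouncers add."""
    req = urllib.request.Request(
        f"{lapi_url.rstrip('/')}/v1/decisions",
        headers={"X-Api-Key": bouncer_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode()) or []  # LAPI sends null when empty

def decisions_to_alias(decisions):
    """Keep only 'ban' decisions on Ip/Range scope whose value parses as an
    address or CIDR, dedupe, and return sorted lines for a pfSense URL Table alias.
    Captcha decisions and malformed values are dropped: pfSense can only block."""
    nets = set()
    for d in decisions:
        if d.get("type") != "ban" or d.get("scope") not in ("Ip", "Range"):
            continue
        try:
            nets.add(ipaddress.ip_network(d["value"], strict=False))
        except ValueError:
            continue  # one bad value must not poison the whole alias
    ordered = sorted(nets, key=lambda n: (n.version, n))
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in ordered]

def render_alias(decisions):
    """Text body to serve over HTTP for the pfSense URL Alias (one entry per line)."""
    return "\n".join(decisions_to_alias(decisions)) + "\n"

if __name__ == "__main__":
    print(render_alias(SAMPLE_DECISIONS), end="")
```

Serve the rendered file from the same web host as the PHP front end and point the pfSense URL Table alias at it; the alias refresh interval then bounds how stale the perimeter block is relative to the engine's decisions.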