Crowdsec testing
-
I only added it this morning and it is working.
It feels as if it runs "outside" of pfsense in a way, like a "BlackBox" appliance.
I mean it does block, but you do not see how or where, it does show decisions in the logs as.Example of a port scanner who creates 200+ alerts and automatically was blocked.
It says I added the three free block lists, but it not seen on the firewall anywhere or seen any logs.
It has centralized management in case you have more than one pfsense.
Things like manual decisions on the portal to block a specific IP for example are behind a paywall.Pro:
- I think it's good feeding my logs into a central DB to share with others.
- It did detect a port scanner, which Suricata doesn't.
- It blocks.
- More block lists for free (3).
Con:
- Implementation of the rules is "BlackBox" not like pfSenseBlockerNG.
- You cannot use RAM drive for /tmp and /var.
- Paywall for several features.
- Block lists can only be added via "BlackBox"-Blocking on the web portal.
What I do not know and want to test is the nginx proxy implementation. I have a web server with port forwarding 443 to it and it would be good to have its logs also monitored.
If I understand it correctly, you could monitor the nginx logs, it detects and remediates on the firewall by blocking the IP?