Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.

My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?

Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.

Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.

  • billwashere@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 hours ago

    I’ve been meaning to check out crowdsec because it seems to fit my niche usage. Wuzah seems VERY powerful and something I could likely use at work so that’s an advantage but very complex. Fail2ban is good at what it does but very simplistic and would require a lot of individual instances that would seem like a bear to maintain. CrowdSec seems like it’s in the Goldilocks zone somewhere in the middle. Pretty powerful, not terribly hard to manage, and not too difficult to install. But I haven’t done anything with any of them yet so I’m not very much help. I am curious what you go with though.

  • vegetaaaaaaa@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    5 hours ago

    Fail2ban unless you need the features that crowdsec provides. They are different tools with different purposes and different features.

  • betterdeadthanreddit@lemmy.world
    link
    fedilink
    English
    arrow-up
    11
    arrow-down
    3
    ·
    9 hours ago

    CrowSec, it’s not one that you mentioned but once they locate the source of the malicious traffic, they send out a murder of trained attack birds to resolve the issue.

  • SayCyberOnceMore@feddit.uk
    link
    fedilink
    English
    arrow-up
    2
    ·
    10 hours ago

    Crowdsec will block external, public, IPs

    Fail2Ban will block login attempts (ie from anywhere)

    I have a similar setup with pfSense, pfBlockerNG, HAProxy, etc, but I keep F2B running on my DMZ server in case something is ever compromised as it’ll block / slow down anyone trying to move around the network.

    • danA
      link
      fedilink
      English
      arrow-up
      1
      ·
      9 hours ago

      Crowdsec blocks login attempts too.

  • Noggog@programming.dev
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 hours ago

    I’ve been using crowdsec … but I’ve yet to see anyone banned but myself so far. Is everyone else having to write tons of whitelist parsers? I could whitelist my IP but I feel like that’s sidestepping the issue and doesn’t address friends/family also getting banned, coffeeshops, etc.

    Feels like I’m missing something as so far it’s been quite a pain to configure

  • danA
    link
    fedilink
    English
    arrow-up
    5
    arrow-down
    4
    ·
    edit-2
    9 hours ago

    Crowdsec is much more efficient than fail2ban. Fail2ban is a lot of old single-threaded Python code with inefficient log parsing/tailing routines. Crowdsec is a more modern Go codebase.

    If you’re looking at old-school solutions, there’s also DenyHosts.

  • Tournesol@feddit.fr
    link
    fedilink
    English
    arrow-up
    20
    arrow-down
    1
    ·
    18 hours ago

    I actually refrain from using Crowdsec since we found ourselves with a friend banning each other for no known reasons. (I swear I’m a good boy)

    • irmadlad@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      1
      ·
      16 hours ago

      As you probably know the crowdsec bouncer doesn’t directly parse logs or do checks like F2B filters. It queries the crowdsec LAPI for decisions and applies them. The “allowed” or “whitelisted” IP logic is handled at the Security Engine or LAPI level, not by the bouncer itself.

      You can whitelist an ip in /etc/crowdsec/whitelists.yaml or even whitelist decisions in the whitelist.yaml as such:

      name: private-ips
      description: Whitelist local and private IPs
      whitelist:
        reason: "Allow local and private IPs"
        ip:
          - "127.0.0.1"
          - "192.168.1.0/24"
        cidr:
          - "10.0.0.0/8"
      

      Then issue sudo systemctl reload crowdsec. Kind of the same concept as F2B’s ignoreip option. If you are using Tailscale to administer the server, then it’s easier to whitelist. IIRC, you can use cscli decisions add --type whitelist --ip 192.168.1.100 --duration 1y but it doesn’t add them to the whitelist.yaml. Instead it keeps them in crowdsec’s database managed by LAPI. To undo: cscli decisions delete --ip 192.168.1.100 --type whitelist

      https://docs.crowdsec.net/u/getting_started/post_installation/whitelists/

    • just_another_person@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      17 hours ago

      Care to elaborate? This seems kind of insanely specific.

      Also, if you’re using fail2ban, the same thing would happen.

      • Tournesol@feddit.fr
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        1
        ·
        17 hours ago

        I don’t have much to elaborate on ^^’ but yeah, could have been an hyper specific case but that was my experience with it. I assumed my ip was banned on the crowd or something like that and even if my friend unbanned me twice, the ban came back. Don’t know what really happened for sure.

        • just_another_person@lemmy.world
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          15 hours ago

          Ok…but crowdsec bans abusive IPs. Are you saying your actions got you banned for some reason?

          Also, whitelist first. Ban second.

          • Tournesol@feddit.fr
            link
            fedilink
            English
            arrow-up
            1
            ·
            11 hours ago

            I truly don’t think I did anything to get banned. The only thing “non-standard” I do, is having a seedbox

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    6
    ·
    15 hours ago

    From the guy that has been accused of going overboard on security measures, I use both. It just depends on your setup tho. On a low resource server, I would pick crowdsec as it covers more ground than F2B. Running two log parsers does use more resources. ~ my 2 cents

  • SirMaple__@lemmy.ca
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    edit-2
    18 hours ago

    Crowdsec with a central LAPI server. You should install it on the servers themselves to monitor the application logs directly. Then every bouncer(firewall, router, edge device) connected to the LAPI will all block the same IPs. I got sick of repeat offenders and upped the ban time to 1 year in hours.

    • Matty_r@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 hours ago

      Awesome that makes a lot of sense, cheers. So I’ll install the Crowdsec agent on the Nginx Proxy Manager, and potentially also on the servers.

    • mbirth@lemmy.ml
      link
      fedilink
      English
      arrow-up
      9
      ·
      18 hours ago

      I’ve recently enabled banning whole subnets if more than 3 malicious actors from that subnet are on the blocklist. This is great for all those DigitalOcean droplets and other cheap hosters used by those people…

      • SirMaple__@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        17 hours ago

        I’ve been thinking about going this route. What size subnet are you banning? /24?

        Only thing stopping me is I selfhost email and don’t want to ban say a whole subnet from Microsoft/Azure and end up blocking the outgoing servers for O365. I’m sure I can dig around and look at the prefixes to see which are used for which of their services just haven’t had the time yet.

        • mbirth@lemmy.ml
          link
          fedilink
          English
          arrow-up
          4
          ·
          15 hours ago

          I let CrowdSec determine that. I’m seeing /13, /12 and even /10 in my decisions list. All seem to be Amazon AWS ranges.

          • sudneo@lemm.ee
            link
            fedilink
            English
            arrow-up
            2
            ·
            10 hours ago

            Wow, those are big networks. Obviously I suppose in case of AWS it doesn’t matter as no human visitor (except maybe some VPN connection?) will visit from there.

            As someone who bans /32 IPs only, is the main advantage resource consumption?

  • mbirth@lemmy.ml
    link
    fedilink
    English
    arrow-up
    7
    ·
    18 hours ago

    I had fail2ban running for several years before switching to CrowdSec late last year. They both work in a similar fashion and watch your logfiles for break in attempts. With the small difference that CrowdSec also lets you use blocklists from the “crowd” to block malicious actors before they even get to try their luck on your machine(s).

    I’m using CrowdSec with Traefik and nftables. But there are some bouncer plugins for nginx and OpnSense, too.

    I just followed their example configurations for Docker, Docker Compose and then started tinkering with the config until everything worked as desired.

    • Matty_r@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 hours ago

      Thanks those links were helpful to get me on the right path. I like that there is a plugin for Opnsense directly and has that central LAPI, because I’d need something similar if I was to use f2b.

    • Lem453@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      ·
      17 hours ago

      I have traefik running with all config done via the docker compose files and I just couldn’t figure out how to get the bouncer middleware to work without causing problems. Doesn’t help that most examples seem to be based on the static yaml based config so I’m trying to convert jt. Would appreciate anyone who might know of a resource that explains with docker compose environment tags.

      I also have middle ware for things like authentik which complicates things.

      • mbirth@lemmy.ml
        link
        fedilink
        English
        arrow-up
        7
        ·
        edit-2
        17 hours ago

        In the Traefik static configuration (usually traefik.yml), add this to load the CrowdSec plugin:

        experimental:
          plugins:
            crowdsec-bouncer-traefik-plugin:
              moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
              version: "v1.4.2"
        

        (The name for the plugin is defined here as crowdsec-bouncer-traefik-plugin.)

        Then, in your dynamic configuration, add this (I’ve used a separate file dynamic_conf/050-plugin-crowdsec-bouncer.yml):

        http:
          middlewares:
            crowdsec-bouncer:
              plugin:
                crowdsec-bouncer-traefik-plugin:
                  CrowdsecLapiKey: "...YOUR CROWDSEC LAPI KEY HERE..."
                  Enabled: true
        

        (The name for this new middleware defined here is crowdsec-bouncer. It uses the crowdsec-bouncer-traefik-plugin defined in the previous step. Make sure these names match.)

        You can get the LAPI key by registering a new bouncer in CrowdSec.

        And, finally, make sure all incoming traffic routes through the bouncer plugin. You can do this individually, or in general via the static config:

        entryPoints:
        
          websecure:
            address: :443
            http:
              middlewares:
                - crowdsec-bouncer@file
                - secure-headers@file
        

        The middlewares are processed top to bottom.

        Any change to the static configuration requires a restart of Traefik to become active.

      • JASN_DE@feddit.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 hours ago

        In addition to the explanation you got from the other user: once you’ve set up the bouncer middleware in the configs (don’t know if there even exists a good way to do that outside of the configs files), you simply assign the middleware in the compose file as usual.

  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    2
    ·
    17 hours ago

    Crowdsec if you have many instances that need to report to each other.

    If you just have a single instance and care to configure f2b for those services, then it’s fine. I would suggest incorporating the use of public blocklists though.

  • jrgd@lemm.ee
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    18 hours ago

    I’m currently going through a similar situation at the moment (OPNSense firewall, Traefik reverse proxy). For my solution, I’m going to be trial running the Crowdsec bouncer as a Traefik middleware, but that shouldn’t discourage you from using Fail2Ban.

    Fail2Ban: you set policies (or use presets) to tempban IPs that match certain heuristic or basic checks.

    Crowdsec Bouncer: does fail2ban checks if allowed. Sends anonymous bad behavior reports to their servers and will also ban/captcha check IPs that are found in the aggregate list of current bad actors. Claims to be able to perform more advanced behavior checks and blacklists locally.

    If you can help it, I don’t necessarily recommend having OPNSense apply the firewall rules via API access from your server. It is technically a vulnerability vector unless you can only allow for creating a certain subset of deny rules. The solution you choose probably shouldn’t be allowed to create allow rules on WAN for instance. In most cases, let the reverse proxy perform the traffic filtering if possible.

    • Matty_r@programming.devOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 hours ago

      I did have that same thought actually, with opening up opnsense to be modified. But I also like the idea of it getting blocked before it even gets into my network, instead if letting it in initially and then blocking afterwards - that’s kinda the whole job of a firewall after all ha ha

  • catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    24
    ·
    18 hours ago

    Why not just put everything behind a VPN and stop worrying?

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        arrow-down
        9
        ·
        18 hours ago

        It doesn’t, but I wouldn’t recommend selfhosting email for a small org. The low price of Office 365 or whatever Google is calling their business product now is far cheaper than the anguish of running your own server and dealing with spam, both incoming and making sure there’s none outgoing, and making sure your recipient servers aren’t considering your spam.

        • maniacalmanicmania@aussie.zone
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          18 hours ago

          Our small mail server is doing OK. Incoming spam is an issue but not a massive problem. Outgoing spam doesn’t exist. Once a year the IP ends up on the Microsoft blocklist but using the deliverability form to submit mitigation requests is easy enough and takes half a day or so to sort out.

          I’m looking forward to seeing what the Thunderbird team does with Stalwart.

          That reminds me I’ve been meaning to spin up a server, install Stalwart and test it out.

        • jrgd@lemm.ee
          link
          fedilink
          English
          arrow-up
          2
          ·
          18 hours ago

          If you’re running an email server for more than a handful of persistent users, I’d probably agree. However, there are self-host solutions that do a decent job of being ‘all-in-one’ (MailU, Mailcow, Docker-Mailserver) that can help perform a lot of input filtering.

          If your small org just needs automation emails (summaries, password resets), it’s definitely feasible to do actually, as long as you have port 25 available in addition to 465, 587 and you can assign PTR records on reverse DNS. Optionally you should use a common TLD for your domain as it will be less likely to be flagged via SpamAssassin. MXToolbox and Mail-Tester together offer free services to help test the reliability of your email functionality.

    • The Quuuuuill@slrpnk.net
      link
      fedilink
      English
      arrow-up
      5
      ·
      18 hours ago

      VPNs are not a panacea by any stretch of the imagination. they are good for certain use cases but from OP’s description they would do next to nothing

      • catloaf@lemm.ee
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        3
        ·
        18 hours ago

        It would protect all the services. Instead of having to secure each one, you only expose the VPN server and connect to that. You don’t have to worry about North Korean hackers breaching your services if they’re not exposed at all, only the single VPN service. Less attack surface, less worry.

        • JASN_DE@feddit.org
          link
          fedilink
          English
          arrow-up
          3
          ·
          11 hours ago

          And basically useless if you need external users to be able to connect to the services.

        • The Quuuuuill@slrpnk.net
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          11 hours ago

          This is a scenario where a single node VPN would reduce, not increase OP’s security stance. You do have to worry about NK hackers breaching your services because they’re all exposed through the single node VPN server. Same attack surface, less knowledge needed to hit the target with the payload.