Have you seen the fail2ban alternative?

liamgibbins · February 13, 2022, 3:50pm

Just found this.
Its a alternative to fail2ban https://crowdsec.net/

The main points for me us that its more up to date and provides more security than fail2ban.
it comes with a nice dashboard and an API for easy integration.

I think it would be a nice addition and could possibly with as an alternative or alongside to fail2ban.

From there page;

Collaborative Security
Our strength comes from our cybersecurity community that is burning cybercriminals’ anonymity. By sharing IP addresses that aggressed you, you help us curate and redistribute a qualified IP blocklist to protect everyone.

GDPR Compliant
Sharing is caring but privacy matters even more. We collect the very strict minimum in order to be GDPR compliant. Hence, we never export your logs and the only data sent for curation are a timestamp, the aggressive IP, and the scenario used in the attack.

jlguerrero · February 13, 2022, 5:48pm

It’s not an alternative. We should use both.

eris · February 13, 2022, 6:19pm

There is allready an outstanding feature request for it…

github.com/hestiacp/hestiacp

[Feature] Consider CrowdSec (in addition to fail2ban)

opened 09:54PM - 04 Feb 22 UTC

kpapad904

feature

### Describe the feature or change in detail CrowdSec is an interesting securit…y tool (which can complement fail2ban or can be used independently ) https://github.com/crowdsecurity/crowdsec > CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenario to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. ### Would you like to sponsor this feature to have it implemented? No

liamgibbins · February 13, 2022, 10:35pm

I totally agree to run alongside fail2ban, thinking about implementing it to cover all my personal services that are exposed to the net

Hexaris · February 14, 2022, 8:27am

Crowdsec is basically an improved version of fail2ban. Letting them run together makes no sense in my opinion. Choosing one or the other via the UI makes sense, of course.
I’ve completely disabled fail2ban and only use crowdsec which is managed through one central server via API.
Maybe it would be enough to add crowdsec only to the documentation as an alternative.

eris · February 14, 2022, 8:48am

This makes no sense for us… Up keeping 2 different systems takes time we don’t have and don’t want to spend… We have removed apache2 as front facing panel for the same reason we don’t want to waste time on testing 2 different it takes to test. It requires time to adjust it every time and we don’t have It…

liamgibbins · February 14, 2022, 8:55am

Adding to the documentation would be an easier option.

Including details of how to disable fail2ban and installing and configuration of crowdsec (might stop forum posts on how to install).

This would allow people to chose to have an updated more modern security option with a nice dashboard.

Hexaris · February 14, 2022, 8:59am

I am not interested in having multiple applications. I fully understand that this doesn’t make sense to you. I just thought it was logical to be able to switch applications and not have 2 identical applications running blindly. I will admit that this is something that should probably be handled by the user.

Raphael · February 14, 2022, 9:00am

Still, this would then tend to an “official support” where we would need to test and support it. So basicly we just could implement it directly.

eris · February 14, 2022, 9:01am

According to this is should do what Fail2ban does so it doesn’t make sense to keep F2B alive …

nano /usr/local/hestia/conf/hestia.conf

replace FIREWALL_EXTENSION=‘’

And apt remove fail2ban

I am a fan of implementing in the future but need to investigate it a lot more…

liamgibbins · February 14, 2022, 9:12am

That’s how I found out about it. Lol

pluto · February 15, 2022, 3:46am

Looks interesting. Will have a play with it.

liamgibbins · February 15, 2022, 3:59am

I will be doing the same at weekend, i will be doing some tests on 3 vm’s to see if i get consistent results.
easy install and it comes with premade jails (so to speak)
https://hub.crowdsec.net/browse/#bouncers

The monitors are here.
https://hub.crowdsec.net/browse/#collections

Premade configuration files
https://hub.crowdsec.net/browse/#configurations

Just to name a few:
Dovecot
Mariadb
Docker
Nginx logs
Myself
Postfix configs

There’s loads of premade configs.

It is also worth mentioning that if you install hestiacp without fail2ban and lastly install crowdsec it will auto detect the services that are already installed on the system and auto the files necessary for the installed services, makes it even simpler.

jlguerrero · February 15, 2022, 11:36am

So it is trivial to install.

I love the idea of using crowdsec. We could all benefit from it BUT there is the issue with poisoning.

I have not seen clear information on how crowdsec handles a potential attack of denial of service by poisoning the network with false positives.

liamgibbins · February 15, 2022, 10:40pm

This is the answer I got on there forum…

Hi

To understand how CrowdSec mitigates this, you will need an understanding of how the consensus engine that assesses reveived CTI, works. To my knowledge there is not a whitepaper describing this yet but there is (at least one) video on YouTube with our CEO Philipe describing how it works. He does so from around 8m10s.

Let me know if you have more questions.

system · March 17, 2022, 10:40pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.