Network Install
Deploy a single hub that all agents connect to. This allows the whole network to share events.
Install a Local Sec Hub
Start with just the main CrowdSec binary.
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec
Configure The Hub
Configure the hub to listen on the network.
sudo sed -i 's/listen_uri: 127.0.0.1:8080/listen_uri: 0.0.0.0:8080/' /etc/crowdsec/config.yaml
sudo systemctl restart crowdsec.service
Generate a Client API Key
To connect, clients should use individual API keys.
# For a host named 'www' in this case, change as desired.
sudo cscli machine add www --auto -f -
Machine 'www' successfully added to the local API.
url: http://0.0.0.0:8080
login: www
password: sadkljfhaslkdjhfalkwsuehfaliseudhbf00987
Install and Configure a Detection Client
Install CrowdSec on the client.
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec
Comment out the server block to prevent starting a hub here too.
sudo vi /etc/crowdsec/config.yaml
...
...
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
#  server:
#    log_level: info
#    listen_uri: 127.0.0.1:8080
#    profiles_path: /etc/crowdsec/profiles.yaml
#    console_path: /etc/crowdsec/console.yaml
#    online_client: # Central API credentials (to push signals and receive bad IPs)
#      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    trusted_ips: # IP ranges, or IPs which can have admin API access
#      - 127.0.0.1
#      - ::1
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060
Supply the Sec Hub address and password.
sudo vi /etc/crowdsec/local_api_credentials.yaml
url: http://sechub.lan:8080
login: www
password: sadkljfhaslkdjhfalkwsuehfaliseudhbf00987
sudo systemctl restart crowdsec.service
sudo systemctl status crowdsec.service
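As an added check (not part of the CrowdSec docs), the following POSIX shell function validates an agent's local_api_credentials.yaml before the restart. It catches the most common slip in this step: the url printed by cscli machine add is the hub's listen address (0.0.0.0), which must be replaced with the hub's reachable name; it also flags an empty login or password and a world-readable credentials file. The demo files and the password value are constructed.

```shell
#!/bin/sh
# Added example, not part of the CrowdSec docs: sanity-check an agent's
# local_api_credentials.yaml before restarting crowdsec on the client.
# Prints each problem found and returns 0 only when the file looks usable.
check_lapi_creds() {
  f="$1"; rc=0
  [ -r "$f" ] || { echo "$f: not readable"; return 1; }
  url=$(sed -n 's/^url:[[:space:]]*//p' "$f" | head -n 1)
  login=$(sed -n 's/^login:[[:space:]]*//p' "$f" | head -n 1)
  password=$(sed -n 's/^password:[[:space:]]*//p' "$f" | head -n 1)
  # host part of the url: drop the scheme, then anything from ':' or '/' on
  host=$(printf '%s' "$url" | sed -e 's#^[A-Za-z]*://##' -e 's#[:/].*$##')
  case "$url" in
    http://*|https://*) ;;
    *) echo "$f: url '$url' must start with http:// or https://"; rc=1 ;;
  esac
  # 'cscli machine add' prints the hub's *listen* address (0.0.0.0); the
  # client must be given the hub's reachable name instead, e.g. sechub.lan
  case "$host" in
    0.0.0.0|127.0.0.1|localhost|'')
      echo "$f: url host '$host' is a listen/loopback address, not the hub"; rc=1 ;;
  esac
  [ -n "$login" ] || { echo "$f: login is empty"; rc=1; }
  [ -n "$password" ] || { echo "$f: password is empty"; rc=1; }
  # the file holds the agent's password, so it should not be world-readable
  case "$(ls -l "$f" | cut -c1-10)" in
    ???????r??) echo "$f: is world-readable (chmod 600 recommended)"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed demo files (the password is a made-up placeholder).
demo=$(mktemp -d)
printf 'url: http://sechub.lan:8080\nlogin: www\npassword: placeholder\n' > "$demo/ok.yaml"
chmod 600 "$demo/ok.yaml"
# Verbatim copy of what 'cscli machine add' printed: 0.0.0.0 is not reachable
printf 'url: http://0.0.0.0:8080\nlogin: www\npassword: placeholder\n' > "$demo/raw.yaml"
chmod 644 "$demo/raw.yaml"
check_lapi_creds "$demo/ok.yaml" && echo "ok.yaml: looks usable"
check_lapi_creds "$demo/raw.yaml" || echo "raw.yaml: fix before restarting crowdsec"
rm -rf "$demo"
```

Run it against /etc/crowdsec/local_api_credentials.yaml on the client; a non-zero exit means the agent will not be able to reach the hub as configured.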
Configure a Mitigation Agent
The best place to stop attacks is at the border. If you're running OpenWRT or a Linux firewall, there's a handy netfilter 'bouncer' you can add.
Back on your SecHub, generate an API key for it.
sudo cscli bouncers add router-1-bouncer
API key for 'router-1-bouncer':
XXXXXXXXXX
Over on your firewall, install the bouncer and add the API details.
curl -s https://install.crowdsec.net | sudo sh
sudo apt install crowdsec-firewall-bouncer-nftables
# Adjust 'SecHub' as needed and paste in your key (or directly edit the file)
sudo sed -i 's#api_url: http://127.0.0.1:8080/#api_url: http://SecHub:8080/#' /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
sudo sed -i 's#api_key: <API_KEY>#api_key: XXXXXX#' /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
sudo systemctl restart crowdsec-firewall-bouncer.service
You can install the bouncer in other places as well if you need to establish defense in depth, though you may need to look into how private ranges are whitelisted to protect different segments.
Confirmation
Is it working? Take a look at the decision list.
# On the hub, this will show the community block list.
sudo cscli decisions list --origin CAPI
# On the firewall, this will show the corresponding table contents from the list
sudo nft list table ip crowdsec
table ip crowdsec { … }
Troubleshooting
In some cases, the hub server will not download the community block list after installation without a reboot. Everything will seem to be working, but there will be no default list until you reboot.