Dear esteemed community,
We would like to get your feedback on our new security project.
CrowdSec is free and open source (under an MIT License), with the source code available on GitHub. It is currently available for Linux, with ports to macOS and Windows on the roadmap.
CrowdSec is designed to protect servers, services, containers, or virtual machines exposed on the internet with a server-side agent. It was inspired by Fail2Ban and aims to be a modernized, collaborative version of that intrusion-prevention framework.
How CrowdSec works
CrowdSec is written in Golang and was designed to run on modern, complex architectures such as clouds, lambdas, and containers. To achieve this, it’s “decoupled,” meaning you can “detect here” (e.g., in your database logs) and “remedy there” (e.g., in your firewall or reverse proxy).
The tool uses leaky buckets internally to allow for tight event control. Scenarios are written in YAML to make them as simple and readable as possible without sacrificing granularity. The inference engine lets you get insights from chain buckets or meta-buckets, meaning that if several buckets (e.g., web scan, port scan, and failed login attempts) overflow into a “meta-bucket,” you can trigger a “targeted attack” remediation.
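As an added illustration of the chain-bucket idea described above (example code written for this post, not CrowdSec’s own implementation), the Go model below keeps one leaky bucket per scenario for a single source IP and feeds every leaf overflow into a “targeted-attack” meta-bucket. Scenario names, capacities and leak rates are constructed for the example.

```go
package main

import (
	"math"
	"time"
)

// Bucket: each event adds one unit, the level drains at LeakRate units/s, overflow past Capacity.
type Bucket struct {
	Capacity, LeakRate, level float64
	last                      time.Time
}

// Feed records one event at time t and reports whether the bucket overflowed.
func (b *Bucket) Feed(t time.Time) bool {
	// Drain for the time elapsed since the last event (a zero last time drains to 0).
	b.level = math.Max(0, b.level-t.Sub(b.last).Seconds()*b.LeakRate)
	b.last = t
	b.level++
	if b.level <= b.Capacity {
		return false
	}
	b.level = 0 // reset after overflow so a later burst from the same IP re-triggers
	return true
}

// Chain holds one source IP's buckets; "targeted-attack" is the meta-bucket, fed once per
// leaf overflow. Names, capacities and leak rates are illustrative, not CrowdSec's own.
type Chain map[string]*Bucket

func NewChain() Chain {
	return Chain{
		"web-scan":        {Capacity: 5, LeakRate: 0.5},       // 6 hits in a fast burst
		"port-scan":       {Capacity: 10, LeakRate: 1},        // 11 hits in a fast burst
		"login-fail":      {Capacity: 3, LeakRate: 0.1},       // 4 failures within ~30 s
		"targeted-attack": {Capacity: 2, LeakRate: 1.0 / 600}, // 3 leaf overflows in ~10 min
	}
}

// Process feeds one event to its leaf bucket and returns every scenario that overflowed.
func (c Chain) Process(kind string, t time.Time) []string {
	leaf, ok := c[kind]
	if !ok || kind == "targeted-attack" || !leaf.Feed(t) {
		return nil
	}
	if c["targeted-attack"].Feed(t) {
		return []string{kind, "targeted-attack"}
	}
	return []string{kind}
}
```

A remediation component (a bouncer, in CrowdSec’s terms) would act on the returned scenario names, for example banning only after the meta-bucket overflows.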
Aggressive IP addresses (IPs) are dealt with using bouncers. The CrowdSec Hub offers ready-to-use data connectors, bouncers (e.g., Nginx, PHP, Cloudflare, Netfilter), and scenarios to deter various attack classes. Bouncers can remedy threats in various ways, such as presenting a CAPTCHA, limiting application rights, requiring multi-factor authentication, throttling queries, or activating Cloudflare’s attack mode only when needed. You can get a sense of what’s happening locally (and where it’s occurring) with a lightweight visualization interface and strong Prometheus observability.
While the software currently looks like a spruced-up Fail2Ban, the goal is to leverage the power of the crowd to create a very accurate IP reputation database. When CrowdSec bounces a specific IP, the triggered scenario and the timestamp are sent to our API to be checked and integrated into the global consensus of bad IPs.
While we are already redistributing a blocklist to our community (you can see it by entering cscli ban list --api on the command line), we plan to really improve this part as soon as we have dealt with other prerequisite code. The network already has sightings of 100,000+ IPs (refreshed daily) and is able to redistribute ~10% (10,000) of those to our community members. The project has also been designed to be GDPR compliant and privacy-respecting, both in technical and legal terms.
Our vision is that once the CrowdSec community is large enough, we will all generate, in real time, the most accurate IP reputation database available. This global reputation engine, coupled with local behavior assessment and remediation, should allow many businesses to achieve tighter security at a very low cost.
Getting started and getting involved
CrowdSec’s setup is quick and easy (taking just five minutes, tops). It’s heavily assisted by a wizard to allow as many people and organizations as possible to use it. The project is production-grade and already runs in many places, including hosting companies, although it’s still in beta.
Currently, our community members come from 50 countries across 6 different continents. We are looking for more users, contributors, and ambassadors to take the project to the next level.
We would love to hear your feedback and engage in further discussion, so don’t hesitate to comment or to reach us through GitHub or on our website. Thank you!