CrowdSec, an open-source, modernized & collaborative Fail2ban
Jean Devaux
Posted on September 29, 2020
Dear esteemed community,
We would like to introduce a new security project, CrowdSec, and collect your feedback & comments.
The solution is available on GitHub and will remain open-source (MIT license) and free of charge.
TL;DR: CrowdSec parses logs from various data sources, normalizes and enriches them, then applies heuristic scenarios to identify aggressive behaviors and protect you from most attack classes. As with fail2ban, attacks such as credential stuffing, web or port scans, ssh / ftp / telnet brute-force and many others are easy to defeat with the software, but CrowdSec's modern grammar & architecture give users more possibilities.
Target & goal: CrowdSec is designed to protect servers, services, containers or VMs exposed on the Internet with a server-side agent. It currently runs on Linux (ports to macOS & Windows are on the roadmap).
How it works: The software is written in Go and was designed from day one to run on modern, complex architectures such as cloud deployments, lambdas and containers. To achieve this, it is “decoupled”: you can “detect here” (say, in your database logs) and “remedy there” (say, in your firewall or reverse proxy). Internally, the tool uses leaky buckets to allow for tight event control. Scenarios are written in YAML to keep them as simple and readable as possible without sacrificing granularity. The inference engine lets you get insights from chained buckets or meta-buckets: for example, if several buckets (web scan, port scan and failed login attempts) overflow into a “meta bucket”, you can trigger a “targeted attack” remediation.
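To make the leaky-bucket and meta-bucket idea concrete, here is an added illustration (not CrowdSec's code, and the scenario names and thresholds are our own assumptions): two per-IP buckets are filled from constructed sshd log lines, each bucket leaks over time, an overflow is a scenario firing, and each firing is itself poured into a meta-bucket that flags a “targeted attack” once two overflows coincide.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines (RFC 5737 documentation addresses, not real traffic): one IP hammers, one user typos once.
SAMPLE_LOG = """\
2020-09-29T10:00:00+00:00 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2020-09-29T10:00:01+00:00 web1 sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 51235 ssh2
2020-09-29T10:00:02+00:00 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51236 ssh2
2020-09-29T10:00:03+00:00 web1 sshd[2214]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2020-09-29T10:00:04+00:00 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 51237 ssh2
2020-09-29T10:00:05+00:00 web1 sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
2020-09-29T10:00:06+00:00 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 51239 ssh2
"""
LINE_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for (invalid user )?\S+ from (\S+) port")

class LeakyBucket:
    """`capacity` events fit in the bucket, one more overflows it; it leaks one event per `leak_seconds`."""
    def __init__(self, capacity, leak_seconds):
        self.capacity, self.leak_seconds = capacity, leak_seconds
        self.level, self.last = 0.0, None
    def pour(self, ts):
        if self.last is not None:  # drain what leaked since the previous event
            self.level = max(0.0, self.level - (ts - self.last).total_seconds() / self.leak_seconds)
        self.last, self.level = ts, self.level + 1
        if self.level <= self.capacity:
            return False
        self.level = 0.0  # overflow: empty the bucket so a later burst can fire again
        return True

# Hypothetical per-IP scenarios (capacity, leak_seconds); the names are ours, not CrowdSec Hub scenarios.
SCENARIOS = {"ssh-bf": (4, 60), "ssh-user-enum": (2, 60)}

def run(log_text):
    """Return {ip: [scenarios that overflowed]}; 'targeted-attack' is a meta-bucket that fires once
    two scenario overflows for the same IP land in it within 10 minutes."""
    buckets = defaultdict(lambda: {n: LeakyBucket(*p) for n, p in SCENARIOS.items()})
    meta, alerts = defaultdict(lambda: LeakyBucket(1, 600)), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, invalid_user, ip = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        fired = ["ssh-bf"] if buckets[ip]["ssh-bf"].pour(ts) else []
        if invalid_user and buckets[ip]["ssh-user-enum"].pour(ts):
            fired.append("ssh-user-enum")
        for name in fired:  # every scenario overflow is itself an event poured into the meta-bucket
            alerts[ip].append(name)
            if meta[ip].pour(ts):
                alerts[ip].append("targeted-attack")
    return dict(alerts)
```

Running `run(SAMPLE_LOG)` flags only 203.0.113.5, with both scenarios and the meta-bucket firing on the sixth line, while the single failure from 198.51.100.7 never leaves its bucket.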
Aggressive IPs are dealt with by bouncers. The CrowdSec Hub offers ready-to-use data connectors, bouncers (Nginx, PHP, Cloudflare, Netfilter) and scenarios to deter various attack classes. Bouncers will be able to remedy threats in various ways: we are working on bouncers that serve a captcha, limit application rights, require MFA, throttle queries, or activate Cloudflare's attack mode only when needed. You also already get a sense of what’s happening locally (and where from), with a lightweight visualisation interface and strong Prometheus observability.
While the software currently looks like a fail2ban pimped for 2020, the endgame is to leverage the power of the crowd to create a very accurate IP reputation database. When CrowdSec bounces a specific IP, the triggered scenario and the timestamp are sent to our API, to be checked and integrated into the global consensus of bad IPs. While we already redistribute a block list to our community (you can see it with the CLI: cscli ban list --api), we plan to really improve this part as soon as we have dealt with other, prerequisite, pieces of code. The network already has sightings of 100K+ IPs (refreshed daily) and is able to redistribute ~10% (10K) of those to our community members. Also to be noted, the project has been designed to be GDPR compliant and privacy respectful, in both technical and legal terms.
Mid-term vision: When the CrowdSec community is large enough, we will all generate, in real time, the most accurate IP reputation database. This global reputation engine, coupled with local behavior assessment and remediation, should allow many businesses to get tighter security at a very low cost.
Current state: Setup is quick & easy and heavily assisted by the wizard, so that as many people as possible can use it. The project is production-grade and already runs in many places, including hosting companies. As a good example, one CrowdSec user was able to stop a botnet attack from 7,000 different IPs in 5 minutes last week thanks to the solution. We are looking for more users, contributors and ambassadors to take the project to the next level. As of today, community members come from 21 countries across 5 different continents.
We would love to hear your feedback and engage in further discussion, so don’t hesitate to comment, reach out through our website, GitHub or Discourse, or give us a shout on Gitter.
We hope you will like it, use it and eventually contribute to improving it. Thanks in advance for sharing your thoughts.
The CrowdSec team