CrowdSec
An open-source, community-driven security solution that offers crowdsourced protection against malicious IP addresses and access to the most advanced real-world threat intelligence and protection methods.
Containers
version: '3.8'
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    privileged: true
    group_add:
      - "4"   # adm
      - "33"  # www-data
      - "998" # docker socket
    ports:
      - "192.168.1.132:8484:8080"
    environment:
      - COLLECTIONS=crowdsecurity/linux crowdsecurity/nginx crowdsecurity/nextcloud
    volumes:
      - crowdsec-db:/var/lib/crowdsec
      - crowdsec-config:/etc/crowdsec
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log/auth.log:/var/log/auth.log:ro
      - proxy:/var/log/nginx:ro
      - nextcloud:/var/www/nextcloud/data:ro
    networks:
      - crowdsec_network
    healthcheck:
      test: ["CMD", "pgrep", "-f", "crowdsec"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 90s
  crowdsec-ui:
    image: hhftechnology/crowdsec_manager:latest
    container_name: crowdsec-ui
    restart: unless-stopped
    ports:
      - "192.168.1.132:8481:8080"
    environment:
      - CROWDSEC_LAPI_URL=http://crowdsec:8080
      - CROWDSEC_LAPI_KEY=JHFZuQIst+1emdfu6I0+zi9h9+ID07hAhqm/J6Sv6yE
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      crowdsec:
        condition: service_healthy
    networks:
      - crowdsec_network
  crowdsec-firewall-bouncer:
    image: digitaldriveio/cs-firewall-bouncer:snapshot
    container_name: crowdsec-firewall-bouncer
    restart: unless-stopped
    network_mode: host
    privileged: true
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - CROWDSEC_LAPI_URL=http://192.168.1.132:8484
      - CROWDSEC_LAPI_KEY=EIP3m69qNZzCnuHblpM8w9LD8qUEhMexhjnJ4jLZFMg
      - BACKEND=nftables
      - UPDATE_FREQUENCY=10s
    volumes:
      - bouncer-config:/config
      - /etc/localtime:/etc/localtime:ro
    depends_on:
      - crowdsec
volumes:
  crowdsec-db:
  crowdsec-config:
  bouncer-config:
  proxy:
    external: true
    name: "nextcloud_proxy"
  nextcloud:
    external: true
    name: "nextcloud_nextcloud"
networks:
  crowdsec_network:
    driver: bridge
Parser settings
$ docker exec crowdsec sh -c "cat <<EOF > /etc/crowdsec/acquis.yaml
source: docker
container_name:
  - nextcloud-proxy
labels:
  type: nginx
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
---
filenames:
  - /var/www/nextcloud/data/data/nextcloud.log
labels:
  type: nextcloud
EOF"
Commands
$ docker exec crowdsec cscli bouncers add crowdsec-ui -k JHFZuQIst+1emdfu6I0+zi9h9+ID07hAhqm/J6Sv6yE
$ docker exec crowdsec cscli bouncers add crowdsec-firewall-bouncer -k EIP3m69qNZzCnuHblpM8w9LD8qUEhMexhjnJ4jLZFMg
$ docker exec crowdsec cscli bouncers list
$ docker exec crowdsec cscli metrics
Statistics
$ docker exec crowdsec cscli metrics
+------------------------------------------------------------------------------------------------------------------+
|                                               Acquisition Metrics                                                |
+------------------------+------------+--------------+----------------+------------------------+-------------------+
| Source                 | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket | Lines whitelisted |
+------------------------+------------+--------------+----------------+------------------------+-------------------+
| docker:nextcloud-proxy | 13         | 13           | -              | 6                      | 3                 |
+------------------------+------------+--------------+----------------+------------------------+-------------------+

+------------------------------------+
|         Local API Metrics          |
+--------------------+--------+------+
| Route              | Method | Hits |
+--------------------+--------+------+
| /v1/heartbeat      | GET    | 1    |
| /v1/usage-metrics  | POST   | 1    |
| /v1/watchers/login | POST   | 1    |
+--------------------+--------+------+

+-------------------------------------------+
|        Local API Machines Metrics         |
+-----------+---------------+--------+------+
| Machine   | Route         | Method | Hits |
+-----------+---------------+--------+------+
| localhost | /v1/heartbeat | GET    | 1    |
+-----------+---------------+--------+------+

+---------------------------------------------------------------+
|                        Parser Metrics                         |
+------------------------------------+------+--------+----------+
| Parsers                            | Hits | Parsed | Unparsed |
+------------------------------------+------+--------+----------+
| child-crowdsecurity/http-logs      | 39   | 26     | 13       |
| child-crowdsecurity/nginx-logs     | 13   | 13     | -        |
| crowdsecurity/dateparse-enrich     | 13   | 13     | -        |
| crowdsecurity/geoip-enrich         | 10   | 10     | -        |
| crowdsecurity/http-logs            | 13   | 13     | -        |
| crowdsecurity/nextcloud-whitelist  | 13   | 13     | -        |
| crowdsecurity/nginx-logs           | 13   | 13     | -        |
| crowdsecurity/non-syslog           | 13   | 13     | -        |
| crowdsecurity/public-dns-allowlist | 13   | 13     | -        |
| crowdsecurity/whitelists           | 13   | 13     | -        |
+------------------------------------+------+--------+----------+

+----------------------------------------------------------------------------------------------------+
|                                          Scenario Metrics                                          |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| Scenario                             | Current Count | Overflows | Instantiated | Poured | Expired |
+--------------------------------------+---------------+-----------+--------------+--------+---------+
| crowdsecurity/http-crawl-non_statics | 1             | -         | 3            | 6      | 2       |
+--------------------------------------+---------------+-----------+--------------+--------+---------+

+---------------------------------------------------------------------------------------+
|                                   Whitelist Metrics                                   |
+------------------------------------+-----------------------------+------+-------------+
| Whitelist                          | Reason                      | Hits | Whitelisted |
+------------------------------------+-----------------------------+------+-------------+
| crowdsecurity/nextcloud-whitelist  | Nextcloud Whitelist         | 13   | -           |
| crowdsecurity/public-dns-allowlist | public DNS server           | 13   | -           |
| crowdsecurity/whitelists           | private ipv4/ipv6 ip/ranges | 13   | 3           |
+------------------------------------+-----------------------------+------+-------------+
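Added here as an example (not part of these notes or of CrowdSec itself): a small Python helper that parses the ASCII tables `cscli metrics` prints and flags acquisition sources that read nothing, leave lines unparsed, or are mostly whitelisted (the 3/13 whitelisted by "private ipv4/ipv6 ip/ranges" above is the kind of figure worth checking, since a proxy that logs an internal Docker address instead of the client makes every hit look private). The sample is constructed from the Acquisition Metrics block above plus two invented sources, and the 20% threshold is an assumption.

```python
"""Parse the ASCII tables printed by `cscli metrics` and flag acquisition problems."""
# Constructed sample: the Acquisition Metrics block from the notes plus two invented sources.
SAMPLE = """\
+------------------------------------------------------------------------------------------------------------------+
|                                               Acquisition Metrics                                                |
+------------------------+------------+--------------+----------------+------------------------+-------------------+
| Source                 | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket | Lines whitelisted |
+------------------------+------------+--------------+----------------+------------------------+-------------------+
| docker:nextcloud-proxy | 13         | 13           | -              | 6                      | 3                 |
| file:/var/log/auth.log | 40         | 35           | 5              | 2                      | -                 |
| file:/var/www/nextcloud/data/data/nextcloud.log | - | - | - | - | - |
+------------------------+------------+--------------+----------------+------------------------+-------------------+
"""

def split_tables(text):
    """Group rows by table title; a title is a '|' line holding a single cell."""
    raw, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # '+---' borders and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 1:
            current = cells[0]
            raw[current] = []
        elif current is not None:
            raw[current].append(cells)
    # The first data row of every table is its header.
    return {name: [dict(zip(rows[0], r)) for r in rows[1:]] for name, rows in raw.items() if rows}

def to_int(value):
    """cscli prints '-' instead of 0 for empty counters."""
    return 0 if value == "-" else int(value)

def acquisition_findings(text, max_whitelist_ratio=0.2):
    """One message per source that reads nothing, fails to parse, or is mostly whitelisted."""
    findings = []
    for row in split_tables(text).get("Acquisition Metrics", []):
        src = row["Source"]
        read = to_int(row["Lines read"])
        unparsed = to_int(row["Lines unparsed"])
        allowed = to_int(row["Lines whitelisted"])
        if read == 0:
            findings.append(f"{src}: nothing read, check the volume mount and the acquis.yaml path")
        elif unparsed:
            findings.append(f"{src}: {unparsed}/{read} lines unparsed, check labels.type")
        elif allowed / read > max_whitelist_ratio:
            # Private ranges are whitelisted by crowdsecurity/whitelists; a proxy logging its upstream's Docker IP makes every hit look internal.
            findings.append(f"{src}: {allowed}/{read} lines whitelisted, verify the logged client IP is real")
    return findings
```

Feed it the real output with `docker exec crowdsec cscli metrics | python3 check_metrics.py` after wrapping the call in a `sys.stdin.read()` (the file name is hypothetical).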