CrowdSec, an open-source, modernized & collaborative fail2ban for free

Dear estimated community,

We would like to introduce a new security project, CrowdSec, and most importantly collect your feedback & comments. The solution is available on GitHub and will remain open-source (MIT license) and free of charge.

CrowdSec is a hybrid security engine leveraging 2 different capabilities to protect its users.
The first one is a local agent, running on Internet-facing services. It blocks any aggressive behavior, based on various scenarios.
The second mechanism uses our global IP reputation network (run and curated by us), based on the alerts sent by our user community. Every time the behavior engine blocks an IP, all participants are informed that this IP is dangerous and should be blocked.

Image: https://opensource.com/sites/default/files/uploads/crowdsec_operation.jpg

We leverage the crowd power to make this IP reputation database as accurate as possible. As of today, community members come from 50+ countries across 5 different continents and already blocked 100,000+ IPs.

We would love to hear your thoughts and engage further discussions. Unfortunately we cannot add any link to this post but you can give us a shout on GitHub (crowdsecurity/crowdsec) or on our website via the chat.

Many thanks in advance for your valuable feedback!

The CrowdSec team

Find more posts tagged with

cybersecurity tools

linux

cybersecurity

Comments

JDMurray

What kind of evidence (i.e., triage information) does CrowdSec supply about IPs that would allow my SIEM to prioritize the criticality of the IP's detected activity? The more and varied the triage information provided to the SIEM the better.

Does CrowdSec search/store historical information that can be queried to discover the historical activity of IP and domain activity? For example, can I find out the reputation of a given IP or domain in March 2018? SOC and Threat Intel analysts also need such information to perform further investigations and research.

CrowdSec

Thanks for your questions.

Regarding the first one, when you receive reputation information about an IP, you will get the list of triggered scenarios, but there is no triage about criticality per se.

About the second one, such an API is not publicly available, but will be in the future.

Does that help?

JDMurray

I need to know if an Internet IP is a proxy gateway for an organization's Internet traffic. If one user behind that proxy starts scanning/spamming/attacking hosts on the Internet, I do not want to blacklist/block that IP and cut off access to the 10,000's of legitimate users behind that same proxy. How would CrowdSec keep me from blocking the whole barrel because of one bad apple?

CrowdSec

Very good point. Everything is covered in our FAQ section (crowdsec.net/faq)

The idea is not to ban blindly. Rather to do the minimum that is required. First, if we're talking about the web, we can send a captcha rather than drop the connection. For other protocols, we can send a 2FA or limit access to certain functions. The IP ban should only be the last alternative in IPV4. We can also react at the application, business or session level.