Author: Marjorie Roome
Date:  
To: dng
Subject: Re: [DNG] How do you run crowdsec on daedalus?
Hi onefang, Anthony,

On Mon, 2023-07-31 at 23:45 +1000, onefang wrote:
> On 2023-07-31 14:56:09, Antony Stone wrote:
> > On Monday 31 July 2023 at 14:46:08, Robert Montante, Ph.D. via Dng
> > wrote:
> >
> > > I'm running the apache2 webserver on an installation of daedalus
> > > rc7, and I really need some protection from all the attacks.  It
> > > seems that "crowdsec" is being promoted as better than
> > > "fail2ban",
> >
> > Reference/s?
> >
> > > so I installed that... but I can't see any evidence that it's
> > > actually running.  It doesn't show up as a service, and it
> > > doesn't show up as a process.
> >
> > I haven't used crowdsec, so I can't answer your actual question,
> > however I find the comparison between this and fail2ban somewhat
> > odd, because crowdsec is based on a group of machines reporting
> > suspicious behaviour to each other and using the sum of information
> > from multiple sources to decide what security measures to
> > implement, whereas fail2ban operates on a single machine and
> > reacts to events in its local log files.
> >
> > I believe fail2ban can be set up to communicate with other
> > instances of itself over a network, but those have to be configured
> > by the sysadmins and are therefore still far more of a private
> > service than crowdsec, which is exchanging information with loads
> > of machines, the identities of which you have no idea.
> >
> > I'm not saying I think fail2ban is better; I'm just saying they do
> > different jobs and therefore can't be directly compared.
>
> First I have heard of crowdsec, but I always say that the biggest
> problem with fail2ban is that it ... fails 2 ban.  While it comes
> with a great variety of rules, the only one I have ever seen it ban
> anything with is the one I wrote myself.
>
> So some replacement that actually works out of the box would be useful
> to me.


I have no experience of crowdsec, though I know people who rate it
highly. It seems to be a crowdsourced spamhaus for known bad IPs, but
obviously it depends on you - the crowd - reporting bad IPs, and I'm
unclear how its detection works.

I find on my mail server fail2ban does work, but obviously it has its
limitations.

Firstly, of course, you have to get postfix to filter out the spam; I'm
quite aggressive in my postfix filters and also use rspamd.
The biggest reasons for spam fails are the lack of a reverse DNS or they
are attempting a SASL login.

I run fail2ban with one additional jail (postfix-extra [*]) and,
because spammers space out their emails to get round the standard
fail2ban settings, I wait for fewer retries before banning, allow for a
longer window to find repeats and ban for much longer by default.
Spammers still work to get round this by repeated attempts but with
different IPs.

I use the following fail2ban jails (for email):
dovecot (0, 3, 12h, 3d)
postfix (13, 3, 12h, 3d)
postfix-extra (66, 3, 12h, 3d)
postfix-sasl (25, 2, 16h, 7d)

where the numbers are how many IPs are currently banned, max tries
allowed, length of window to find repeats, ban time.
NB: this is on a family server with about 50 emails a day.

[*] I added Gary Gapinski's postfix-extra jail because there were
errors I could see in mail.log that the standard jail regexes weren't
matching.

--
Marjorie
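A jail.local fragment that encodes the tuning described in the message (maxretry 3 / findtime 12h / bantime 3d for the dovecot and postfix jails, 2 / 16h / 7d for postfix-sasl). This is an added example constructed from the numbers in the post, not Marjorie's actual configuration; the postfix-extra filter file is assumed to exist at filter.d/postfix-extra.conf (its regexes are not part of the message), and the ignoreip range is a placeholder.

```ini
# /etc/fail2ban/jail.local  (added example, not the poster's own file)
#
# fail2ban's stock defaults (maxretry 5, findtime 10m, bantime 10m) are
# what spread-out spam attempts slip past: each IP retries slowly enough
# that the 10-minute window never fills.  The settings below trade that
# for fewer tries, a longer window and a much longer ban.

[DEFAULT]
maxretry = 3
findtime = 12h
bantime  = 3d
# never ban loopback or the local LAN (LAN range is an assumed placeholder)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
backend  = auto

[dovecot]
# stock jail: IMAP/POP/submission auth failures in the dovecot log
enabled  = true
port     = pop3,pop3s,imap,imaps,submission,465,sieve
logpath  = %(dovecot_log)s

[postfix]
# stock jail: rejected connections (e.g. no reverse DNS) from mail.log
enabled  = true
port     = smtp,465,submission
logpath  = %(postfix_log)s

[postfix-sasl]
# stock jail (filter = postfix[mode=auth] in jail.conf): SASL login
# attempts get the stricter 2 / 16h / 7d policy from the message
enabled  = true
port     = smtp,465,submission,imap,imaps,pop3,pop3s
logpath  = %(postfix_log)s
maxretry = 2
findtime = 16h
bantime  = 7d

[postfix-extra]
# custom jail for mail.log lines the stock postfix filter misses;
# requires /etc/fail2ban/filter.d/postfix-extra.conf (assumed to exist)
enabled  = true
filter   = postfix-extra
port     = smtp,465,submission
logpath  = %(postfix_log)s
```

After editing, `fail2ban-client reload` picks up the change, and `fail2ban-client status postfix-extra` reports the currently banned count (the first number in the jail list above). Before enabling a custom filter, `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-extra.conf` shows how many log lines its regexes actually match, which is the quickest way to tell whether a jail that "fails 2 ban" has a filter that simply never fires.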