Introduction:
Are you a bitcoiner self-hosting your own node and other infrastructure? If so, safeguarding that infrastructure from cyber threats is paramount. Discover how CrowdSec, the collaborative cybersecurity solution, can fortify your defenses by dynamically performing intrusion detection and blocking malicious traffic and actors. CrowdSec is an open-source, community-driven intrusion detection and prevention system (IDS/IPS) that uses machine learning to detect and block malicious traffic. CrowdSec can be deployed on a variety of platforms, including Docker. If you would like to know more about CrowdSec you can find the information here. Follow this step-by-step guide to deploy CrowdSec's engine in a Docker container and build your own intrusion detection and prevention system.
Prerequisites:
- Ubuntu/Debian Linux-based system with Docker and Docker Compose installed.
- Basic familiarity with Docker concepts and commands.
- Administrative access to configure the firewall.
Step 1: Setting Up the Docker Environment
Ensure Docker and Docker Compose are installed on your system:
docker --version
docker-compose --version
If not installed, refer to the official Docker documentation for guidance here.
Step 2: Creating the CrowdSec Configuration File
Start by creating the directory structure below.
mkdir crowdsec
cd crowdsec
mkdir config
Create the acquis.yaml file in the config folder using a text editor of your choice (I use nano) and add the following minimal configuration:
---
filenames:
  - /logs/auth.log
  - /logs/syslog
  - /logs/kern.log
labels:
  type: syslog
The paths shown are container-side paths; the host log files are mounted at these locations in the docker-compose.yaml file below.
Step 3: Running CrowdSec Engine in a Docker Container
Deploy the CrowdSec engine in a Docker container using the following docker-compose.yaml file:
version: "3"
services:
  crowdsec:
    container_name: crowdsec
    image: crowdsecurity/crowdsec:v1.5.2
    restart: unless-stopped
    environment:
      - COLLECTIONS=crowdsecurity/sshd crowdsecurity/iptables
      - GID=${GID-1000}
    volumes:
      - crowdsec_config:/etc/crowdsec/
      - crowdsec_data:/var/lib/crowdsec/data/
      - crowdsec_log_data:/logs/
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - /var/log/auth.log:/logs/auth.log:ro
      - /var/log/syslog:/logs/syslog:ro
      - /var/log/kern.log:/logs/kern.log:ro
    networks:
      - crowdsec
    ports:
      - 8080:8080
      - 6060:6060
networks:
  crowdsec:
volumes:
  crowdsec_log_data:
  crowdsec_data:
  crowdsec_config:
Docker Compose performs the following steps:
- Pulls the CrowdSec base image from the Docker registry.
- Creates 3 Docker volumes for log data, config data and the CrowdSec database.
- Mounts these volumes at the appropriate mount points within the container.
- Bind-mounts the host log files it needs to monitor into the container (read-only).
- Passes in the collections that make CrowdSec even more effective for this task via an environment variable, along with the group ID of the locally running user.
- Exposes the ports CrowdSec requires.
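The acquis.yaml paths only work if each one is backed by a bind mount in the compose file, and Docker silently creates an empty directory when a bind-mount source such as /var/log/kern.log does not exist on the host, so the engine would tail nothing. The pre-flight check below is an added example written for this guide (not CrowdSec's own tooling); it reads the two files with simple line matching rather than a YAML parser, and the sample inputs are copied from the configuration above.

```python
import os
import re

# Line shapes from this guide's YAML (a shortcut, not a YAML parser); named
# volumes such as crowdsec_data:/var/lib/... start with neither "/" nor "./".
ACQUIS_FILE = re.compile(r"^\s*-\s*(/[^\s:]+)\s*$")
BIND_MOUNT = re.compile(r"^\s*-\s*([./]\S*?):(/\S+?)(?::(ro|rw))?\s*$")

def acquis_filenames(acquis_text):
    """Container-side paths the engine will tail (the filenames: list)."""
    return [m.group(1) for m in map(ACQUIS_FILE.match, acquis_text.splitlines()) if m]

def bind_mounts(compose_text):
    """Map container path -> (host path, mode) for every bind mount."""
    mounts = {}
    for m in filter(None, map(BIND_MOUNT.match, compose_text.splitlines())):
        host, container, mode = m.groups()
        mounts[container] = (host, mode or "rw")
    return mounts

def check_acquisition(acquis_text, compose_text, isfile=os.path.isfile):
    """Return problems; empty means every acquired log is a read-only bind mount
    whose host side is a regular file (Docker silently creates a directory for
    a missing bind-mount source). isfile is injectable for offline testing."""
    mounts, problems = bind_mounts(compose_text), []
    for path in acquis_filenames(acquis_text):
        if path not in mounts:
            problems.append(f"{path}: listed in acquis.yaml but never bind-mounted")
            continue
        host, mode = mounts[path]
        if mode != "ro":
            problems.append(f"{path}: mounted read-write from {host}; use :ro")
        if not isfile(host):
            problems.append(f"{path}: host file {host} is missing")
    return problems

# Constructed inputs: the guide's acquis.yaml and the volumes: list of its service.
ACQUIS = "filenames:\n  - /logs/auth.log\n  - /logs/syslog\n  - /logs/kern.log\nlabels:\n  type: syslog\n"
COMPOSE_VOLUMES = """\
    volumes:
      - crowdsec_config:/etc/crowdsec/
      - crowdsec_log_data:/logs/
      - ./config/acquis.yaml:/etc/crowdsec/acquis.yaml
      - /var/log/auth.log:/logs/auth.log:ro
      - /var/log/syslog:/logs/syslog:ro
      - /var/log/kern.log:/logs/kern.log:ro
"""

if __name__ == "__main__":
    print(check_acquisition(ACQUIS, COMPOSE_VOLUMES) or "acquisition config is consistent")
```

Run it on the host before `docker-compose up`; the same check is useful again after a distribution upgrade that switches syslog off, because the engine will keep running with the file gone and simply stop seeing events.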
Launch the CrowdSec engine in the Docker container by typing the following command in your terminal:
docker-compose up -d
Step 4: Installing and Configuring the Firewall Bouncer on the Docker Host
Install the firewall bouncer on your host system by adding the CrowdSec repository and then typing the following commands in the terminal:
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
sudo apt install crowdsec-firewall-bouncer-iptables
Configure the firewall: first generate your API key by typing the following command in your terminal:
docker exec crowdsec cscli bouncers add <name your bouncer>
This will generate an API key for you, which you should store carefully because you will use it in the next step.
Open /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml in a text editor of your choice and update the api_key line so the file contains:
api_url: http://127.0.0.1:8080/
api_key: <your api key which you got in the last step>
Run the following command in the terminal:
sudo systemctl enable --now crowdsec-firewall-bouncer
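Before trusting the service, it is worth confirming that the key you pasted into the bouncer config is actually accepted by the engine. The script below is an added example (not part of the original post and not CrowdSec's own code): it queries the Local API the way the firewall bouncer does, GET /v1/decisions with the key in the X-Api-Key header, and returns whether the key was accepted. It bundles a constructed stub of the LAPI so it runs offline; against the real engine, call check_bouncer_key with api_url http://127.0.0.1:8080/ and the key printed by cscli bouncers add.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_bouncer_key(api_url, api_key, timeout=5):
    """Query the Local API exactly as a bouncer does: GET /v1/decisions with
    the key in the X-Api-Key header. Returns (accepted, http_status)."""
    req = urllib.request.Request(
        api_url.rstrip("/") + "/v1/decisions",
        headers={"X-Api-Key": api_key, "User-Agent": "bouncer-key-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, resp.status
    except urllib.error.HTTPError as err:
        return False, err.code

class StubLAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the engine so the check runs offline: it knows
    one key and rejects every other key with 403 (the body text is made up)."""
    GOOD_KEY = "constructed-example-key-not-a-real-one"

    def do_GET(self):
        if self.headers.get("X-Api-Key") == self.GOOD_KEY:
            status, body = 200, []            # no active decisions yet
        else:
            status, body = 403, {"message": "access forbidden"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):             # keep the demo output quiet
        pass

def start_stub_lapi():
    """Serve the stub on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubLAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"

if __name__ == "__main__":
    server, url = start_stub_lapi()
    print(check_bouncer_key(url, StubLAPI.GOOD_KEY))  # (True, 200)
    print(check_bouncer_key(url, "mistyped-key"))     # (False, 403)
    server.shutdown()
```

Since the bouncer on the host reaches the engine over loopback, publishing the port as 127.0.0.1:8080:8080 in the compose file keeps the LAPI from listening on every interface of the node.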
That's about it. You should now be protected by CrowdSec from brute-force SSH and port-scanning attacks against your node. There is a "gotcha" I would like to bring to your attention, especially if you are using Docker with the ufw firewall on Ubuntu/Debian, here.
I would like to point out that if you sign up with the CrowdSec console, you get a good view of what is happening with your logs, attacks against you, alerts and the action taken by the bouncer.
Conclusion:
Empower the security of your full node with CrowdSec's engine in a Docker container, coupled with the firewall bouncer. This formidable combination performs IDS/IPS, dynamically blocks malicious traffic and actors, and defends against cyber threats, providing you (some) peace of mind. Don't forget that security works in layers and is never static.
#Bitcoin #FullNode #SelfHosting #CyberSecurity #DockerSecurity #CrowdSecEngine #FirewallProtection #CyberDefenses #DockerContainer #NetworkSecurity #IDSIPS