Introduction
CrowdSec is open-source, lightweight software that detects peers with malevolent behavior and blocks them from accessing your systems at various levels (infrastructure, system, application).
To achieve this, CrowdSec reads logs from different sources (files, streams, ...) and parses, normalizes and enriches them before matching them against threat patterns called scenarios.
CrowdSec is a modular and pluggable framework. It ships with a large variety of well-known scenarios; users choose which scenarios they want to be protected from and can easily add custom ones to better fit their environment.
Detected malevolent peers can then be prevented from accessing your resources by deploying bouncers at various levels (application, system, infrastructure) of your stack.
One of the advantages of CrowdSec compared to other solutions is its crowd-sourced aspect: metadata about detected attacks (source IP address, time, and triggered scenario) is sent to a central API and then shared among all users.
Thanks to this, besides detecting and stopping attacks in real time based on your logs, CrowdSec lets you preemptively block known bad actors from accessing your information system.
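To make the pipeline described above concrete, here is an added Python illustration (not CrowdSec's own code, and not its file formats) that replays a handful of constructed sshd log lines through the same stages: parse and normalize each line into an event, enrich it, then feed it to a scenario. The scenario is a leaky bucket keyed by source IP, which is the general shape CrowdSec scenarios take; the scenario name, the capacity of 4, the leak rate of one unit per 10 seconds, the 4h ban duration, the "privileged account" enrichment table and the sample log lines are all this example's assumptions. Because it runs over a static list of lines, it also shows the cold-log replay idea: the same detection logic applied to live or archived logs.

```python
"""Toy parse -> normalize -> enrich -> scenario pipeline (illustrative, not CrowdSec code)."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (syslog-style sshd); not real data.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1111]: Failed password for root from 203.0.113.5 port 50000 ssh2
Jan 10 10:00:02 host sshd[1112]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Jan 10 10:00:03 host sshd[1113]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jan 10 10:00:04 host sshd[1114]: Failed password for invalid user test from 203.0.113.5 port 50002 ssh2
Jan 10 10:00:05 host sshd[1115]: Failed password for root from 203.0.113.5 port 50003 ssh2
Jan 10 10:00:06 host sshd[1116]: Failed password for root from 203.0.113.5 port 50004 ssh2
Jan 10 10:00:07 host sshd[1117]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Jan 10 10:05:00 host sshd[1118]: Failed password for bob from 198.51.100.7 port 40002 ssh2
"""

LOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
ASSUMED_YEAR = 2024  # syslog timestamps carry no year; replay needs one (assumption)
PRIVILEGED_ACCOUNTS = {"root", "admin"}  # constructed enrichment table


@dataclass
class Event:
    ts: datetime
    kind: str                  # "ssh_failed_auth" or "ssh_accepted"
    source_ip: str
    user: str
    privileged_target: bool = False  # set by enrich()


@dataclass
class Decision:
    source_ip: str
    scenario: str
    ts: datetime
    duration: str


def parse(line):
    """Parse and normalize one raw line into an Event; None if the line is irrelevant."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    f = FAILED_RE.match(m["msg"])
    if f:
        return Event(ts, "ssh_failed_auth", f["ip"], f["user"])
    a = ACCEPTED_RE.match(m["msg"])
    if a:
        return Event(ts, "ssh_accepted", a["ip"], a["user"])
    return None


def enrich(event):
    """Enrichment stage: add context the raw line lacks (here, a static account table)."""
    event.privileged_target = event.user in PRIVILEGED_ACCOUNTS
    return event


class LeakyBucketScenario:
    """One bucket per source IP: each matching event adds one unit, the bucket leaks
    one unit per leak_seconds, and exceeding capacity overflows into a Decision."""

    def __init__(self, name, matches, capacity, leak_seconds, duration="4h"):
        self.name, self.matches = name, matches
        self.capacity, self.leak_seconds, self.duration = capacity, leak_seconds, duration
        self.buckets = {}  # source_ip -> (level, last_event_ts)

    def feed(self, event):
        if not self.matches(event):
            return None
        level, last = self.buckets.get(event.source_ip, (0.0, event.ts))
        level = max(0.0, level - (event.ts - last).total_seconds() / self.leak_seconds) + 1
        if level > self.capacity:
            self.buckets.pop(event.source_ip, None)  # reset the bucket after overflow
            return Decision(event.source_ip, self.name, event.ts, self.duration)
        self.buckets[event.source_ip] = (level, event.ts)
        return None


def replay(lines, scenarios):
    """Run log lines (live or cold) through parse -> enrich -> scenarios; return decisions."""
    decisions = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        enrich(event)
        for scenario in scenarios:
            decision = scenario.feed(event)
            if decision:
                decisions.append(decision)
    return decisions


def make_scenarios():
    # More than 4 failed logins from one IP inside roughly 40s overflows the bucket.
    return [LeakyBucketScenario("example/ssh-bf", lambda e: e.kind == "ssh_failed_auth",
                                capacity=4, leak_seconds=10)]


def run_sample():
    return replay(SAMPLE_LOG.splitlines(), make_scenarios())


for d in run_sample():
    print(f"{d.ts.isoformat()} ban {d.source_ip} for {d.duration} ({d.scenario})")
```

Running it produces a single decision against 203.0.113.5 at the fifth failed login; the two failures from 198.51.100.7 are five minutes apart, so the bucket has leaked back to empty before the second one arrives and no decision is emitted. Swapping the matcher or the bucket parameters is all it takes to express a different scenario, which is the modularity the text refers to.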
Main features
Besides the core "detect and react" mechanism, CrowdSec is committed to a few other key points:
- Easy installation: works out of the box on most Linux setups (see here for FreeBSD)
- Easy daily operations: using cscli and the hub, keeping your detection mechanisms up to date is trivial
- Reproducibility: CrowdSec can run not only against live logs but also against cold logs. This makes it much easier to detect potential false positives, perform forensic analysis, or generate reports
- Observability: providing strong insight into what is going on and what crowdsec-agent is doing:
  - Humans have access to a trivially deployable web interface
  - Ops have access to detailed Prometheus metrics
  - Admins have a friendly command-line tool
- API-centric: all components communicate through an HTTP API, which makes multi-machine setups straightforward