Docker infrastructure with multiple services and host strategy
Hi all!!!
I just discovered CrowdSec and have been playing with it for a few days and reviewing settings. Right now I have an Ubuntu machine running Docker with Traefik in front and, behind it, multiple services such as AdGuard, Portainer, and multiple apps with Caddy, Apache, etc.
Now I have installed CrowdSec in a container and I have a couple of doubts:
- I understand that I can share the host machine's journal log to protect access to the SSH port.
- What is the best strategy for configuring CrowdSec with containers? Just check the Traefik logs, or configure each of the services?
Thank you
I also just started using CrowdSec, but I installed it natively.
I find it easier this way to manage, play around and test configurations. It's also easier to parse container logs this way. Just use docker volume ls and docker volume inspect <volume id or name> to locate the log file you want to parse, and add it to the acquis.yaml file.
I would also say it makes it easier when you install the bouncer on the host, so it can interact with the host's iptables.
My Caddy is also running natively. But you should be able to access the log files as well, if they are mounted somewhere accessible on the host for the CrowdSec parsers to parse them.
I used this collection: https://app.crowdsec.net/hub/author/crowdsecurity/collections/caddy
I know it is not the answer you expected, since you asked for help with container setup. But maybe this can still help you, in case you want to change your approach.
Thanks for taking the time to answer me. My question comes from having a Docker-based infrastructure... I don't know if reading the Traefik logs would be enough or if I have to configure the logs for each container.
Depends on what you want to monitor. If you only want to observe access to the web services hosted inside your Docker containers, then this should be enough.
Your Traefik is the first entry point, as the reverse proxy to those services and where all HTTP(S) traffic passes through. So it should be enough to monitor your Traefik logs alone for HTTP-related information.
If, let's say, you have WireGuard or something else running inside your containers which uses different protocols and ports, then you would need to log them additionally.
It's best to identify the areas and information that are important for you to monitor and see if they are already covered by the Traefik logs. The easiest way is to trigger log entries and see whether they appear or not.
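Putting the two answers together as a concrete acquisition config for the setup described in this thread. This is an added example, not taken from the posts above or from the CrowdSec project; the file paths, container names and bind mounts are assumptions to adapt to your own layout. One Traefik source covers every HTTP(S) service behind the proxy; SSH on the host is not behind Traefik, so it gets its own source.

```yaml
# acquis.yaml for a crowdsec container next to Traefik (added example; paths and
# container names are assumptions).
#
# 1. HTTP(S): Traefik is the single entry point, so one source covers all web
#    services behind it. Traefik must write an access log (static config:
#    accessLog.filePath = /var/log/traefik/access.log) and that directory must
#    be mounted into the crowdsec container, e.g.
#      -v /srv/traefik/logs:/var/log/traefik:ro
filenames:
  - /var/log/traefik/access.log
labels:
  type: traefik          # selects the crowdsecurity/traefik parser
---
# 2. SSH on the host: bypasses Traefik entirely, so it needs its own source.
#    Here the host's auth log is bind-mounted read-only into the container:
#      -v /var/log/auth.log:/var/log/host/auth.log:ro
#    (If you read the journal instead, crowdsec needs journalctl available
#    where it runs; that is not assumed here.)
filenames:
  - /var/log/host/auth.log
labels:
  type: syslog           # sshd lines are syslog formatted; the sshd collection parses them
---
# 3. Alternative for containerised Traefik: read the container's stdout via the
#    docker datasource instead of a file. Requires Traefik to log to stdout
#    (the default when no accessLog.filePath is set) and /var/run/docker.sock
#    mounted into the crowdsec container. Do not enable both 1 and 3 for the
#    same Traefik instance, or every request is parsed twice.
# source: docker
# container_name:
#   - traefik            # assumed container name
# labels:
#   type: traefik
```

Any service that bypasses Traefik (a WireGuard container, for example) needs one more block of the same shape pointing at its own log and a label matching an installed parser. Be aware that option 3 hands the crowdsec container the Docker socket, which is effectively root on the host; the read-only file mounts in 1 and 2 are the lower-privilege choice. To confirm a source is actually being read, trigger a request or a failed SSH login and check that the acquisition line counts move in `cscli metrics`; `cscli explain --file <log> --type traefik` shows whether individual lines are parsed and which scenarios they hit.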
good advice!!