New to crowdsec: next steps
Hi! i'm new to crowdsec and i dont known to do after the instalation to start blocking ips, lol
can someone help me?
10 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please use run the command
/resolve or press the green resolve button below.Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Did you take a look through our post installation guide?
https://docs.crowdsec.net/u/getting_started/next_steps
Post Installation Steps | CrowdSec
Now that your CrowdSec installation is up and running, here are some post-installation steps to help you continue your journey.
Hi! yes!
installed CrowdSec on a machine in my network, enrolled it, and installed a remediation component. I also subscribed to 3 blocklists.
My server runs Apache, but it's inside a Docker container.
is there a way for me to specify the log file for CrowdSec to monitor?
Yes its covered in the post install within the acquistiion section: https://docs.crowdsec.net/u/getting_started/post_installation/acquisition
However, keep in mind for the docker you will need to mount the log files inside the container namespace
Acquisition | CrowdSec
By default when CrowdSec is installed it will attempt to detect the running services and acquire the appropriate log sources and Collections.
i have two alerts but I manually banned my IP, both local and external, and yet I was still able to access the application. 😦
if your remeidation is firewall componet please see the note tied to the chains section: https://docs.crowdsec.net/u/bouncers/firewall#iptables_chains
Firewall | CrowdSec
📚 Documentation
Oh i seee, thank you
i'm having a little bit of trouble because i'm brazilian and my english is bad
Could you recommend or create a summarized roadmap to start studying CrowdSec? A starting point?
sorry for asking too much, i'm really new to crowdsec
1. Mount your Apache logs into the CrowdSec container
Since Apache is running in Docker, CrowdSec needs access to its logs. You can do this by mounting the Apache log folder into the CrowdSec container.
2. Tell CrowdSec to read those logs
Edit your acquisition file (explained here: Acquisition Guide) and point it to the mounted Apache log path.
3. Check your firewall chain
If you are using the firewall remediation, make sure the
DOCKER-USER chain is set up correctly, as Docker can override iptables rules. You can find details here: Firewall Chain Setup.
After these steps, CrowdSec should be able to detect attacks from your Apache logs and block IPs properlyn my case, Apache is running in Docker, and CrowdSec is installed on the host server.
I would like CrowdSec to read the logs from my Apache running inside a Docker container.
The log file is accessible via /var/lib/docker/containers/<container-id>/<container-id>-json.log.
If you apache is writing to stdout of the container then you can use the docker acqusition instead.
So within CrowdSec you can mount the docker socket like so : https://github.com/crowdsecurity/example-docker-compose/blob/c8e97b5b367e6b6aba88e8189f14cadb2ef9412b/container-socket/docker-compose.yml#L36
Then you can create an acqusition file to find the apache container: https://github.com/crowdsecurity/example-docker-compose/blob/main/container-socket/crowdsec/acquis.yaml
supporting docs: https://docs.crowdsec.net/docs/next/log_processor/data_sources/docker#configuration-example