New to self-hosting, seeking advice from cybersecurity buffs.
I have the Oracle Free Tier. I've already run it for a year or so with the usual services like Nextcloud and Immich, but I'm still inexperienced and want advice. I want to do it right this time, documenting it as I go through the setup so that I don't forget.
Up until now, my plan was to run Rootless Docker with NPM and Keycloak. Then I found out about CrowdSec, and it seems that it attaches to whatever reverse-proxy service one uses?
The real question is: Together with CrowdSec, what other services/setup would you recommend for security?
For example, I've heard of Suricata and it seems like another service that's good to run alongside CrowdSec.
And while browsing the documentation, it seems that base NPM is not supported/it doesn't support CrowdSec.
I only used NPM at first because that's what whatever video I watched suggested. So, what reverse-proxy service would you recommend?
I plan on running everything through docker. I'll also use DeSEC for DNS, in case it matters for let's encrypt certs or anything else.
Here are a few other services I plan on running, in case it matters: Uptime Kuma, Owncloud Infinite Scale, Immich + Immich Public Proxy, Glance, Karakeep, Bookstack/or a digital garden service, Codeberg, some Gitpod alternative, Watchtower, Vaultwarden as a backup and Adguard + Unbound or Blocky + Unbound.
6 Replies
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command
/resolve
or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
If you are using Docker, I would advise you check out a blog post I made about using Traefik as the Reverse Proxy with CrowdSec:
https://www.nova-labs.net/setting-up-traefik-v3-with-file-provider-crowdsec-on-your-homelab/
In short, you could run your NPM/app via the necessary stuff, and have the Reverse Proxy connect the requests (user hitting your reverse proxy) with the service (npm/nginx/etc.)
You can deploy Suricata via Docker too; more or less you only have to worry about where the log files are getting created and that the CrowdSec Parser Agent container has access to those paths.
In this setup, when a container makes logs that CrowdSec needs, I have a CrowdSec Parser Agent deployed, but I only have one CrowdSec LAPI Server; all of the Parsers/Blockers/Appsec agents connect to the main Server (LAPI Server).
Telling a CrowdSec install to only be an agent is as easy as disabling the Server feature; it will then just be an Agent. Otherwise, with Server enabled, it will deploy both Server and Agent.
Nova-Labs
Traefik v3 via File Provider with CrowdSec for Plex | Nova-Labs
This guide walks you through setting up Traefik v3 as a reverse proxy using the file provider for dynamic configuration. We’ll deploy it to serve Plex (via plex.randomdomain.com) and a general website (www.randomdomain.com), with CrowdSec integration for security. The real neat thing we do in this example is setup a TCP router and service for
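As an added example (not from the post or the Nova-Labs guide), here is the one-LAPI, agent-only topology described above as a Compose file: the LAPI container only serves the Local API, the agent container has the server feature disabled and reads nginx logs from a shared volume. Container names, the bouncer name, the agent credentials and the log volume are assumptions; the nginx (or NPM) container is assumed to write its logs into the `nginx-logs` volume.

```yaml
# docker-compose.yml (constructed example; names, keys and paths are placeholders)
services:
  crowdsec-lapi:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec-lapi
    environment:
      DISABLE_AGENT: "true"              # this instance is LAPI only, no log parsing
      # Same agent credentials on both sides: the LAPI registers the machine,
      # the agent container logs in with them.
      AGENT_USERNAME: "nginx-agent"      # hypothetical machine name
      AGENT_PASSWORD: "CHANGE-ME-agent-password"
      # API key for a reverse-proxy bouncer (e.g. the Traefik plugin); placeholder value
      BOUNCER_KEY_traefik: "CHANGE-ME-long-random-key"
    volumes:
      - lapi-config:/etc/crowdsec
      - lapi-data:/var/lib/crowdsec/data
    ports:
      - "127.0.0.1:8080:8080"            # LAPI reachable from localhost and the compose network only

  crowdsec-agent:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec-agent
    environment:
      DISABLE_LOCAL_API: "true"          # server feature off: this one is only an agent
      LOCAL_API_URL: "http://crowdsec-lapi:8080"
      AGENT_USERNAME: "nginx-agent"
      AGENT_PASSWORD: "CHANGE-ME-agent-password"
      COLLECTIONS: "crowdsecurity/nginx crowdsecurity/http-cve"
    volumes:
      - ./acquis.d:/etc/crowdsec/acquis.d:ro   # acquisition files, see below
      - nginx-logs:/var/log/nginx:ro           # volume the nginx container writes to
    depends_on:
      - crowdsec-lapi

volumes:
  lapi-config:
  lapi-data:
  nginx-logs:

---
# ./acquis.d/nginx.yaml: tells the agent which files to tail and which parsers apply
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/error.log
labels:
  type: nginx
```

The second YAML document is a separate file (`acquis.d/nginx.yaml`), shown here for completeness; `cscli machines list` on the LAPI container and `cscli metrics` on the agent confirm that the agent is registered and that lines are being read.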
There's something I don't understand. I've found CrowdSec's collections for different apps. Does this mean that CrowdSec can only protect apps that have a collection?
Because in my mind, I thought that CrowdSec attached itself to the reverse proxy service (in my case, Nginx Proxy Manager), and worked on everything that used it, which in my case is going to be all the services I plan to use.
I don't know how Suricata would fit in that, though.
I apologize for my lack of knowledge in this, I'm clueless when it comes to networking.
Collections are just a convenient way to keep together log parsers and scenarios of the attacks. The way it is designed allows you to use different parsers to later on pass the messages further for processing by other matchers to trigger specific scenarios. If you just have nginx logs then it should process generic http scans/bots and so on without any additional tweaks (unless apps need it to prevent false positives, such as Nextcloud due to the way the API responds via HTTP codes). You can also write your own parsers for app logs and scenarios if needed; it usually is used to detect special attacks such as failed logins or to prevent false positives as mentioned earlier.
Also, nginx logs may serve a different purpose to the app logs, where the app usually logs more details than just 'bad request' or 'forbidden' in the http response. This way you can have better checks based on the app logs, which are usually much more valuable in detecting threats.
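To make the parser/scenario split concrete, here is an added example (not from the reply above, and not a hub collection) of the "own parser for app logs plus a failed-login scenario" case: a docker acquisition for a hypothetical `myapp` container, a stage-1 parser that extracts the username and source IP from its failed-login line, and a leaky-bucket scenario that bans the IP after a burst of failures. The container name, log line format and `homelab/` item names are assumptions.

```yaml
# /etc/crowdsec/acquis.d/myapp.yaml: read logs straight from the container (name is an assumption)
source: docker
container_name:
  - myapp
labels:
  type: myapp          # becomes evt.Parsed.program after the non-syslog stage-0 parser

---
# /etc/crowdsec/parsers/s01-parse/myapp-logs.yaml
# Assumed log line: Failed login for user "alice" from 203.0.113.7
name: homelab/myapp-logs
description: "Extract failed logins from the hypothetical myapp container logs"
filter: "evt.Parsed.program == 'myapp'"
onsuccess: next_stage
grok:
  pattern: 'Failed login for user "%{DATA:username}" from %{IP:source_ip}'
  apply_on: message
statics:
  - meta: log_type
    value: myapp_failed_auth       # the scenario below matches on this
  - meta: source_ip
    expression: evt.Parsed.source_ip
  - meta: username
    expression: evt.Parsed.username
  - meta: service
    value: myapp

---
# /etc/crowdsec/scenarios/myapp-bf.yaml
# Leaky bucket per source IP: capacity 5, one event leaks every 10s,
# so a 6th failure inside the leak window overflows and creates an alert.
type: leaky
name: homelab/myapp-bf
description: "Repeated failed logins on myapp from one IP"
filter: "evt.Meta.log_type == 'myapp_failed_auth'"
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: "10s"
blackhole: 1m                      # do not re-alert for the same IP within 1 minute
labels:
  service: myapp
  type: bruteforce
  remediation: true                # lets the profile turn the alert into a ban decision
```

Each document is its own file; `cscli explain --file sample.log --type myapp` run against a constructed log file shows whether the line reaches the parser and the scenario before anything is exposed.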
I see. So they're just more detailed and specialized than base NPM logs, but using CrowdSec on NPM already covers everything, since everything goes through NPM, as I understand it.
Where does Suricata fit in this? I'm not quite sure what it does.
Would using NPM (Or a more secure option, if it exists) + CrowdSec + Suricata be a reasonable setup for security?
I ask for suggestions on this since I don't know what services exist at all, much less which ones are updated and recommended.
I heard that Suricata is resource-intensive, so it actually might not be a good fit for the 4 vCPUs, 24 GB of RAM from the Oracle free tier VPS.
So now it seems that just CrowdSec and its WAF is a better solution. I have no idea how they work though, and this is just my guess.
> The real question is: Together with CrowdSec, what other services/setup would you recommend for security?
This would be a bit off topic since this server is focused on CrowdSec, but honestly there's no easy answer I can give you. Generally, you want to make sure everything is kept up to date (automatic updates are really helpful here), configure things securely, and try not to expose stuff to the internet you don't need.
> For example, I've heard of Suricata and it seems like another service that's good to run alongside CrowdSec.
Suricata mostly focuses on inspecting network traffic and blocking anything that looks suspicious; all CrowdSec would be doing is banning IPs that trip Suricata.
> And while browsing the documentation, it seems that base NPM is not supported/it doesn't support CrowdSec. I only used NPM at first because that's what whatever video I watched suggested. So, what reverse-proxy service would you recommend?
There's NPM Plus which supports CrowdSec, but I personally like to use vanilla NGINX. Using the http server collections will cover 90% of your use cases; the application-specific collections do include some protections that are specific to that application, but an app doesn't need to have a collection for it to be effective. It helps, but it's not strictly required. They're both resource-intensive, but CrowdSec WAF can be lighter if you use their vpatch collection; that's mainly because those rules are highly specialized against very specific kinds of attacks, and once you start loading in a ton of rules the performance hit should be about the same. imo CrowdSec's WAF isn't the greatest at the moment; it has basically non-existent rules to protect against generic attacks, which is probably something you want. You shouldn't see Suricata and CrowdSec's WAF as either/or; they can both work together since they look at different stuff. In general, you'll probably get more value from running a WAF than Suricata if all you're hosting are web-based services. There's also the fact that most stuff is encrypted nowadays, which makes most of the rules in Suricata useless.