CrowdSec Bouncer Support

Note: open-appsec integration with CrowdSec is currently in alpha. It currently supports:

  • open-appsec for NGINX Ingress Controller on K8s

  • open-appsec Docker with NGINX and Kong

More platforms and integrations will be added soon.

About CrowdSec

CrowdSec is an open-source project which provides crowd-sourced protection against malicious IP addresses. CrowdSec Threat Intelligence (CTI) distributes reputation intelligence, e.g. for known malicious IP addresses and networks. This intelligence originates from tens of thousands of CrowdSec users who share their local threat intelligence with the community; their CrowdSec security engines use "parsers" and "scenarios" to generate threat indicators from the logs of 3rd party security solutions like open-appsec. The actual enforcement of these CTI indicators is performed by 3rd party (security) solutions like open-appsec, which provide so-called "CrowdSec bouncers" that block traffic from those indicators in addition to their own (security) capabilities.

More information about CrowdSec: www.crowdsec.net

CrowdSec Docs: docs.crowdsec.net

CrowdSec Threat Intelligence (CTI): www.crowdsec.net/product/threat-intelligence

Here's an overview of the CrowdSec integration architecture:

open-appsec bouncer for CrowdSec Threat Intelligence (CTI)

open-appsec provides CrowdSec integration by offering a CrowdSec "bouncer". This allows open-appsec to detect or prevent traffic based on CrowdSec's CTI indicators (source IP addresses and source IP networks) in addition to its own security capabilities like the contextual ML engine, IPS and more.

Please make sure to also install the base-http-scenarios collection in your CrowdSec deployment to get all relevant HTTP/HTTPS based IP indicators from CrowdSec Threat Intelligence. It is available here: https://hub.crowdsec.net/author/crowdsecurity/collections/base-http-scenarios

Configuration

Prerequisites:

Make sure the following prerequisites are met:

  • Existing installation of open-appsec for NGINX Ingress Controller (see: Start with Kubernetes)

  • Existing installation of CrowdSec on the K8s cluster with an accessible LAPI (= local API, exposed by the crowdsec-lapi pod) (see: docs.crowdsec.net) OR access to some other CrowdSec LAPI

  • The URL of the CrowdSec API (LAPI) to be used

  • An API key that allows access to the CrowdSec API (LAPI)

Note that support for a direct connection to the CrowdSec CAPI isn't available yet, but will be added soon. Therefore please connect to the LAPI, which also provides intelligence from the CAPI, such as the CrowdSec Community Blocklist.

In Kubernetes the configuration of open-appsec's CrowdSec bouncer functionality is maintained in a ConfigMap and confidential information like the API key in a Secret.

The easiest way is to configure the content of the ConfigMap and the Secret directly, using the Helm values listed below, when deploying open-appsec with Helm. Alternatively you can just specify the names of the ConfigMap and the Secret using the corresponding Helm values and populate their contents yourself (e.g. using a GitOps CD process). List of available key-values:

appsec.configMapName: STRING allows you to specify the name of the ConfigMap for advanced open-appsec configurations (default is "appsec-settings-configmap")

appsec.configMapContent.crowdsec.enabled: {true|false} enable or disable CrowdSec bouncer

appsec.configMapContent.crowdsec.mode: {detect|prevent} set enforcement mode for the CrowdSec bouncer to "detect" or "prevent"

appsec.configMapContent.crowdsec.logging: {enabled|disabled} enable or disable the logging of security events based on CrowdSec Threat Intelligence

appsec.configMapContent.crowdsec.api.url: STRING configure the URL that is used by open-appsec to communicate with the CrowdSec API (LAPI or CAPI), default is http://crowdsec-service:8080/v1/decisions/stream (this is an example for the LAPI (local API) as exposed by the crowdsec-lapi pod in K8s)

appsec.configMapContent.crowdsec.auth.method: [apikey] select the desired authentication method for the authentication against the CrowdSec API (note that currently only authentication using an API key is supported) (default is "apikey")

appsec.secretName: STRING specify the name of the Secret holding confidential information like API keys (default is "appsec-settings-secret")

appsec.secretContent.crowdsec.auth.data: provide the CrowdSec API key which open-appsec will use to authenticate against the API

Note: For the LAPI (local API) you can create such a key with CrowdSec's "cscli" command as follows (for the CAPI (central API) you would create it in CrowdSec's WebUI instead); the API key is shown in the resulting output.

cscli bouncers add openappsec

Note: When changing the above parameters make sure that the open-appsec ingress controller pod is redeployed for the performed changes to become effective.

Congratulations, now you have successfully configured open-appsec to bounce traffic from malicious source IPs based on CrowdSec Threat Intelligence (CTI). Now is a good time to also configure your own CrowdSec deployment to share signals based on your local open-appsec security logs with CrowdSec's Threat Intelligence Community. You can find the simple configuration steps here:

CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario

Additional information

Which Threat Intelligence is imported from the CrowdSec API?

Once the connection to the CrowdSec LAPI is configured, open-appsec will load CrowdSec Threat Intelligence (CTI) via the configured CrowdSec API based on the following criteria:

  • CTI with origin "capi", which contains tens of thousands of "shoot-on-sight" IPs with a high confidence level of being indeed malicious (collaborative threat intelligence)

  • CTI with origin "cscli" (local, manual threat intelligence)

  • CTI with origin "crowdsec" (local, automatic threat intelligence)

  • Note that threat intelligence from scenarios where the CrowdSec scenario name contains "openappsec" or "open-appsec" and origin is "crowdsec" is NOT imported. The reason is explained below.

Note: This exclusion filter allows you to use a custom local CrowdSec scenario on the CrowdSec security engine side that parses the original open-appsec logs to create/share additional CrowdSec Threat Intelligence based on open-appsec's preemptive, ML-based detection capabilities, which include zero-day attack detection/prevention. Always make sure to include "open-appsec" in the name of such a scenario so that this filter works. Without it there would be a loop: IP-based indicators originating from open-appsec logs would be added to CrowdSec's local Threat Intelligence and then loaded again by open-appsec. As open-appsec can itself prevent those attacks and provides much more in-depth details about each attack (like the threat indicators included in the attack), it wouldn't make sense to block them only based on the source IP from CrowdSec's indicators.

Which CrowdSec Threat Intelligence can be detected/prevented by open-appsec?

Based on the above filter criteria for importing CrowdSec Threat Intelligence (CTI), open-appsec is then able to detect or prevent (depending on the configured enforcement mode) all resulting CTI indicators (IP addresses and networks) whose CrowdSec decision type is "ban".
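To make the import rules above concrete, here is an added Python example (not open-appsec's own code) that applies exactly those criteria to a constructed LAPI /v1/decisions/stream payload: only origins capi, cscli and crowdsec; only decision type "ban"; and no crowdsec-origin decision whose scenario name contains "openappsec" or "open-appsec". It also removes decisions reported in the "deleted" list, so an expired ban does not keep blocking. The payload, scenario names, IP values and the verdict() helper are assumptions made for this example; origins are compared case-insensitively because the LAPI reports the community origin in upper case as "CAPI".

```python
import ipaddress
import json

# Constructed sample of a CrowdSec LAPI GET /v1/decisions/stream response.
# Field names follow the CrowdSec decision model; every value is made up for this example.
SAMPLE_STREAM = json.dumps({
    "new": [
        # community blocklist entry (origin CAPI): imported
        {"id": 1, "origin": "CAPI", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "scenario": "crowdsecurity/http-probing", "duration": "3h"},
        # manual decision on a whole network added with cscli: imported
        {"id": 2, "origin": "cscli", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
         "scenario": "manual 'ban' from 'admin'", "duration": "24h"},
        # local automatic decision from a hub scenario: imported
        {"id": 3, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.10",
         "scenario": "crowdsecurity/http-bad-user-agent", "duration": "4h"},
        # local decision derived from open-appsec's own logs: NOT imported (loop prevention)
        {"id": 4, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.11",
         "scenario": "custom/open-appsec-high-severity", "duration": "4h"},
        # non-ban decision type: NOT imported
        {"id": 5, "origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "192.0.2.12",
         "scenario": "crowdsecurity/http-crawl-non_statics", "duration": "1h"},
        # origin outside the imported set: NOT imported
        {"id": 6, "origin": "lists", "type": "ban", "scope": "Ip", "value": "192.0.2.13",
         "scenario": "firehol_cybercrime", "duration": "24h"},
    ],
    # a decision that expired since the previous poll and must be dropped
    "deleted": [
        {"id": 7, "origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.99",
         "scenario": "crowdsecurity/http-probing", "duration": "-1h"},
    ],
})

IMPORTED_ORIGINS = {"capi", "cscli", "crowdsec"}
LOOP_MARKERS = ("openappsec", "open-appsec")


def is_imported(decision):
    """Return True if a decision matches the import criteria described on this page."""
    origin = str(decision.get("origin", "")).lower()
    if origin not in IMPORTED_ORIGINS:
        return False
    if decision.get("type") != "ban":
        return False
    scenario = str(decision.get("scenario", "")).lower()
    # Loop prevention: local decisions that came from open-appsec logs are skipped.
    if origin == "crowdsec" and any(marker in scenario for marker in LOOP_MARKERS):
        return False
    return True


def parse_network(value):
    """Single IPs and CIDR ranges both become an ip_network, so one lookup path serves both."""
    return ipaddress.ip_network(value, strict=False)


def apply_stream(blocklist, payload):
    """Update a set of ip_network objects from one stream response (deletions first)."""
    data = json.loads(payload)
    # The LAPI may send null instead of an empty list, hence "or []".
    for decision in data.get("deleted") or []:
        blocklist.discard(parse_network(decision["value"]))
    for decision in data.get("new") or []:
        if is_imported(decision):
            blocklist.add(parse_network(decision["value"]))
    return blocklist


def verdict(blocklist, client_ip, mode="prevent"):
    """Enforcement: 'prevent' blocks a listed source, 'detect' only logs it."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in network for network in blocklist):
        return "allow"
    return "block" if mode == "prevent" else "log"


if __name__ == "__main__":
    imported = apply_stream(set(), SAMPLE_STREAM)
    for probe in ("203.0.113.7", "198.51.100.42", "192.0.2.11", "192.0.2.13"):
        print(probe, verdict(imported, probe), verdict(imported, probe, mode="detect"))
```

A real bouncer polls the stream endpoint repeatedly: the first request carries startup=true to receive the complete current decision set, and later requests return only the delta as "new" and "deleted" lists, which is why apply_stream() processes deletions as well as additions.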
