CrowdSec Bouncer Support

Note: open-appsec integration with CrowdSec is currently in alpha. It currently supports:

  • open-appsec for NGINX Ingress Controller on K8s

  • open-appsec Docker with NGINX and Kong

More platforms and integrations will be added soon.

About CrowdSec

CrowdSec is an open-source project which provides crowd-sourced protection against malicious IP addresses. CrowdSec Threat Intelligence (CTI) distributes reputation intelligence, e.g. on known malicious IP addresses and networks. It originates from tens of thousands of CrowdSec users who share their local threat intelligence with the community; they use "parsers" and "scenarios" to generate threat indicators from 3rd-party security logs, such as those of open-appsec. The actual enforcement of these CTI indicators is performed by 3rd-party (security) solutions like open-appsec, which provide so-called "CrowdSec bouncers" that block traffic from those indicators in addition to their own (security) capabilities.

More information about CrowdSec: www.crowdsec.net

CrowdSec Docs: docs.crowdsec.net

CrowdSec Threat Intelligence (CTI): www.crowdsec.net/product/threat-intelligence

Here's an overview of the CrowdSec integration architecture:

open-appsec bouncer for CrowdSec Threat Intelligence (CTI)

open-appsec provides CrowdSec integration by offering a CrowdSec "bouncer". This allows open-appsec to detect or prevent traffic based on CrowdSec's CTI indicators (source IP addresses and source IP networks) in addition to its own security capabilities, such as the contextual ML engine, IPS and more.

Configuration

Prerequisites:

Make sure the following prerequisites are met:

  • Existing installation of open-appsec for NGINX Ingress Controller (see: Start with Kubernetes)

  • Existing installation of CrowdSec on the K8s cluster with an accessible LAPI (= local API, exposed by the crowdsec-lapi pod) (see: docs.crowdsec.net), OR access to some other CrowdSec LAPI

  • URL known for the CrowdSec API to be used (LAPI)

  • API key created and known allowing access to CrowdSec API (LAPI)

In Kubernetes, the configuration of open-appsec's CrowdSec bouncer functionality is maintained in a ConfigMap, and confidential information like the API key is kept in a Secret.

The easiest way is to configure the content of the ConfigMap and Secret directly using the values listed below when deploying open-appsec with Helm. Alternatively, you can just specify the names of the ConfigMap and the Secret using the corresponding Helm values and populate their contents yourself (e.g. using a GitOps CD process). List of available key-values:

appsec.configMapName: STRING allows you to specify the name of the configMap for advanced open-appsec configurations (default is "appsec-settings-configmap")

appsec.configMapContent.crowdsec.enabled: {true|false} enable or disable the CrowdSec bouncer

appsec.configMapContent.crowdsec.mode: {detect|prevent} set enforcement mode for the CrowdSec bouncer to "detect" or "prevent"

appsec.configMapContent.crowdsec.logging: {enabled|disabled} enable or disable the logging of security events based on CrowdSec Threat Intelligence

appsec.configMapContent.crowdsec.api.url: STRING configure the URL that is used by open-appsec to communicate with the CrowdSec API (LAPI or CAPI); default is http://crowdsec-service:8080/v1/decisions/stream (an example for the LAPI (local API) as exposed by the crowdsec-lapi pod in K8s)

appsec.configMapContent.crowdsec.auth.method: [apikey] select the desired authentication method for authenticating against the CrowdSec API (note that currently only authentication using an API key is supported; default is "apikey")

appsec.secretName: STRING specify the name of the secret holding confidential information like api-keys (default is "appsec-settings-secret")

appsec.secretContent.crowdsec.auth.data: provide the CrowdSec API key that open-appsec will use to authenticate against the API

Note: For the LAPI (local API) you can e.g. create this key using CrowdSec's "cscli" command as follows (for the CAPI (central API) you can create it in CrowdSec's WebUI); the API key is shown in the resulting output.

cscli bouncers add openappsec

Congratulations, you have now successfully configured open-appsec to bounce traffic from malicious source IPs based on CrowdSec Threat Intelligence (CTI). Now is a good time to also configure your own CrowdSec deployment to share signals based on your local open-appsec security logs with CrowdSec's Threat Intelligence Community. You can find the simple configuration steps here:

CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario

Additional information

Which Threat Intelligence is imported from the CrowdSec API?

Once a connection to the CrowdSec LAPI is configured, open-appsec loads CrowdSec Threat Intelligence (CTI) via the configured CrowdSec API based on the following criteria:

  • CTI with origin "capi", which contains tens of thousands of "shoot-on-sight" IPs with a high confidence level of being indeed malicious (collaborative threat intelligence)

  • CTI with origin "cscli" (local, manual threat intelligence)

  • CTI with origin "crowdsec" (local, automatic threat intelligence)

  • Note that threat intelligence from scenarios whose CrowdSec scenario name contains "openappsec" or "open-appsec" and whose origin is "crowdsec" is NOT imported. The reason is explained below.

Which CrowdSec Threat Intelligence can be detected/prevented by open-appsec?

Based on the above filter criteria for importing CrowdSec Threat Intelligence (CTI), open-appsec is then able to detect or prevent (depending on the configured enforcement mode) all resulting CTI indicators (IP addresses and networks) with CrowdSec mode set to "ban".
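As an added example (not open-appsec's own code), the following Python applies the import criteria above and the "ban"-only enforcement rule to a decisions-stream payload and then checks client IPs against the resulting networks. The field names follow the CrowdSec decisions format; the payload values are constructed for this example.

```python
import ipaddress

# Constructed sample of a LAPI /v1/decisions/stream payload (not captured from a real deployment).
SAMPLE_STREAM = {
    "new": [
        {"origin": "CAPI", "type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "scenario": "crowdsecurity/http-probing"},
        {"origin": "cscli", "type": "ban", "scope": "Range", "value": "198.51.100.0/24",
         "scenario": "manual 'ban' from 'localhost'"},
        {"origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.10",
         "scenario": "crowdsecurity/ssh-bf"},
        # local scenario fed by open-appsec logs: excluded, as described above
        {"origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.11",
         "scenario": "openappsec/http-exploit"},
        # not a "ban" decision: excluded
        {"origin": "crowdsec", "type": "captcha", "scope": "Ip", "value": "192.0.2.12",
         "scenario": "crowdsecurity/http-crawl"},
    ],
    "deleted": [],  # a full bouncer would also drop these from its blocklist
}

IMPORT_ORIGINS = {"capi", "cscli", "crowdsec"}  # compared case-insensitively

def should_import(decision):
    """Apply the import criteria described on this page to a single decision."""
    origin = decision.get("origin", "").lower()
    scenario = decision.get("scenario", "").lower()
    if origin not in IMPORT_ORIGINS or decision.get("type") != "ban":
        return False
    # local open-appsec-derived scenarios are not re-imported
    if origin == "crowdsec" and ("openappsec" in scenario or "open-appsec" in scenario):
        return False
    return True

def build_blocklist(stream):
    """Return the IP networks to enforce from a decisions-stream payload."""
    return [ipaddress.ip_network(d["value"], strict=False)
            for d in stream.get("new", [])
            if should_import(d) and d.get("scope") in ("Ip", "Range")]

def is_blocked(client_ip, networks):
    """True when client_ip matches an imported ban: logged in detect mode, dropped in prevent mode."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)
```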
