CrowdSec Bouncer Support
Last updated 22 days ago
Note: The open-appsec integration with CrowdSec is currently in alpha. It currently supports:

  • open-appsec for NGINX Ingress Controller on K8s

  • open-appsec Docker with NGINX and Kong

More platforms and integrations will be added soon.

About CrowdSec

CrowdSec is an open-source project which provides crowd-sourced protection against malicious IP addresses. CrowdSec Threat Intelligence (CTI) distributes reputation intelligence, e.g. for known malicious IP addresses and networks. It originates from tens of thousands of CrowdSec users who share their local threat intelligence with the community: "parsers" and "scenarios" generate threat indicators from the security logs of 3rd party solutions such as open-appsec. The actual enforcement of these CTI indicators is performed by 3rd party (security) solutions like open-appsec that provide so-called "CrowdSec bouncers", which block traffic from those indicators in addition to their own (security) capabilities.

More information about CrowdSec: www.crowdsec.net, CrowdSec Docs: docs.crowdsec.net, CrowdSec Threat Intelligence (CTI): www.crowdsec.net/product/threat-intelligence

Here's an overview of the CrowdSec integration architecture:

open-appsec bouncer for CrowdSec Threat Intelligence (CTI)

open-appsec provides CrowdSec integration by offering a CrowdSec "bouncer". This allows open-appsec to detect or prevent traffic based on CrowdSec's CTI indicators (source IP addresses and source IP networks) in addition to its own security capabilities, such as the contextual ML engine, IPS and more.

Configuration

Prerequisites:

Make sure the following prerequisites are met:

  • Existing installation of open-appsec for NGINX Ingress Controller (see: Start with Kubernetes)

  • Existing installation of CrowdSec on the K8s cluster with an accessible LAPI (local API, exposed by the crowdsec-lapi pod; see: docs.crowdsec.net), OR access to some other CrowdSec LAPI

  • URL known for the CrowdSec API to be used (LAPI)

  • API key created and known, allowing access to the CrowdSec API (LAPI)

Note that support for a direct connection to the CrowdSec CAPI isn't available yet, but will be added soon. Therefore, please connect to the LAPI, which also provides intelligence from the CAPI, such as the CrowdSec Community Blocklist.

In Kubernetes, the configuration of open-appsec's CrowdSec bouncer functionality is maintained in a ConfigMap, and confidential information like the API key in a Secret.

The easiest way is to configure the content of the ConfigMap and the Secret directly, using the values listed below, when deploying open-appsec with Helm. Alternatively, you can just specify the names of the ConfigMap and the Secret using the corresponding Helm values and populate their contents yourself (e.g. using a GitOps CD process). List of available key-values:

appsec.configMapName: STRING allows you to specify the name of the ConfigMap for advanced open-appsec configurations (default is "appsec-settings-configmap")

appsec.configMapContent.crowdsec.enabled: {true|false} enable or disable the CrowdSec bouncer

appsec.configMapContent.crowdsec.mode: {detect|prevent} set the enforcement mode for the CrowdSec bouncer to "detect" or "prevent"

appsec.configMapContent.crowdsec.logging: {enabled|disabled} enable or disable the logging of security events based on CrowdSec Threat Intelligence

appsec.configMapContent.crowdsec.api.url: STRING configure the URL that is used by open-appsec to communicate with the CrowdSec API (LAPI or CAPI); default is http://crowdsec-service:8080/v1/decisions/stream (an example for the LAPI (local API) as exposed by the crowdsec-lapi pod in K8s)

appsec.configMapContent.crowdsec.auth.method: [apikey] select the desired authentication method for the authentication against the CrowdSec API (note that currently only authentication using an API key is supported) (default is "apikey")

appsec.secretName: STRING specify the name of the Secret holding confidential information like API keys (default is "appsec-settings-secret")

appsec.secretContent.crowdsec.auth.data: provide the CrowdSec API key which open-appsec will use to authenticate against the API

Note: You can e.g. create this key for the LAPI (local API) using CrowdSec's "cscli" command as follows (or you can create it for the CAPI (central API) in CrowdSec's WebUI); the API key is then shown in the resulting output.

  cscli bouncers add openappsec

Note: When changing the above parameters, make sure that the open-appsec ingress controller pod is redeployed for the changes to become effective.

In Docker environments (Kong and NGINX), the configuration of open-appsec's CrowdSec bouncer functionality is maintained using environment variables. You can extend your existing docker run command for the open-appsec Agent with the following environment variables, which are relevant specifically for CrowdSec.

List of available environment variables:

-e CROWDSEC_ENABLED={true|false} enable or disable the CrowdSec bouncer

-e CROWDSEC_MODE={"detect"|"prevent"} set the enforcement mode for the CrowdSec bouncer to "detect" or "prevent"

-e CROWDSEC_LOGGING={"enabled"|"disabled"} enable or disable the logging of security events based on CrowdSec Threat Intelligence

-e CROWDSEC_API_URL=["Add-CrowdSec-API-URL-here"] configure the URL that is used by the open-appsec Agent to communicate with the CrowdSec API (LAPI), e.g. http://crowdsec-service:8080/v1/decisions/stream

-e CROWDSEC_AUTH_METHOD={apikey} select the desired authentication method for the authentication against the CrowdSec API (note that currently only authentication using an API key is supported) (default is "apikey")

-e CROWDSEC_AUTH_DATA=["Add-CrowdSec-API-Key-here"] provide the CrowdSec API key which open-appsec will use to authenticate against the API

Note that Linux support for open-appsec's CrowdSec bouncer functionality is not available yet but will be available soon. Please check this documentation again later.

Note that central configuration for open-appsec's CrowdSec bouncer functionality is not available yet but will be available soon. Until then, please use the configuration via the CrowdSec helm chart. This will also continue to work when open-appsec is managed centrally via the WebUI (SaaS). Please check this documentation again later.

Congratulations, you have now successfully configured open-appsec to bounce traffic from malicious source IPs based on CrowdSec Threat Intelligence (CTI). Now is a good time to also configure your own CrowdSec deployment to share signals based on your local open-appsec security logs with CrowdSec's Threat Intelligence community. You find the simple configuration steps in: CrowdSec Intelligence Sharing Using open-appsec Parser/Scenario

Additional information

Which Threat Intelligence is imported from the CrowdSec API? Once the connection to the CrowdSec LAPI is configured, open-appsec loads CrowdSec Threat Intelligence (CTI) via the configured CrowdSec API based on the following criteria:

  • CTI with origin "capi", which contains tens of thousands of "shoot-on-sight" IPs with a high confidence level of being indeed malicious (collaborative threat intelligence)

  • CTI with origin "cscli" (local, manual threat intelligence)

  • CTI with origin "crowdsec" (local, automatic threat intelligence)

  • Note that threat intelligence from scenarios whose CrowdSec scenario name contains "openappsec" or "open-appsec" and whose origin is "crowdsec" is NOT imported. The reason is explained below.

Note: This excluding filter allows you to use a custom local CrowdSec scenario on the CrowdSec security engine side that parses the original open-appsec logs to create/share additional CrowdSec Threat Intelligence based on open-appsec's preemptive, ML-based detection capabilities, which include zero-day attack detection/prevention. Always make sure to include "open-appsec" in the name of such a scenario so that this filter works. It prevents a loop in which IP-based indicators originating from open-appsec logs, once added to CrowdSec's local Threat Intelligence, would be loaded again by open-appsec. As open-appsec can itself prevent those attacks and provides much more in-depth details about each attack (like the threat indicators included in the attack), it wouldn't make sense to have them blocked only based on the source IP from CrowdSec's indicators.

Which CrowdSec Threat Intelligence can be detected/prevented by open-appsec?

Based on the above filter criteria for importing CrowdSec Threat Intelligence (CTI), open-appsec is then able to detect or prevent (depending on the configured enforcement mode) all resulting CTI indicators (IP addresses and networks) whose CrowdSec mode is set to "ban".

Please make sure to also install the base-http-scenarios collection in your CrowdSec deployment to get all relevant HTTP/HTTPS-based IP indicators from CrowdSec Threat Intelligence. These are available here: https://hub.crowdsec.net/author/crowdsecurity/collections/base-http-scenarios
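As an added example (not open-appsec's own code), the import criteria above applied in Python to a constructed decisions-stream body of the kind the LAPI serves at the configured api.url. The decision field names (origin, type, scope, value, scenario) follow the CrowdSec decision format and are assumed here; the sample addresses are documentation ranges.

```python
import ipaddress

# Origins the page says open-appsec imports from the LAPI; anything else is skipped.
IMPORTED_ORIGINS = {"capi", "cscli", "crowdsec"}
# Scenario-name markers that identify indicators derived from open-appsec's own logs.
LOOP_MARKERS = ("openappsec", "open-appsec")


def should_import(decision: dict) -> bool:
    """Apply the page's import criteria to a single LAPI decision (assumed field names)."""
    if decision.get("type") != "ban":
        return False                      # only "ban" decisions are enforced
    origin = decision.get("origin", "")
    if origin not in IMPORTED_ORIGINS:
        return False                      # e.g. a third-party "lists" origin is skipped
    scenario = decision.get("scenario", "").lower()
    if origin == "crowdsec" and any(m in scenario for m in LOOP_MARKERS):
        return False                      # loop prevention: do not re-import our own signals
    return True


def build_blocklist(stream: dict) -> set:
    """Collect the IP/network strings to enforce from a decisions stream body."""
    blocked = set()
    for decision in stream.get("new", []):
        if not should_import(decision):
            continue
        try:
            # Normalise so "192.0.2.1" and "192.0.2.1/32" compare equal.
            blocked.add(str(ipaddress.ip_network(decision["value"], strict=False)))
        except (KeyError, ValueError):
            continue                      # skip malformed entries rather than failing the pull
    return blocked


def is_blocked(client_ip: str, blocklist: set) -> bool:
    """Check a client address against the imported IP and network indicators."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in blocklist)


# Constructed sample in the shape of a LAPI /v1/decisions/stream response body.
SAMPLE_STREAM = {"new": [
    {"origin": "capi", "type": "ban", "scope": "Ip", "value": "203.0.113.10", "scenario": "crowdsecurity/http-probing"},
    {"origin": "crowdsec", "type": "ban", "scope": "Range", "value": "198.51.100.0/24", "scenario": "crowdsecurity/http-bad-user-agent"},
    {"origin": "crowdsec", "type": "ban", "scope": "Ip", "value": "192.0.2.7", "scenario": "openappsec/waf-attacks"},
    {"origin": "cscli", "type": "captcha", "scope": "Ip", "value": "192.0.2.8", "scenario": "manual"},
    {"origin": "lists", "type": "ban", "scope": "Ip", "value": "192.0.2.9", "scenario": "firehol_level1"},
], "deleted": []}
```

Only the capi entry and the non-open-appsec local "crowdsec" range survive the filter; the open-appsec-derived decision is dropped so it is not enforced twice on source IP alone.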