I have been running crowdsec on my OpenWRT firewall for a bit now, I am just curious as to what others think about it?

Thank you @irmadlad the webui you suggested is showing the logs a lot better than my vibe coded HA plug ins (both my ssh honey pot and my plug in showed nothing) looking over the logs shows so much activity that is happening.

  • SomeDudeFromSpace@lemmy.ml
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    7 hours ago

    I had it running in front of my Matrix server. With the default configuration it gave a lot of false positives, leaving friends out of the server. Also, most of my users use VPNs regularly, so geo-blocking was a hassle too. I tuned it a bit, but kept giving me headaches, so I ended up disabling it. I’ll spend more time tuning it someday.

    • talentedkiwi@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 hours ago

      Yeah, I keep getting myself blocked because of something I’m hosting is giving a lot of false positives. I suppose I’ll have to dig into it at some point. For now I just whitelist the IPs I use.

    • stratself@lemdro.id
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 hours ago

      I don’t think geoblocking would be a great fit for Matrix, since you’d be contacted by servers from all over the world. It’s more suitable for something like a static website

  • Mio@feddit.nu
    link
    fedilink
    English
    arrow-up
    2
    ·
    9 hours ago

    I believe it is a good start with crowdsec but feels like it gives false protection. The blocking only happens after they have done a couple of attempts and not before.

  • irmadlad@lemmy.world
    link
    fedilink
    English
    arrow-up
    23
    ·
    15 hours ago

    When I ran Crowdsec, I thought it was a great piece of software, and a very decent free tier. I didn’t have any real complaints other that there was not a way, at the time that I knew of, to have the UI selfhosted. I think now someone has created a selfhostable user front end to it, but I haven’t dabbled in that.

    Here we go: https://corelab.tech/crowdsec-web-ui-setup-guide/

    I think this gent posted this a week or so ago.

  • Mereo@lemmy.ca
    link
    fedilink
    English
    arrow-up
    7
    ·
    13 hours ago

    It’s great! I use it on both my home server and my Hetzner server. It blocks connections based on behaviors defined by scenarios. I configured it to block any connections it decides to block via the firewall.

    So far, so good. I don’t even know it’s running. It just does its job of blocking bots.

  • The Zen Cow Says Mu@infosec.pub
    link
    fedilink
    English
    arrow-up
    14
    ·
    15 hours ago

    i run it on opnsense. When my services were on individual subdomains each with their own certificate, they got hit a lot and crowdsec blocked lots of bots and scripts

    I ultimately moved all my services to a wildcard sub-subdomain, and poof all the bots went away and now crowdsec doesn’t do much other than block port scanners which the firewall does anyway.

    it’s not worth the hassle to uninstall though.

    • confusedpuppy@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      5
      ·
      12 hours ago

      I also haven’t seen any bot activity after I started using wildcard sub domains. My ISP blocks all incoming on common ports so I also use uncommon ports. I assume the combination of the two makes it too time consuming to find me.

      I hid my ssh port with a wireguard connection so I also don’t see any attempts on my ssh port anymore either. My logs, including fail2ban, are quiet and boring.

      It’s nice to have a quiet corner of the internet for myself.

      • irmadlad@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        4 hours ago

        My logs, including fail2ban, are quiet and boring.

        Every once in a while, I’ll tail my f2b logs, almost half heartily hoping I find an anomaly. But, no…it’s a snoozefest. pFsense out there on the edge, just doing it’s job.

      • RxBrad@infosec.pub
        link
        fedilink
        English
        arrow-up
        12
        ·
        15 hours ago

        That was my experience also. Within minutes of spinning up any new subdomain with a dedicated A DNS record, I had bots that scraped it from https://crt.sh/ knocking on the door.

        With wildcard subdomains and relatively obscure URLs, it’s pretty quiet.