# CrowdSec Security Service

CrowdSec is an open-source security engine that analyzes traffic patterns and blocks malicious actors. This service integrates CrowdSec with Traefik to provide automatic threat detection and rate limiting for all Wild Cloud ingresses.

## Components

- **CrowdSec Agent**: Analyzes traffic patterns, maintains decision lists, and connects to the CrowdSec threat intelligence network
- **Traefik Bouncer**: Integrates with Traefik via ForwardAuth to enforce CrowdSec decisions
- **Security Middlewares**: Traefik middleware for rate limiting and security headers

## Default Protection

After installation, **all ingresses are automatically protected** with:

- Threat detection (blocks known malicious IPs and attack patterns)
- Rate limiting (100 requests per minute per IP)
- Security headers (HSTS, XSS protection, content-type sniffing prevention)

## Configuration

Configuration is stored in `config.yaml` under `apps.crowdsec`:

```yaml
apps:
  crowdsec:
    rateLimitAverage: "100"
    rateLimitBurst: "100"
```

## Secrets

Secrets are stored in `secrets.yaml` under `apps.crowdsec`:

```yaml
apps:
  crowdsec:
    agentPassword:
    bouncerApiKey:
```

## Opting Out

To disable CrowdSec protection for a specific ingress (e.g., webhooks, health checks):

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: ""
```

## Using Only Rate Limiting

To use rate limiting without threat detection:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-rate-limit@kubernetescrd
```

## Monitoring

View active decisions (blocked IPs):

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list
```

View registered bouncers:

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
```

View alerts:

```bash
kubectl exec -n crowdsec deploy/crowdsec -- cscli alerts list
```

View metrics (Prometheus format):

```bash
kubectl port-forward -n crowdsec svc/crowdsec-lapi 6060:6060
curl http://localhost:6060/metrics
```

## Threat Intelligence

CrowdSec includes these detection collections:

- `crowdsecurity/traefik` - Traefik-specific detections
- `crowdsecurity/http-cve` - Known HTTP CVE exploits
- `crowdsecurity/whitelist-good-actors` - Whitelist for known good actors (search engines, etc.)

Enabled scenarios:

- HTTP probing and path traversal detection
- Bad user agent detection
- Sensitive file access attempts
- HTTP crawling detection
- SSH brute force (if exposed)

## Troubleshooting

**Bouncer not connecting to agent:**

```bash
kubectl logs -n crowdsec deploy/traefik-crowdsec-bouncer
kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list
```

**Check if middleware is applied:**

```bash
kubectl get middleware -n crowdsec
kubectl describe ingressroute -n
```

**View CrowdSec logs:**

```bash
kubectl logs -n crowdsec deploy/crowdsec
```
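
To audit which ingresses use the overrides from the Opting Out and Using Only Rate Limiting sections, the following added example (not part of the Wild Cloud project's own code) classifies each Ingress in `kubectl get ingress -A -o json` output by its `router.middlewares` annotation. The ingress names, the `custom` category and the sample JSON are constructed assumptions; "no annotation means default protection" follows the Default Protection section above.

```python
import json
import sys

ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
RATE_LIMIT_ONLY = "crowdsec-rate-limit@kubernetescrd"

# Constructed sample of `kubectl get ingress -A -o json` output (hypothetical names).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "blog", "name": "ghost"}},
    {"metadata": {"namespace": "ci", "name": "webhook",
                  "annotations": {ANNOTATION: ""}}},
    {"metadata": {"namespace": "api", "name": "public",
                  "annotations": {ANNOTATION: RATE_LIMIT_ONLY}}},
    {"metadata": {"namespace": "wiki", "name": "docs",
                  "annotations": {ANNOTATION: "wiki-auth@kubernetescrd, " + RATE_LIMIT_ONLY}}},
]})

def classify(ingress):
    """Return the protection state implied by the ingress annotation."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if ANNOTATION not in annotations:
        return "default"            # threat detection + rate limit + headers
    middlewares = [m.strip() for m in annotations[ANNOTATION].split(",") if m.strip()]
    if not middlewares:
        return "opted-out"          # empty annotation: no CrowdSec protection
    if middlewares == [RATE_LIMIT_ONLY]:
        return "rate-limit-only"    # rate limiting without threat detection
    return "custom"                 # other middleware chain: inspect by hand

def audit(kubectl_json):
    """Map 'namespace/name' to its classification for every ingress."""
    report = {}
    for ingress in json.loads(kubectl_json).get("items", []):
        meta = ingress["metadata"]
        report[f'{meta["namespace"]}/{meta["name"]}'] = classify(ingress)
    return report

def needs_review(report):
    """Ingresses that do not carry the full default protection."""
    return sorted(name for name, state in report.items() if state != "default")

if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json > ingresses.json; python audit.py ingresses.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, state in sorted(audit(data).items()):
        print(f"{state:16} {name}")
```

Every entry returned by `needs_review` is an ingress where a CrowdSec decision may not be enforced, so each should map to a known webhook, health check or other documented exception.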