CrowdSec Security Service

CrowdSec is an open-source security engine that analyzes traffic patterns and blocks malicious actors. This service integrates CrowdSec with Traefik to provide automatic threat detection and rate limiting for all Wild Cloud ingresses.

Components

  • CrowdSec Agent: Analyzes traffic patterns, maintains decision lists, and connects to the CrowdSec threat intelligence network
  • Traefik Bouncer: Integrates with Traefik via ForwardAuth to enforce CrowdSec decisions
  • Security Middlewares: Traefik middleware for rate limiting and security headers

Default Protection

After installation, all ingresses are automatically protected with:

  • Threat detection (blocks known malicious IPs and attack patterns)
  • Rate limiting (100 requests per minute per IP)
  • Security headers (HSTS, XSS protection, content-type sniffing prevention)

Configuration

Configuration is stored in config.yaml under apps.crowdsec:

apps:
  crowdsec:
    rateLimitAverage: "100"
    rateLimitBurst: "100"

Secrets

Secrets are stored in secrets.yaml under apps.crowdsec:

apps:
  crowdsec:
    agentPassword: <auto-generated>
    bouncerApiKey: <auto-generated>

Opting Out

To disable CrowdSec protection for a specific ingress (e.g., webhooks, health checks):

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: ""

Using Only Rate Limiting

To use rate limiting without threat detection:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: crowdsec-rate-limit@kubernetescrd
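To keep track of which ingresses have stepped down from the default protection, the annotation used in the two sections above can be audited across the cluster. The script below is an added example, not part of Wild Cloud; it assumes an Ingress with no middleware annotation keeps the default protection, and the sample data and the `shop-auth` middleware name are constructed.

```python
import json
import sys
from collections import defaultdict

ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
RATE_LIMIT_ONLY = "crowdsec-rate-limit@kubernetescrd"  # value shown on this page

def classify(ingress):
    """Return the protection level implied by an Ingress's middleware annotation."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    if ANNOTATION not in annotations:
        return "default"          # assumption: no override means default protection
    # Traefik takes a comma-separated middleware list; normalise whitespace.
    names = [m.strip() for m in (annotations[ANNOTATION] or "").split(",") if m.strip()]
    if not names:
        return "opted-out"        # empty annotation, as in "Opting Out"
    if names == [RATE_LIMIT_ONLY]:
        return "rate-limit-only"  # as in "Using Only Rate Limiting"
    return "custom"               # anything else needs a manual look

def audit(ingress_list):
    """Group namespace/name of every Ingress by protection level."""
    report = defaultdict(list)
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        report[classify(item)].append(ref)
    return dict(report)

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "blog", "name": "web"}},
    {"metadata": {"namespace": "ci", "name": "webhook",
                  "annotations": {ANNOTATION: ""}}},
    {"metadata": {"namespace": "api", "name": "public",
                  "annotations": {ANNOTATION: " crowdsec-rate-limit@kubernetescrd "}}},
    {"metadata": {"namespace": "shop", "name": "front",
                  "annotations": {ANNOTATION: "shop-auth@kubernetescrd"}}},  # constructed name
]}

if __name__ == "__main__":
    # Real use: kubectl get ingress -A -o json | python3 audit_ingress.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for level, names in sorted(audit(data).items()):
        print(f"{level}: {', '.join(names)}")
```

Review the `opted-out` and `custom` groups periodically so that exemptions granted for webhooks or health checks do not spread to routes that should be protected.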

Monitoring

View active decisions (blocked IPs):

kubectl exec -n crowdsec deploy/crowdsec -- cscli decisions list

View registered bouncers:

kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list

View alerts:

kubectl exec -n crowdsec deploy/crowdsec -- cscli alerts list

View metrics (Prometheus format). The port-forward stays in the foreground, so run curl from a second terminal:

kubectl port-forward -n crowdsec svc/crowdsec-lapi 6060:6060
curl http://localhost:6060/metrics

Threat Intelligence

CrowdSec includes these detection collections:

  • crowdsecurity/traefik - Traefik-specific detections
  • crowdsecurity/http-cve - Known HTTP CVE exploits
  • crowdsecurity/whitelist-good-actors - Whitelist for known good actors (search engines, etc.)

Enabled scenarios:

  • HTTP probing and path traversal detection
  • Bad user agent detection
  • Sensitive file access attempts
  • HTTP crawling detection
  • SSH brute force (if exposed)

Troubleshooting

Bouncer not connecting to agent:

kubectl logs -n crowdsec deploy/traefik-crowdsec-bouncer
kubectl exec -n crowdsec deploy/crowdsec -- cscli bouncers list

Check if middleware is applied:

kubectl get middleware -n crowdsec
kubectl describe ingressroute -n <app-namespace> <route-name>

View CrowdSec logs:

kubectl logs -n crowdsec deploy/crowdsec