How to secure your Raspberry Pi OS with CrowdSec
Learn how to secure your Raspberry Pi server with CrowdSec and share malicious IPs with the community
In this article, I’ll describe how to install the CrowdSec agent and the firewall bouncer directly on Raspberry Pi OS and convert it into a sort of honeypot using endlessh (an ssh tarpit) and a web server whose only purpose is to give CrowdSec log files in which to detect attacks.
Raspberry Pi is a perfect device for this as it’s a cheap way to help collect CTI - while hopefully annoying criminals who are lured into wasting time in our ssh tarpit. What’s not to like?
One of the biggest changes in CrowdSec from v1.3.0 has happened behind the scenes as we now produce precompiled binaries for arm and Raspberry Pi OS.
Theoretically, they should work on all versions of Raspberry Pi but this hasn’t been tested yet. So if you run into any problems please let us know. In this example, I’m using Raspberry Pi OS v11.3 on Raspberry Pi 4.
So far only the firewall bouncers for iptables and nftables are available. If you wish to have other bouncers ported to Raspberry Pi OS please let us know. We are very community-driven in this area.
Installing CrowdSec agent and firewall bouncer
First, install the CrowdSec repositories. This can be done automatically using the script provided by packagecloud.io or manually if you prefer. I will describe the scripted installation:
Next, I’ll install the CrowdSec agent and the firewall bouncer. It’s quite important not to install them in the same apt command, because we can’t control which package is installed first. If the firewall bouncer is installed before the agent, the bouncer won’t be registered automatically with the agent (not a big deal, but less convenient).
The messages that look like errors are just warnings, so this is fine. Next, I’ll install the firewall bouncer. There are two options here: the iptables-based and the nftables-based bouncer. Which one you choose doesn’t matter much unless you are already running a firewall script based on one of them. In that case, install the corresponding firewall bouncer.
I’ll just install the iptables-based bouncer:
The lines in bold indicate that the firewall bouncer has registered automatically with the agent. Let’s check to make sure:
The output of the cscli bouncers list shows that a locally running firewall bouncer is registered. It’s probably safe to assume that it’s the one we just installed.
Installing shell completion
If you’re an experienced Linux user, one of the first things you’ll notice is that there’s no shell completion, meaning that you have to remember every cscli command yourself when typing. One grows tired of that really fast. Luckily there’s support for bash completion as documented here. Basically, I am just following the instructions below.
After installation, verify that it works by typing sudo cscli and double-tapping the <TAB> key:
CrowdSec is not much fun without the right scenarios installed and since the server I am installing on is directly exposed to the internet there’s a high risk of it being hit by drive-by port scanning. We want to detect those and block them. Luckily there’s a scenario for that.
With this project, I am aiming to collect as much CTI as possible, so I also want to report hosts that constantly port scan the internet. That is done with the iptables-scan-multi_ports scenario.
Remember to reload the CrowdSec service as described for the new scenario to take effect.
Enrolling in the CrowdSec console
Next, you probably want to enroll your brand new CrowdSec instance in the Console at https://app.crowdsec.net to get fancy graphs and statistics and to be able to get more information on the IPs that are attacking you. And if you deploy more CrowdSec instances (regardless of OS) the console will give you a nice overview of your instances.
In order to be able to enroll your CrowdSec instance in the Console, the very first thing you need to do is to sign up by clicking the ‘Subscribe (Beta)’ button on https://app.crowdsec.net. Once you’ve done that it’s time to enroll agents!
This is a two-step process:
- Tell the CrowdSec agent to enroll in the console.
- Accept that connection request.
Under ‘Instances’ click ‘Add Instance’. Then copy the sudo enroll command that shows itself on the screen and paste it into your terminal and run it:
After that, you will need to accept the connection in the console.
Next, you can edit the instance to give it a name that makes more sense to you or you can tag it in a group if you wish.
Now your Raspberry Pi-powered CrowdSec instance is successfully enrolled.
In the Console, there's a rich opportunity to see who attacks your servers. This is an overview of which attacks are being detected.
Oh, it’s the same netblock we’ve been reporting frequently since the beginning of CrowdSec:
CrowdSec is all about collecting and sharing threat intelligence, so I want to install endlessh, an ssh tarpit that’s really good at annoying attackers by keeping them busy and wasting their time, as well as the Nginx web server.
I’m not setting anything up in Nginx other than the default web page since we just want a web server to listen for drive-by attacks so we can collect information on which attacks are being performed and by whom. The crowdsecurity/http-cve collection consists of scenarios designed to detect the exploitation of a number of common web-based vulnerabilities. This is a good collection to install when you have CrowdSec and a web server since we are looking into expanding this collection with even more detections over time. Also, you get to help the crowd even more by contributing more CTI.
This part of the article is not limited to Raspberry Pi OS but would work exactly the same on any Debian-derived Linux distro. So feel free to use it anywhere you want.
I want to run endlessh on port 22, the standard port for the ssh service, to be able to detect as many attacks as possible. This means that I need to change the configuration of openssh-server, the standard ssh service, so it listens on another port, say 22022.
Open /etc/ssh/sshd_config in your favorite text editor, uncomment the #Port line and change the number after it to ‘22022’:
Remember to restart the ssh service for the changes to take effect.
Depending on how brave you are, you might want to keep ssh listening on port 22 until you verify that the new port works. In that case, just add an extra line with the number 22:
After making sure you can connect to port 22022, comment out the Port 22 line in sshd_config and restart ssh again.
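The two-step port move described above, written as a rehearsable script; this is an added example, not a listing from the article. The function names are hypothetical, it edits whatever sshd_config path you pass (a scratch copy in the demo), and it assumes GNU sed as shipped with Raspberry Pi OS.

```shell
#!/bin/sh
# Added example (not the article's own listing): the two-step move of sshd
# from port 22 to 22022, rehearsed on a copy of sshd_config. Function names
# are hypothetical; pass /etc/ssh/sshd_config for the real thing, then run
# 'sudo sshd -t' and restart ssh as the article describes.

# sshd_ports CFG : print the explicit Port lines, or sshd's default 22 if none.
sshd_ports() {
    ports=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | awk '{print $2}')
    if [ -n "$ports" ]; then echo "$ports"; else echo 22; fi
}

# sshd_add_port CFG PORT : step 1, listen on PORT as well. Turns a commented
# '#Port 22' into 'Port PORT'; otherwise appends a new Port line.
sshd_add_port() {
    cfg="$1"; port="$2"
    if sshd_ports "$cfg" | grep -qx "$port"; then
        return 0                    # already listening there
    fi
    if grep -qE '^#Port[[:space:]]+22[[:space:]]*$' "$cfg"; then
        sed -i "s/^#Port[[:space:]]*22[[:space:]]*\$/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# sshd_drop_port CFG PORT : step 2, once a login on the new port has been
# verified, comment PORT out. Refuses to remove the only remaining listener,
# which is what would lock you out of a headless Pi.
sshd_drop_port() {
    cfg="$1"; port="$2"
    if [ "$(sshd_ports "$cfg" | wc -l)" -le 1 ]; then
        echo "refusing: port $port is the only listener in $cfg" >&2
        return 1
    fi
    sed -i "s/^Port[[:space:]]*$port[[:space:]]*\$/#Port $port/" "$cfg"
}

# Rehearsal on a scratch copy of a stock sshd_config (constructed snippet).
demo=$(mktemp)
printf '#Port 22\n#AddressFamily any\n' > "$demo"
sshd_add_port "$demo" 22022   # uncomment and change to 22022
sshd_add_port "$demo" 22      # keep 22 until the new port is verified
sshd_drop_port "$demo" 22     # after a successful login on 22022
sshd_ports "$demo"            # prints 22022
rm -f "$demo"
```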
Next install endlessh via apt:
Then install the endlessh collection with cscli:
Remember to reload CrowdSec for the new collection to be installed properly.
By default, endlessh is not permitted to start on privileged ports (< 1024). So we need to fix that:
Endlessh needs to be configured to run on port 22 and to log (to /var/log/syslog by default). Create the file /etc/endlessh/config with your favorite text editor and add the following lines:
The next step in getting CrowdSec to detect attacks on our fake ssh service is to tell CrowdSec, in /etc/crowdsec/acquis.yaml, where to look and which format the log file is in. Add the following lines:
Make sure that each entry is separated by ‘---’. The trailing ‘---’ is not mandatory.
Lastly, both services need to be restarted:
After a little while, you should see entries like these in /var/log/crowdsec.log:
We’re simply installing Nginx from the package repository:
After installation, make sure to start up the webserver.
For CrowdSec to know the location and type of the log files, add the following to /etc/crowdsec/acquis.yaml:
Remember the ‘---’ separator, or you’ll get confusing errors.
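The endlessh and Nginx acquisition entries together, with the ‘---’ separation both sections above insist on, as an added script rather than the article's own listing. The helper names are hypothetical; the log paths are the Debian / Raspberry Pi OS defaults (endlessh logs via syslog, Nginx to /var/log/nginx), and the demo works on a scratch file instead of /etc/crowdsec/acquis.yaml.

```shell
#!/bin/sh
# Added example (not the article's own listing): append '---'-separated
# acquisition entries to a CrowdSec acquis.yaml without duplicating them.
# Function names are hypothetical; log paths are Debian / Raspberry Pi OS
# defaults (endlessh logs via syslog, Nginx writes to /var/log/nginx).

# add_acquis_entry FILE TYPE LOG... : append one acquisition document of
# log type TYPE (e.g. syslog, nginx) covering the given LOG files.
add_acquis_entry() {
    acq="$1"; type="$2"; shift 2
    # Idempotent: if the first log path is already listed, do nothing.
    if [ -f "$acq" ] && grep -qxF "  - $1" "$acq"; then
        return 0
    fi
    # acquis.yaml is a multi-document YAML stream: every entry after the
    # first must be preceded by a '---' line (a trailing one is optional).
    if [ -s "$acq" ] && [ "$(tail -n 1 "$acq")" != '---' ]; then
        printf -- '---\n' >> "$acq"
    fi
    printf 'filenames:\n' >> "$acq"
    for log in "$@"; do
        printf '  - %s\n' "$log" >> "$acq"
    done
    printf 'labels:\n  type: %s\n' "$type" >> "$acq"
}

# acquis_doc_count FILE : number of acquisition documents CrowdSec will see.
acquis_doc_count() {
    [ -s "$1" ] || { echo 0; return 0; }
    seps=$(grep -cx -- '---' "$1") || seps=0
    # A trailing '---' (allowed but optional) does not start another entry.
    if [ "$(tail -n 1 "$1")" = '---' ]; then seps=$((seps - 1)); fi
    echo $((seps + 1))
}

# Demo on a scratch copy; point it at /etc/crowdsec/acquis.yaml for real use.
demo=$(mktemp)
add_acquis_entry "$demo" syslog /var/log/syslog
add_acquis_entry "$demo" nginx /var/log/nginx/access.log /var/log/nginx/error.log
add_acquis_entry "$demo" syslog /var/log/syslog   # repeated call is a no-op
echo "entries: $(acquis_doc_count "$demo")"       # entries: 2
cat "$demo"
rm -f "$demo"
```

Reload the agent afterwards, as the article says, so the new entries are picked up.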
Install the crowdsecurity/http-cve collection to detect those drive-by attacks:
Make sure to reload the CrowdSec agent after installation.
In this article, I’ve shown you how to install CrowdSec on your Raspberry Pi and explained how to set it up as a sort of honeypot device. I hope you will find it inspiring and want to join me in annoying the cybercriminals just a little bit more.
Don't forget to join our Discord server for more support and discussions with the largest cyber threat community 💪🏻.