Protect your Flask applications using CrowdSec
In this post, we’re going to learn how web applications developed using Python can be protected using CrowdSec at the application level.
At CrowdSec we want our users to protect themselves regardless of the tech stack they use. The simplest way to do that is to implement threat remediation at the network level, with a firewall bouncer. CrowdSec bouncers can also be set up at the upper levels of an applicative stack: web server, CDN, and in the case we are looking at here, the business logic of the main application itself.
Applying remediation directly in your application can be helpful for various reasons:
- It allows you to provide a business-logic answer to potential security threats
- It gives you a lot of flexibility about what to do, and how, when a security issue arises
We are going to deploy a Python bouncer which integrates with a Flask application. This application will then be able to apply captcha and ban remediations to the IPs suggested by CrowdSec. A reference Flask app protected by CrowdSec is available here.
Before we begin, here are the prerequisites:
- A running Flask application.
- Google reCaptcha Site key and Secret key. See instructions here.
In the following steps, we will create a CrowdSec client and a Flask middleware. This middleware is registered with your Flask app. For every incoming request, the middleware takes the appropriate action (ban, captcha) if CrowdSec has a decision against the request’s IP.
Creating the CrowdSec client in the Flask app:
We will first create a client which polls CrowdSec to keep track of the latest (IP, remediation) pairs. This client is provided by the `pycrowdsec` library.
Then, in your application code, before you create the Flask app object, instantiate the client. The client needs a bouncer API key, which you generate with:
sudo cscli bouncers add flaskBouncer
Creating the ban view:
We will create a view to which all IPs that CrowdSec suggests banning are redirected. They won’t be able to access your web app.
Creating the captcha view:
IPs that CrowdSec suggests should get a captcha will need to:
- Be redirected to the captcha view if they haven’t solved a captcha very recently
- Solve the captcha correctly
- Be redirected back to the original view they were trying to access.
We will be using Google’s reCaptcha to provide and verify the captcha, which keeps this step a lot simpler.
First, create an HTML template to render the captcha. Let’s name it “captcha_page.html”.
Registering CrowdSec middleware:
Finally, we create a middleware to combine the work of the previous steps. This middleware, again, is provided by the `pycrowdsec` library.
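To make the behaviour of the client and middleware steps above concrete, here is a framework-agnostic sketch of the same logic: a cache that consumes the Local API decision stream (`{"new": [...], "deleted": [...]}`, with `scope` of `Ip` or `Range`) and a per-request check that returns the view to redirect to. This is an added example, not pycrowdsec’s code; the view names `ban_page`/`captcha_page`, the captcha validity window, and the plain-dict `session` are assumptions.

```python
import ipaddress

KNOWN_ACTIONS = {"ban", "captcha"}                 # remediations this app can apply
CAPTCHA_VALID_FOR = 15 * 60                       # seconds a solved captcha stays valid (assumed)
REMEDIATION_VIEWS = {"ban_page", "captcha_page"}  # hypothetical view names


class DecisionCache:
    def __init__(self):
        self._by_ip = {}   # ip_address -> action  (scope "Ip")
        self._by_net = {}  # ip_network -> action  (scope "Range")

    def apply_stream(self, payload):
        # Deletions first, then additions, so a re-issued decision is not dropped.
        for d in payload.get("deleted") or []:
            key, table = self._key(d)
            if key is not None:
                table.pop(key, None)
        for d in payload.get("new") or []:
            key, table = self._key(d)
            if key is not None:
                action = d.get("type", "").lower()
                table[key] = action if action in KNOWN_ACTIONS else "ban"  # unknown types fail closed

    def _key(self, d):
        scope = d.get("scope", "").lower()
        if scope == "ip":
            return ipaddress.ip_address(d["value"]), self._by_ip
        if scope == "range":
            return ipaddress.ip_network(d["value"], strict=False), self._by_net
        return None, None  # other scopes (country, AS, ...) are ignored in this sketch

    def get_action_for(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr in self._by_ip:
            return self._by_ip[addr]
        for net, action in self._by_net.items():
            if addr in net:
                return action
        return None


def middleware_decision(ip, view, session, cache, now):
    # Returns None to let the request through, else the name of the view to redirect to.
    if view in REMEDIATION_VIEWS:
        return None  # never gate the ban/captcha views themselves
    action = cache.get_action_for(ip)
    if action == "ban":
        return "ban_page"
    if action == "captcha" and now - session.get("captcha_solved_at", 0) > CAPTCHA_VALID_FOR:
        session["next_view"] = view  # the captcha view sends the user back here once solved
        return "captcha_page"
    return None
```

In a real Flask app, `middleware_decision` would run from a `before_request` hook with `request.remote_addr`, `request.endpoint`, Flask’s `session` and `time.time()`, and `apply_stream` from a background poller of the decision stream.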
Now test it!
Let’s ban some IPs that you have access to.
Try accessing the Flask app from this IP; you should be redirected to the 403 view.
Let’s first unban our IP and then add a decision to captcha the IP.
Try accessing the Flask app from this IP; you should be redirected to the captcha view.
After solving the captcha, you’ll be redirected to the original view.
In summary, we added CrowdSec’s protection to our Flask app. This was done by integrating a middleware that checks whether the request’s IP has a CrowdSec decision against it and then takes the appropriate action.