How to Secure Ingress Traffic for a Fleet of Servers
CrowdSec Console to the Rescue
The CrowdSec Console is a centralized UI that helps you manage and monitor all your CrowdSec Security Engine installations. The Console comes with real-time security events monitoring, metrics, dashboards, management of Blocklists and Decisions.
It also uses the CrowdSec CTI to retrieve intelligence on specific IP addresses, their level of aggressiveness, and their past behaviors.
In this article, I want to walk you through the CrowdSec concept of Decisions and how to leverage real-time Decision Management — one of the latest features introduced with the Security Engine 1.5 release — to manage ingress traffic for a fleet of servers.
Let’s dig in!
What is a Decision?
In the CrowdSec Security Engine, Decisions dictate what actions will be taken by the system to block an IP address or a range of IP addresses.
Prior to the 1.5 release, Decisions were created in two ways:
- Automatically: Generated by the Security Engine, based on an attack Scenario, and enforced by the Remediation Component. For example, if an IP address repeatedly tries to access a protected resource and fails, CrowdSec will enforce the Decision to block that IP address for a period of time.
- Manually: Applied locally to one or multiple Security Engines by the administrator to block incoming requests from a set of IP addresses.
In Security Engine 1.5, we introduced the Decisions Management feature that allows users to:
- Configure and manage ingress traffic
- View the existing Decisions
- Take action to block or unblock IP addresses as needed.
Centralizing Decision management helps improve the overall security and performance of a system by reducing the risk of attacks and preventing malicious activity.
Before we dive into the exciting world of CrowdSec Decisions, let's make sure everyone's on the same page.
- Sign up for a Console account
Simply go to https://app.crowdsec.net/signup and follow the easy steps to get started.
- Install CrowdSec on your server
Follow these instructions for the installation process.
- Enable Polling API
This is a must-do step to initiate the polling of updates from the security engine. Read our documentation to learn more.
- Install a Remediation Component
This component is key for blocking malicious incoming traffic. Learn how to install it in our documentation.
- Get an Enterprise plan
You need an Enterprise plan to access the Decision Management feature in the Console. Go ahead and check the Enterprise plan here.
Introducing Decisions Management
Decisions taken by the Security Engine are communicated to the Central API. You can then manage the Decisions for all your Security Engines via the Console:
- Create new Decisions or remove existing ones
- Target one or multiple Security Engines
The Security Engine actively listens to the polling API to safely retrieve updates in real time. The Remediation Component then acts upon the defined Decisions to block or hinder malicious activity.
The Decisions dashboard
The Decisions dashboard can be found inside the Security Engines menu. Here you see the full list of all the Decisions that apply to your fleet of Security Engines. All Decisions are either created automatically by the Security Engines, or manually by a user of the organization.
Clicking on a blocked IP address will redirect you to the CTI, which provides all the details available for this IP.
Expand a Decision to view the comprehensive list of Security Engines that are protected from a particular IP. You can also find information on the status of the Decision and whether it has been applied or not.
To remove a Decision for a specific Security Engine, a cross is available in each row.
You can also globally select all the Security Engines impacted by an aggressive IP using the checkbox.
Adding a decision
Click on the Add a Decision button at the top right corner and fill out the relevant fields to configure the new Decision.
The IP / IP Range field allows you to specify the IP address or range of IP addresses that will be added to the Decision. This field accepts one or multiple IP addresses, separated by a semicolon. To apply a Decision over a range of IP addresses, add the CIDR mask. For example, if you want to cover all IPs between 22.214.171.124 and 126.96.36.199, you could write: 188.8.131.52/24
This is handy for building a Decision and then applying it to multiple IPs at once.
The remediation type that you can use depends on the Remediation Components installed with your Security Engine. Remediation Components have different capabilities — some enforce a ban policy while others have the ability to apply a CAPTCHA. For example, the firewall Component only handles ban remediation, whereas the Nginx one can also deal with CAPTCHA. Other Remediation Components may be able to handle remediation types beyond the predefined ones, and that is where custom remediation is useful.
The Duration field allows you to set the time duration for which the IP address or range of IPs should be blocked.
Three preset options are provided: 4 hours, 8 hours, or Custom. If the Custom option is selected, the input must be a custom time duration using valid time units, namely h for hour, m for minute, and s for second. This option provides flexibility in setting the duration of the decision to suit specific needs.
Note: Attacking IPs are often attached to compromised machines or temporarily attributed IPs. This is one of the strengths of the CrowdSec real-time blocklist: no stale information and no false positives. So, unless you're certain about it, I don't recommend setting an expiration date too far in the future. If you do want to set the expiration date for days ahead, you cannot do so using the day (d) unit. Instead, set the expiration date for a Decision in hours — for example, 2 days and 3 hours would be 51h.
The Reason field is a short open field you can use to add a description to let your teammates know why you created this Decision.
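To make the form rules above concrete, here is a small Go helper (an added example, not CrowdSec's own code) that checks a Decision's targets and duration before you type them into the Console: it splits the semicolon-separated IP / IP Range field, normalizes CIDR entries, and folds a day count into hours because the Custom duration only accepts h, m and s. The function names and the sample inputs are my own.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// parseTargets validates the "IP / IP Range" field: entries are separated by ";".
func parseTargets(field string) ([]string, error) {
	var out []string
	for _, raw := range strings.Split(field, ";") {
		s := strings.TrimSpace(raw)
		if _, ipnet, err := net.ParseCIDR(s); err == nil {
			out = append(out, ipnet.String()) // range: keep the network address
		} else if net.ParseIP(s) != nil {
			out = append(out, s) // single address
		} else {
			return nil, fmt.Errorf("invalid IP or range %q", s)
		}
	}
	return out, nil
}

// toConsoleDuration accepts h/m/s plus an optional leading "<n>d" that is
// folded into hours locally, since the Console rejects the day unit: "2d3h" -> "51h0m0s".
func toConsoleDuration(field string) (string, error) {
	s := strings.TrimSpace(field)
	var total time.Duration
	if i := strings.Index(s, "d"); i > 0 {
		days, err := strconv.Atoi(s[:i])
		if err != nil {
			return "", fmt.Errorf("bad day count in %q", field)
		}
		total, s = time.Duration(days)*24*time.Hour, s[i+1:]
	}
	if s != "" {
		rest, err := time.ParseDuration(s)
		if err != nil || rest%time.Second != 0 { // ms/us/ns are not Console units
			return "", fmt.Errorf("only h, m and s units are accepted: %q", field)
		}
		total += rest
	}
	if total <= 0 {
		return "", fmt.Errorf("duration must be positive: %q", field)
	}
	return total.String(), nil
}
```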
Targeting tags or Security Engines
You can target specific Security Engines in three ways:
- Select All Security Engines linked to your account
- Select one or multiple Security Engines individually
- Select one or multiple Tags grouping a bunch of Security Engines