
Enhancing Web Server Security with NPMplus and CrowdSec

This is a guest post by CrowdSec Community Member, Zoey.


NPMplus, the enhanced version of the standard Nginx Proxy Manager (NPM), is designed to provide you with additional security, performance optimizations, and advanced features for reverse proxy and web server management.

Now, if you combine that with the power of the crowd, brought to you by the CrowdSec Security Engine, you take your web server security to the next level.

In this tutorial, I will show you how to set up NPMplus as a Remediation Component (previously known as bouncer) for the CrowdSec Security Engine with the AppSec Component enabled, and CrowdSec parsing the NPMplus logs. 

NPMplus provides a web GUI to manage Nginx, which makes it easier for you to set up a secure and well-configured Nginx server. It lets you configure hosts for reverse proxies, redirection, dead pages, and streams, while still allowing you to make some manual configuration.

What you’ll need

Here’s a list of everything you’ll need to follow along with this tutorial:

  • This configuration should work on any host that is able to run Docker and Docker Compose; Podman may also work. Make sure you have the Docker and Docker Compose installation ready to go.
  • A text editor (for example, nano) and a way to download the compose.yaml (like curl) 
  • Port 80/TCP, 443/TCP, and 443/UDP should be free, open, and exposed to the internet 
  • Port 81/TCP should also be free but does not need to be exposed to the internet since it is the admin interface of NPMplus

Setting up NPMplus

Let’s start by downloading the compose.yaml file like this:


curl -L https://raw.githubusercontent.com/ZoeyVid/NPMplus/refs/heads/develop/compose.yaml -o compose.yaml 

Edit the compose.yaml file with your preferred text editor. 

You will need to change the following: 

  • For the NPMplus service, you need to set the environment variables TZ and ACME_EMAIL, for example TZ=Europe/Berlin if you live in Germany and ACME_EMAIL=admin@example.org, replacing admin@example.org with the actual email address you want to use. This email address will be used to create the ACME account for Let’s Encrypt. 
  • You also need to uncomment the environment variable called LOGROTATE so it is set to true. This is a requirement; otherwise, CrowdSec cannot parse NPMplus logs. 

Now scroll down a bit in the compose.yaml, and you will find a service/container called crowdsec. You need to uncomment this, but make sure to keep the openappsec line commented since you won’t be setting this one up here (don’t be confused: appsec and openappsec are different things).

Configuring the CrowdSec Security Engine

Now you need to configure the CrowdSec Security Engine to parse NPMplus logs.

For this, first, you need to create the /opt/crowdsec/conf/acquis.d folder. Within this folder, create a file called npmplus.yaml and copy-paste the following.


filenames:
  - /opt/npmplus/nginx/*.log
labels:
  type: npmplus
---
filenames:
  - /opt/npmplus/nginx/*.log
labels:
  type: modsecurity
---
listen_addr: 0.0.0.0:7422
appsec_config: crowdsecurity/appsec-default
name: appsec
source: appsec
labels:
  type: appsec

Note: You can find the newest version of the npmplus.yaml here.

Running NPMplus and CrowdSec

Now let’s fire up NPMplus and the Security Engine. 

For this you can run docker compose up -d inside the folder where you saved the compose.yaml file. 

Important note: Make sure to save the initial admin password of NPMplus. A minute after starting NPMplus, you can run docker logs npmplus and you’ll find the password written in the logs. Save this one for later.

Setting up NPMplus as a Remediation Component

Time to set up NPMplus to function as a Remediation Component for the Security Engine and enable the AppSec Component. Up to this point, the Security Engine only parses NPMplus logs but does not enforce any rules.

For this, you need to run the command docker exec crowdsec cscli bouncers add npmplus -o raw and copy the output, which is the key for NPMplus.
With this key, you can now make NPMplus work as a Remediation Component by editing this file: /opt/npmplus/crowdsec/crowdsec.conf.

Here, you need to change ENABLED=... to ENABLED=true and set API_KEY to the key you copied from the output of the bouncers add command. 

The last thing we need to do is restart NPMplus — running docker restart npmplus will do this for you. 

If you check the Docker logs now (docker logs npmplus), you should see some lines mentioning that NPMplus is connected to CrowdSec.
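The enrolment steps above can also be scripted. The following is an added example, not part of the original post or the NPMplus project: the hypothetical helper set_bouncer_conf rewrites only the ENABLED and API_KEY lines of crowdsec.conf and refuses an empty or malformed key. It assumes both settings sit on their own lines in KEY=value form and that the key uses only base64-style characters.

```shell
#!/bin/sh
# Added example, not from the original post or the NPMplus project.
# Assumptions: crowdsec.conf has ENABLED=... and API_KEY=... on their own
# lines, and the key contains only base64-style characters.
CONF="${CONF:-/opt/npmplus/crowdsec/crowdsec.conf}"

# set_bouncer_conf FILE KEY (hypothetical helper)
# Sets ENABLED=true and API_KEY=KEY in FILE, leaving every other line alone.
set_bouncer_conf() {
    file=$1
    key=$2
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    # Refuse an empty or unexpected key so that an error message from a
    # failed cscli call can never end up in the config.
    case $key in
        '' | *[!A-Za-z0-9+/=_-]*) echo "unexpected key format" >&2; return 1 ;;
    esac
    grep -q '^ENABLED=' "$file" && grep -q '^API_KEY=' "$file" || {
        echo "ENABLED= or API_KEY= line not found in $file" >&2
        return 1
    }
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    # Write back with cat so the original file keeps its owner and mode.
    sed -e 's|^ENABLED=.*|ENABLED=true|' \
        -e "s|^API_KEY=.*|API_KEY=$key|" "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# enroll: the three steps from the tutorial, in order.
enroll() {
    key=$(docker exec crowdsec cscli bouncers add npmplus -o raw) || return 1
    set_bouncer_conf "$CONF" "$key" || return 1
    docker restart npmplus
}

# Only touch Docker when called as: sh enroll.sh enroll
if [ "${1:-}" = "enroll" ]; then
    enroll
fi
```

Because the key is passed straight from cscli into the file, it never needs to be pasted into a terminal or editor by hand.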

That is all, folks!

Now NPMplus is running and is protected by CrowdSec! 

Note: If you log in on https://<ip-of-the-server>:81 now using the email address you used and the password you saved earlier, you should be asked to change these credentials.

You can use the same steps to set up all your hosts if you want.
Hope you enjoyed this quick tutorial! Don’t hesitate to reach out to the CrowdSec team with questions or feedback on Discourse or Discord.
