--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: RFP: crowdsec -- lightweight agent to detect and respond to bad behaviours. It also automatically benefits from our global community-wide IP reputation database
- From: Antoine Beaupre <anarcat@debian.org>
- Date: Tue, 20 Oct 2020 10:46:11 -0400
- Message-id: <160320517188.16731.8431079267269417444.reportbug@curie.anarc.at>
Package: wnpp
Severity: wishlist
* Package name    : crowdsec
  Version         : 0.3.5
  Upstream Author : Crowd Security
* URL             : https://crowdsec.net/
* License         : MIT/Expat?
  Programming Lang: Golang
  Description     : lightweight agent to detect and respond to bad behaviours
Crowdsec is open-source, lightweight software that detects peers with
aggressive behaviors to prevent them from accessing your systems. Its
user-friendly design and assistance offer a low technical barrier to
entry and nevertheless a high security gain.
Processing is done in 5 steps:
1. Read data sources (log files, streams, trails, messages ...),
   normalize and enrich signals
2. Match those signals to behavior patterns, aka scenarios (*)
3. If an unwanted behavior is detected, deal with it through a
   bouncer: a software component integrated into your applicative
   stack that supports various remediations such as block, return
   403, and soon captcha, 2FA, etc.
4. (ONLY) The aggressive IP, the scenario name triggered and a
   timestamp are then sent to our curation platform (to avoid
   poisoning & false positives)
5. If verified, this IP is then integrated into the block list
   continuously distributed to all CrowdSec clients (which is used as
   an enrichment source in step 1)
By detecting, blocking and sharing the threats they faced, all clients
reinforce each other (hence the name Crowd-Security). Crowdsec
is designed for modern infrastructures, with its "Detect Here, Remedy
There" approach, letting you analyse logs coming from several sources
in one place and block threats at various levels (applicative, system,
infrastructural) of your stack.
(*) CrowdSec ships by default with scenarios (brute force, port scan,
web scan, etc.) adapted for most contexts, but you can easily extend it
by picking more of them from the hub. It is also very easy to adapt an
existing one or create one yourself.
====
This is similar to fail2ban and sshguard, but with the extra touch
that it allows for federation and distribution of blocklists. It also
integrates with Prometheus, also packaged in Debian.
I haven't tested it. I guess it could be maintained by the Go team?
Source code is available here: https://github.com/crowdsecurity/crowdsec
The software is free (MIT), but to get access to the crowd-sourced
reputation data, you must also share it. The server-side of things is
also non-free.
--- End Message ---
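The processing steps quoted in the report, modelled as an added Go example that is not crowdsec's own code: it normalizes constructed sshd failure lines (step 1), feeds them into a per-IP leaky-bucket scenario (step 2), and emits only the IP, scenario name and timestamp that step 4 says leave the host. The log format, the scenario name ssh-bf, its capacity and its leak rate are all assumptions.

```go
package main

import (
	"math"
	"regexp"
	"time"
)

// Signal is the only data the description says leaves the host (step 4):
// the offending IP, the scenario name and a timestamp.
type Signal struct {
	IP, Scenario string
	At           time.Time
}
// Constructed ssh brute-force scenario, a leaky bucket per source IP (step 2):
// +1 token per failed login, -1 token per leakEvery, trips above capacity.
const (
	scenario  = "ssh-bf"
	capacity  = 5
	leakEvery = 10 * time.Second
)
// sshFail normalizes an sshd failure line (step 1). Constructed log format:
// "<RFC3339 time> sshd[pid]: Failed password for <user> from <ip> port <n> ssh2".
var sshFail = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Failed password for .* from (\d+\.\d+\.\d+\.\d+) port`)
// Detect runs the scenario over raw log lines (steps 1-3) and returns one Signal per burst.
func Detect(lines []string) []Signal {
	level := map[string]float64{}  // tokens currently held per IP
	last := map[string]time.Time{} // time of the previous event per IP
	var out []Signal
	for _, l := range lines {
		m := sshFail.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		at, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		ip := m[2]
		if prev, seen := last[ip]; seen { // leak one token per leakEvery elapsed
			level[ip] = math.Max(0, level[ip]-float64(at.Sub(prev))/float64(leakEvery))
		}
		last[ip], level[ip] = at, level[ip]+1
		if level[ip] > capacity {
			level[ip] = 0 // drain so one burst is reported once
			out = append(out, Signal{IP: ip, Scenario: scenario, At: at})
		}
	}
	return out
}
```

A slow source that fails less often than one login per leak interval never fills its bucket, which is the false-positive trade-off a real scenario tunes with its capacity and leak speed.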