Setting up a CrowdSec firewall with Traefik in Docker

I found a really useful security application, CrowdSec. Paired with Traefik, with everything running in Docker, it is so convenient!

Enough talk, let's get to it!

### File structure:

```text
./crowdsec
├── docker-compose.yml
├── crowdsec-data
└── crowdsec-config
    └── acquis.yaml
```

### The compose file

```yaml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: unless-stopped
    ports:
      - 8080:8080
    security_opt:
      - no-new-privileges:true
    environment:
      TZ: "Asia/Shanghai"
      GID: "0"
      CUSTOM_HOSTNAME: "myserver"
      # These are the collections we want installed
      COLLECTIONS: "crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/sshd"
      # If the server sits behind Cloudflare, add the following setting
      POSTOVERFLOWS: "crowdsecurity/cdn-whitelist"
    volumes:
      - ./crowdsec-data:/var/lib/crowdsec/data/
      - ./crowdsec-config:/etc/crowdsec/
      # Put your own Traefik log directory path below
      - ./home/wwwroot/traefik/data/logs:/var/log/traefik/:ro
      - /var/log:/var/log/ssh/:ro

  crowdsec-traefik-bouncer:
    image: fbonalair/traefik-crowdsec-bouncer:latest
    container_name: crowdsec-bouncer-traefik
    security_opt:
      - no-new-privileges:true
    environment:
      # After the first run of crowdsec, the API details can be viewed in /crowdsec-config/local_api_credentials.yaml
      # (quoted placeholder: an unquoted {...} would be parsed by YAML as a mapping)
      CROWDSEC_BOUNCER_API_KEY: "<replace with your API key>"
      CROWDSEC_AGENT_HOST: crowdsec:8080
      GIN_MODE: release
      PORT: 8082
      CROWDSEC_BOUNCER_LOG_LEVEL: 0
    depends_on:
      - crowdsec
    restart: unless-stopped
    ports:
      - 8082:8082
```

Then

```bash
docker-compose up -d
```

### Add the following to crowdsec-config/acquis.yaml

```yaml
filenames:
  - /var/log/traefik/*
labels:
  type: traefik
---
filenames:
  - /var/log/ssh/auth.log
labels:
  type: syslog
```

!!! Attention !!!

Once all of the containers above are running normally, enter:

```bash
docker exec crowdsec cscli bouncers add bouncer-traefik
```

### Generate the API key, and be sure to save it!! It is only shown once!!

```text
Api key for 'bouncer-traefik':

   XXXXXXXXXXXXXXXXXXXXXXXXXXX

Please keep this key since you will not be able to retrieve it!
```

Save it carefully; running the command again will only show:

```text
XXX level=fatal msg="unable to create bouncer: bouncer bouncer-traefik already exists"
```

### Next comes the Traefik middleware configuration; only a small part is shown here:

```yaml
http:
  middlewares:
    middleware-crowdsec-bouncer:
      forwardauth:
        address: http://crowdsec-bouncer-traefik:8082/api/v1/forwardAuth
        trustForwardHeader: true
```

### Part of Traefik's static configuration file:

```yaml
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  https:
    http3: {}
    address: ":443"
    http:
      tls: {}
      middlewares:
        - middleware-crowdsec-bouncer@file
    # If the server is proxied through Cloudflare, add the settings below
    forwardedHeaders:
      trustedIPs:
        - "173.245.48.0/20"
        - "103.21.244.0/22"
        - "103.22.200.0/22"
        - "103.31.4.0/22"
        - "141.101.64.0/18"
        - "108.162.192.0/18"
        - "190.93.240.0/20"
        - "188.114.96.0/20"
        - "197.234.240.0/22"
        - "198.41.128.0/17"
        - "162.158.0.0/15"
        - "104.16.0.0/13"
        - "104.24.0.0/14"
        - "172.64.0.0/13"
        - "131.0.72.0/22"
        - "2400:cb00::/32"
        - "2606:4700::/32"
        - "2803:f800::/32"
        - "2405:b500::/32"
        - "2405:8100::/32"
        - "2a06:98c0::/29"
        - "2c0f:f248::/32"
```
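The `trustedIPs` list is what makes the bouncer's decision meaningful: it can only ban the client address Traefik hands it, so forwarded headers must be honoured only from the CDN. The Python model below is added here and is not code from the original post, Traefik or CrowdSec; it assumes a simplified rule (X-Forwarded-For is kept only when the TCP peer is in a trusted range, and its first entry is taken as the visitor), a constructed subset of the page's Cloudflare ranges, and constructed addresses, and compares that list against a deliberately over-broad one.

```python
from __future__ import annotations
import ipaddress

# Constructed subset of the Cloudflare ranges in the page's trustedIPs list
# (use the full list in a real config).
CLOUDFLARE_TRUSTED = ["173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32"]

# Deliberately weak alternative: trusting every peer lets any client forge the header.
TRUST_EVERYONE = ["0.0.0.0/0", "::/0"]


def is_trusted_peer(remote_addr: str, trusted_cidrs: list[str]) -> bool:
    """True if the TCP peer that reached Traefik lies inside one of the trusted ranges."""
    peer = ipaddress.ip_address(remote_addr)
    return any(peer in ipaddress.ip_network(cidr, strict=False) for cidr in trusted_cidrs)


def client_ip_seen_by_bouncer(remote_addr: str, x_forwarded_for: str | None,
                              trusted_cidrs: list[str]) -> str:
    """Simplified model (an assumption for this example, not Traefik's own logic) of
    entryPoint forwardedHeaders.trustedIPs: the incoming X-Forwarded-For is honoured
    only when the peer is trusted; otherwise it is discarded and the peer address is
    what the forwardAuth bouncer gets to act on."""
    if x_forwarded_for and is_trusted_peer(remote_addr, trusted_cidrs):
        # A CDN edge places the real visitor first; later hops are appended after it.
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


def ban_applies(banned_ips: set[str], remote_addr: str, x_forwarded_for: str | None,
                trusted_cidrs: list[str]) -> bool:
    """Would a CrowdSec decision against banned_ips block this request?"""
    return client_ip_seen_by_bouncer(remote_addr, x_forwarded_for, trusted_cidrs) in banned_ips


if __name__ == "__main__":
    banned = {"203.0.113.7"}  # constructed: an IP with an active cscli decision
    # 1. Relayed by a Cloudflare edge: the visitor address in the header is honoured.
    print(ban_applies(banned, "104.16.1.1", "203.0.113.7, 104.16.1.1", CLOUDFLARE_TRUSTED))  # True
    # 2. Banned host connects directly and forges the header: the header is ignored.
    print(ban_applies(banned, "203.0.113.7", "198.51.100.9", CLOUDFLARE_TRUSTED))  # True
    # 3. Same forged request against the weak list: the ban is bypassed.
    print(ban_applies(banned, "203.0.113.7", "198.51.100.9", TRUST_EVERYONE))  # False
```

Without Cloudflare in front, leave `forwardedHeaders` out entirely rather than widening the list; with no trusted ranges the header is never honoured and the peer address is used.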

Stop the containers for now and fill the API key generated earlier into the relevant place in docker-compose.yml.

### Restart the containers

```bash
docker-compose down && docker-compose up -d
```

Then you can happily use it!

### Some useful commands:

```bash
docker exec crowdsec cscli bouncers list
```

Check whether the API key is working. Once it is, you will see something like:

| Name | IP Address | Valid | Last API pull | Type | Version | Auth Type |
|------|------------|-------|---------------|------|---------|-----------|
| bouncer-traefik | XX:XX:XX:XX | ✔️ | 2023-01-22T07:53:34Z | Go-http-client | 1.1 | api-key |

```bash
docker exec crowdsec cscli metrics
```

View CrowdSec status.

```bash
docker exec crowdsec cscli decisions list
```

Check whether any IPs have been banned.

```bash
docker exec -t crowdsec cscli collections list
```

List the rule collections.

```bash
docker exec -t crowdsec cscli collections install crowdsecurity/traefik
```

Install the crowdsecurity/traefik collection; it can also be preinstalled through the container's settings (the `COLLECTIONS` variable above).

```bash
docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade
```

Update all rules. You can set up a scheduled task for this; how you do it is up to you, for example:

```bash
crontab -e
```

Add the command

```text
0 * * * * docker exec crowdsec cscli hub update && docker exec crowdsec cscli hub upgrade
```

Save as prompted, then restart the cron service

```bash
service cron restart
```

END
