fraggle/WebsiteTemplate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
WebsiteTemplate/cheatsheets/crowdsec.html
Fraggle 6f42a58ee5
first commit
2026-01-25 11:33:37 -04:00

236 lines
7.7 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
const theme = localStorage.getItem('theme') ||
(window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>crowdsec Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">crowdsec Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>CrowdSec is a collaborative intrusion prevention system that analyzes behaviors, responds to attacks, and shares threat intelligence. Modern, open-source alternative to fail2ban with community-driven detection rules.</p>
<hr>
<h2>Basic Usage</h2>
<ul>
<li>crowdsec -h - Show help</li>
</ul>
<ul>
<li>crowdsec status - Show status</li>
</ul>
<ul>
<li>systemctl status crowdsec - Service status</li>
</ul>
<ul>
<li>systemctl start crowdsec - Start service</li>
</ul>
<ul>
<li>systemctl stop crowdsec - Stop service</li>
</ul>
<ul>
<li>systemctl restart crowdsec - Restart service</li>
</ul>
<hr>
<h2>Configuration</h2>
<ul>
<li>/etc/crowdsec/config.yaml - Main configuration</li>
</ul>
<ul>
<li>/etc/crowdsec/acquis.yaml - Log sources</li>
</ul>
<ul>
<li>/etc/crowdsec/parsers/ - Parser configurations</li>
</ul>
<ul>
<li>/etc/crowdsec/scenarios/ - Detection scenarios</li>
</ul>
<ul>
<li>/etc/crowdsec/collections/ - Collection definitions</li>
</ul>
<hr>
<h2>Management</h2>
<ul>
<li>cscli -h - CLI tool help</li>
</ul>
<ul>
<li>cscli hub list - List installed collections</li>
</ul>
<ul>
<li>cscli hub update - Update collections</li>
</ul>
<ul>
<li>cscli hub upgrade - Upgrade collections</li>
</ul>
<ul>
<li>cscli collections list - List collections</li>
</ul>
<ul>
<li>cscli collections install crowdsecurity/linux - Install collection</li>
</ul>
<ul>
<li>cscli parsers list - List parsers</li>
</ul>
<ul>
<li>cscli scenarios list - List scenarios</li>
</ul>
<hr>
<h2>Bouncers</h2>
<ul>
<li>cscli bouncers list - List bouncers</li>
</ul>
<ul>
<li>cscli bouncers add mybouncer - Add bouncer</li>
</ul>
<ul>
<li>cscli bouncers delete mybouncer - Delete bouncer</li>
</ul>
<ul>
<li>cscli bouncers inspect mybouncer - Inspect bouncer</li>
</ul>
<hr>
<h2>Decisions & Alerts</h2>
<ul>
<li>cscli decisions list - List active decisions</li>
</ul>
<ul>
<li>cscli decisions list -i 192.168.1.100 - Decisions for IP</li>
</ul>
<ul>
<li>cscli alerts list - List alerts</li>
</ul>
<ul>
<li>cscli alerts inspect &lt;alert_id&gt; - Inspect alert</li>
</ul>
<ul>
<li>cscli decisions delete -i 192.168.1.100 - Delete decision</li>
</ul>
<ul>
<li>cscli decisions add -i 192.168.1.100 -t ban - Add decision</li>
</ul>
<hr>
<h2>Metrics & Monitoring</h2>
<ul>
<li>cscli metrics - Show metrics</li>
</ul>
<ul>
<li>cscli hub list -v - Verbose collection list</li>
</ul>
<ul>
<li>cscli version - Show version</li>
</ul>
<ul>
<li>cscli capi status - API status</li>
</ul>
<hr>
<h2>Common Examples</h2>
<h3>Install Collection</h3>
<pre><code>cscli collections install crowdsecurity/linux</code></pre>
<p>Install Linux collection.</p>
<h3>Update Collections</h3>
<pre><code>cscli hub update && cscli hub upgrade</code></pre>
<p>Update and upgrade all collections.</p>
<h3>List Decisions</h3>
<pre><code>cscli decisions list</code></pre>
<p>Show active bans.</p>
<h3>Check IP</h3>
<pre><code>cscli decisions list -i 192.168.1.100</code></pre>
<p>Check if IP is banned.</p>
<h3>Add Manual Ban</h3>
<pre><code>cscli decisions add -i 192.168.1.100 -t ban --duration 24h</code></pre>
<p>Manually ban IP for 24 hours.</p>
<h3>Remove Ban</h3>
<pre><code>cscli decisions delete -i 192.168.1.100</code></pre>
<p>Remove ban for IP.</p>
<h3>View Alerts</h3>
<pre><code>cscli alerts list</code></pre>
<p>List recent security alerts.</p>
<h3>Service Status</h3>
<pre><code>systemctl status crowdsec</code></pre>
<p>Check service status.</p>
<hr>
<h2>Configuration Files</h2>
<ul>
<li>/etc/crowdsec/config.yaml - Main config</li>
</ul>
<ul>
<li>/etc/crowdsec/acquis.yaml - Log acquisition</li>
</ul>
<ul>
<li>/var/log/crowdsec.log - Main log file</li>
</ul>
<ul>
<li>/var/lib/crowdsec/data/ - Database directory</li>
</ul>
<hr>
<h2>Tips</h2>
<ul>
<li>Install collections for your services (nginx, ssh, etc.)</li>
</ul>
<ul>
<li>Regularly update collections: cscli hub update</li>
</ul>
<ul>
<li>Configure acquis.yaml to monitor your logs</li>
</ul>
<ul>
<li>Use bouncers to integrate with firewalls</li>
</ul>
<ul>
<li>Monitor decisions and alerts regularly</li>
</ul>
<ul>
<li>Share intelligence with community (optional)</li>
</ul>
<ul>
<li>More modern and flexible than fail2ban</li>
</ul>
<ul>
<li>Community-driven detection rules</li>
</ul>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink