Hey all, i’ve decided I should probably setup something else to help block nefarious IP addresses. I’ve been looking into CrowdSec and Fail2Ban but i’m not really sure the best one to use.

My setup is OpnSense -> Nginx Proxy Manager -> Servers. I think I need to setup CrowdSec/Fail2Ban on the Nginx Proxy Manager to filter the access logs, then ideally it would setup the blocks on OpnSense - but i’m not sure that can be done?

Any experience in a setup like this? I’ve found a few guides but some of them seem fairly outdated.

Edit: thanks everybody for the great info. General consensus seems to be with crowdsec so I’ll go down that path and see how it goes.

  • Matty_rOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    23 hours ago

    I thought crowdsec does everything fail2ban does in addition to global block lists?

    • vegetaaaaaaa@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      16 hours ago

      Fail2ban is a Free/Open-Source program to parse logs and take action based on the content of these logs. The most common use case is to detect authentication failures in logs and issue a firewall level ban based on that. It uses regex filters to parse the logs and policies called jails to determine which action to take (wait for more failures, run command xyz…). It’s old, basic, customizable, does its job.

      crowdsec is a commercial service [1] with a free offering, and some Free/Open-Source components. The architecture is quite different [2], it connects to Crowdec’s (the company) servers to crowd-source detections, their service establishes a “threat score” for each IP based on detections they receive, and in exchange they provide [3] some of these threat feeds/blocklists back to their users. A separate crowdsec-bouncer process takes action based on your configuration.

      If you want to build your own private shared/global blocklist based on crowdsec detections, you’ll need to setup a crowdsec API server and configure all your crowdsec instances to use it. If you want to do this with fail2ban you’ll need to setup your own sync mechanism (there are multiple options, I use a cron job+script that pulls IPs from all fail2ban instances using fail2ban-client status, builds an ipset, and pushes it to all my servers). If you need crowdsourced blocklists, there are multiple free options ([4] can be used directly by ipset).

      Both can be used for roughly the same purpose, but are very different in how they work and the commercial model (or lack of) behind the scenes.