SSH is a critical service for system administrators, but it is often targeted by brute-force attacks. As part of the Pangolin open-source project, securing your infrastructure is a priority. Besides other security measures, like setting proper firewall rules, we can use crowdsec to scan our auth.log for suspicious behaviour. To additionally secure your host's SSH access using crowdsec, we'll have to take a couple of steps.

Install local bouncer on your host

To be able to react to crowdsec decisions (made in its docker container ;) at host level, we need to install a remediation component. If you don't have the crowdsec repositories installed, check their documentation. We will call it "host-bouncer" in the following steps.

sudo apt install crowdsec-firewall-bouncer-iptables

Add bouncer in crowdsec

Here we will take the step into our crowdsec container and create a new bouncer.

docker exec crowdsec cscli bouncers add iptablesFirewallBouncer

This will give you an API key which our "host-bouncer" will use to connect to crowdsec.

Configure host bouncer

Now we will edit the configuration of our “host-bouncer” accordingly:

nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Under "api_key" add the API key we just created. The api_url gives us an idea what to do next :)

api_url: http://127.0.0.1:8080/
api_key: your_api_key

Edit pangolin’s docker-compose.yaml

In the next step we have to edit the docker-compose.yaml to open up our containers a little bit.

Expose port 8080

As our local firewall bouncer will try to connect to the endpoint given in its crowdsec-firewall-bouncer.yaml

api_url: http://127.0.0.1:8080/

… we will have to expose it in pangolin's docker-compose.yaml:

ports:
      - 6060:6060
      - 8080:8080
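Publishing 8080:8080 binds the crowdsec local API on every host interface, while our host bouncer only ever talks to 127.0.0.1. The following check, added here as an example and not part of Pangolin or crowdsec, parses docker-compose short-syntax port mappings ([host_ip:]host_port[:container_port][/protocol]) and flags internal-only ports that are published without a loopback host address. The WEAK and FIXED lists are constructed samples; the loopback-bound form 127.0.0.1:8080:8080 is the standard compose syntax for restricting a published port to localhost.

```python
"""Audit docker-compose port mappings for internal services exposed on all
interfaces. Added example, not part of the Pangolin project."""
import ipaddress


def parse_port_mapping(mapping: str) -> dict:
    """Parse docker short syntax [host_ip:]host_port[:container_port][/proto].

    IPv6 host addresses in brackets ("[::1]:8080:8080") are not handled here.
    """
    proto = "tcp"
    if "/" in mapping:
        mapping, proto = mapping.rsplit("/", 1)
    parts = mapping.split(":")
    if len(parts) == 1:                      # "8080" -> random host port
        host_ip, host_port, container_port = None, None, parts[0]
    elif len(parts) == 2:                    # "8080:8080"
        host_ip, host_port, container_port = None, parts[0], parts[1]
    elif len(parts) == 3:                    # "127.0.0.1:8080:8080"
        host_ip, host_port, container_port = parts
    else:
        raise ValueError(f"unrecognised port mapping: {mapping!r}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)        # raises ValueError on junk
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port, "proto": proto}


def is_loopback_only(mapping: str) -> bool:
    """True when the mapping is bound to a loopback host address."""
    host_ip = parse_port_mapping(mapping)["host_ip"]
    return host_ip is not None and ipaddress.ip_address(host_ip).is_loopback


def audit_ports(mappings, internal_ports=("8080",)):
    """Return the mappings that publish an internal-only container port
    (the crowdsec LAPI on 8080 in our case) on all host interfaces."""
    findings = []
    for m in mappings:
        p = parse_port_mapping(m)
        if p["container_port"] in internal_ports and not is_loopback_only(m):
            findings.append(m)
    return findings


# Constructed samples: the mapping from this post and a localhost-only variant.
WEAK = ["6060:6060", "8080:8080"]
FIXED = ["6060:6060", "127.0.0.1:8080:8080"]

if __name__ == "__main__":
    for name, mappings in (("weak", WEAK), ("fixed", FIXED)):
        print(name, "->", audit_ports(mappings) or "ok")
```

With the loopback-bound mapping the host bouncer still reaches http://127.0.0.1:8080/ exactly as configured above, but the API key is no longer the only thing standing between the internet and your crowdsec LAPI.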

Make your auth.log available to crowdsec

And to make the host's auth.log available in the crowdsec container, we'll map the /var/log/ directory read-only into the container:

volumes:
      - /var/log/:/var/log/host:ro

Create an acquisition-file

Last but not least we create an acquisition file in the config/crowdsec/acquis.d/ directory. If your pangolin installation is located under /opt/pangolin/:

nano /opt/pangolin/config/crowdsec/acquis.d/hostauth.yaml

You could put the acquisition into your acquis.yaml file as well, but this is outdated.

filenames:
  - /var/log/host/auth.log
labels:
  type: syslog

After restarting your stack, crowdsec should start parsing your auth.log. Check that you have the proper sshd collections installed.
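To make it tangible what crowdsec does with the auth.log we just handed it, here is a small stand-in for the sshd parser and brute-force scenario, added as an example and not crowdsec's own code. It reads syslog-format sshd lines, extracts failed password attempts, and emits a ban decision for a source that fails more than a threshold of times inside a sliding time window; the host bouncer installed above is what turns such decisions into firewall rules. The sample log lines are constructed, and the threshold, window and ban duration are made-up values for the demo, not the parameters of crowdsec's real ssh-bf scenario.

```python
"""Toy sshd brute-force detector over syslog-format auth.log lines.
Added example, not crowdsec's parser or scenario."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the line shape rsyslog writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 vps sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:05 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:15:07 vps sshd[2107]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:15:09 vps sshd[2109]: Failed password for root from 203.0.113.7 port 51160 ssh2
Mar  3 10:16:00 vps sshd[2120]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: ED25519 SHA256:placeholder
Mar  3 10:17:30 vps sshd[2130]: Failed password for deploy from 198.51.100.4 port 40030 ssh2
Mar  3 10:40:00 vps sshd[2140]: Failed password for root from 203.0.113.7 port 51170 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(text: str):
    """Return (timestamp, source_ip, user) for every failed password line.
    Syslog timestamps carry no year, so strptime yields year 1900; only
    the relative ordering matters for the window logic below."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                              # accepted logins etc. are ignored
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      ban_duration="4h"):
    """Emit one ban decision per source IP that reaches `threshold` failed
    logins within any `window`-long span (sliding window over sorted times).
    Constructed parameters; crowdsec's real scenario uses a leaky bucket."""
    by_ip = defaultdict(list)
    for ts, ip, _user in sorted(events):
        by_ip[ip].append(ts)

    decisions = []
    for ip, stamps in by_ip.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1                        # drop failures older than the window
            if end - start + 1 >= threshold:
                decisions.append({"ip": ip, "type": "ban",
                                  "duration": ban_duration,
                                  "triggered_at": stamps[end]})
                break                             # one decision per IP is enough
    return decisions


if __name__ == "__main__":
    for d in detect_bruteforce(parse_failed_logins(SAMPLE_AUTH_LOG)):
        print(f"{d['type']} {d['ip']} for {d['duration']} "
              f"(triggered {d['triggered_at']:%b %d %H:%M:%S})")
```

Run against the sample, the single deploy typo from 198.51.100.4 stays below the threshold, while 203.0.113.7 trips it with its fifth failure at 10:15:09; that is the kind of decision you will later see listed in cscli and enforced by the firewall bouncer.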

Your auth.log should show up in the metrics after connecting via ssh:

docker exec crowdsec cscli metrics

When set up correctly, our new bouncer should appear… [screenshot: Bouncers]

…as well as our auth.log acquisition… [screenshot: Metrics]

This is another small layer to make your VPS a little bit safer.