Ubuntu Firewall with CrowdSec for WordPress

Last Revised: October 2, 2021

Running a firewall at the operating system level is usually not a simple task, which is why for WordPress we normally fall back on a WAF plugin instead. But what if there were an OS-level firewall that was easy to install and that the community helped maintain?

CrowdSec is an open-source, "massively multiplayer" firewall: it analyzes visitor behavior in your logs and applies a response adapted to each type of attack. It also harnesses the power of the crowd, feeding a global IP reputation database that protects every participating user.

IMPORTANT: A firewall can also block legitimate traffic, so it is highly recommended to review carefully any exceptions you need and how your plugins behave, since some functionality may end up restricted.

This tutorial has been created on a Clouding.io VPS. You can create your own VPS from 3€/month.

Requirements

We assume the server is already set up, preferably with its services running: Apache or nginx, PHP, and a MySQL or MariaDB database. If everything is already installed, the installer can detect it all automatically.

Installing CrowdSec

We start by adding the repository. The commands below are run as root (prefix them with sudo otherwise). Note that apt-key is deprecated on current Ubuntu releases; this is the repository and key the CrowdSec project published at the time of writing.

cd
wget -qO - https://s3-eu-west-1.amazonaws.com/crowdsec.debian.pragmatic/crowdsec.asc | apt-key add - && apt-add-repository -y -s  "https://s3-eu-west-1.amazonaws.com/crowdsec.debian.pragmatic/$(lsb_release -cs) $(lsb_release -cs) main"
apt -y update

And we install the software.

apt -y install crowdsec

On this machine nginx and MariaDB are running, so the installer wizard reports:

Creating crowdsec configuration in /etc/crowdsec

[INF] crowdsec_wizard: Checking if service 'apache2' is running (ps+systemd)
[INF] crowdsec_wizard: Checking if service 'httpd' is running (ps+systemd)
[INF] crowdsec_wizard: Checking if service 'nginx' is running (ps+systemd)
[INF] crowdsec_wizard: Found 'nginx' running
[INF] crowdsec_wizard: Checking if service 'sshd' is running (ps+systemd)
[INF] crowdsec_wizard:  Found 'sshd' running
[INF] crowdsec_wizard: Checking if service 'mysql' is running (ps+systemd)
[INF] crowdsec_wizard: Found 'mysql' running
[INF] crowdsec_wizard: Checking if service 'telnet' is running (ps+systemd)
[INF] crowdsec_wizard: Checking if service 'smb' is running (ps+systemd)

Detected services (unattended) : nginx sshd mysql linux

[INF] crowdsec_wizard: Installing collection 'crowdsecurity/linux'

[03/19/2021:05:25:56 PM] [INF] crowdsec_wizard: Installing collection 'crowdsecurity/sshd'
[03/19/2021:05:25:56 PM][INF] crowdsec_wizard: Installing collection 'crowdsecurity/mysql'
[03/19/2021:05:25:56 PM][INF] crowdsec_wizard: Installing collection 'crowdsecurity/nginx'
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Found following services : nginx
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Found logs file for 'nginx': /var/log/nginx/access.log
[03/19/2021:05:26:02 PM] [INF] crowdsec_wizard: Found logs file for 'nginx': /var/log/nginx/error.log
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Acquisition file generated
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Found logs file for 'sshd': /var/log/auth.log
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Acquisition file generated
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Found logs file for 'linux': /var/log/syslog
[03/19/2021:05:26:02 PM] [INF] crowdsec_wizard: Found logs file for 'linux': /var/log/kern.log
[03/19/2021:05:26:02 PM][INF] crowdsec_wizard: Acquisition file generated

The wizard has automatically detected nginx, SSH, MySQL and "linux" (the system logs), and found the log files it will analyze for each of them.

Once installed, we enable it so that it always starts at boot, restart it, and check that it is running.

systemctl stop crowdsec
systemctl enable crowdsec
systemctl start crowdsec
systemctl status crowdsec

Since WordPress is also running on this server, we install the collection that covers WordPress.

cscli collections install crowdsecurity/wordpress
systemctl reload crowdsec
systemctl status crowdsec

At this point the detection side is working, and there is nothing else to configure: the installer has already registered the machine with the central API, so it is analyzing our logs and sending and receiving community information. Keep in mind that the CrowdSec agent only detects and decides; enforcing those decisions (actually dropping packets or rejecting requests) requires installing a bouncer, which this tutorial does not cover.

Reviewing CrowdSec

What’s working?

cscli hub list

To see which elements are active, this lists the parsers, scenarios and collections, which are the three basic components CrowdSec uses for each monitored service.

Parsers read the log files (and similar sources) and turn each line into a structured event.

Scenarios decide, from the stream of events, when a pattern is an attack and what decision to take about it (for example, how long to ban the source IP).

Collections bundle the parsers and scenarios needed for a given tool, such as nginx, sshd or WordPress.
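To make the three concepts concrete, here is an added example of our own (not CrowdSec's code) that mimics the shape of its pipeline: a parser turns constructed nginx access-log lines into events, two leaky-bucket scenarios consume them, and an overflow becomes a ban decision. The scenario names, thresholds, durations and sample IPs are assumptions chosen for illustration.

```python
"""Toy parser -> scenario -> decision pipeline, added as an illustration.

This is NOT CrowdSec's own code; it mimics the shape of its pipeline
(parsers produce events, leaky-bucket scenarios consume them, overflows
become decisions) on constructed nginx access-log lines. Scenario names,
thresholds and sample IPs are assumptions chosen for the example.
"""
import re
from datetime import datetime, timedelta

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parser stage: raw log line -> structured event (None if it does not match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "source_ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


class LeakyBucketScenario:
    """Scenario stage: one leaky bucket per source IP.

    Each matching event adds one unit; the bucket leaks one unit every
    `leak_every`. When the level would exceed `capacity` the bucket
    overflows and the scenario emits a ban decision lasting `ban_for`.
    """

    def __init__(self, name, matches, capacity, leak_every, ban_for):
        self.name = name
        self.matches = matches          # predicate on the event dict
        self.capacity = capacity
        self.leak_every = leak_every
        self.ban_for = ban_for
        self.buckets = {}               # ip -> (fill level, time of last event)

    def feed(self, event):
        if not self.matches(event):
            return None
        ip = event["source_ip"]
        level, last = self.buckets.get(ip, (0.0, event["time"]))
        elapsed = max(0.0, (event["time"] - last).total_seconds())
        level = max(0.0, level - elapsed / self.leak_every.total_seconds())
        level += 1.0
        if level > self.capacity:
            self.buckets.pop(ip, None)  # overflow: reset the bucket and raise a decision
            return {"scenario": self.name, "ip": ip, "type": "ban",
                    "until": event["time"] + self.ban_for}
        self.buckets[ip] = (level, event["time"])
        return None


def wordpress_collection():
    """A 'collection' here is just the scenarios bundled for one service (hypothetical names)."""
    return [
        LeakyBucketScenario(
            name="example/wp-login-bruteforce",   # assumed name, not a hub scenario
            matches=lambda e: e["method"] == "POST" and e["path"] == "/wp-login.php",
            capacity=5, leak_every=timedelta(seconds=10), ban_for=timedelta(hours=4),
        ),
        LeakyBucketScenario(
            name="example/http-404-scan",         # assumed name, not a hub scenario
            matches=lambda e: e["status"] == 404,
            capacity=10, leak_every=timedelta(seconds=5), ban_for=timedelta(hours=1),
        ),
    ]


def run_pipeline(lines, scenarios=None):
    """Feed every parsed line through every scenario; return the decisions raised."""
    scenarios = scenarios if scenarios is not None else wordpress_collection()
    decisions = []
    for line in lines:
        event = parse_line(line)
        if event is None:               # unparsed line, as cscli metrics would report it
            continue
        for scenario in scenarios:
            decision = scenario.feed(event)
            if decision:
                decisions.append(decision)
    return decisions


# Constructed sample traffic (not real logs): 203.0.113.7 hammers wp-login.php six times
# in six seconds, 198.51.100.4 retries a login once a minute, 192.0.2.9 just browses.
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Oct/2021:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "curl/7.68.0"'
    for s in range(1, 7)
] + [
    f'198.51.100.4 - - [02/Oct/2021:10:{m:02d}:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1450 "-" "Mozilla/5.0"'
    for m in (1, 2, 3)
] + [
    '192.0.2.9 - - [02/Oct/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for d in run_pipeline(SAMPLE_LOG):
        print(f'{d["scenario"]}: {d["type"]} {d["ip"]} until {d["until"].isoformat()}')
```

Only the first IP is banned: six POSTs in six seconds push its bucket past a capacity of five, while the slow retries from the second IP leak away before they accumulate, and the browsing IP never matches either scenario. In real CrowdSec the same roles are played by the hub parsers (for example the nginx log parser), the leaky scenarios in the WordPress collection, and the decisions you can inspect with cscli.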

Statistics

cscli metrics

The metrics show, for each log source, how many lines were read and how many were parsed or left unparsed, how each scenario's buckets were created and overflowed, and finally the calls made to the local and central APIs.


About this document

This document is released under the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please mention this site or its author, and put the material you create under the EUPL license as well.