Question Does anyone use CrowdSec with Plesk?

[herrMartin]

Server operating system version

CentOS Linux 7.9.2009 (Core)

Plesk version and microupdate number

Plesk Obsidian Version 18.0.45 Update #2

I am using Crowdsec on another non Plesk VPS in a docker environment with everything behind Traefik. I am super happy with this solution, especially with Crowdsec which replaces a lot of other expensive, slower security solutions.
Is anyone using Crowdsecwith Plesk and CentOS 7? Any recommendations for the setup. Just asking because often with Plesk there are special headaches.

CrowdSec - The open-source & collaborative IPS

CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Join the community and let's make the Internet safer, together.

www.crowdsec.net

 

[Maarten.]

Thanks for reminding me ;-)

I tried CrowdSec a year ago and decided not to use it. I can't remember the reason why. I guess because it wasn't really active at that time. Low install/downloads etc.

I gave it another shot and installed it on a Plesk AlmaLinux 8.7 server.
Added a few test subscriptions logs:

# mkdir /etc/crowdsec/acquis.d
# cat /etc/crowdsec/acquis.d/plesk.yaml
filenames:
  - /var/www/vhosts/system/domain1.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain1.com/logs/access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/access_ssl_log
labels:
  type: nginx
---

So far, it mostly blocks bad-user-agents:

# cscli decisions list
╭───────┬──────────┬────────────────────────┬───────────────────────────────────┬────────┬─────────┬───────────────────────────────────┬────────┬────────────────────┬──────────╮
│  ID   │  Source  │ Scope:Value            │              Reason               │ Action │ Country │                AS                 │ Events │     expiration     │ Alert ID │
├───────┼──────────┼────────────────────────┼───────────────────────────────────┼────────┼─────────┼───────────────────────────────────┼────────┼────────────────────┼──────────┤
│ 22661 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h59m2.879054818s  │ 15       │
│ 22660 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.927612664s │ 14       │
│ 22659 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.178042482s │ 13       │
│ 22658 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m40.170986732s │ 12       │
│ 22657 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m39.172110935s │ 11       │
│ 22656 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 3h29m44.468924046s │ 10       │
│ 22655 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398722 CENSYS-ARIN-03             │ 2      │ 3h22m53.773628827s │ 9        │
│ 22654 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h21m9.524985973s  │ 8        │
│ 4     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ NL      │ 202425 IP Volume inc              │ 2      │ 2h49m30.708270174s │ 4        │
│ 3     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 24940 Hetzner Online GmbH         │ 2      │ 2h34m41.664605675s │ 3        │
│ 2     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 2h28m48.78155151s  │ 2        │
│ 1     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-open-proxy     │ ban    │ NL      │ 202685 Aggros Operations Ltd.     │ 1      │ 2h13m20.342538872s │ 1        │
╰───────┴──────────┴────────────────────────┴───────────────────────────────────┴────────┴─────────┴───────────────────────────────────┴────────┴────────────────────┴──────────╯

 

[herrMartin]

on my docker / traefik vps I have secured two sites with it which were hammered with spam, bots, brute force attacks, etc and It gets the job done and gives me peace of mind. You can also realize quite easy geo-blocking with traefik and crowdsec. Something which IO haven't managed to do on my cent os 7 / plesk system.

 

[Michiel Klaver]

Please do not forget the Apache and Plesk panel log files:

filenames:
  - /var/www/vhosts/system/*/logs/error_log
  - /var/www/vhosts/system/*/logs/access_log
  - /var/www/vhosts/system/*/logs/error_ssl_log
  - /var/www/vhosts/system/*/logs/access_ssl_log
  - /var/log/plesk/httpsd_access_log
  - /var/log/sw-cp-server/error_log
labels:
  type: apache2