• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • The ImunifyAV extension is now deprecated and no longer available for installation.
    Existing ImunifyAV installations will continue operating for three months, and after that will automatically be replaced with the new Imunify extension. We recommend that you manually replace any existing ImunifyAV installations with Imunify at your earliest convenience.

Question Does anyone use CrowdSec with Plesk?

herrMartin

herrMartin

New Pleskian
Server operating system version
CentOS Linux 7.9.2009 (Core)
Plesk version and microupdate number
Plesk Obsidian Version 18.0.45 Update #2
I am using Crowdsec on another non Plesk VPS in a docker environment with everything behind Traefik. I am super happy with this solution, especially with Crowdsec which replaces a lot of other expensive, slower security solutions.
Is anyone using Crowdsecwith Plesk and CentOS 7? Any recommendations for the setup. Just asking because often with Plesk there are special headaches.

www.crowdsec.net

CrowdSec - The open-source & collaborative IPS

CrowdSec is an open-source and collaborative security stack leveraging the crowd power. Analyze behaviors, respond to attacks & share signals across the community. Join the community and let's make the Internet safer, together.
www.crowdsec.net www.crowdsec.net
 
Thanks for reminding me ;-)

I tried CrowdSec a year ago and decided not to use it. I can't remember the reason why. I guess because it wasn't really active at that time. Low install/downloads etc.

I gave it another shot and installed it on a Plesk AlmaLinux 8.7 server.
Added a few test subscriptions logs:
Code: 
# mkdir /etc/crowdsec/acquis.d
# cat /etc/crowdsec/acquis.d/plesk.yaml
filenames:
  - /var/www/vhosts/system/domain1.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain1.com/logs/access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/proxy_access_ssl_log
  - /var/www/vhosts/system/domain2.com/logs/access_ssl_log
labels:
  type: nginx
---

So far, it mostly blocks bad-user-agents:

Code: 
# cscli decisions list
╭───────┬──────────┬────────────────────────┬───────────────────────────────────┬────────┬─────────┬───────────────────────────────────┬────────┬────────────────────┬──────────╮
│  ID   │  Source  │ Scope:Value            │              Reason               │ Action │ Country │                AS                 │ Events │     expiration     │ Alert ID │
├───────┼──────────┼────────────────────────┼───────────────────────────────────┼────────┼─────────┼───────────────────────────────────┼────────┼────────────────────┼──────────┤
│ 22661 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h59m2.879054818s  │ 15       │
│ 22660 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.927612664s │ 14       │
│ 22659 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m41.178042482s │ 13       │
│ 22658 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m40.170986732s │ 12       │
│ 22657 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 13335 CLOUDFLARENET               │ 2      │ 3h57m39.172110935s │ 11       │
│ 22656 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 3h29m44.468924046s │ 10       │
│ 22655 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 398722 CENSYS-ARIN-03             │ 2      │ 3h22m53.773628827s │ 9        │
│ 22654 │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ US      │ 14061 DIGITALOCEAN-ASN            │ 2      │ 3h21m9.524985973s  │ 8        │
│ 4     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ NL      │ 202425 IP Volume inc              │ 2      │ 2h49m30.708270174s │ 4        │
│ 3     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ DE      │ 24940 Hetzner Online GmbH         │ 2      │ 2h34m41.664605675s │ 3        │
│ 2     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-bad-user-agent │ ban    │ GB      │ 3170 VeloxServ Communications Ltd │ 2      │ 2h28m48.78155151s  │ 2        │
│ 1     │ crowdsec │ Ip:xx.xx.xx.xx         │ crowdsecurity/http-open-proxy     │ ban    │ NL      │ 202685 Aggros Operations Ltd.     │ 1      │ 2h13m20.342538872s │ 1        │
╰───────┴──────────┴────────────────────────┴───────────────────────────────────┴────────┴─────────┴───────────────────────────────────┴────────┴────────────────────┴──────────╯
 
Last edited:
on my docker / traefik vps I have secured two sites with it which were hammered with spam, bots, brute force attacks, etc and It gets the job done and gives me peace of mind. You can also realize quite easy geo-blocking with traefik and crowdsec. Something which IO haven't managed to do on my cent os 7 / plesk system.
 
Please do not forget the Apache and Plesk panel log files:

YAML: 
filenames:
  - /var/www/vhosts/system/*/logs/error_log
  - /var/www/vhosts/system/*/logs/access_log
  - /var/www/vhosts/system/*/logs/error_ssl_log
  - /var/www/vhosts/system/*/logs/access_ssl_log
  - /var/log/plesk/httpsd_access_log
  - /var/log/sw-cp-server/error_log
labels:
  type: apache2
 
You must log in or register to reply here.

Similar threads

H
Question Decommissioning a hacked Plesk/CentOS 7/Plesk web server, and migrating all sites to CentOS 7/Plesk
Replies
2
Views
1K
Huey Tinman
H
burnley
Issue Obsidian on CentOS 7: Plesk generates broken Dovecot configuration if client tries to secure email with invalid ssl certificate
Replies
3
Views
2K
IgorG
IgorG
burnley
Forwarded to devs Obsidian on CentOS 7: Plesk generates broken Dovecot configuration if client tries to secure email with invalid ssl certificate
Replies
1
Views
1K
IgorG
IgorG
Endre
Issue Server Error 500 Plesk\Exception\Database DB query failed: SQLSTATE[HY000] [2002] No such file or directory
Replies
15
Views
9K
MihaiNecreala
M
A
Resolved Cannot update my first Plesk PRODUCTION server
Replies
4
Views
2K
Andrew Jackson
A
Back
Top