
Setting up a Multi-Server Security Engine Installation

Joseph Gordon-Levitt
Release: 2025-03-09 12:02:10

This guide demonstrates how to configure a multi-server CrowdSec Security Engine, enhancing your network's collective security. One server acts as the parent (server-1), receiving alerts from child Log Processors (server-2 and server-3). This architecture allows for distributed threat detection and remediation.


Server-1, the parent, hosts the HTTP REST API (LAPI), stores the alerts the children send and serves the resulting decisions. Server-2 and server-3, the children, are internet-facing Log Processors that forward their alerts to server-1. Remediation is handled by Remediation Components (bouncers) that run on the children but fetch their decisions from server-1's LAPI, so it is decoupled from detection. Child Log Processors have their own LAPI disabled to conserve resources.

Key Considerations:

  • A PostgreSQL backend is recommended for server-1's LAPI for stability (the default SQLite backend is a viable alternative if WAL mode is enabled).
  • Requires three Ubuntu 22.04 servers: one parent and two children, connected via a local network.

Setup Steps:

1. Parent LAPI Server (server-1):

  • Install CrowdSec: Follow the installation guide and use the provided commands (review the repository script before piping it into a root shell, or download it and run it separately):

    curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
    sudo apt install crowdsec
  • (Optional) PostgreSQL Setup: If using PostgreSQL, install it (sudo apt install postgresql), create the crowdsec database and user, grant that user privileges on the database, and point the db_config section of /etc/crowdsec/config.yaml at it (type: postgresql plus host, port, db_name, user and password). Because the new database is empty, regenerate the local machine credentials with --force and restart CrowdSec.

    sudo -i -u postgres
    psql
    # ... PostgreSQL commands ...
    sudo cscli machines add -a --force
    sudo systemctl restart crowdsec
  • Expose LAPI Port: Modify /etc/crowdsec/config.yaml so the LAPI listens on server-1's LAN address (e.g., 10.0.0.1:8080) instead of the default loopback address. Bind to the internal interface only, not 0.0.0.0, and restrict the port to the children's addresses in the host firewall.

    api:
      server:
        listen_uri: 10.0.0.1:8080

2. Child Log Processors (server-2 & server-3):

  • Install CrowdSec: Use the same installation commands as server-1.

  • Register with LAPI: Register each child with server-1's LAPI:

    sudo cscli lapi register -u http://10.0.0.1:8080
  • Disable Child LAPI: Disable the local API in /etc/crowdsec/config.yaml:

    api:
      server:
        enable: false
  • Validate Registration: On server-1, list the pending machines with cscli machines list and validate each child with cscli machines validate <machine_id>.

  • Restart CrowdSec: Restart CrowdSec on each child, then run sudo cscli lapi status there to confirm it authenticates against server-1.

3. Remediation (server-2 & server-3):

  • Generate API Key: On server-1, generate an API key for each child using cscli bouncers add <bouncer_name>. The key is printed once and is not retrievable later, so record it for the configuration step.

  • Install Remediation Component: Install the crowdsec-firewall-bouncer-iptables package (crowdsec-firewall-bouncer-nftables if the host uses nftables).

  • Configure Remediation Component: In /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml set api_url to server-1's LAPI (http://10.0.0.1:8080/), not localhost, since the child's own LAPI is disabled, and api_key to the key generated above.

  • Restart Remediation Component: Restart the crowdsec-firewall-bouncer service; cscli bouncers list on server-1 then shows each bouncer's last pull.
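The three steps above change the same three files on every run. The script below is an added example (not from the original article or the CrowdSec project) that renders those changes as CrowdSec .local override files, so the packaged config.yaml is left untouched across upgrades, and refuses a wildcard LAPI bind. It also renders the api.server.tls block, which is the fix for the plain-HTTP point in the Important Notes below. Assumed values: the 10.0.0.1:8080 address from this guide, certificate paths under /etc/crowdsec/ssl, the constructed bouncer key in the usage comment, and that your CrowdSec and bouncer versions merge *.yaml.local files (if not, put the same keys into config.yaml and crowdsec-firewall-bouncer.yaml directly). The cscli commands (lapi register, machines validate, bouncers add) are run exactly as in the steps above; this script only handles the files.

```shell
#!/bin/sh
# Added example for the multi-server CrowdSec procedure; not the article's or
# the project's own code. Assumptions: 10.0.0.1:8080 as the parent LAPI,
# certificate paths under /etc/crowdsec/ssl, and *.yaml.local override support.
set -eu

# Parent (server-1): bind the LAPI to the LAN address. When a cert and key are
# given, the api.server.tls block is added so children can use https:// URLs.
render_lapi_override() {
  local listen="$1" cert="${2:-}" key="${3:-}"
  printf 'api:\n  server:\n    listen_uri: %s\n' "$listen"
  if [ -n "$cert" ] && [ -n "$key" ]; then
    printf '    tls:\n      cert_file: %s\n      key_file: %s\n' "$cert" "$key"
  fi
}

# Child (server-2/3): the Log Processor keeps running, only its LAPI is off.
render_child_override() {
  printf 'api:\n  server:\n    enable: false\n'
}

# Remediation Component on a child: it must talk to the PARENT LAPI, because
# the local one is disabled. Only the two keys the procedure changes are
# rendered; everything else comes from the shipped bouncer config.
render_bouncer_override() {
  local url="$1" key="$2"
  printf 'api_url: %s\napi_key: %s\n' "$url" "$key"
}

# Refuse a wildcard bind: the LAPI should be reachable from the children's LAN
# addresses only, never on every interface of the box.
check_lapi_bind() {
  local host="${1%:*}"
  case "$host" in
    0.0.0.0|'[::]'|'') return 1 ;;
  esac
  return 0
}

# Write the fragments into a config tree (defaults to /etc/crowdsec).
write_overrides() {
  local role="$1" root="${2:-/etc/crowdsec}"
  case "$role" in
    parent)
      check_lapi_bind "${LAPI_LISTEN:?set LAPI_LISTEN, e.g. 10.0.0.1:8080}" \
        || { echo "refusing wildcard LAPI bind: $LAPI_LISTEN" >&2; return 1; }
      render_lapi_override "$LAPI_LISTEN" "${LAPI_CERT:-}" "${LAPI_KEY:-}" \
        > "$root/config.yaml.local"
      ;;
    child)
      render_child_override > "$root/config.yaml.local"
      mkdir -p "$root/bouncers"
      render_bouncer_override \
        "${LAPI_URL:?set LAPI_URL, e.g. http://10.0.0.1:8080/}" \
        "${BOUNCER_KEY:?set BOUNCER_KEY to the key from cscli bouncers add}" \
        > "$root/bouncers/crowdsec-firewall-bouncer.yaml.local"
      ;;
    *)
      echo "usage: $0 parent|child [config_root]" >&2
      return 2
      ;;
  esac
}

# Usage on the target server (as root), followed by a service restart:
#   LAPI_LISTEN=10.0.0.1:8080 ./crowdsec-overrides.sh parent
#   LAPI_LISTEN=10.0.0.1:8443 LAPI_CERT=/etc/crowdsec/ssl/cert.pem \
#     LAPI_KEY=/etc/crowdsec/ssl/key.pem ./crowdsec-overrides.sh parent
#   LAPI_URL=http://10.0.0.1:8080/ BOUNCER_KEY=constructed-example-key \
#     ./crowdsec-overrides.sh child
case "${1:-}" in
  parent|child) write_overrides "$1" "${2:-/etc/crowdsec}" ;;
esac
```

After writing the overrides, restart crowdsec on each host (and crowdsec-firewall-bouncer on the children). If you enable TLS on the parent, register the children with an https:// URL in cscli lapi register and set api_url accordingly; with a private CA the children must also be able to verify the certificate, which is a per-version client setting to confirm in the CrowdSec documentation.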

Important Notes:

  • Communication between the children and server-1 is plain HTTP on the LAN; for production, enable TLS on the LAPI and register the children against an https:// URL.
  • This setup lacks monitoring and alerting (refer to the CrowdSec documentation).
  • Server-1 is a single point of failure: while it is down the children cannot push alerts and the bouncers cannot fetch new decisions.

This enhanced setup provides a more robust and scalable security posture. Future articles will cover high-availability configurations. Engage with the CrowdSec community for support and feedback.
