Skip to content

Crowdsec

What is Crowdsec?

Crowdsec is an open source software that detects and blocks attackers using log analysis. It has access to a global community-wide IP reputation database.

Source

Installation

Crowdsec supports multiple installation methods, however this page will use the docker installation.

Docker mailserver

In your compose.yaml for the DMS service, add a bind mount volume for /var/log/mail. This is to share the DMS logs to a separate crowdsec container.

Example

services:
  mailserver:
      - /docker-data/dms/mail-logs/:/var/log/mail/

Crowdsec

The crowdsec container should also bind mount the same host path for the DMS logs that was added in the DMS example above.

services:
  image: crowdsecurity/crowdsec
  restart: unless-stopped
  ports:
    - "8080:8080"
    - "6060:6060"
  volumes:
    - /docker-data/dms/mail-logs/:/var/log/dms:ro
    - ./acquis.d:/etc/crowdsec/acquis.d
    - crowdsec-db:/var/lib/crowdsec/data/
  environment:
    # These collection contains parsers and scenarios for postfix and dovecot
    COLLECTIONS: crowdsecurity/postfix crowdsecurity/dovecot
    TZ: Europe/Paris
volumes:
  crowdsec-db:

Configuration

Configure crowdsec to read and parse DMS logs file.

Example

Create the file dms.yml in ./acquis.d/

---
source: file
filenames:
  - /var/log/dms/mail.log
labels:
  type: syslog

Warning

Crowdsec on its own is just a detection software, the remediation is done by components called bouncers. This page does not explain how to install or configure a bouncer. It can be found in crowdsec documentation.