crowdsec v1.2 releases: open-source and lightweight software

About the crowdsec project

Crowdsec is an open-source and lightweight software that allows you to detect peers with malevolent behaviors and block them from accessing your systems at various levels (infrastructural, system, applicative).

To achieve this, Crowdsec reads logs from different sources (files, streams …) to parse, normalize and enrich them before matching them to threats patterns aka scenarios.

It is a modular and plug-able framework, it ships a large variety of well known popular scenarios; users can choose what scenarios they want to be protected from as well as easily add new custom ones to better fit their environment.

Detected malevolent peers can then be prevented from accessing your resources by deploying blockers at various levels (applicative, system, infrastructural) of your stack.

One of the advantages of Crowdsec, when compared to other solutions, is its crowded aspect: Meta information about detected attacks (source IP, time, and triggered scenario) are sent to a central API and then shared amongst all users.

Besides detecting and stopping attacks in real-time based on your logs, it allows you to preemptively block known bad actors from accessing your information system.

Key points

Fast assisted installation, no technical barrier

User is assisted during setup, providing functional out-of-the-box setup

Out of the box detection

Baseline detection is effective out-of-the-box, no fine-tuning required

Easy blocker deployment

It’s trivial to add blockers to enforce decisions of crowdsec

Easy dashboard access

It’s easy to deploy a Metabase interface to view your data simply with cscli

This repository contains the code for the two main components of crowdsec :

• crowdsec : the daemon a-la-fail2ban that can read, parse, enrich, and apply heuristics to logs. This is the component in charge of “detecting” the attacks
• cscli: the cli tool mainly used to interact with crowdsec: ban/unban/view current bans, enable/disable parsers, and scenarios.

Changelog v1.2

New features

• Support for notification plugins (slack,splunk,ES, http push) (#878)
• Improve community blocklist pull management : prepare for new consensus release (#871)
• Add /health endpoint to local API (#881) @nanikjava

Bugfixes & Improvements

• update to use cdn for hub (#920) @sabban
• Remove last remaining autogen messages in cscli doc (#926) @blotus
• Avoid code duplication for protobuf in plugins (#918) @sbs2001
• fix release drafter + readme + remove dead readme for acquis (#933) @buixor
• fix #919 : display error message (#929) @buixor
• fix datasource prometheus metrics not being registered (#927) @blotus
• enforce a bit more parsing for resillience (#928) @buixor
• allow deleting multiple machines (#930) @AlteredCoder
• Update cscli doc for docusaurus (#924) @blotus
• Add plugin interface code in protobufs package (#921) @sbs2001
• don’t try to send/don’t notify if plugin chan is nil (#923) @buixor
• add suport for –since in journalctl DSN (#917) @blotus
• Rpm fixes (#909 #911 #912 #913 #914) @sabban
• Minor changes to specific logs (#900) @ThinkChaos
• Makefile: default GOARCH to the arch we are running on (#908) @blotus
• Download datafile (#895) @sabban
• Document scope parameter for stream API (#897) @sbs2001
• import debian & rpm sources (#898) @blotus
• fix #890 : log info if profile is in debug, independently of the result (#894) @buixor
• fix #885 : remove dead dependencies for plugin (#891) @buixor
• set hubBranch to master if not provided in the configuration and if c… (#884) @blotus
• add a hook on fatal/panic to ensure we’re logging to stderr as well (#879) @buixor
• Fix big serialized entries (#877) @buixor
• Goroutine leak hunt (#874) @buixor
• don’t wait for acquis tomb if we have no sources (#868) @blotus
• check if api:client is present (#867) @buixor
• fix the unit tests (#858) @sabban
• simplify, and only kill/wait on tomb when relevant (#866) @buixor
• allow to override GOARCH and GOOS when building with the Makefile (#862) @blotus
• Update README for FreeBSD (#859) @sbz
• Remove non POSIX sed usage (#855) @sbz
• Fix the notification plugin directory structure (#942) @sabban
• fix stacktrace when mmdb file are not present (#935) @AlteredCoder
• Use our fork of grokky (#953) @blotus
• don’t install all items from hub when upgrade –force (#948) @AlteredCoder
• make debian package own /etc/crowdsec/* (#947) @sabban
• add jsonExtractUnescape Helper (#962) @he2ss
• do no set hub_branch to master in docker (#956) @blotus
• remove config.patch on master (#957) @buixor
• multiple fixes for functional tests (#960) (#958) (#969) @sabban
• Fix crash if plugin config is broken (#964) @sbs2001
• update docker image documentation + docker start script (#965) @he2ss
• log more information if server returns non 200 status code (#966) @blotus
• fix docker image + install whitelists on build (#968) @he2ss
• Func tests (#970) @sabban
• default to current GOOS in makefile (#973) @blotus
• fix static build (#971) @buixor

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Install & Use

Copyright (c) 2020 crowdsecurity