Crowdsec installation sanity check


Brian Yuen


Hello,

I have a few of my containers accessible to the public (plex, overseerr, bitwarden, *arrs, etc.) and thought it was time to take security more seriously. Cloudflare is my registrar and I'm forwarding subdomains to NGINX Proxy Manager on my unRaid (e.g., https://sonarr.domain.com). I've been doing some reading about Crowdsec and thought I'd give it a shot. The Crowdsec container installation from the unRaid App section went fairly smoothly, although documentation was sourced from multiple places due to my particular setup. There's a ton of moving parts, but I BELIEVE I have it set up correctly, and wanted to run it past you fine folks to see if I did it correctly. Currently, I have it set up where Cloudflare is the 'bouncer'. I'm able to manually block my IP, so that seems to be working. The one area that I'm still not quite sure about is the part where Crowdsec analyzes the logs on my machine.

Questions:

  1. Since all external connections coming in run through NPM, is it safe to say that Crowdsec only needs to analyze NPM logs? Or does it need logs from the other containers as well?
  2. Can Crowdsec analyze symlinks for the logs?
    #Inside /mnt/user/appdata/shared/crowdsec
    ln -s /mnt/user/appdata/NginxProxyManager/logs/proxy-host-6_error.log proxy-host-6_error.log
  3. How can I check if Crowdsec is seeing my logs correctly?

 

Thank you! I'm still wrapping my head around Crowdsec and would definitely appreciate some guidance.


Personally, I'm not comfortable exposing my *arrs to the internet. I instead created a split-tunnel VPN using WireGuard into my LAN, and am able to access anything behind my firewall as though I am local. If you're concerned about internet security, this is a much safer option. Expose as little attack surface as possible. My router has one port (non-default) exposed for plex, and all the rest of my services are behind the firewall.


Crowdsec can be a bit of a struggle to set up correctly.

 

1. Access logs are certainly the main source of data for Crowdsec; you can also install "collections" for other applications and point those at the relevant logs. This is just additional, though, and Crowdsec will always provide baseline security with just access logs.

2. I'm not sure but you can check yourself with...

3. Log in to your Crowdsec container and run "cscli metrics"; at the top, under "acquisition metrics", you should see your logs with some statistics.

 

Since you are using Cloudflare as your bouncer, are you 100% sure only Cloudflare can reach your endpoints?


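Editor's note on question 2 (the symlink), as an added example that is not part of either post and is not CrowdSec's own code: a symlink is resolved by the kernel using its literal target string in the namespace of the process that opens it. A link created on the host that points at /mnt/user/appdata/NginxProxyManager/logs/... will therefore only resolve inside the CrowdSec container if that exact path also exists inside the container, which it will not if only the shared directory is bind-mounted. The script below builds a constructed host layout in a temporary directory and predicts how each setup behaves inside the container; the container-side mount points /etc/crowdsec/logs and /var/log/npm are hypothetical, chosen for illustration only.

```python
"""Predict whether a host-side log symlink resolves inside a container.

Added example for the symlink question above; not CrowdSec code. The bind
mounts and container paths used in demo() are hypothetical.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def container_to_host(cont_path: str, mounts: dict[str, str]) -> Path | None:
    """Map a container-side path back to the host through the longest matching
    bind mount (host_dir -> container_dir). None if no mount covers it."""
    for host_dir, cont_dir in sorted(mounts.items(), key=lambda m: -len(m[1])):
        try:
            rel = Path(cont_path).relative_to(cont_dir)
        except ValueError:
            continue
        return Path(host_dir) / rel
    return None


def host_to_container(host_path: str, mounts: dict[str, str]) -> str | None:
    """Inverse mapping: the path at which the container sees a host file."""
    for host_dir, cont_dir in sorted(mounts.items(), key=lambda m: -len(m[0])):
        try:
            rel = Path(host_path).relative_to(host_dir)
        except ValueError:
            continue
        return str(Path(cont_dir) / rel)
    return None


def check_symlink(link: str, mounts: dict[str, str]) -> str:
    """Classify a host symlink as the container would see it.

    The raw target string is resolved in the container's namespace: absolute
    targets against the container root, relative targets against the link's
    own directory as it appears inside the container.
    """
    link_in_cont = host_to_container(link, mounts)
    if link_in_cont is None:
        return "link-not-mounted"
    target = os.readlink(link)  # raw target, deliberately not resolved on the host
    if os.path.isabs(target):
        target_in_cont = os.path.normpath(target)
    else:
        target_in_cont = os.path.normpath(
            os.path.join(os.path.dirname(link_in_cont), target))
    host_target = container_to_host(target_in_cont, mounts)
    if host_target is None or not host_target.is_file():
        return "dangling-in-container"
    return "ok"


def check_direct(cont_path: str, mounts: dict[str, str]) -> str:
    """The no-symlink alternative: is this container path a real host file?"""
    host = container_to_host(cont_path, mounts)
    return "ok" if host is not None and host.is_file() else "dangling-in-container"


def demo() -> dict[str, str]:
    """Constructed host layout mirroring the post, checked under several mount sets."""
    root = Path(tempfile.mkdtemp())
    npm_logs = root / "appdata/NginxProxyManager/logs"
    cs_dir = root / "appdata/shared/crowdsec"
    npm_logs.mkdir(parents=True)
    cs_dir.mkdir(parents=True)
    log = npm_logs / "proxy-host-6_error.log"
    log.write_text("constructed sample error-log line\n")  # constructed content

    abs_link = cs_dir / "proxy-host-6_error.log"
    abs_link.symlink_to(log)  # absolute target, as in the post's ln -s
    rel_link = cs_dir / "proxy-host-6_error.rel.log"
    rel_link.symlink_to("../../NginxProxyManager/logs/proxy-host-6_error.log")

    shared_only = {str(cs_dir): "/etc/crowdsec/logs"}
    npm_only = {str(npm_logs): "/var/log/npm"}
    both = {**shared_only, **npm_only}

    return {
        # only the shared dir is mounted: the absolute host path does not exist in the container
        "abs-link, shared dir only": check_symlink(str(abs_link), shared_only),
        # mounting the NPM dir elsewhere does not help: the link still names the host path
        "abs-link, both mounted": check_symlink(str(abs_link), both),
        # a relative link walks up from /etc/crowdsec/logs, which is not where NPM is mounted
        "rel-link, both mounted": check_symlink(str(rel_link), both),
        # the link file itself is not under any mount
        "abs-link, npm dir only": check_symlink(str(abs_link), npm_only),
        # no symlink: bind-mount the NPM log dir and point acquisition at it directly
        "direct mount, no symlink": check_direct("/var/log/npm/proxy-host-6_error.log", both),
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:30s} -> {status}")
```

The practical takeaway is the last scenario: rather than symlinking into the shared directory, bind-mount the NPM logs directory into the CrowdSec container and reference the container-side path in the acquisition configuration; then "cscli metrics", as the reply above describes, is the check that lines are actually being read.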