Tom here from Lawrence Systems, and I'm wearing a shirt from CrowdSec, and full disclosure up front: yes, I'm a CrowdSec partner, but no, this video is not paid for and endorsed by CrowdSec. I want to bring this up because, well, everyone has an agenda, right? Everyone wants to know the biases and why people like something. And I want to explain how CrowdSec works and talk about, in this video here, the concept of it. Now, this is not going to be the most technical video I do on CrowdSec. I plan on future technical videos and demos with it. And this will be my reference back to the "what is CrowdSec" video that I share, because this is, you know, how I build on topics. We'll start with what is the topic, what is the product, in the case of CrowdSec here, or the project, I should say. And I want to talk about how it works. Now, one thing interesting about CrowdSec is it is an actively participating firewall, if you will, for public-facing servers. Now, you're probably thinking, if I'm giving them some data, I must be the product, because that's how business models work on the internet. If you are getting something for free, somehow you must be the product. You're not the product in this case. Instead of being the product, you're a participant. And I think that's a really important distinction with the way CrowdSec works. It is a two-way street. I want to talk about how that system works. And I'm also scratching my head at how no one came up with this sooner. It's a great idea that I love seeing come forward. It gives us better threat intelligence data through the active participation of people in an open source project here and an open source threat intelligence feed. And it's just fascinating to me how it works. We're going to dive into some of the details of it. But first, are you an individual or company looking for support on a network engineering, storage or virtualization project?
Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there's affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content. All right, so let's start right here on their front page, and it says "Outnumbering cybercriminals all together. CrowdSec is a free, open source, collaborative intrusion prevention system, or IPS; analyzes behaviors, responds to attacks and shares the signals across the community." This is why I said you are a participant in it, because the sharing back and forth of these signals is what makes CrowdSec so effective at what they do. And this is one of the things I really want to make sure is clear. When you look at indicators of compromise put together by people who are working in security, by people who work for these SOC teams, by people who are putting sensors out on the internet, or specifically companies that do, they put honeypots out there, they look for attacks, they look for the indicators of compromise, they analyze this data and they update their intelligence feeds that they sell to you. Now, why do they sell them to you? Well, because collecting all that data is really expensive.
Collecting via honeypots and managing 100, 1,000, 10,000 honeypots out on the internet is labor intensive. Hopefully no one notices their honeypots. Hopefully you made them look real enough to collect that data. The methods of collecting data have a pretty high cost associated with them to get really good threat intelligence data. That being said, CrowdSec is doing it a little bit different, by you installing the CrowdSec tool and allowing it to (and they're very transparent with how this works) parse the logs on your system to look for different attacks. The attacks seen can then be added to the collective, to the CrowdSec server, and then sent back to the bouncer module on there to block those attacks. This really distributes the labor differently, because you're not really having to do much labor. They just had to write the tool, write the CrowdSec tools, the API, and set up the servers, and then you are sending the data back. Now, they do have plans in the future to monetize this, and some of their business model is for companies, and granted, this is actually going to be a pretty popular business model, and positive, is for people that don't want to participate. They only want the intelligence feed. That's where they are selling data, but for you, person who wants to participate, there's no fee. That is always how they're going to do this. They have their whole system open sourced, and if you don't like it, you can fork it. That's actually an attitude they've taken and a position they've taken on the market. They think this data should be out there. They think the collective behavior of all these threat actors should be public knowledge, and they want to be the facilitator of that public knowledge. If you really take the time, listen to podcasts, dive into their different write-ups, you'll see where they're aligned. I've had my own conversations with their tech teams, and this is why I really like them as a company and as a project.
These are the two things I think are really important to understand: their commitment to security and commitment to being open source. And of course, this is critical if you're saying, wait a minute, didn't you just say they're going to have a tool loaded on my server that looks through my logs? And this is where the open source component is absolutely critical, because you can look at it, you can see what data is being sent, you can understand it, you can vet it, you can verify it. That is an absolutely important component to the way CrowdSec works, through pure transparency. And we're going to get into a little bit about that bouncer and how those work. Let me explain that a little bit better. CrowdSec is essentially two pieces. We have the agent that does all the log parsing. And then we have the bouncer that actively does things like modify firewall rules, or any other rules in WordPress, or rules in different devices. This is where it's really interesting the way they have it set up, because, I mean: firewall, Debian and Ubuntu, Red Hat, Debian and custom, AWS, Nginx, WordPress. And if you notice on the front page, as of today in April of 2022, they were running some betas for Windows servers as well. The goal here is you first install the agent, which does all the collecting and parsing, and then the bouncer interacts with the agent. Having these two things separate may be very helpful from a structure standpoint when you're setting things up. And all this is API driven and very scriptable. It's important to understand they've created these very clear separations here, so you can understand what each component does, and you only need to load the components and modules necessary for your particular use case. And let's talk about a demo system I set up. Now, here's a WordPress site I set up that I did not advertise, tweet, or do anything to draw attention to. I just put "hello world." That's it.
And the world did say hello back, specifically all the different, probably automated, bots that come out and start looking and poking and wondering if it's configured properly. And as they're doing this, they are generating logs. I didn't do anything to have any of these logs generated other than throw it on here. Now, when I threw this on some of my production servers, there's a whole lot more logs where, you know, people are hitting my main website and things like that. But I wanted to focus on just how much background noise comes from these different bots and things that are hitting this. And here are the parsers of the different logs that it was going through and the different data that it was parsing. Then you have the alerts and the API metrics, and you go down here and we have the firewall bouncer and how those decisions are made. And then we have the WordPress bouncer right here to say which ones were bounced on WordPress, because I use that plugin for this. It's pretty simple to install. But like I said, this is not going to get that technical in there. Now, in addition to the things you see right here, they also have a dashboard with the CrowdSec servers. Now, this particular dashboard is something you enable from the command line to send data back to them to get to the visualizer right here. This is still a beta feature, but please note, yes, you can export, and it does have full exporting of all of their data and metrics. So you can put this into your own visualizations if you want; it's very open and very flexible with the way they do this. And here's some of the IP addresses that are hitting my site. And I'm not sure what made it so popular this particular day. I mean, granted, there's only 14 alerts from this particular IP. But it gives you breakdowns on here for where this data is coming from, the hits that I'm getting from these. And I want to scroll down here to this alert right here, because a lot of people ask about geo IP blocking and is that effective.
And I've mentioned it before, and I don't think it's a bad idea to geo IP block, especially if you don't have customers in that region you want getting to the things you have public facing. But of note, I'm in the US and this server is in the US, and most of these alerts are coming from the US. There's no geo IP blocking at all on this particular server. But you can see 73 alerts came from the US. And for some reason Luxembourg is a popular attack vector right here, from where they came from in terms of different origin countries. And China is the lowest number of alerts. Apparently they're not that interested in this particular WordPress server. Now, while my server wasn't that interesting, not many logs on that demo server I set up, the Log4j tracker they set up is still pretty relevant here in April of 2022. Because as we know, anyone who's worked in security for any length of time, people are slow to patch, if ever. And that means there's a lot of active servers looking for Log4j exploits. And they set up this cool tracking board. Now, the whole CrowdSec blog is actually really interesting, because they've taken the time to do a lot of write-ups and a lot of comparisons of how their tool works. And of course, they're saying nice things about themselves. But no, they're actually highlighting a lot of developers and talking about how it can be integrated and sharing with the community and highlighting community members who are making contributions back. Because the goal of all this being an open source tool is for that two-way community engagement; kind of the whole purpose of this product and project is to make sure that we raise the bar for security. Now, a few final thoughts. Someone may ask, like, what makes this different than tools like Suricata, for example, which I've talked about here on my channel a few times. And Suricata is still another tool in your toolbox.
This is not the only tool you should use, that being CrowdSec, but also other tools. It's all about having, as you may have heard repeated a lot, but it's still true, layered security approaches, all the different methodologies that you can apply, that you can get working together. And Suricata being among them as well. Suricata is going to process things differently, because it's looking at patterns of the data coming through, versus CrowdSec is parsing your logs and creating these blocklists. So these two tools are not competing with each other. Matter of fact, they can complement each other, along with any other tools you may throw in there. You may have other web application firewalls. You'll have to really dive into the details of how you want to integrate something, because that's a broader topic. But having each one of these tools work at different levels is important for security orchestration and overall, you know, creating that layered security model. Now, I do recommend checking out their FAQ, because they do answer things like, yes, they are GDPR compliant. And yes, we do go through logs, and what exactly they parse out. They've got a pretty extensive FAQ that you can read through to understand better any of the questions you might have about the product. My overall feelings are, I'm a partner for a reason. And I wanted to make this video to talk about what it is, why I believe in it. And of course, that I'm going to be making future videos, because I'm excited they're working on some pfSense integration, which of course is a video that I am excited to see how it will integrate into the future of really lots of other firewalls, but specifically one of my favorites, pfSense. All right, links to the things I talked about are down below. Check out the CrowdSec website and everything else I mentioned, and thanks. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up.
If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for your project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally, our forums. forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and look forward to hearing from you.
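The video describes CrowdSec as two separate pieces: an agent that parses logs and turns observed attacks into decisions, and a bouncer that only enforces those decisions (firewall rules, WordPress plugin), with the community feed adding decisions the local agent never saw. The following is an added example, not CrowdSec's own code and not its scenario or API format; it is a toy model of that split in plain Python. The log lines, the IP addresses (documentation ranges), the "http-probing" scenario name, the 5-hits-in-60-seconds threshold and the ban lengths are all constructed here for illustration.

```python
"""Toy model of the agent / bouncer split described in the video.
Added example, not CrowdSec code. The agent parses combined-format web
logs and emits time-limited block decisions; the bouncer holds decisions
(local and community) and answers allow/deny, expiring bans over time."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed nginx/Apache "combined" log lines. 203.0.113.7 requests paths
# that do not exist in a burst; 198.51.100.20 is a normal visitor with one typo.
# The last line is deliberately malformed: a log parser must skip, not crash.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2022:10:00:01 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.20 - - [12/Apr/2022:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2022:10:00:05 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [12/Apr/2022:10:00:09 +0000] "GET /test/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.20 - - [12/Apr/2022:10:00:10 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Apr/2022:10:00:12 +0000] "GET /abuot HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2022:10:00:13 +0000] "GET /setup/ HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [12/Apr/2022:10:00:17 +0000] "GET /config/ HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [12/Apr/2022:10:00:21 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
this line is not a log entry and must be skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Decision:
    """What the agent hands to bouncers: who, why, where it came from, until when."""
    ip: str
    scenario: str
    origin: str        # "local" (seen in our own logs) or "community" (shared feed)
    until: datetime


def parse_line(line):
    """Fields needed from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "status": m["status"], "req": m["req"]}


def detect_http_probing(lines, threshold=5, window=timedelta(seconds=60),
                        ban=timedelta(hours=4)):
    """Agent side. Hypothetical 'http-probing' scenario: `threshold` or more 4xx
    responses from one IP inside `window` produce a ban of length `ban`.
    Sliding window per IP; lines are assumed to be in time order."""
    recent = defaultdict(list)   # ip -> timestamps of recent 4xx responses
    decisions = {}               # ip -> Decision
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["status"].startswith("4"):
            continue
        ip, ts = rec["ip"], rec["ts"]
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= threshold and ip not in decisions:
            decisions[ip] = Decision(ip, "http-probing", "local", ts + ban)
    return decisions


class Bouncer:
    """Enforcement side. Knows nothing about logs or scenarios; it only holds
    decisions and answers allow/deny, dropping bans once they expire."""

    def __init__(self, decisions=None):
        self.decisions = dict(decisions or {})

    def merge_community(self, ips, now, ban=timedelta(hours=24)):
        """Pull in IPs from a shared feed. A local decision is kept as-is, so a
        feed entry never replaces a ban we decided on from our own logs."""
        for ip in ips:
            if ip not in self.decisions:
                self.decisions[ip] = Decision(ip, "community-blocklist", "community", now + ban)

    def allow(self, ip, now):
        d = self.decisions.get(ip)
        if d is None:
            return True
        if now >= d.until:       # ban expired: forget it and let the IP through
            del self.decisions[ip]
            return True
        return False


def demo():
    """Run the agent, then the bouncer, over the constructed log; plain values out."""
    decisions = detect_http_probing(SAMPLE_LOG.splitlines())
    b = Bouncer(decisions)
    t0 = datetime.strptime("12/Apr/2022:10:00:30 +0000", TS_FMT)
    b.merge_community(["192.0.2.50"], now=t0)      # constructed feed entry
    later = t0 + timedelta(hours=5)                # local 4h ban over, 24h feed ban not
    return {
        "banned_ips": sorted(decisions),
        "scanner_blocked_now": not b.allow("203.0.113.7", t0),
        "visitor_blocked_now": not b.allow("198.51.100.20", t0),
        "feed_ip_blocked_now": not b.allow("192.0.2.50", t0),
        "scanner_blocked_later": not b.allow("203.0.113.7", later),
        "feed_ip_blocked_later": not b.allow("192.0.2.50", later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `Bouncer` ignorant of log formats is the same one the video makes about the real product: the enforcement piece can sit on a firewall, a web server or a WordPress plugin and only needs the decision list, while the parsing logic and the community feed can change without touching it. The visitor's single 404 never reaches the threshold, which is what keeps a typo from looking like a scanner.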