Deploying Crowdsec on a Windows machine

Print Friendly, PDF & Email

Well, We have already seen in The above document a little bit of the concepts and ideas of how to deploy Crowdsec in our organization, today what we have in the menu is how to install Crowdsec on a Windows machine and protect it. Protect it from botnets, Attacks, Curious, Boring…

So let's get to it, we start with a Windows! Habitually, it is understood that we will do it on a Windows Server, a server that has a service published and we want to protect; does not necessarily have to be on the Internet. We'll start by installing the Crowdsec Security Engine for you, which is the agent that will take care of everything, Process your logs, Make your decisions… Then we will install the bouncer (o Remediation component) for your Windows firewall, of your OS, in case we are interested in acting and can register rules in it, blocking temporary access to evil IP addresses. And we'll end up registering it in the Crowdsec Console.

With that we will almost have it, since the document will continue, will be optional, but if you are going to want centralized management, You will have to take a few more steps; And that's it, A choice of yours. If you are interested, You must read yourself before The previous post.

This post has the following structure:

 

 

Crowdsec Agent Installation

 

Before you go any further, the .NET Runtime requirement will need to be installed beforehand: https://dotnet.microsoft.com/en-us/download/dotnet/thank-you/runtime-6.0.11-windows-x64-installer

 

We can proceed, download the MSI installer and start the installation of Crowdsec Engine, of https://github.com/crowdsecurity/crowdsec/releases/. Crowdsec during installation you will need internet access, to download some items such as collections… as well as for normal operation, the agent needs access to a couple of Crowdsec sites, I recommend you read the sites/ports You may need.

"Next",

 

“Install”,

 

We wait a few seconds while installing...

 

And finish! We already have Crowdsec installed!

 

Installing the Crowdsec Windows Firewall bouncer

 

Crowdsec will detect but will not be able to take action, for this we will need the bouncer for the Windows firewall. So, we download it: https://github.com/crowdsecurity/cs-windows-firewall-bouncer/releases and we begin its installation,

 

“Install”,

 

 

 

And now we have the bouncer, it will protect us at the firewall level, “Finish”,

 

Registering Crowdsec vs. Crowdsec Console

 

If we do not have an account in https://app.crowdsec.net We can create it, to centrally manage all our Crowdsec from a GUI console, Not required, and we have a Community version with which you can also do many things, Including, Well, what we have talked about, View machine alerts, Your Status, we can subscribe them to different blocklists…. We continue to add our Crowdsec, installation on that Windows. We copy the command that we must execute.

 

And we stuck it on a system console, Run:

cscli console enroll xxxxxxxxxxxxxxxxxx

 

We return to the Crowdsec Console and accept the roll, If it doesn't work out for us, an F5 is good,

 

 

About the newly added Engine, we edit the name and we will put one that refers to who it is,

 

Habitually, We indicate the name of the machine, Update,

 

And if we want to, The next thing can be to add some blocklists, for this, We can click on “Browse available blocklists”,

 

If we are already subscribed to a blocklist, we can select it from “Manage”

 

And click on “Add Security Engine” to add this machine to this blocklist,

 

We choose a type of action and confirm. Subscribed Machine!

Remember that after registering Crowdsec against the Console you have to restart the Windows service that you have.

 

Collections

 

By default, when Crowdsec is installed on a machine, it scans for the services that we have installed and tries to protect them, In this case, on my Windows it has detected that I have IIS installed, as well as SQL Server, in addition to these collections, He must have put some additional ones on us, as well as those of Windows. We can see the collections we have installed with:

CSCLI Collections List

 

We will be able to search for more collections in your Hub, collections made by them or by the community, that can protect other services we have, as if, for example, in this Windows we had Exchange Server… Well, it would be as simple as executing:

CSCLI Collections Install CrowdSecurity/Exchange

 

And we should add in your procurement file 'C:\ProgramDataCrowdSecconfigacquis.yaml’ The content below, do not worry that the Hub is detailed in each case what to do, we corrected the paths of the Exchange logs and after restarting the Crowdsec service we would have the machine ready, protecting attacks also from OWA, SMTP Authentications…

 

##Exchange SMTP use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the filenames:
  - C:\Program FilesMicrosoftExchange ServerV15TransportRolesLogsFrontEndProtocolLogSmtpReceive*. LOG labels:
  type: exchange-smtp
---
##Exchange IMAP use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the filenames:
  - C:\Program FilesMicrosoftExchange ServerV15LoggingImap4*. LOG labels:
  type: exchange-imap
---
##Exchange POP use_time_machine: true #Process logs as if we were replaying them to get the timestamp from the filenames:
  - C:\Program FilesMicrosoftExchange ServerV15LoggingPop3*. LOG labels:
  type: exchange-pop
---
##Exchange OWA #OWA failed attempts are logged in the same way as RDP failed auth source: WinEventLog event_channel: Security event_ids:
 - 4625
event_level: Information Labels:
 type: eventlog
 ...

 

 

Whitelist

The whitelist, as we can interpret it, will help us to exclude, for example, an IP address from being banned or blocked by Crowdsec, usually they can be the IP addresses of a checkpoint, Jumping equipment, etc… As well as among others we can also exclude countries, For example.

 

Name: crowdsecurity/whitelists description: "Whitelist events from private ipv4 addresses"
whitelist:
  reason: "Private IPv4/IPv6 IP/Ranges"
  IP:
    - "127.0.0.1"
    - "::1"
    - "192.168.1.33"
  Cidr:
    #- "192.168.0.0/16"
    #- "10.0.0.0/8"
    - "172.16.0.0/12"
  # expression:
  #   - "'foo.com' in evt.Meta.source_ip.reverse"

The file will be found in 'C:\ProgramDataCrowdSecconfigparserss02-enrichwhitelists.yaml', and we will see that we can simply add any IP or IP range to the exclusion whitelist.

 

If we want to exclude countries, We must first install the GeoIP-Enrich parser that will feed the logs with geolocation data, such as countries, cities or GPS coordinates:

CSCLI Parsers Install CrowdSecurity/GeoIP-Enrich

 

And it will be enough to add the following expression in the whitelist file:

expression:
  - evt.Enriched.IsoCode == 'ES'

 

Remember to restart the Crowdsec service to reload these changes.

 

Notifications

 

Notifications:
  - slack_default
  - splunk_default
  - http_default
  - email_default

We can enable notifications by editing the 'C file:\ProgramDataCrowdSecconfigprofiles.yaml', where we can uncomment and select the type of notification that interests us, What can they be to Splunk, to Slack, by email, or with HTTP (for example Telegram).

 

If we want, for example, email notifications, in the 'C directory:\ProgramDataCrowdSecconfignotifications’ we would edit the YAML file email.yaml (o slack.yaml or splunk.yaml or http.yaml), where we will configure the parameters of our mail server. Those of us from Telegram saw it in a post Old man.

 

Testing it

 

We'll end up trying it, won't we??  if not how do we trust this to work? 🙂 You can do the wrong entrance exams you want, or validate it with a vulnerability scanner, or websites… In that old document you have an example with Nikto.

 

You can see the decisions your machine has made with:

CSCLI Decisions List

 

In this case you have banned the IP address 192.168.1.253 for making a Windows Brute Force, it could be that I have entered the user wrong several times when accessing the server by RDP, or SMB…

 

Or from the LAPI server if we have registered it (What comes next)

docker exec -it crowdsec-crowdsec-1 cscli decisions list

 

If we have already deployed the Crowdsec Mirror, we will be able to verify that the banned IP address appears in the URL where we publish our http blocklist://DIRECCION_IP_CROWDSEC_MIRROR:41412/security/blocklist

 

If we want to ban an IP address, We will do it with:

cscli decisions add --ip DIRECCIÓN_IP --reason "Description"

 

If we want to unban an IP address, We will do it with:

cscli decisions delete --ip DIRECCIÓN_IP

 

 

We will be able to investigate the alerts we have had with:

cscli alert list

 

 

With the previous command we list them, and now selecting the ID of a particular alert and we will be able to know which log file generated it, What I was doing, The path, HTTP status… in this case of the image there are many 404 al path /apps/files_sharing/publicpreview/

CSCLI Alert Inspect ID_ALERTA [-d]

 

And, if we need it, create our own Whitelist file to make exclusions in cases of false positives, Pej en 'C:\ProgramDataCrowdSecconfigparserss02-enrichwhitelist-allow-pdfs.yaml, You can use these example expressions to make exclusion filters:

Name: crowdsecurity/mylistablancapdfs description: "Ignore PDFs"
whitelist:
  reason: "ignore PDFs"
  expression:
    #- evt.Meta.http_path startsWith '/apps/files_sharing/publicpreview/'
    #- evt.Meta.http_status == '404' && evt.Meta.http_path startsWith '/apps/files_sharing/publicpreview/'
    - evt.Parsed.request contains '/apps/files_sharing/publicpreview/'

 

 

As usual, without forgetting to restart the Crowdsec service with each configuration change.

 

 

Registering Crowdsec against our LAPI server

 

API:
...
  Server:
    enable: False
...

 

We need to disable the local LAPI, we edit the file 'C:\ProgramDataCrowdSecconfigconfig.yaml'.

 

Now we register against the LAPI server that we have deployed on the network:

cscli lapi register -u http://DIRECCION_IP_CROWDSEC_LAPI:8080 --Machine NOMBRE_MAQUINA

 

On the LAPI server we will be able to see the registration request of the Windows machine, We list with:

Sudo Docker Exec -it CrowdSEC-CrowdSEC-1 CSCLI Machines List

 

We accept the registration request and relist to confirm the status:

Sudo Docker exec -it CrowdSEC-CrowdSEC-1 CSCLI machines validate NOMBRE_MAQUINA

 

Now our Crowdsec on Windows will communicate and read from the LAPI server any decision, therefore using the central server. If the rest of Crowdsec's agents would do the same, all of them would have the same information in common, and therefore, when a machine suspects an IP is evil, the rest of Crowdsec's agents will know it instantly.

 

Registering the Crowdsec bouncer against our LAPI server

And to conclude, we must also register the bouncers we have, in this case the Windows firewall bouncer, if we want that bouncer to read from the central LAPI, We must follow these steps, This is what has been said, when someone or something adds an IP to the central LAPI, this operating system firewall will make a rule denying access to said malicious IP.

From the LAPI server, We can first if we want to list the bouncers that we have registered with:

Sudo Docker exec -it crowdsec-crowdsec-1 cscli bouncers list

And to register the bouncer of the firewall of this Windows we will run:

sudo docker exec -it crowdsec-crowdsec-1 cscli bouncers add NOMBRE_MAQUINA-FW

We write down the API Key that has given us,

On Windows, we edit the C file:\ProgramDataCrowdSecconfigbouncerscs-windows-firewall-bouncer.yaml and enter the IP of the LAPI, its port and the API Key that gave us the previous command. Save the file and restart the service “Crowdsec Windows Firewall Bouncer”.

And the FW of the registered Windows computer will come out, we verify it

Sudo Docker exec -it crowdsec-crowdsec-1 cscli bouncers list

And that's it! Final! For now I think that's enough, No? 🙂 We've already seen how to deploy Crowdsec to protect a Windows server, with their services, as well as some basic configurations, and the part of centralizing it, I hope it has been of some use to you, Give your infrastructure a little love with this type of solution, I send you a greeting, Hoping you do very well, A hug,

Recommended Posts

Author

nheobug@bujarra.com
Autor del blog Bujarra.com Cualquier necesidad que tengas, Do not hesitate to contact me, I will try to help you whenever I can, Sharing is living ;) . Enjoy documents!!!

Bed sensor in Home Assistant

31 de October de 2024