Protecting your Raspberry Pi with CrowdSec

In this tutorial, we will be showing you how to protect your Raspberry Pi using CrowdSec.


CrowdSec is a threat intelligence engine similar to Fail2Ban. It is designed to protect your device from outside attackers using predefined rules.

This software helps protect your device by analyzing every IP address that connects to it. If it decides an IP address is malicious, that address is forwarded to what is called a remediation component.

These remediation components are what actually block a detected malicious IP address. They can achieve this in several ways, including simply adding the IP to your firewall's block list.

An advantage of using CrowdSec is that it is significantly faster on your Raspberry Pi than Fail2Ban. This will allow it to process more IP addresses. This speed advantage is helped by it being written in Go rather than Python.

While CrowdSec is free and open source, they offer paid blocklists that contain IP addresses they have already identified as malicious. You do not need to pay for these blocklists to utilize CrowdSec, and it isn’t something we used when trying out this software.

Please note that you must be running a 64-bit operating system to run CrowdSec. They do not provide builds for 32-bit versions of Raspberry Pi OS.

Equipment

Below is a list of the equipment we used when installing and setting up CrowdSec on a Raspberry Pi.

We last tested this tutorial on a Raspberry Pi 5 running the latest version of Raspberry Pi OS Bookworm (64-bit).

Installing and Running CrowdSec on a Raspberry Pi

Over the following sections, we will walk you through installing and running CrowdSec on the Raspberry Pi.

Setting up CrowdSec is a relatively straightforward process. The hardest part is basically just adding the third-party package repository.

Preparing your Raspberry Pi to Run CrowdSec

1. Before installing CrowdSec onto our Raspberry Pi, we must ensure we have everything we require.

The first part of this process is to ensure our Pi is up to date by running the following two commands in the terminal. We update the package list cache with the first command, and with the second, we upgrade any out-of-date packages.

sudo apt update
sudo apt upgrade -y

2. Once our Pi is updated, we can ensure that both the “curl” and “lsb-release” packages are installed.

We will use these two packages to set up the CrowdSec repository: curl downloads the signing key, and the lsb_release command tells us the codename of the Raspberry Pi OS release we are running.

sudo apt install curl lsb-release

Adding the CrowdSec Package Repository

3. Since CrowdSec isn’t available through the official Raspberry Pi OS package repository, we must add their own. Luckily, this process isn’t overly complicated.

With this first step, we will be saving the GPG key for CrowdSec onto our Pi. This GPG key lets apt verify the signatures on the packages we download from their repository, so a tampered package will be rejected.

curl -fsSL https://packagecloud.io/crowdsec/crowdsec/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/crowdsec_crowdsec-archive-keyring.gpg

4. With the GPG key saved, our next step is to add the CrowdSec repository to our sources list. The “signed-by” option ties this repository to the keyring we just saved, so only packages signed with that key will be accepted from it.

You can add this repository to your Pi’s sources using the following command in the terminal.

echo "deb [signed-by=/usr/share/keyrings/crowdsec_crowdsec-archive-keyring.gpg] https://packagecloud.io/crowdsec/crowdsec/debian $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/crowdsec.list

5. As we have adjusted our available repositories, we will need to update the package list cache. If we forget to do this, we will run into a missing package error later on.

You can update this cache by using the update command within the terminal.

sudo apt update

Installing CrowdSec on to your Raspberry Pi

6. With the package repository updated, all we need to do to install the CrowdSec security engine on our Raspberry Pi is to run the following command.

sudo apt install crowdsec

7. While the security engine is now installed, we must also install a remediation component (a “bouncer”). CrowdSec provides two firewall bouncer packages, one for iptables and one for nftables.

In this case, we will install the bouncer for the iptables firewall. This is what CrowdSec will use to block any IP addresses that it detects as malicious.

sudo apt install crowdsec-firewall-bouncer-iptables

8. We can verify that we have successfully installed CrowdSec on our Raspberry Pi by getting it to list the available bouncers.

sudo cscli bouncers list

If everything has worked properly so far, you should see that the “crowdsec-firewall-bouncer” is listed by this command.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            IP Address  Valid  Last API pull         Type                       Version                                                                  Auth Type
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cs-firewall-bouncer-1724412389  127.0.0.1   ✔️     2024-08-23T11:27:03Z  crowdsec-firewall-bouncer  v0.0.29-debian-pragmatic-arm64-9594360ca83272d5c15ed1c343a6d96868d83cbc  api-key
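Steps 1 to 8 leave a few things that are worth checking in one go: that the Pi is 64-bit, that the keyring and repository line match what we wrote, that the service is running, and that a valid firewall bouncer is registered. The script below is an added example, not part of this tutorial or of CrowdSec itself; it assumes the keyring path and repository URL from steps 3 and 4 and is run as `./check.sh check` on the Pi.

```bash
#!/usr/bin/env bash
# Added preflight/verification script for the install steps above (not part
# of the original tutorial). Assumes the keyring path and repository URL
# used in steps 3 and 4, and the 64-bit-only requirement noted earlier.
set -eu

KEYRING=/usr/share/keyrings/crowdsec_crowdsec-archive-keyring.gpg
SOURCES=/etc/apt/sources.list.d/crowdsec.list

# CrowdSec ships no 32-bit builds: accept only 64-bit dpkg architectures.
is_64bit_arch() {
    case "$1" in
        arm64|aarch64|amd64|x86_64) return 0 ;;
        *) return 1 ;;
    esac
}

# The exact apt source line step 4 writes, for a given Debian codename.
crowdsec_apt_line() {
    printf 'deb [signed-by=%s] https://packagecloud.io/crowdsec/crowdsec/debian %s main\n' \
        "$KEYRING" "$1"
}

# Read `cscli bouncers list` output on stdin; succeed only if a
# crowdsec-firewall-bouncer row is present and marked valid (the tick mark).
firewall_bouncer_valid() {
    grep 'crowdsec-firewall-bouncer' | grep -q '✔'
}

# Live checks run only when the script is invoked as `./check.sh check`.
if [ "${1:-}" = "check" ]; then
    arch=$(dpkg --print-architecture)
    is_64bit_arch "$arch" || { echo "unsupported architecture: $arch"; exit 1; }
    [ -s "$KEYRING" ] || { echo "missing keyring $KEYRING"; exit 1; }
    [ "$(cat "$SOURCES")" = "$(crowdsec_apt_line "$(lsb_release -cs)")" ] \
        || { echo "$SOURCES does not match the expected repository line"; exit 1; }
    systemctl is-active --quiet crowdsec || { echo "crowdsec service is not running"; exit 1; }
    sudo cscli bouncers list | firewall_bouncer_valid \
        || { echo "no valid crowdsec-firewall-bouncer registered"; exit 1; }
    echo "CrowdSec install looks healthy"
fi
```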

Adding a Scenario to CrowdSec

9. Your next step with configuring CrowdSec is to add additional scenarios. A scenario is basically a ruleset that CrowdSec uses to determine whether an IP address is potentially malicious.

Before we add a new scenario, let us get it to list out the ones already configured.

sudo cscli scenarios list

Below, you can see that three scenarios have been enabled by default. Two of these help deal with brute-force attempts against your SSH server. The third scenario is there to help protect against a possible exploit in OpenSSH.

You may have more scenarios than we do, as CrowdSec attempts to identify the services you are running and sets up relevant rules for them.

SCENARIOS
───────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                             📦 Status    Version  Local Path
───────────────────────────────────────────────────────────────────────────────────────────────────────
 crowdsecurity/ssh-bf             ✔️  enabled  0.3      /etc/crowdsec/scenarios/ssh-bf.yaml
 crowdsecurity/ssh-cve-2024-6387  ✔️  enabled  0.2      /etc/crowdsec/scenarios/ssh-cve-2024-6387.yaml
 crowdsecurity/ssh-slow-bf        ✔️  enabled  0.4      /etc/crowdsec/scenarios/ssh-slow-bf.yaml
───────────────────────────────────────────────────────────────────────────────────────────────────────

10. You can find a list of scenarios that you can install to your Raspberry Pi’s CrowdSec installation by browsing their configuration hub. Each scenario is typically designed to help protect a particular service or help with a certain use case.

For this example, let us install the “iptables-scan-multi_ports” scenario. This scenario lets CrowdSec detect if a single IP attempts to connect to many different ports. Essentially, we are attempting to stop people scanning for open ports.

sudo cscli scenarios install crowdsecurity/iptables-scan-multi_ports

Registering your CrowdSec Installation

11. One core feature of CrowdSec is its website, which allows you to check on your installation from anywhere.

To connect your Raspberry Pi’s security engine installation with CrowdSec, you will require an account. Once you have created an account, you can continue to the next step.

https://app.crowdsec.net/signup

12. After creating an account, you will want to go to the “security engines” page.

You should see a command on this page at the bottom of the screen. This is the command that you will want to run on your Raspberry Pi to enroll it with your CrowdSec account.

https://app.crowdsec.net/security-engines

13. After finding the command you need to run, return to your Raspberry Pi and run it. The command should be similar to what we have shown below; however, “<ID>” will be a unique identifier.

sudo cscli console enroll -e context <ID>

If your Raspberry Pi was successfully registered with CrowdSec you should see a message similar to the one shown below.

INFO manual set to true
INFO context set to true
INFO Enabled manual : Forward manual decisions to the console
INFO Enabled tainted : Forward alerts from tainted scenarios to the console
INFO Enabled context : Forward context with alerts to the console
INFO Watcher successfully enrolled. Visit https://app.crowdsec.net to accept it.
INFO Please restart crowdsec after accepting the enrollment.

14. On the CrowdSec website, you should see an “ACCEPT ENROLL” button. You must click this button to allow your Raspberry Pi to connect to your account.

Once the interface confirms your enrollment, proceed to the next step.

15. To ensure your CrowdSec has completely synchronized with the web service, you will want to restart the software.

You can restart the security engine on your Raspberry Pi by running the following command in the terminal.

sudo systemctl restart crowdsec

Conclusion

Hopefully, you will have successfully installed and set up CrowdSec on your Raspberry Pi.

CrowdSec is a great solution for helping protect your Pi from malicious outside attackers. It is a modern alternative to the popular Fail2Ban.

You can read more about CrowdSec and how to configure it by reading through the official documentation.

Please feel free to comment below if you have any questions or concerns about running CrowdSec on a Pi.

If you found this tutorial to be helpful, we recommend taking some time to explore some of our other Raspberry Pi projects.
