Replace fail2ban with CrowdSec

[klausagnoletti]

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
I'd like to replace fail2ban in the tpot project with CrowdSec; a free, open source tool that (much like f2b) analyses logfiles and detects attacks. There are key differences: CrowdSec is less resource heavy and fast (written in Go), more intelligent in that it can detect far more advanced attacks. Not just slow-bruteforce but also bot scrapings, L7 DDoS just to name a few. Also it would be able to protect web login. Last but definately not least it by default anonymously submits metadat on attacks it sees (ip, timestamp, metadata on the attack. Nothing else) to the CrowdSec community so all other users prone to similar attacks will be able to block it right away.

Describe alternatives you've considered
Keep using fail2ban (and miss all the fun)

Additional context
More information on CrowdSec at https://crowdsec.net/ and https://doc.crowdsec.net/
Full disclosure: I am head of community and interested in as many CrowdSec deployments as possible since this makes the collected data even better and spreads the knowledge of CrowdSec to everyone else so they can help fight back (by blocking the cybercriminals we aim to make it harder and more expensive for them to run their businesses)

[t3chn0m4g3]

@klausagnoletti It's already on the ToDo list.

[t3chn0m4g3]

Thing is, I cannot assume that packagecloud.io is reachable for all the T-Pots enrolled today. I understand that development pace might be an issue, however we have chosen Debian exactly for the reason, that we dodge compatibility issues we had in the past (while using Ubuntu) and have almost accomplished to eliminate the dependancy to third party resources (used docker from their repos and this only caused trouble) and avoiding this comes through lessons learned. This increases stability and security efforts alike while also solving availability, since it is expected to allow access to the Debian repositories in order to receive updates and upgrades (do not get me wrong here, I do believe that the CrowdSec resources are maintained properly!).
I think it makes a lot of sense to have up to date packages (as far as stable supports this) readily available in Debian, however I do also understand the reasons not to do it.
I appreciate the chat offer but I do not want to bug in your strategy (there is obviously more to it, and you want to keep the dev pace for being able to make fast changes on agent and backend) and if Debian is not on the roadmap I accept that.

[klausagnoletti]

Thanks for the explanation. Debian is literally our distro of choice.
That being said I don’t know what the plans are on this. But I do know that our CTO is psyched over the fact that we got you guys’ attention. But I’ll follow up and let you know.

[t3chn0m4g3]

Sounds good, thank you!

[klausagnoletti]

I know a bit more now: The Debian package maintainer is working on new packages but as you know all that is in the mercy of the Debian folks. Do you have any suggestions to how we can make distribution of packages better for those T-pot users other than having official packages in Debian stable? Obviously this has a very long time horizon.
Another option could be to add official but totally voluntary support for CrowdSec (although we would obviously prefer something more mandatory :-) ) What do you think?

[t3chn0m4g3]

I'd rather want to wait for the Debian packages (lessons learned ), which will be a technical requirement, followed by tests from the team.

[ghenry]

Why not put it in Alpine for use in Docker or is f2b in the base OS? Does that work?

[t3chn0m4g3]

@ghenry The idea is good, however CrowdSec bouncers work closely with iptables on the host, hence the discussion for host based (Debian) packages.

[ghenry]

Ah, thought so.

[bzed]

https://tracker.debian.org/pkg/crowdsec

Packaged since Debian 11 at least....