Package: wnpp
Severity: wishlist

* Package name    : crowdsec
  Version         : 0.3.5
  Upstream Author : Crowd Security
* URL             : https://crowdsec.net/
* License         : MIT/Expat?
  Programming Lang: Golang
  Description     : lightweight agent to detect and respond to bad behaviours
Crowdsec is an open-source, lightweight software, detecting peers with aggressive behaviors to prevent them from accessing your systems. Its user-friendly design and assistance offer a low technical barrier of entry and nevertheless a high security gain.

Processing is done in 5 steps:

1. Read data sources (log files, streams, trails, messages ...), normalize and enrich signals
2. Match those signals to behavior patterns, aka scenarios (*)
3. If an unwanted behavior is detected, deal with it through a bouncer: a software component integrated into your applicative stack that supports various remediations such as block, return 403, and soon captcha, 2FA, etc.
4. (ONLY) The aggressive IP, the scenario name triggered and a timestamp are then sent to our curation platform (to avoid poisoning & false positives)
5. If verified, this IP is then integrated into the block list continuously distributed to all CrowdSec clients (which is used as an enrichment source in step 1)

By detecting, blocking and sharing the threat they faced, all clients are reinforcing each other (hence the name Crowd-Security).

Crowdsec is designed for modern infrastructures, with its "Detect Here, Remedy There" approach, letting you analyse logs coming from several sources in one place and block threats at various levels (applicative, system, infrastructural) of your stack.

(*) CrowdSec ships by default with scenarios (brute force, port scan, web scan, etc.) adapted to most contexts, but you can easily extend it by picking more of them from the hub. It is also very easy to adapt an existing one or create one yourself.

====

This is similar to fail2ban and sshguard, but with the extra touch that it allows for federation and distribution of blocklists. It also integrates with Prometheus, also packaged in Debian.

I haven't tested it. I guess it could be maintained by the Go team?
Source code is available here: https://github.com/crowdsecurity/crowdsec The software is free (MIT), but to get access to the crowd-sourced reputation data, you must also share it. The server-side of things is also non-free.
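Steps 1 and 2 of the pipeline described above, as an added example that is neither part of this bug report nor CrowdSec's own code: it normalises a few constructed sshd log lines, fires a minimal brute-force scenario when one source reaches a failure threshold inside a sliding window, and emits the (IP, scenario name, timestamp) triple that step 4 says is all that gets shared. The scenario name "ssh-bf", the log format, the threshold and the window length are assumptions.

```go
package main

import (
	"regexp"
	"time"
)

// Decision holds what step 4 says is shared: offending IP, scenario name, timestamp.
type Decision struct{ IP, Scenario string; At time.Time }

// Constructed sshd-style lines with RFC3339 timestamps; not captured from a real host.
var SampleLog = []string{
	"2020-10-01T10:00:01Z sshd[1]: Failed password for root from 203.0.113.7 port 5000 ssh2",
	"2020-10-01T10:00:02Z sshd[1]: Failed password for root from 192.0.2.9 port 7000 ssh2",
	"2020-10-01T10:00:03Z sshd[1]: Failed password for admin from 203.0.113.7 port 5001 ssh2",
	"2020-10-01T10:00:04Z sshd[1]: Accepted publickey for alice from 198.51.100.4 port 6000 ssh2",
	"2020-10-01T10:00:05Z sshd[1]: Failed password for root from 203.0.113.7 port 5002 ssh2",
	"2020-10-01T10:02:30Z sshd[1]: Failed password for root from 192.0.2.9 port 7001 ssh2",
}

var failedRe = regexp.MustCompile(`^(\S+) sshd\[\d+\]: Failed password for \S+ from (\S+) port`)
// DetectBruteForce is steps 1 and 2 in miniature: normalise each line to (timestamp,
// source IP), keep a sliding window of failures per source and fire the assumed "ssh-bf"
// scenario once a source reaches `limit` failures inside `window` (one decision per burst).
func DetectBruteForce(lines []string, limit int, window time.Duration) []Decision {
	hits := map[string][]time.Time{}
	var out []Decision
	for _, l := range lines {
		m := failedRe.FindStringSubmatch(l)
		if m == nil {
			continue // accepted logins and unrelated lines are not signals here
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		ip, kept := m[2], []time.Time{}
		for _, t := range hits[ip] {
			if ts.Sub(t) <= window { // drop failures that fell out of the window
				kept = append(kept, t)
			}
		}
		hits[ip] = append(kept, ts)
		if len(hits[ip]) >= limit {
			out = append(out, Decision{IP: ip, Scenario: "ssh-bf", At: ts})
			hits[ip] = nil // empty the window so one burst yields one decision
		}
	}
	return out
}
```

With a limit of 3 failures per minute, only 203.0.113.7 produces a decision; 192.0.2.9's two failures are more than a minute apart and 198.51.100.4's successful login is not a signal at all.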