Everybody seems to agree upon suggesting Fail2Ban. I interpret this more like people suggesting what they know rather than necessarily the best or most modern tool. And nothing at all is wrong with that :-)
So to throw something else in the mix I'll suggest CrowdSec instead. It's free, open source crowdsourced threat intelligence. In this context it means that it can be compared to f2b but innovative in a number of ways. One really cool thing - and that's where the crowdsourcing part comes in - is that intelligence about attacks is automatically shared (anonymously!) with the entire ecosystem so that IPs that attack users are automatically blocked by everyone. Also it is capable of handling much more advanced logic and detecting resource abuse like data exfiltration, DDoS, bot scraping and more. And traffic can be blocked on L3 via the host firewall or L7 directly in supported applications and frameworks such as nginx, php, cloudflare, wordpress and more.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you are interested and want to know more details, I'll suggest our doc site or the detailed and technical talk I did at ShellCon last month. And if you have any questions or comments please let me know. I'll be more than happy to help in any way I can.
I would suggest looking into an alternative here called CrowdSec (also free and open source) which basically is a modern version of fail2ban but works fundamentally differently. The biggest difference (apart from the fact that it's capable of making far more versatile and advanced decisions) is that it's based upon crowdsourced threat intelligence. This means that it parses logs to detect attacks and anonymously shares this with other users (and downloads blocklists as well). Another difference is that traffic can be blocked on both L3 and L7 and in both host firewalls and in applications such as nginx, php, wordpress or even cloudflare. And we have a port for OPNsense ready real soon!
Disclaimer: I am head of community at CrowdSec and an avid user myself. There are a lot of other differences but obviously I can't go into details here. But if you're interested I'll point to our docs and to the talk I did last month at ShellCon. And should there be any questions or comments please let me know :-).
You should check out Crowdsec.
I've been running it for about a year now. It has a great UI and centralized management via the server's built-in API.
It's become one of my favourite security addons, to date.
Yes, blacklist everything according to the new synergized zero-trust model
Cat & mouse, every time and I'm working on seeing what crowdsec.net can do as a canary to local attack trends
I would suggest that you try out CrowdSec instead of fail2ban. It's free, open source, crowdsourced threat intelligence and can be seen as a modern version of f2b (even though it's a bit of a simplification). Crowdsourced in this sense means that all users of CrowdSec share information about the attacks they're experiencing so that all users can block known attackers right away. Another difference is that CrowdSec is capable of taking more advanced decisions and detecting various kinds of resource abuse, DDoS (on L7), exfiltration etc. Traffic is blocked either on network level (via host firewalls) or directly in applications such as nginx, wordpress, PHP apps in general, Cloudflare or Traefik (the latter is community-developed but no less valid because of that).
Disclaimer: I am head of community at CrowdSec and an engaged user myself. If you're interested in learning more about CrowdSec I did a talk at ShellCon two months ago that is highly recommendable as it both provides an overview as well as technical details.
If you have any questions or comments please let me know. I'll be happy to help!
I'd like to suggest running CrowdSec instead. It started out as a modern version of f2b but has evolved into so much more - among other things it can make more advanced decisions and detect anomalies (like DDoS attacks, stuffing, data stealing and other types of abuse and theft). It's free, open source and crowdsourced threat intelligence meaning that all users of CrowdSec share data on attacks (anonymously!) and help each other fight them - and also that there's better protection the more users there are.
Basically CrowdSec consists of two parts: an agent which does all the log collection and detection and bouncers which control traffic based on this. There are bouncers both for L3 and L7 - and there's even one for nginx. There's a bit of documentation here. Also it protects ssh out of the box and more.
Disclaimer: I am head of community for CrowdSec and an avid user myself. If you need any help or have questions please let me know. I recently did a talk at ShellCon that will give an overview of the architecture and possibilities. Check it out here.
If you want to have a more advanced security measure in place you could have a look at CrowdSec. It's open source, free crowdsourced threat intelligence - basically this means that users share information about attacks anonymously. On top of that it's capable of making more advanced decisions regarding the logs it parses, thereby having a better chance of detecting all attacks. There's support for HA both in terms of reading logs and detecting attacks.
Disclaimer: I am head of community at CrowdSec and an avid user myself. Last month I did a talk at ShellCon that goes more into the nitty gritty details. And we really want to do a HA add-on but are struggling with not being able to find someone to help us. So our devs are currently starting from scratch. So if anyone wants to help out, give me a buzz.
If you want to know more about how CrowdSec works, I did a talk last month at ShellCon that goes into the nitty-gritty details. If you have questions or comments, please let me know. I'd be more than happy to help out.
I would suggest a few things here: First of all use CrowdSec instead of f2b. It's an improved, crowdsourced (but still free and open source) version of f2b that shares intelligence on attacks with other users and helps you block the bad guys by standing together. Secondly if you choose to use Cloudflare for your webserver, Crowdsec can provide you free L7 anti-DDoS. Quite a bargain, huh?
Disclaimer: I am head of community of CrowdSec and an avid user myself. Admittedly, what I wrote on CrowdSec above is a very condensed version. But the truth is that there's a lot of possibilities here that you just don't get with f2b. I talked about it at ShellCon last month. I'd suggest watching the talk for a technical deep dive.
If you have any questions or suggestions please let me know.
I'd like to suggest a more modern alternative to Fail2Ban called CrowdSec. It's free, open source, crowdsourced threat intelligence meaning that all users contribute anonymously with intelligence of who's attacking them. Like F2B, CrowdSec can protect a number of services but is able to take more advanced decisions. Nginx as a reverse proxy is supported out of the box meaning that it can protect from a number of attacks as it's able to work as a sort of firewall within nginx itself - and if the nginx is hosted on a vps it would work as an advanced (and free) L7 anti-DDoS mechanism. It would also be possible to keep stats and graphs over all your CrowdSec instances via a free-to-use web console.
Disclaimer: I am head of community at CrowdSec and an avid user myself.
These are just some of the things Crowdsec can do and a very short explanation of what it is and what it can do. It's new software in a rapid development with a userbase that's growing quite fast. I did a rather technical talk last week at ShellCon that will give an overview of the possibilities. Check it out here.
Let me know what you think - also I'll be happy to answer any questions and help you out as much as I can.
We addressed most of those points publicly in podcasts but you can find a condensed version in our FAQ here: https://crowdsec.net/faq/
1st point is harder to explain in a few lines but we'll make money by selling premium access to an API allowing people that do not partake in the network to actually still be able to access the blocklist. It's still free for people partaking. We also have premium features like "Am I under targeted attack", "Am I attacking other people", fleet deployment features, and the like, for larger network or hosting businesses.
Hi,
We use 4 different curation tools.
1/ A trust rank (TR) system. It reflects how frequently and accurately, and for how long, a machine has partaken in the network. TR evolves over time to reflect good & bad behaviors.
2/ Quarantine. No machine that is less than 6 months in the network can partake in decision.
3/ Our own honeypot network is TR0 and provides verification of signals to allow others to grow their own TR.
4/ We have a canary list to never ban critical and trustable IPs (like Google DNS, Microsoft updates, etc.), that is also crowdsourced.
More comprehensive information can be found here: https://crowdsec.net/faq/
Hi skarsol. We use 4 different curation tools.
1/ A trust rank (TR) system. It reflects how frequently and accurately, and for how long, a machine has partaken in the network. TR evolves over time to reflect good & bad behaviors.
2/ Quarantine. No machine that is less than 6 months in the network can partake in decision.
3/ Our own honeypot network is TR0 and provides verification of signals to allow others to grow their own TR.
4/ We have a canary list to never ban critical and trustable IPs (like Google DNS, Microsoft updates, etc.), that is also crowdsourced.
More comprehensive information can be found here: https://crowdsec.net/faq/
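The two replies above list the four curation tools (trust rank, quarantine, honeypot verification, canary list) without showing how they combine. The following is an added illustrative model, not CrowdSec's own code: it weights each report by the reporter's trust rank, drops votes from quarantined machines and for canary addresses, and lets honeypot-confirmed reporters grow their rank. The thresholds (183 days, a score of 1.5, a 0.1 step), the canary networks, the data shapes and the trust update rule are all assumptions, and the reports are constructed.

```python
# Added example, not CrowdSec's code: an illustrative model of the four curation
# rules listed above (trust rank, quarantine, honeypot verification, canary list).
# Thresholds, data shapes and the trust-rank update rule are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

QUARANTINE = timedelta(days=183)   # assumption: "6 months" modelled as 183 days
MIN_SCORE = 1.5                    # assumption: trust-weighted votes needed to ban
TR_STEP = 0.1                      # assumption: per-round trust rank adjustment

# Assumed canary allowlist: networks that must never end up on the blocklist.
CANARIES = [ip_network("8.8.8.0/24"), ip_network("13.107.4.0/24")]


@dataclass
class Reporter:
    machine_id: str
    joined: datetime
    trust_rank: float = 0.0        # 0.0 = untrusted ... 1.0 = fully trusted
    is_honeypot: bool = False      # operator honeypots are the TR0 reference set


@dataclass
class Signal:
    reporter: Reporter
    ip: str
    scenario: str
    seen_at: datetime


def is_canary(ip: str) -> bool:
    """Rule 4: never ban an address inside a canary network."""
    addr = ip_address(ip)
    return any(addr in net for net in CANARIES)


def in_quarantine(r: Reporter, now: datetime) -> bool:
    """Rule 2: machines younger than QUARANTINE get no vote (honeypots excepted)."""
    return not r.is_honeypot and now - r.joined < QUARANTINE


def curate(signals, now):
    """Rules 1-4 together: weight each vote by trust rank, skip quarantined
    reporters and canary IPs, return {ip: score} for IPs at or above MIN_SCORE."""
    scores = {}
    for s in signals:
        if is_canary(s.ip) or in_quarantine(s.reporter, now):
            continue
        weight = 1.0 if s.reporter.is_honeypot else s.reporter.trust_rank
        scores[s.ip] = scores.get(s.ip, 0.0) + weight
    return {ip: sc for ip, sc in scores.items() if sc >= MIN_SCORE}


def grow_trust(signals):
    """Rule 3: a reporter with at least one signal confirmed by the honeypot
    network gains trust; one with none loses some. Returns {machine_id: new TR}."""
    confirmed_ips = {s.ip for s in signals if s.reporter.is_honeypot}
    per_reporter = {}
    for s in signals:
        if s.reporter.is_honeypot:
            continue
        per_reporter.setdefault(s.reporter.machine_id, (s.reporter, []))[1].append(s.ip)
    ranks = {}
    for machine_id, (r, ips) in per_reporter.items():
        delta = TR_STEP if any(ip in confirmed_ips for ip in ips) else -TR_STEP
        r.trust_rank = min(1.0, max(0.0, r.trust_rank + delta))
        ranks[machine_id] = r.trust_rank
    return ranks


def demo():
    """Constructed sample: one honeypot, one veteran agent, one quarantined newcomer."""
    now = datetime(2022, 1, 1)
    honeypot = Reporter("honeypot-1", now - timedelta(days=730), 1.0, True)
    veteran = Reporter("agent-vet", now - timedelta(days=400), 0.8)
    newcomer = Reporter("agent-new", now - timedelta(days=30), 0.5)
    signals = [
        Signal(honeypot, "203.0.113.10", "ssh-bf", now),
        Signal(veteran, "203.0.113.10", "ssh-bf", now),
        Signal(veteran, "198.51.100.7", "http-probing", now),   # a single trusted vote
        Signal(newcomer, "198.51.100.7", "http-probing", now),  # ignored: quarantined
        Signal(newcomer, "192.0.2.55", "ssh-bf", now),          # ignored: quarantined
        Signal(veteran, "8.8.8.8", "ssh-bf", now),              # ignored: canary
    ]
    blocklist = curate(signals, now)
    ranks = grow_trust(signals)
    return blocklist, ranks


if __name__ == "__main__":
    print(demo())
```

Only 203.0.113.10 reaches the blocklist here: the honeypot vote plus the veteran's 0.8 beats the threshold, while 198.51.100.7 has one trusted vote and the newcomer's reports do not count yet. Because the veteran's report was confirmed by a honeypot, its trust rank grows; the newcomer's decays.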
I'd like to suggest CrowdSec for this. It's free and open source and based on crowdsourced threat intelligence. Think of it as an advanced version of fail2ban.
What I mean by crowdsourced here is that data on attacks is shared between all users, thereby helping each other against the bad guys out there, to put it very shortly.
LearnLinuxTV just released a video on how it works and how to set it up with nginx. But in reality that's just one possibility; another is to use Cloudflare's free tier along with CrowdSec to fight DDoS specifically targeting the application layer. It sounds a bit like you could use that.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you have any questions after checking it out, please give me a buzz here or at our Discourse. Looking forward to helping you with this extremely annoying problem; especially since it's the very core reason why CrowdSec was created; to stand together and fight back against the bad guys!
You could also try out CrowdSec; crowdsourced threat intelligence meant as a modern version of f2b, sharing all users' collective threat intelligence by default and capable of making much more intelligent decisions like detecting DDoS attacks and other sorts of abuse. The built-in Wordpress support protects wp-admin by default and is capable of 'flex blocking', e.g. forcing suspicious users through a CAPTCHA (rather than hard-blocking them).
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you want to try it out and have any problems or other feedback let me know - I'll be happy to help out in any way I can.
I would recommend CrowdSec here. It's free, open source crowdsourced threat intelligence. To put it more practically, it's a modern version of fail2ban - but can do so much more in that its logic is more advanced; basically it can detect and react upon any deviation.
Crowdsourced means that every CrowdSec agent parses local logs and detects attacks. By default anonymized, minimal data about the attacks is sent to our smoke database where it's automatically (rule-based, no AI/ML here) determined whether this is a bad guy the entire ecosystem should ban or not (have we seen it in alerts from other agents etc.). Locally it instructs your firewall bouncer to block attempts of brute force or whatever. CrowdSec supports both sshd and vsftpd (and lots more). On the bouncer side CrowdSec in general supports blocking on L3 and L7; iptables, nftables, pf (and soon Windows firewall), nginx, Cloudflare, php, wordpress and more.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you are interested and want to know more I can recommend the talk I did at ShellCon last month. If you have any questions or comments please let me know - I am here to help :-)
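The comments above describe the split between an agent that parses logs and detects attacks, a minimal anonymized signal that leaves the host, and a bouncer that blocks locally. The following is an added miniature of that flow, written for this page and not taken from CrowdSec: a regex parser for sshd failures, a leaky-bucket scenario per source IP, a function that strips a decision down to what would be shared, and a "bouncer" that renders decisions as nft commands. The bucket capacity, leak window, ban duration, scenario name and nft table/set names are assumptions, and the log lines are constructed.

```python
# Added example, not CrowdSec's code: a miniature version of the agent/bouncer
# split described above. The "agent" parses sshd log lines, runs a leaky-bucket
# brute-force scenario per source IP and emits local decisions plus a minimal
# anonymized signal; the "bouncer" renders decisions as nft commands. Capacity,
# window, ban duration and the nft table/set names are assumptions; the log
# lines are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CAPACITY = 5                          # assumption: failures tolerated inside the window
LEAK_WINDOW = timedelta(seconds=10)   # assumption: older events leak out of the bucket
BAN_DURATION = timedelta(hours=4)     # assumption

# Constructed sshd lines: one noisy attacker, one user mistyping twice, 90 s apart.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Jan 10 12:00:03 host sshd[1002]: Failed password for root from 203.0.113.10 port 51240 ssh2
Jan 10 12:00:04 host sshd[1003]: Failed password for root from 203.0.113.10 port 51241 ssh2
Jan 10 12:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.10 port 51250 ssh2
Jan 10 12:00:07 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.10 port 51255 ssh2
Jan 10 12:00:08 host sshd[1006]: Failed password for invalid user pi from 203.0.113.10 port 51260 ssh2
Jan 10 12:00:09 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 10 12:03:00 host sshd[1008]: Failed password for bob from 198.51.100.7 port 40010 ssh2
Jan 10 12:04:30 host sshd[1009]: Failed password for bob from 198.51.100.7 port 40011 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2022):
    """Parser stage: turn one sshd failure line into an event, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"]}


class LeakyBucketScenario:
    """Scenario stage: one bucket per source IP; overflow produces a decision."""

    def __init__(self, name, capacity=CAPACITY, window=LEAK_WINDOW):
        self.name, self.capacity, self.window = name, capacity, window
        self.buckets = defaultdict(deque)

    def feed(self, ev):
        q = self.buckets[ev["ip"]]
        while q and ev["ts"] - q[0] > self.window:   # leak expired events
            q.popleft()
        q.append(ev["ts"])
        if len(q) > self.capacity:                    # overflow: ban and reset
            q.clear()
            return {"ip": ev["ip"], "scenario": self.name, "origin": "local",
                    "detected_at": ev["ts"].isoformat(),
                    "until": (ev["ts"] + BAN_DURATION).isoformat()}
        return None


def to_signal(decision):
    """What would leave the host: attacker IP, scenario and time only.
    Usernames, hostnames and other victim-side details stay local."""
    return {"ip": decision["ip"], "scenario": decision["scenario"],
            "ts": decision["detected_at"]}


def render_nft_rules(decisions, table="inet filter", set_name="crowdsec-blacklists"):
    """Bouncer stage: decisions -> nft commands, returned as strings for review."""
    return [f"nft add element {table} {set_name} {{ {d['ip']} timeout 4h }}"
            for d in decisions]


def run_pipeline(log_text):
    """Agent side end to end: parse -> scenario -> local decisions + crowd signals."""
    scenario = LeakyBucketScenario("ssh-bf")
    decisions = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:                 # accepted logins and other noise are not events
            continue
        d = scenario.feed(ev)
        if d:
            decisions.append(d)
    return decisions, [to_signal(d) for d in decisions]


if __name__ == "__main__":
    decisions, signals = run_pipeline(SAMPLE_LOG)
    print(signals)
    print("\n".join(render_nft_rules(decisions)))
```

Six failures from 203.0.113.10 inside ten seconds overflow the bucket and yield one decision; bob's two typos 90 seconds apart never do, because the first has leaked out before the second arrives. The signal that would be shared carries no usernames or host names, which is the point of "minimal, anonymized".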
If you're looking for a new tool to play with that does the same in a different and better way (I think) you should check out CrowdSec. It's a modern, distributed version of f2b on steroids (to say it shortly). Like f2b it's free and open source but generates and shares threat intelligence among its users anonymously. On top of that it's capable of taking much more advanced decisions - like detecting and blocking DDoS attacks, credential card stuffing on top of everything you would expect f2b to do. Data sources can be literally anything. Right now it supports files, syslogd, journald or aws cloudtrail. It can protect nginx, cloudflare and much more. Also there's a free to use graphical web console for stats (if you don't want to use prometheus observability yourself).
Disclaimer: I am head of community at CrowdSec and a happy user myself. If this condensed and simple version of what CrowdSec can do has inspired you to know more I did a talk at ShellCon a few weeks ago that takes a deep dive into the architecture and the possibilities that I can recommend. Right now the FreeBSD version is being worked on and upgraded to the latest version. If you try it out please provide me feedback; we haven't had that much feedback (if anything) from FreeBSD users yet :-). And after that we will make packages for pfSense and OPNsense - and probably OpenBSD.
If you have any questions or comments please let me know and I'll be happy to help!
>fail2ban is also a very good idea)
I would suggest CrowdSec as an alternative to f2b. CrowdSec started out as a modern version of f2b but ended up being so much more.
CrowdSec is free, open source threat intelligence - in reality this means that it parses logs and detects attacks and shares those (anonymously) with the other CrowdSec users. On top of that it also receives blocklists based on threat intelligence from the other CrowdSec users. Also, the mechanisms that detect attacks are superior to f2b.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you have any questions or comments please let me know. If you want to know more (admitted, this was the very fast version) you should check out my talk from ShellCon a few weeks ago.
Thanks for mentioning sslh. I did not know that :-)
Take a look at this case to see what the solution is capable of when under a heavy DDoS attack: https://crowdsec.net/2020/10/21/how-to-stop-a-botnet-with-crowdsec/
Alright. There are parsers and scenarios for Vaultwarden (just got committed yesterday) and Nextcloud. Check https://hub.crowdsec.net for what is available. You will be missing some but ask on the Discord or do them yourself (and contribute :-). We just released an article on that. With your regexp experience it should be fairly straightforward.
Like Fail2Ban, CrowdSec also has support for Cloudflare so that it can block IPs (or force users through CAPTCHA) using the Cloudflare API. There's an article on it here. In the example, CrowdSec protects against L7 DDoS but that depends on the installed scenario. If you need any help setting it up, join the friendly CrowdSec Discord.
Depending on what kind of protection you're looking for, you could look into CrowdSec - it's a bit like Fail2Ban in that it is open source and free - and it detects various attacks in the log and mitigates them. There are notable differences though: CrowdSec uses collaborative intelligence meaning that users automatically share anonymized information on the attacks they're seeing, thereby helping each other out so that all users of similar setups can block attacks even before they happen. Secondly CrowdSec is able to detect more advanced attacks like L7 DDoS and mitigate it for free using Cloudflare (as one example). It can also detect bot crawling and other stuff.
A number of reverse proxies are supported; nginx (also nginx proxy manager), openresty, caddy, haproxy, traefik. Mitigating attacks can happen on firewall level, directly in the proxy application or in Cloudflare/Fastly. Just to name a few.
Disclaimer: I am head of community and a happy user myself. If you'd like to know more about CrowdSec I would advise you to watch my talk from BSides London and join our Discord.
I use https://crowdsec.net/. It analyses the logs (like fail2ban) in search of malicious attacks to block and (anonymously) gathers that information in order to create collective blocklists to spread to the community of users. I invite you to give it an eye.
Yeah, sorry - marketing did the title :-) I would probably have written 'detect' instead of avoid. That's more suitable.
Of course. Did you read the follow-up article on the log4j? https://crowdsec.net/blog/how-we-coped-with-the-log4j-storm-at-crowdsec/
I would recommend trying out CrowdSec - it's able to protect practically any service by reading logs from a long range of services and blocking attacks - even pretty advanced attacks like slow brute force and L7 DDoS. The really cool part of it is that it uses collaborative threat intelligence meaning that all users are sharing information on the attacks they see, thereby helping each other out.
Disclaimer: I am head of community at CrowdSec and a happy user myself. If you want to know more you should watch the talk I did at BSides London in November. And join our friendly Discord if you need help :-)
Congrats! To support the community idea of helping and inspiring each other you should look into CrowdSec. A bit like Fail2Ban but more advanced (distributed, able to block traffic on multiple layers, can detect way more advanced attacks like slow bf and bot scraping, L7 DDoS etc). The really cool part of it is that it uses collaborative threat intelligence so that all users in practice work like one helpful community sharing information about the attacks they see (anonymously) thereby helping each other out.
Disclaimer: I am head of community at CrowdSec and a happy user myself. If you want to know more you should watch the talk I did at BSides London in November. And join our friendly Discord if you need help :-)
You could also try CrowdSec - it's free, open source and a bit like Fail2Ban but using collaborative threat intelligence meaning that all users share information (anonymously) about the attacks they're seeing thereby helping each other out. Also it detects more advanced attacks like distributed brute force (if someone else reports the IPs to the crowd), slow brute force and various resource-abusive attacks on L7. CrowdSec works as a distributed application communicating via an HTTP(S) REST API and there's an agent reading logs and detecting attacks - a bouncer blocks traffic on the firewall or application layer.
So in terms of your questions in relation to CrowdSec:
Disclaimer: I am head of community at CrowdSec and a happy user myself. If you want to know more you should watch the talk I did at BSides London in November. And join our friendly Discord if you need help :-)
Crowdsec is like fail2ban on steroids and there is a community API that reports bad actors and the attempts made.
The docs are a bit sparse and it's a learning curve but well worth it IMO. I am not affiliated with project just a user.
No problem. Yes. pycrowdsec does that. Here's an article on how to use it in Flask. If you need help using it I am sure the friendly Discord community can be of service.
I would suggest taking a look at CrowdSec. It bears some similarities to fail2ban but also a lot of differences. First of all CrowdSec uses collaborative threat intelligence meaning that all users share data on ongoing attacks in an anonymous way thereby effectively helping each other out. Secondly CrowdSec is a much newer and faster tool that's able to take more advanced decisions and detect more advanced attacks like L7 DDoS and various bot attacks like crawling and scalping. Thirdly it's possible to block directly in PHP (and many other places like nginx etc) and redirect users to CAPTCHA without cutting real human users off. There's an article on how to do that right here.
u/Mr5andman0 u/shebazz42 u/RustyTheDed u/visitredditreviews u/patryk-tech u/cicatrix1
I'll recommend you to take a look at CrowdSec. A bit like fail2ban only more modern and able to take much more advanced decisions on L7, easy to install and uses collaborative threat intelligence in the sense that all users report the attacks they see anonymously to other users, thereby effectively helping each other out.
Thanks for the help. Yes, you're absolutely right - you don't want to expose that port :-) I am working with a colleague to get support for CrowdSec which (kinda like Fail2Ban does it) reads logs and detects attacks. And for that, log is needed :-)
Fail2Ban is already included in SWAG. But I know that they're working on making it more modular and make Fail2Ban and CrowdSec (which is a modern, collaborative alternative) available via mods instead. So no reason to switch to NPM for that.
On the mainpage of CrowdSec under 'Where to use it' there actually is pfSense mentioned as Coming Soon!
Good stuff!
I'll be setting it up directly on pf when it's available
You don't mention which http server you're running but I am guessing nginx. In that case I would install CrowdSec as an extra layer of security on your ubuntu server. CrowdSec is free, open source and collaborative threat intelligence meaning that users of CrowdSec (anonymously) share data on attacks they're seeing. CrowdSec can be seen as a modern version of Fail2Ban in that it's capable of detecting more advanced attacks such as slow bf, distributed bf (if the malevolent IPs are known by the crowd) as well as various resource-heavy attacks on L7. CrowdSec can block traffic both on firewall level (in this case meaning the host firewall) or in nginx itself thereby doing what you wish to accomplish by blocking an attacker from reaching the NC login page.
Unfortunately there's no support for pfSense or even anything planned - however, support for OPNsense is coming out soon.
I would look into CrowdSec as a modern alternative to Fail2Ban. It's free, open source and collaborative threat intelligence meaning that all users share information on attacks they're seeing with everyone else thereby effectively watching each other's back. On top of just securing ssh, CrowdSec can probably also secure whatever unspecified thing is running on your webserver. As someone else points out above, sharing services to your LAN is bad. But having internet exposed services shared from your LAN hacked is really, really, bad. So you absolutely don't want the web server or anything running off it compromised either.
How are you protecting those services that are internet exposed? With a reverse proxy also? You should consider trying out CrowdSec. It's a bit like fail2ban but different in a number of important ways. Like Fail2ban it's free and open source - but unlike Fail2Ban it utilizes collaborative threat intelligence. This means that all users by default share information on current attacks in near realtime, thereby effectively helping each other out. Also it's capable of detecting more advanced attacks and natively supports a range of cloud technologies (it's a new project in rapid development).
u/2CatsOnMyKeyboard u/vkapadia
Cool. You should consider taking a look at CrowdSec. It's free, open source and using collaborative threat intelligence. This means that all users are sharing data on current attacks in (near) real time in an anonymous way, thereby helping each other out. Also it's able to detect more advanced threats. And both nginx, dovecot and postfix are supported :-)
If you should ever consider something else, you should try out CrowdSec with traefik log parser and bouncer. CrowdSec is free, open source collaborative threat intelligence meaning that users share intelligence on the attacks they're seeing with the crowd, thereby helping each other out. On top of that CrowdSec can detect more advanced attacks like bot scalping, L7 DDoS and much more.
Reverse proxy does nothing to secure your network. I don't like exposing ports without a dmz. I don't think you need more than the UDM Pro to accomplish a DMZ. IDS/IPS are sort of useless, in my opinion. Other things you can do to secure the server:
Great guide! Just want to point out that while fail2ban is an excellent tool there are alternatives around that could be worth looking into. Most notable is CrowdSec. It's free, open source and collaborative in the sense that users are sharing information about attacks thereby effectively helping each other out. Other main differences are that it's able to detect more advanced attacks like slow-bf, L7 DDoS, bot scraping, scalping and much more. Also it blocks traffic on firewall level or directly in a given application such as nginx, traefik and much more. There's even native support for Cloudflare, Fastly and the ability to read logs from various cloud providers. And much, much more.
>goteleport.com/blog/s...
One could also consider CrowdSec as an alternative to Fail2Ban here. It's free, open source collaborative threat intelligence in the sense that all CrowdSec users are helping each other out by reporting the attacks they're seeing, thereby watching each other's back. CrowdSec can be seen as a modern version of Fail2Ban able to detect and protect against more advanced attacks like slow bf and distributed attacks (by utilizing collaborative CTI). Like Fail2Ban it works by parsing logs. CrowdSec can protect a large range of services apart from SSH. Check out details on which logs can be parsed here.
Np. DDoS attacks on http can be mitigated using a tool like CrowdSec and the base http scenarios. That would work for Nextcloud.
You could also look into securing your reverse proxy or ssh with a tool like CrowdSec. It's free and open source crowdsourced threat intelligence meaning that it's a modern, more advanced version of fail2ban able to make much more advanced decisions and blocking traffic on network- or application level. Also crowdsourced in this sense means that all CrowdSec users are helping each other out by sharing information anonymously about the attacks they're seeing so that others can block those ips before they start attacking. A very community-focused and technically clever project!
Log processing needs to be done by the CrowdSec agent - it can be configured with a db backend to scale better. So a bit like that - but also completely differently :-) The beauty of CrowdSec is that all components of the ecosystem communicate via an HTTP(S) REST API so it can run distributed as one wishes. You can read more about the architecture here and how to set up a multi-server setup here.
Depending on exactly how the architecture of this wifi service and the login functionality look, you might be able to do intelligent blocking with CrowdSec. It's free, open source and crowdsourced threat intelligence (this last part is not relevant to you since it's on a private network) and somewhat comparable to fail2ban except it's capable of taking much more advanced decisions and detecting more advanced stuff like slow-bf and bot scraping. It's capable of parsing logs from a large number of webservers and blocking traffic both on the firewall and application layer. And if the log format isn't supported, creating a new log parser is relatively easy. Let me know more about the stack and I'll be able to tell you if CrowdSec can help you out :)
CrowdSec is fantastic! It's free, open source and crowdsourced threat intelligence; a modern version of fail2ban but capable of so much more. Basically anything internet exposed it can protect in a variety of ways - it can detect L7 DDoS and mitigate with Cloudflare or Fastly just to name a few (out of many) possibilities.
All in all this is great advice. I'd like to recommend considering CrowdSec instead of fail2ban and for general protection of internet exposed services. Basically CrowdSec is a modern version of fail2ban - free, open source crowdsourced threat intelligence (meaning that all users share information on attacks they're seeing in almost real time; users thereby help each other block the bad guys). CrowdSec's able to detect attacks more intelligently: on SSH it can detect slow-bf and on http it can detect bot scrapers, xss, sqli etc as well as DDoS attacks (and mitigate them for free using Cloudflare or Fastly). Those are just a few examples. Much more is supported, among others nginx, traefik, Docker, k8s, etc etc.
I would consider something like CrowdSec which is basically a modern and more intelligent version of fail2ban which is being suggested elsewhere by u/aadpstech. Also it's free, open source and uses crowdsourced threat intelligence which means that all users are helping each other out by sharing information (anonymously!) about current attacks in near realtime with other users. It's more intelligent than f2b in that it's able to detect attacks like bot scraping or whatever it is your client is experiencing. There's even support directly in Wordpress where one can choose to cut just the bots out by forcing access through CAPTCHA if suspicious behavior is detected. This is also free and really easy to configure :-)
Disclaimer: I am head of community at CrowdSec and an eager user myself. If you're interested in knowing more you should watch the talk I did at ShellCon a couple of months ago. And if you have any questions or comments feel free to let me know :-)
I can only recommend checking out CrowdSec to see if that would fit the task better. It's free and open source and works as a fast, modern, distributed and crowdsourced version of fail2ban capable of making much more advanced decisions and detecting much more advanced attacks on a large (and growing) number of services and layers (firewall vs application). Crowdsourcing in this context means that all users share data on attacks, thereby helping each other out. Check out my comment elsewhere in this thread and feel free to reach out if you want to hear more.
After reading through some of the comments and reflecting a bit about it myself I would say that security is layered (not that that is new knowledge).
You can't do just one thing to prevent bf (or other attacks). But to minimize user impact (and workload while trying to protect all infrastructure at once) tooling and automation is the way to go. Someone suggests fail2ban which is not a bad idea at all. I would do something else though.
I would go with a more modern tool like CrowdSec; it's free, open source and crowdsourced threat intelligence and made to protect services against all sorts of attacks. It more or less autoconfigures for the most simple setups (like ssh). It's superior to fail2ban in a number of ways: first of all, as I said above, it bases upon crowdsourced CTI. This means that all users help each other out by anonymously sharing information about attacks so users can block attackers before they start attacking you. It's capable of detecting more advanced attacks like slow, distributed bf, L7 DDoS attacks and all sorts of resource abuse, it's fast (written in Go), it scales and is distributed so all your perimeter can be managed centrally. It supports a long range of technologies from simple ssh to Cloudflare, Fastly, AWS, nginx, traefik, Wordpress, Magento and much more. So check it out, join the crowd!
As the head of community for another open source project CrowdSec that's crowdsourced threat intelligence (think a modern version of fail2ban where all users help each other by sharing intelligence about the cyberattacks they're seeing - and much more cool stuff) I would be interested in the part that involves community building and communication with users and how to get dedicated users more involved in e.g. contributing.
Brilliant tool - but old, slow and doesn't use any kind of networked, single point of administration or anything. Also it isn't capable of taking very advanced decisions compared to a tool like CrowdSec, which is fast, more advanced in the decisions it's capable of taking and detects slow bf and various kinds of resource abuse. Furthermore it's crowdsourced, meaning that all users share information on the attacks that are being discovered with other users. Pretty innovative!
Why not help everyone out (yourself included) by automatically sharing who attacks you with others, thereby helping out? That's what CrowdSec does. Kinda like advanced fail2ban - free, open source crowdsourced threat intelligence.
Yes. We have a dockerized version of the CrowdSec agent (not bouncers) as well as Helm charts for k8s. A few weeks ago we did the first part of a two-part article - and the second part is out soon.
Hey, cool setup! Did you consider using CrowdSec instead of fail2ban? It's free, open source and crowdsourced threat intelligence in the sense that users share information about relevant attacks, and it works somewhat similar to f2b - but more advanced, modern and faster. On top of that I heard that they plan to collaborate with 3rd party CTI suppliers - in this case the planned collaboration with ledger.io would be relevant. Ledger collects CTI on attacks related to crypto currency and plans to share those with CrowdSec. Pretty neat!
I am head of community at CrowdSec so I do have some insider information available :-) Also I do talks on CrowdSec so if you're interested in knowing more I did a talk at ShellCon a couple of months ago that could be relevant if you're interested in learning more.
Assuming you're on Linux or FreeBSD you could use something like CrowdSec. It works a bit like fail2ban but more intelligently, in that you can very precisely define scenarios that are unacceptable and which are not (the standard scenarios protect against a long range of attacks out of the box). Those not accepted will be blocked, either via integration with your host firewall or via a custom script that will add the malevolent ips to an acl and block them via Apache itself.
CrowdSec is free, open source and crowdsourced ids/ips and more. I am head of community so let me know if you need any help or join our Discourse. If you are looking to learn more about CrowdSec you should check out my talk from ShellCon.
Hey, I like your project. I don't know much about blockchain, smart contracts or ASA though. But I am slowly learning :-)
I'd like you to consider the use of CrowdSec to mitigate both the risk of bots catching/scraping airdrops and for protecting your servers. CrowdSec is free, open source, crowdsourced threat intelligence. One way to see the project is to call it a modern fail2ban. While not being untruthful, it's not quite spot on because so much more is possible than just protecting ssh against brute force attacks and sharing the information about those attacks in an anonymous manner with other CrowdSec users, thereby standing together and helping each other to protect against attacks. It's also an intelligent mechanism that can parse any kind of datastream for patterns and react on those. This means that CrowdSec is capable of detecting L7 DDoS attacks, bot scraping, credit card harvesting, data exfiltration and probably also bots scanning for airdrops (without really knowing how and where these are stored). I know that CrowdSec is already in place on the ticket-selling website of a large European football club to prevent automatic hoarding of tickets. So that is just one example.
I am head of community at CrowdSec so if you're interested in knowing more I can get you in contact with our CTO so you can talk about the possibility of fitting CrowdSec into the airsho infrastructure. If you want to know more about CrowdSec in general you should watch my talk from ShellCon. And if you have questions feel free to ask; I'll be happy to help!
Thanks. That makes perfect sense. Many others seem to be switching for the same reasons. I did the switch too some years ago and I've never regretted it. Upgrades never fail and menu options are more or less the same. So I am happy. Also, there seem to be other interesting open source projects making themselves available on OPNsense, among others CrowdSec.
I think you should know about CrowdSec (free, open source crowdsourced threat intelligence + tools) and the ability to protect any PHP site against a number of security vulnerabilities (it can also replace fail2ban and is quite easy to configure).
Happy to hear that :-) How long have you been a happy user? And are you using it for other stuff as well? Did you try out the log4j scenario (if nothing else then just to report bad guys and be part of the fancy looking stats :-))
Thanks a lot. I am head of community at CrowdSec. Is it ok we share this if we give you credit?
Also, I don't disagree that it's worth paying security vendors good money for CTI, but you could consider CrowdSec as an alternative: unlike other security products, all CTI comes from CrowdSec users; by default CrowdSec agents (which are installed on real production systems around the world across industries and private people) share threat data anonymously with other users. Data is validated centrally; this is how this list came to be.
Unfortunately we don't support Palo Alto (among others because it takes a lot of time to get collaboration going with large commercial companies) but we do support many other technologies. If you want to know more about the software you should check out my talk from ShellCon. And if you have any questions, feel free to ask. I'll be happy to help!
I would suggest CrowdSec instead of fail2ban. You could see it as a modern version of Fail2Ban. It's free, open source and crowdsourced in the sense that users share (anonymous!) information about the attacks they're seeing, the crowd verifies the data - in that way everyone is helping each other out. Also it's different compared to Fail2Ban in that it's capable of taking much more advanced decisions and detecting more advanced attacks like resource abuse, data exfiltration and more.
Disclaimer: I am head of community at CrowdSec and a dedicated user myself. If you're interested in knowing more about CrowdSec (this is the short and overly simplified version) I did a talk at ShellCon I'll recommend. Also if you have any questions I'll be happy to answer them and help you out in any way I can.
I wouldn't recommend both fail2ban and CrowdSec. I can't rule out that they mess each other up - this is currently untested (mostly because why would you?).
For those who are unaware, CrowdSec is free, open source and crowdsourced threat intelligence where users help each other out by sharing intelligence of the attacks they're undergoing in an anonymous way. Kinda like fail2ban but different in a large number of ways. Watch this talk for more information.
Not snake oil. These are verified ips that do log4j exploitation. If you need a temp fix real quick, the list is better than not doing anything.
Of course the best solution would be to patch and install CrowdSec so you'll be a part of the CTI network that shares information (anonymously) about attacks, thus helping each other out.
Thanks! One could also look at CrowdSec, from which the data comes. CrowdSec is free, open source crowdsourced threat intelligence in the sense that information about attacks is anonymously shared among users and auto blocked so that everyone is effectively helping each other out in an automated way.
I am head of community at CrowdSec and if you want to know more, I recommend the talk I did at ShellCon a few months back. If there are any questions please don't hesitate to reach out.
Fail2ban would work fine - but you could also consider CrowdSec. See it as a more modern version of fail2ban where users share data on the attacks they're undergoing (anonymously). Also it's capable of detecting attacks that are way more advanced. It's free and open source like f2b.
Disclaimer: I am head of community at CrowdSec and an engaged user myself. If you want to know more about the idea behind CrowdSec and some technical details etc you should see my talk from ShellCon. And if you have any questions please let me know :-)
I agree with the other posters that it's no big deal what you're seeing - as long as they hit something which isn't there. But if you want to block it anyway (or just want to make sure future attempts of more nasty attacks will be blocked), I'd do it with CrowdSec, which would watch the nginx log and block those attempts when it sees them (if they aren't blocked already based on signals from the crowd - meaning that the same ip already attacked other users. In that case it would be blocked in your instance as well as every other relevant user's).
Well you're getting it because one of their VPS customers is doing something shady. Every cloud provider and ISP has those. That is literally the background noise of the internet. And I would definitely advise against a headless ban of an entire cloud provider. Of course depending on who has a legitimate need of any of your internet exposed services. If no one needs it, firewall it :)
Assuming you do need services that are internet exposed I would do a more intelligent filtering like what CrowdSec does. It's an advanced and crowdsourced version of fail2ban that is quite good at detecting and blocking even quite advanced attacks - and sharing information about those with all other users so that this ip from Digital Ocean and whoever else is doing shady stuff is blocked everywhere where CrowdSec is in use. To me that's the way to go; to share intelligence and block everybody who's trying to mess up.
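The comments above describe two distinct signals: a local one (an IP hammering an nginx server with requests for things that aren't there) and a crowd one (an IP already reported by other users). The following is an added example, not CrowdSec's own code, showing how a minimal log watcher could combine both. The log lines, the 404-burst threshold and the "known bad" set are all constructed for the demo; real tools tune these per scenario.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed nginx access log sample (combined log format). 203.0.113.7 probes
# paths that don't exist; 198.51.100.20 is a normal visitor with one stray 404.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2021:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:13:55:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:13:55:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:13:55:03 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2021:13:55:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.20 - - [10/Oct/2021:13:55:10 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2021:13:56:40 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Oct/2021:13:57:00 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""

# Matches the leading fields of the nginx "combined" format up to the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}


def detect_scanners(lines, known_bad=frozenset(), threshold=5, window=timedelta(seconds=30)):
    """Return {ip: reason} for IPs that should be blocked.

    known_bad stands in for a blocklist received from other users (the crowd signal);
    the 404 burst rule is the purely local signal. Both values are constructed defaults.
    """
    decisions = {}
    hits = defaultdict(list)  # ip -> timestamps of recent 404 responses
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ip in known_bad:
            # Already reported elsewhere: block on first sight, no local evidence needed.
            decisions.setdefault(ip, "crowd: already reported by other users")
            continue
        if ev["status"] != 404:
            continue
        recent = [t for t in hits[ip] if ev["ts"] - t <= window]
        recent.append(ev["ts"])
        hits[ip] = recent
        if len(recent) >= threshold and ip not in decisions:
            decisions[ip] = f"local: {len(recent)} x 404 within {window.seconds}s"
    return decisions


if __name__ == "__main__":
    for ip, why in detect_scanners(SAMPLE_LOG.splitlines(), known_bad={"192.0.2.99"}).items():
        print(f"block {ip}: {why}")
```

Feeding the same lines with and without the constructed crowd list shows the difference the shared signal makes: the scanner is caught locally either way, while the otherwise well-behaved 192.0.2.99 is only blocked when the crowd has already flagged it.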
To mitigate I would go with CrowdSec. In that it can work as a modern, crowdsourced version of fail2ban it would block the attacker before they get a chance to attack if it's from an ip already known in the CTI network. Also CrowdSec is able to detect attacks that are way more advanced, such as slow bf.
Old article but great to see that some advice still makes sense today. I would, however, suggest CrowdSec over Fail2Ban. It's free, open source crowdsourced threat intelligence. Think of it as a modern version of f2b. Most notable is the fact that it's distributed, can run from one central installation and shares data of attacks among users (hence the crowdsourced part). Furthermore it's capable of taking much more advanced decisions and detecting much more advanced attacks ranging from slow bf, L7 DDoS, credit card stuffing, scalping, data exfiltration and much more.
Disclaimer: I am head of community at CrowdSec and an engaged user myself. If you want to know more I suggest that you watch the talk I did a couple of months ago at ShellCon that provides background, overview and technical details. And if there are any questions, please let me know. I'll be happy to help.
P.S. Next tuesday we're doing our first webcast - sign up here.
Let me elaborate on this. First and foremost: I am sorry the cookie manager-thingy is in French only. I don't speak French so it's a pain for me as well. We will be fixing that.
Secondly, and I don't know how to emphasize this enough: We do not sell data!
Here are the legal notices to prove that. If we sold data it would be stated here. We're in the EU so we need to comply with GDPR (which we do, of course).
To put an extra layer of security on top I would recommend CrowdSec. Free, open source and crowdsourced threat intelligence. Crowdsourced here means that users share information about attacks and help each other out against the cyber criminals, so to speak. It has many applications; one of them being an advanced fail2ban protecting ssh and haproxy by using intelligence from the crowd and detecting more advanced attacks than fail2ban is capable of. It blocks malicious traffic on either network or application layer; in nginx, wordpress, traefik, Cloudflare and more. In this case traffic would be blocked on firewall level for both services.
Disclaimer: I am head of community at CrowdSec and an engaged user of the software myself. If you're interested in knowing more details, I can recommend the talk I did back in October at ShellCon. If you have any questions or comments please let me know. I'd be happy to help!
I would recommend trying out CrowdSec over Fail2ban. CrowdSec is free, open source crowdsourced threat intelligence with a large number of applications. Crowdsourced basically means that information on attacks is shared between users so that all users help each other out against cyber criminals. One of many applications is a modern fail2ban, capable of detecting more advanced attacks and blocking them in a number of ways, either on firewall or application level directly in, say, nginx, wordpress, traefik or even Cloudflare - and more. Obviously it works for ssh too. And very easy to use; installed services are being autodetected upon installation and configured automatically.
Disclaimer: I am head of community and an excited and engaged user myself. If you want a more nuanced idea of what CrowdSec can do, I recommend the talk I did at ShellCon in October. And if you have any questions or comments please let me know. I'd be happy to help.
In this scenario I would suggest a more intelligent tool like CrowdSec. It's free, open source crowdsourced threat intelligence and works (very simply put) as a modern, distributed version of Fail2Ban. Distributed in this sense means that one central 'brain', which also receives threat intelligence from other users, controls the access to all services. That's an advantage since it can see across all devices in the perimeter and shut them all down from all ips at once. In my mind that creates a more secure perimeter.
Disclaimer: I'm head of community at CrowdSec and a passionate user myself. If you want to know more, watch the talk I did at ShellCon in October. And if you have any questions or comments I'll be happy to help.
I would suggest trying out CrowdSec. It's free, open source crowd sourced threat intelligence. In this context you can see it as a modern, easily configurable version of Fail2Ban that shares (anonymized) data on attacks with other users. It's capable of detecting more advanced attacks - and it can do so much more. And it's available for OpenWRT.
Disclaimer: I am head of community at CrowdSec and an excited user myself. In October I did a talk at ShellCon on CrowdSec that both gives the overview and goes into technical details. Obviously the explainer above is very simplified.
If you have any questions or comments I'll be happy to help!
I am working on integrating CrowdSec, more specifically the nginx part. To begin with I'll just extend the npm Docker container with CrowdSec's install instructions and see how it goes.
I would advise you to take a look at CrowdSec; a modern version of fail2ban using crowdsourced threat intelligence in the sense that all users share information about attacks, thereby protecting each other. It protects ssh and nginx (I am guessing it might be what you use as reverse proxy). All parts of the software are communicating via http(s) rest api so you would need only one agent talking to bouncers and mitigating attacks via bouncers on whichever VM.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you want to know more I suggest you watch my talk from ShellCon last month. If you have any questions or comments I’ll be happy to help.
I can totally relate to that as I also work at an open source project called CrowdSec. I really find it satisfying to support the community by giving them a good tool for free, no strings attached.
Hey - thanks for liking my post :-)
Data poisoning is a totally legitimate thing to ask about. Actually it's typically among the two questions people always ask the first time they hear about CrowdSec (the other one is how we make money when everything's free. I can elaborate on that later if you are curious).
To answer your question from the end: Yes, this IS a concern. Luckily we've been taking it into consideration from the very beginning. The key to this is our trust ranking system. Our network of honeypots plays a crucial role here. Those are for verifying the crowdsourced data. Honeypots have trustrank 100. All others are ranked based on their trustworthiness over time - up to 99. And when ips are 'voted' bad it takes a certain amount of points to do so, based on the trust rank from the host that claims a certain ip is bad. This means that if you want to poison the CrowdSec database it's perfectly possible, yes. But very time consuming and expensive. And on top of that there are certain ips that can't be banned, like Google's DNS, SEO bots, CDN network ips etc. We've written about it here.
I hope this makes sense. If not - or if you have more questions - feel free to ask.
Instead of Fail2Ban I'd suggest CrowdSec. To put it shortly without really saying what it is, it's free, open source and crowdsourced threat intelligence - as well as an IDS, IPS and more. For now, think of it as a modern and improved version of Fail2Ban.
In this context crowdsourced means that it shares threat intelligence with other users; think of it as the Waze of cyber security. So not only does it protect you from all the bad guys that attack others in the ecosystem, it's also capable of taking way more advanced decisions than f2b can. This means that it can detect and mitigate all sorts of resource abuse such as L7 DDoS on Cloudflare, bot scraping, credit card stuffing, data exfiltration etc.
The really big idea behind making CrowdSec crowdsourced is that it's a tool that can help ordinary, decent people to stand together against those cyber criminals who are really having a good time attacking ordinary people like you and me for money. The really scarce resource on the internet is IPv4 ips. So if CrowdSec can block 90% of the ips they use, it's going to be harder and more expensive; the playfield is being levelled. And the more users of CrowdSec, the harder a time they'll have. So not only is the power of the crowd way more powerful than being on your own, you also help big bad guys on a large scale.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If I have woken your curiosity, take a look at our doc site or check out the talk I did last month at ShellCon. If you have any questions or comments, please let me know. I'll be happy to help!
That’s a matter of basic philosophy, I guess. Whenever I am looking to buy something just a little expensive, I spend hours looking at reviews to make sure whatever I get is the best. Same thing here - even though money is not in the question. If I can only run one tool, I want it to be the best.
But I get it - fail2ban is what everyone has been using for the last close to 20 years. Not necessarily because it is the best tool (even though it's awesome) but because it's the tool one knows, what can be googled, and it does what it says on the tin. I am not asking for everyone to switch to CrowdSec today (although that would be great! :-)) but now you know about it and can make a qualified decision.
Regarding crowdsourcing there are many ways to do that, I guess. CrowdSec has pretty advanced mechanisms to protect against poisoning and false positives. It's all in the advanced consensus engine. I don't know how Wordfence works or how big their CTI network is, but even though CrowdSec is not at all as large as we want it to be, we're already the largest CTI network in the world. I guess that must count for something, right? And speaking of Wordpress there's also support for that :-)
Would you consider installing CrowdSec on your Amazon VPS instead? I ask because CrowdSec's using crowdsourced threat intelligence (and is free, open source and basically works as a modern and more advanced version of fail2ban) so I would really want you to donate your attack data. That could be really useful to the project.
I am head of community and the most important task I have is to get the community to grow so the threat intelligence gets better for the benefit of everyone. If you want to know more I suggest you read the docs and watch my talk from ShellCon last month. And feel free to reach out if you have questions or comments. I would be delighted to help you out :-)
Depending on what you want to do with your VPS, it might make sense to take a look at CrowdSec, which is free, open source, crowdsourced threat intelligence. Think of it as an improved and modern version of fail2ban (even though it can do so much more). The really cool thing about it is that it (anonymously) shares threat intelligence from all users so that attackers attacking others in the ecosystem will be automatically blocked. It does what you would expect fail2ban to do but has much more advanced logic and is capable of detecting abnormal behavior (using a rule-based approach, no AI/ML ftw). That is a bit fluffy but it means that exfiltrating data, bot scraping, DDoS and much more can also be detected and blocked either on L3 via host firewall (iptables, nftables or pf) or on L7 via nginx, cloudflare, wordpress, any php app and more.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you're interested in knowing more, take a look at our doc site or watch the talk I did last month at ShellCon. If you have any questions or comments feel free to leave them here and I'll do my best to help you out.
I would say it depends on your threat analysis. If you're afraid of anyone abusing your sendmail for spamming purposes I would say that you're good to go. If you want to protect it against a number of other threats, exploiting and god knows what, you need something else, for instance CrowdSec, which is a modern version of f2b using crowdsourced threat intelligence (and being way more advanced). Parsing postfix logs is supported out of the box (spammers are detected too) - so is blocking abuse via the host firewall on Linux and FreeBSD. Disclaimer: I am head of community at CrowdSec and an avid user myself. If you're interested and want to know more, please let me know. I'll be more than happy to help you out in any way I can.
I would also recommend CrowdSec with a Wordpress bouncer. I am head of community at CrowdSec and an avid user myself. CrowdSec is free, open source crowdsourced threat intelligence and meant to be a modern version of Fail2Ban but ended up being so much more - among other things native support for Wordpress, free to use.
If you're interested in learning more I did a talk at ShellCon last month which I can recommend. Also feel free to ask any questions or provide any comments. I would be happy to help out.
You mean that I got upset? Not really, I just feel it's a shame that the OP has settled on what to do and muted the discussion before I joined the discussion and provided the absolutely best solution ever (all right, I'm biased) :-)
In terms of testing, we did an article on anti-DDoS with Cloudflare (which you can find here). The service we used for that is Str3ssed. It worked like a charm so we can only recommend it.
Thanks for mentioning CrowdSec here :-) It happens more and more so I guess we're doing something right.
I am head of Community at CrowdSec and an avid user myself and I can confirm that CrowdSec would be a good choice for this. Also better than nginx plus, as OP seems to have settled on. The thing with CrowdSec is that it's crowdsourced threat intelligence; so we already know a number of bad guys doing DDoS attacks which will be blocked by default by using CrowdSec. Also all the stuff you have to configure yourself with nginx plus in terms of which thresholds are acceptable etc. is done by default.
Feel free to try it out and ping me if you need help or have any questions. I'll be happy to help.
On top of these great suggestions I would also suggest using CrowdSec instead of f2b. CrowdSec is free, open source crowd sourced threat intelligence.
In this scenario CrowdSec does what f2b can - and more. It protects ssh and nginx out of the box - and on top of that it can protect against L7 DDoS attacks via Cloudflare (yes, Cloudflare has built-in anti-DDoS also but that sure ain't free :-)).
In this context crowdsourced means that CrowdSec detects attacks from logs and shares them (anonymously!) with other CrowdSec users so that a number of threat actors are blocked by default.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you want to know more (admitted, this was the very fast version) you should check out my talk from ShellCon a few weeks ago.
If you have any further questions, comments or problems getting CrowdSec to work after reading this and wanting to try it out, please let me know.
Instead of installing f2b which - as you point out - is a bit outdated, I recommend CrowdSec instead. It's free, open source crowdsourced threat intelligence and started out to be a modern version of f2b but has ended up being so much more. The main reason why it would protect better against botnets is the threat intelligence it gets from other members of the CrowdSec network, so that all those botnets are always banned as long as they're updated in the database. On top of that there's a more advanced decision engine that will e.g. ban an entire ip class if 5 are already banned (default, but this can be customized).
CrowdSec consists of two parts: an agent and a so-called bouncer. The agent parses logs and detects attacks. Also it sends (anonymized!) logs to CrowdSec's consensus engine, which determines, based on a number of factors, if the ip should be globally banned, and gets block lists. The bouncer controls traffic based on those blocklists and can do this both on L3 and L7 by using firewall bouncers (iptables, nftables or pf), nginx bouncer, php bouncer, wordpress bouncer - there's even one for Cloudflare. Development is happening quite fast!
On top of that there's also a free to use web console that can show a number of fancy graphs and useful stats.
Disclaimer: I am head of community at CrowdSec and an avid user myself. If you're interested in learning more (this is the really short version and doesn't cover everything - not even close) you can see a talk I did at ShellCon a few weeks ago here. Let me know what you think - also I'll be happy to answer any questions and help you out as much as I can.
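The post above describes two mechanics worth seeing in code: the decision engine escalating from single ips to "an entire ip class" once 5 ips in it are banned, and the bouncer side that only has to answer "is this ip covered by a current decision?". The block below is an added example, not CrowdSec's agent or bouncer code; it assumes a /24 as the ip class (the post doesn't say which size is meant), keeps the post's default of 5, and uses constructed ips.

```python
import ipaddress
from collections import Counter

RANGE_PREFIX = 24   # assumption: treat an IPv4 /24 as the "ip class" from the post
RANGE_TRIGGER = 5   # the post's stated default: 5 banned ips escalate to the whole range


def build_decisions(banned_ips, prefix=RANGE_PREFIX, trigger=RANGE_TRIGGER):
    """Turn a flat list of banned IPv4 addresses into a compact decision list.

    Any /prefix network holding at least `trigger` banned hosts becomes a single
    range decision; hosts outside such ranges stay as individual /32 decisions.
    """
    hosts = [ipaddress.ip_address(ip) for ip in banned_ips]
    hosts = [h for h in hosts if h.version == 4]   # IPv4 only in this toy model
    per_net = Counter(ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts)
    ranges = {net for net, count in per_net.items() if count >= trigger}

    decisions = set(ranges)
    for h in hosts:
        if not any(h in net for net in ranges):
            decisions.add(ipaddress.ip_network(str(h)))   # single host as a /32
    return sorted(decisions, key=lambda n: (int(n.network_address), n.prefixlen))


def is_blocked(ip, decisions):
    """What a bouncer does per request: match the client ip against every decision."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in decisions)


def demo():
    # Constructed blocklist: five hosts in 203.0.113.0/24 (enough to escalate)
    # plus two stragglers in 198.51.100.0/24 (not enough).
    banned = [
        "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4", "203.0.113.5",
        "198.51.100.7", "198.51.100.8",
    ]
    decisions = build_decisions(banned)
    return {
        "decisions": [str(d) for d in decisions],
        # never seen individually, but inside the escalated range
        "unseen_in_range": is_blocked("203.0.113.200", decisions),
        "listed_host": is_blocked("198.51.100.7", decisions),
        # neighbour of the stragglers: no escalation happened, so it passes
        "neighbour": is_blocked("198.51.100.9", decisions),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Collapsing five host bans into one range entry is what makes the escalation cheap for a firewall bouncer to enforce (one rule instead of many), and the `neighbour` case shows the flip side the post's "can be customized" hints at: the trigger decides how much collateral a shared hosting range can suffer.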
Great to hear that you have focus on security. Kudos, my friend! :-)
To be completely honest I am not that big an f2b expert. Part of that is that I am involved in a free, open source project called CrowdSec that has evolved to be a more modern and advanced version of f2b (and uses crowdsourced threat intelligence). I know that by default it would be able to parse apache logs and block a number of attacks; sqli, xss etc. So obviously I would recommend doing that if you want to protect your vps. CrowdSec would protect ssh against brute-force attacks by default as well. It has a number of other funky features (not counting the crowd-sourced part that in itself is lightyears ahead of f2b). If you're interested you can see a talk I did at ShellCon a few weeks ago here. Let me know what you think - also I'll be happy to answer any questions and help you out as much as I can.
On top of the firewall I would proxy all the mentioned services via said vps with nginx and CrowdSec, which is meant as a modern version of fail2ban - this means that it can also protect ssh out of the box.
CrowdSec is free, open source, crowdsourced threat intelligence, meaning that all users of the software (anonymously) transmit intelligence on who's attacking them to a central database where it's determined whether a given ip is malevolent or not.
When CrowdSec is set up to protect nginx as described above it also effectively works as an L7 anti-DDoS mechanism as well as a sort of firewall within nginx, thereby protecting from a variety of attacks.
On top of that it's possible to keep track of the attacks that are going on via fancy graphs in the free to use console.
Disclaimer: I am head of community at CrowdSec and an avid user myself.
These are just some of the things CrowdSec can do and a very short explanation of what it is and what it can do. It's new software in rapid development with a userbase that's growing quite fast. I did a rather technical talk last week at ShellCon that will give an overview of the possibilities. Check it out here. Let me know what you think - also I'll be happy to answer any questions and help you out as much as I can.
For a more modern alternative to Fail2Ban I would consider CrowdSec, which is open source and free to use. Installed on Linux it protects ssh by default so it really is quite easy to get up and running. On top of that it can do a number of other interesting tricks in that it has a crowdsourced nature, meaning that all installs of the CrowdSec agent are reporting (anonymized) data on current attacks on their host (it detects these by parsing the log) to a central db. On top of that it can protect a number of services and take more advanced decisions such as detecting malevolent behavior based on a large number of criteria and much more. It even has a free to use web console.
Disclaimer: I am head of community at CrowdSec and an avid user myself. I recently did a relatively technical talk on CrowdSec and how it works at ShellCon. See the recording here. If you have any questions or comments feel free to let me know.
How was your site hacked? Did the attacker brute force wp-admin?
Either way, I'd suggest you install CrowdSec if you can. This is basically crowdsourced threat intelligence (free, open source). I bring this up in a Wordpress context because there's a Wordpress plugin that uses the CrowdSec built-in mechanisms (both the ability to detect malevolent traffic and the crowdsourced threat intelligence) to protect any Wordpress site including wp-admin. There's an article on how it works and how to install it here.
Besides just protecting Wordpress, CrowdSec can protect any service. See it as a modern version of Fail2Ban but with a much more sophisticated decision engine. It can protect ssh, your reverse proxy, your website in Cloudflare, any PHP site and a lot more. It is relatively young software but the foundation is there to do great - like using the power of the crowd to fight against cyber criminals.
Disclaimer: I am head of community at CrowdSec and an avid user of the software myself. Last week I did a 40 min technical deep dive into CrowdSec at ShellCon. Watch my talk here. Let me know if there are any questions or comments. Happy to help!
I'd like to suggest CrowdSec. This is basically crowdsourced threat intelligence (free, open source). I bring this up in a Wordpress context because there's a Wordpress plugin that uses the CrowdSec built-in mechanisms (both the ability to detect malevolent traffic and the crowdsourced threat intelligence) to protect any Wordpress site including wp-admin. There's an article on how it works and how to install it here.
To me it would make great sense to install this (once you've taken care of host security, obviously).
Besides just protecting Wordpress, CrowdSec can protect any service. See it as a modern version of Fail2Ban but with a much more sophisticated decision engine. It can protect ssh, your reverse proxy, your website in Cloudflare, any PHP site and a lot more. It is relatively young software but the foundation is there to do great - like using the power of the crowd to fight against cyber criminals.
Disclaimer: I am head of community at CrowdSec and an avid user of the software myself. Last week I did a 40 min technical deep dive into CrowdSec at ShellCon. Watch my talk here. Let me know if there are any questions or comments. Happy to help!
I'd like to point the attention towards CrowdSec. This is basically crowdsourced threat intelligence (free, open source). I bring this up in a Wordpress context because there's a Wordpress plugin that uses the CrowdSec built-in mechanisms (both the ability to detect malevolent traffic and the crowdsourced threat intelligence) to protect any Wordpress site including wp-admin. There's an article on how it works and how to install it here.
Besides just protecting Wordpress, CrowdSec can protect any service. See it as a modern version of Fail2Ban but with a much more sophisticated decision engine. It can protect ssh, your reverse proxy, your website in Cloudflare, any PHP site and a lot more. It is relatively young software but the foundation is there to do great - like using the power of the crowd to fight against cyber criminals.
Disclaimer: I am head of community at CrowdSec and an avid user of the software myself. Last week I did a 40 min technical deep dive into CrowdSec at ShellCon. Watch my talk here. Let me know if there are any questions or comments. Happy to help!
It sure does. I don't know much about it but this is pretty effective; in our testing we were capable of killing a DDoS attack on a WooCommerce site within five minutes (and two of those are lag from when you order a blocking via API until it's implemented). Also, as I said, it doesn't just do hard blocking but can force users through a CAPTCHA so just bots are killed off. Details are in https://crowdsec.net/how-to-beat-application-ddos/ (where there's also a video demo).
CrowdSec is planning on doing a Windows version of their agent and firewall bouncer. Nothing is public yet but plans are to have it ready in Q1 2022. More info on CrowdSec in general at https://crowdsec.net/. Disclaimer: I am community manager at CrowdSec so if you have questions, please let me know. CrowdSec is free and oss and primarily on Linux and FreeBSD. But plans are to support way more environments over time.