About Client

CrowdSec is a hyper-growth cybersecurity company with 300k+ installations. According to G2, it is a market leader in 8+ categories.

Problem Statement

CrowdSec offers its users an open source threat detection engine. This engine reads logs and other data sources to detect malicious IPs. Users can then use various remediation components provided by CrowdSec to act upon these IPs at various levels. In addition, the malicious IPs are sent to CrowdSec, which aggregates this data, applies a large set of rules and provides it back to the users in the form of an IP blocklist, so users can block these IPs before even being attacked.

One of CrowdSec’s large enterprise customers wanted to use CrowdSec to protect their Stormshield firewalls. Stormshield is a popular firewall used by many enterprises. CrowdSec did not have a remediation component for Stormshield, so the customer was not able to use CrowdSec to protect their firewalls.

Solution

We decided to build a Stormshield remediation component for CrowdSec. This component would sync malicious IPs from CrowdSec with a Stormshield block list, and create a firewall rule in Stormshield to perform user-configured actions (block, log, etc.) on IPs originating from this block list.

Implementation

We used Python to implement the remediation component, because both Stormshield and CrowdSec provide a Python API library. It has been packaged as a Docker image. The remediation component includes utilities to clean up everything it creates and to generate the Stormshield configuration in a single command.

The remediation component polls the CrowdSec API every update_frequency interval. It then fetches the list of IP bans and syncs them with the Stormshield appliance’s blacklist.

Since CrowdSec provides a huge number of banned IPs, using the Stormshield API alone is not possible: the API only allows adding one IP at a time to the blacklist directly, which is extremely slow.

To overcome this limitation, the remediation component uses SSH to connect to the firewall appliance to:

  • Create two groups: Crowdsec and CrowdsecDeleteGroup.
  • Create objects for all the new banned IPs and expired bans.
  • Add all the banned IPs to the Crowdsec group and all the expired bans to the CrowdsecDeleteGroup. This is done by modifying the /data/Main/ConfigFiles/objectgroup and /data/Main/ConfigFiles/object files.

Then the remediation component will use the Stormshield API to:

  • Add the Crowdsec group to the blacklist.
  • Remove the CrowdsecDeleteGroup from the blacklist.

Finally, the remediation component empties the CrowdsecDeleteGroup over SSH.

This process is repeated every update_frequency interval.
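The sync cycle above, written out as an added Python example (not the project's code): it diffs the appliance's current group against CrowdSec's decisions, keeps an IP banned while any of its decisions is still active, skips malformed values, and lists the SSH and API steps in the order described. The (ip, expires_at) ban shape, the assumption that expired IPs leave the Crowdsec group, and the crowdsec_<ip> object naming are assumptions, not taken from the page.

```python
"""Added example, not the project's code. Assumptions not from the page:
a ban is an (ip, expires_at) pair, appliance state is the IP set of the
Crowdsec group, expired IPs leave that group, object names are made up."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

GROUP, DELETE_GROUP = "Crowdsec", "CrowdsecDeleteGroup"  # names from the page

@dataclass(frozen=True)
class SyncPlan:
    add: frozenset     # IPs to create as objects and put in the Crowdsec group
    expire: frozenset  # IPs to move into CrowdsecDeleteGroup

def plan_sync(in_group: set, bans: list, now: datetime) -> SyncPlan:
    """Diff the appliance group against CrowdSec decisions. An IP may carry
    several decisions and stays banned while any is active; malformed values
    are skipped rather than written into the firewall config."""
    active = set()
    for raw_ip, until in bans:
        try:
            ip = str(ip_address(raw_ip))  # normalise, reject garbage
        except ValueError:
            continue
        if until > now:
            active.add(ip)
    return SyncPlan(frozenset(active - in_group), frozenset(in_group - active))

def object_name(ip: str) -> str:
    return "crowdsec_" + ip.replace(".", "_").replace(":", "_")  # constructed scheme

def steps(plan: SyncPlan) -> list:
    """One cycle in the page's order: SSH batch edits, API calls, SSH cleanup."""
    return [("ssh", "create objects", sorted(object_name(ip) for ip in plan.add | plan.expire)),
            ("ssh", f"add to {GROUP}", sorted(plan.add)),
            ("ssh", f"add to {DELETE_GROUP}", sorted(plan.expire)),
            ("api", f"add {GROUP} to blacklist", []),
            ("api", f"remove {DELETE_GROUP} from blacklist", []),
            ("ssh", f"empty {DELETE_GROUP}", [])]

def apply_plan(in_group: set, plan: SyncPlan) -> set:
    """Group content after the cycle; re-running plan_sync on it yields no work."""
    return (in_group - plan.expire) | plan.add

# Constructed sample: two IPs already blocked, one ban renewed, one expired, one new.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
HOUR = timedelta(hours=1)
SAMPLE_GROUP = {"10.0.0.1", "10.0.0.2"}
SAMPLE_BANS = [("10.0.0.1", NOW - HOUR), ("10.0.0.2", NOW - HOUR), ("10.0.0.2", NOW + HOUR),
               ("10.0.0.3", NOW + HOUR), ("not-an-ip", NOW + HOUR)]
```

Running `plan_sync` again on the result of `apply_plan` returns an empty plan, which is the idempotence a polling loop relies on when a cycle is retried.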

Challenges

The documentation for Stormshield is not very good. We had to inspect the API calls made by the Stormshield web interface to understand how to use the API.

We also had to use SSH to add the IPs to the blacklist, because the Stormshield API does not allow adding multiple IPs to the blacklist at once. This approach is undocumented and we stumbled upon it by accident. After consulting with Stormshield, we found out that this is the only way to add multiple IPs to the blacklist.

We tested this with 100k IPs and it worked fine.

Results

The remediation component is open source and available on GitHub.