🛡️ CrowdSec - 3 Bouncers + Nginx Lua
Intrusion detection system with multiple bouncers

📋 Table of Contents
- CrowdSec Installation
- Firewall Bouncer
- Cloudflare Bouncer
- Nginx Lua Bouncer
- Configuration and Monitoring
- References

📥 CrowdSec Installation
```bash
# Add the repository
curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash
# Install
sudo apt install -y crowdsec
# Version: v1.7.3
sudo cscli version
```
Configure Log Acquisition
```bash
sudo nano /etc/crowdsec/acquis.yaml
```
```yaml
---
filenames:
  - /var/log/nginx/access.log
  - /var/log/nginx/*_access.log
labels:
  type: nginx
---
filenames:
  - /var/log/nginx/error.log
  - /var/log/nginx/*_error.log
labels:
  type: nginx-error
---
filenames:
  - /var/log/auth.log
labels:
  type: syslog
```
Install Collections
```bash
sudo cscli collections install crowdsecurity/nginx
sudo cscli collections install crowdsecurity/linux
sudo cscli collections install crowdsecurity/base-http-scenarios
sudo cscli scenarios install crowdsecurity/http-sensitive-files
sudo cscli scenarios install crowdsecurity/http-probing
sudo cscli scenarios install crowdsecurity/http-crawl-non_statics
sudo systemctl restart crowdsec
```
🔥 Firewall Bouncer
Installation
```bash
sudo apt install -y crowdsec-firewall-bouncer-iptables
# Version: v0.0.34
```
Configuration
```bash
sudo nano /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
```
```yaml
mode: iptables
pid_dir: /var/run/
update_frequency: 10s
api_url: http://localhost:8080
api_key: <auto_generated>
deny_action: DROP
deny_log: false
iptables_chains:
  - INPUT
  - FORWARD
```
Verify
```bash
sudo systemctl status crowdsec-firewall-bouncer
sudo iptables -L crowdsec-chain -n -v
```
☁️ Cloudflare Bouncer
Installation
```bash
# Download
wget https://github.com/crowdsecurity/cs-cloudflare-bouncer/releases/download/v0.3.0/crowdsec-cloudflare-bouncer_0.3.0_linux_amd64.tar.gz
# Extract
tar -xzf crowdsec-cloudflare-bouncer_0.3.0_linux_amd64.tar.gz
sudo mv crowdsec-cloudflare-bouncer /usr/local/bin/
# Create the service
sudo nano /etc/systemd/system/crowdsec-cloudflare-bouncer.service
```
```ini
[Unit]
Description=CrowdSec Cloudflare Bouncer
After=crowdsec.service

[Service]
ExecStart=/usr/local/bin/crowdsec-cloudflare-bouncer -c /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
Restart=always
User=root

[Install]
WantedBy=multi-user.target
```
Configuration
```bash
# Generate the API key
sudo cscli bouncers add cloudflare-bouncer
sudo nano /etc/crowdsec/bouncers/crowdsec-cloudflare-bouncer.yaml
```
```yaml
crowdsec_api_url: http://localhost:8080
crowdsec_api_key: <generated_key>
cloudflare_token: <cloudflare_api_token>
cloudflare_zone_id: <zone_id>
update_frequency: 10s
```
Start
```bash
sudo systemctl daemon-reload
sudo systemctl enable crowdsec-cloudflare-bouncer
sudo systemctl start crowdsec-cloudflare-bouncer
```
🌐 Nginx Lua Bouncer
Installation
```bash
# Install the Lua dependencies
sudo apt install -y libnginx-mod-http-lua lua-cjson
# Install the bouncer
sudo apt install -y crowdsec-nginx-bouncer
# Version: v1.1.3
```
Nginx Configuration
Add to nginx.conf:
```bash
sudo nano /etc/nginx/nginx.conf
```
```nginx
http {
    # CrowdSec Lua
    lua_shared_dict crowdsec_cache 50m;

    init_by_lua_block {
        cs = require "crowdsec"
        local ok, err = cs.init("/etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf", "crowdsec-nginx-bouncer")
        if ok == nil then
            ngx.log(ngx.ERR, "[Crowdsec] " .. err)
        end
    }

    access_by_lua_block {
        local cs = require "crowdsec"
        cs.Allow(ngx.var.remote_addr)
    }

    # ... rest of the configuration
}
```
Bouncer Configuration
```bash
sudo nano /etc/crowdsec/bouncers/crowdsec-nginx-bouncer.conf
```
```ini
ENABLED=true
API_URL=http://localhost:8080
API_KEY=<generated_key>
MODE=stream
UPDATE_FREQUENCY=10
BAN_TEMPLATE_PATH=/etc/crowdsec/bouncers/templates/ban.html
```
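
What `MODE=stream` with `UPDATE_FREQUENCY=10` means in practice, as an added example (not the bouncer's own Lua code and not part of the original page): the bouncer does not query the Local API per request; it pulls a delta of `new` and `deleted` decisions every 10 seconds and answers lookups from a local cache. The payloads are constructed samples shaped like the Local API's `/v1/decisions/stream` response, and `DecisionCache` and its methods are hypothetical names.

```python
import ipaddress

class DecisionCache:
    """Local copy of LAPI decisions, kept current from stream deltas."""

    def __init__(self):
        self._nets = {}  # ip_network -> remediation type, e.g. "ban"

    @staticmethod
    def _key(decision):
        # Scope "Ip" is one address, scope "Range" a CIDR block; both
        # normalise to an ip_network (/32 or /128 for a single address).
        return ipaddress.ip_network(decision["value"], strict=False)

    def apply(self, delta):
        """Apply one poll result; "new" and "deleted" may each be null."""
        for field, add in (("deleted", False), ("new", True)):
            for d in delta.get(field) or []:
                if d.get("scope", "").lower() not in ("ip", "range"):
                    continue  # other scopes (country, AS) are out of scope here
                if add:
                    self._nets[self._key(d)] = d["type"]
                else:
                    self._nets.pop(self._key(d), None)

    def remediation(self, remote_addr):
        """Return the remediation for an address, or None if it is allowed."""
        addr = ipaddress.ip_address(remote_addr)
        best = None
        for net, kind in self._nets.items():
            if addr.version == net.version and addr in net:
                # Design choice of this example: the most specific match wins.
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, kind)
        return best[1] if best else None

# Constructed sample polls using documentation address ranges.
STARTUP = {"new": [
    {"scope": "Ip", "value": "192.0.2.10", "type": "ban",
     "scenario": "crowdsecurity/http-probing", "duration": "3h59m50s"},
    {"scope": "Range", "value": "198.51.100.0/24", "type": "captcha",
     "scenario": "crowdsecurity/http-crawl-non_statics", "duration": "1h0m0s"},
], "deleted": None}
# A later poll: the first ban has been removed and is reported as deleted.
NEXT_POLL = {"new": None, "deleted": [
    {"scope": "Ip", "value": "192.0.2.10", "type": "ban",
     "scenario": "crowdsecurity/http-probing", "duration": "-1s"}]}
```

Between two polls the cache can be up to `UPDATE_FREQUENCY` seconds behind the Local API, in both directions: a new ban takes effect late and a removed ban lingers.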
Generate the API Key
```bash
sudo cscli bouncers add nginx-bouncer
```
Restart Nginx
```bash
sudo nginx -t
sudo systemctl restart nginx
```

📊 Configuration and Monitoring
View Active Decisions
```bash
# All decisions
sudo cscli decisions list
# By origin
sudo cscli decisions list --origin crowdsec
sudo cscli decisions list --origin capi
```
View Alerts
```bash
# Recent alerts
sudo cscli alerts list
# Filtered by IP or scenario
sudo cscli alerts list --ip 1.2.3.4
sudo cscli alerts list --scenario crowdsecurity/http-probing
```
Metrics
```bash
# General metrics
sudo cscli metrics
# Active bouncers
sudo cscli bouncers list
# Machines
sudo cscli machines list
```
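
One way to turn `cscli bouncers list` into a pass/fail check that all three bouncers are actually pulling decisions, as an added example that is not part of the original page. It assumes the JSON form of the command (`-o json`) exposes `name`, `revoked` and `last_pull` fields with UTC timestamps; the sample data is constructed, and the firewall bouncer name in it is hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

EXPECTED = 3                     # firewall + Cloudflare + Nginx Lua, per this page
MAX_AGE = timedelta(seconds=60)  # several missed polls at a 10s update frequency

def parse_ts(ts):
    # Assumes UTC RFC 3339 timestamps; fractional seconds are dropped.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_bouncers(bouncers, now):
    """Return a list of problems; an empty list means every bouncer is pulling."""
    problems = []
    active = [b for b in bouncers if not b.get("revoked")]
    if len(active) < EXPECTED:
        problems.append(f"only {len(active)} of {EXPECTED} bouncers are registered and not revoked")
    for b in active:
        last = b.get("last_pull")
        if not last:
            # Registered but never authenticated: usually a wrong or missing API key.
            problems.append(f"{b['name']}: never pulled")
        elif now - parse_ts(last) > MAX_AGE:
            problems.append(f"{b['name']}: last pull {last} is stale")
    return problems

# Constructed sample of `cscli bouncers list -o json` output.
SAMPLE = json.loads("""[
 {"name": "cs-firewall-bouncer-example", "revoked": false, "last_pull": "2025-12-01T10:00:55Z"},
 {"name": "cloudflare-bouncer", "revoked": false, "last_pull": "2025-12-01T09:12:03Z"},
 {"name": "nginx-bouncer", "revoked": false, "last_pull": null}
]""")

if __name__ == "__main__":
    now = datetime(2025, 12, 1, 10, 1, 0, tzinfo=timezone.utc)
    for line in check_bouncers(SAMPLE, now):
        print(line)
```

On a live host, feed it `json.loads()` of the command's output and `datetime.now(timezone.utc)` instead of the sample.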
Logs
```bash
# CrowdSec
sudo tail -f /var/log/crowdsec.log
# Firewall Bouncer
sudo tail -f /var/log/crowdsec-firewall-bouncer.log
# Cloudflare Bouncer
sudo journalctl -u crowdsec-cloudflare-bouncer -f
```

🎯 Summary of the 3 Bouncers
| Bouncer | Version | Function | Layer |
|---|---|---|---|
| Firewall | v0.0.34 | iptables DROP | L3/L4 |
| Cloudflare | v0.3.0 | WAF block | Edge |
| Nginx Lua | v1.1.3 | HTTP block | L7 |

Protection Flow
```
Internet → Cloudflare (Edge) → pfSense → iptables (Firewall Bouncer)
         → Nginx (Lua Bouncer) → Backend
```
📝 Checklist
- CrowdSec v1.7.3 installed
- Nginx logs configured
- Collections installed (nginx, linux, http)
- Firewall bouncer v0.0.34 active
- Cloudflare bouncer v0.3.0 active
- Nginx Lua bouncer v1.1.3 active
- 3 bouncers running in parallel
- CAPI registered

📖 References
Last updated: December 2025