Guide to CrowdSec Console Enrollment for Pangolin Users

Full Recording
https://asciinema.org/a/O1npXCmaicVdGF5fNkNDqGxkh

Introduction

Pangolin’s network security capabilities are enhanced by its integration with CrowdSec, a collaborative cybersecurity platform. By enrolling your CrowdSec instance with the CrowdSec Console, you gain access to a centralized management interface and benefit from the collective threat intelligence of the entire CrowdSec community. This guide will walk you through the process of connecting your Pangolin deployment’s CrowdSec instance to the CrowdSec Console using an automated enrollment script.

What is CrowdSec and Why Enroll with the Console?

CrowdSec functions as a modern, collaborative Intrusion Prevention System (IPS) that protects your services by detecting and responding to malicious activity. When you connect your local CrowdSec instance to the CrowdSec Console, you unlock several powerful advantages:

  1. Centralized Management: Monitor and manage multiple CrowdSec instances from a single interface.
  2. Enhanced Threat Intelligence: Benefit from threat data gathered by the entire CrowdSec community.
  3. Advanced Analytics: Access detailed visualizations and analytics about attacks against your infrastructure.
  4. Collaborative Security: Contribute your own threat intelligence to strengthen the community defense.
  5. Automated Decision Distribution: Receive and apply security decisions from the Console across your instances.

Prerequisites

Before beginning the enrollment process, ensure that:

  1. Your Pangolin deployment is up and running
  2. The CrowdSec container is active within your Pangolin deployment
  3. You have created an account on the CrowdSec Console
  4. You have terminal access to the server hosting your Pangolin deployment

Step-by-Step Enrollment Process

1. Download the Enrollment Script

Connect to your server via SSH and download the script using curl. The URL below points at a specific revision of the gist rather than its latest version:

curl -o enroll-crowdsec.sh https://gist.githubusercontent.com/hhftechnology/17fbc56e200c901d99adc718bd923305/raw/6325ae78834026c2e672f2f514f38a4e065c5988/enroll-crowdsec.sh

2. Make the Script Executable

Change the permissions to make the script executable:

chmod +x enroll-crowdsec.sh

3. Obtain Your Enrollment Key

  1. Log in to your CrowdSec Console account

  2. Navigate to the “Add an Instance” section

  3. Look for the “Connect with the Console” section

  4. You’ll see a command containing your unique enrollment key that looks like: cscli console enroll YOUR_ENROLLMENT_KEY

  5. Note down this key; you’ll need it when running the script

4. Run the Enrollment Script

Execute the script with root privileges:

sudo ./enroll-crowdsec.sh

5. Follow the Prompts

The script will:

  1. Verify that Docker and CrowdSec are running
  2. Prompt you for your enrollment key (paste the key when requested)
  3. Execute the enrollment process
  4. Restart the CrowdSec container to apply changes
  5. Enable additional console features:
    • Context forwarding: Sends detailed context with alerts
    • Console management: Allows receiving decisions from the Console
  6. Instruct you to accept the instance in your Console dashboard

6. Accept the Instance in the Console

After running the script, you’ll need to:

  1. Return to the CrowdSec Console

  2. Look for a notification about a new instance named “pangolin-crowdsec”

  3. Accept this instance to complete the enrollment process

  4. Return to the terminal and press Enter to continue the script

7. Verification

The script will display the status of your Console connection, showing which features are enabled. A successful enrollment will display a table like this:

+--------------------+-----------+------------------------------------------------------+
| Option Name        | Activated | Description                                          |
+--------------------+-----------+------------------------------------------------------+
| custom             | ✅        | Forward alerts from custom scenarios to the console  |
| manual             | ✅        | Forward manual decisions to the console              |
| tainted            | ✅        | Forward alerts from tainted scenarios to the console |
| context            | ✅        | Forward context with alerts to the console           |
| console_management | ✅        | Receive decisions from console                       |
+--------------------+-----------+------------------------------------------------------+
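Steps 1 and 4 download a script and then run it with sudo, so it is worth reading the file and pinning its digest before the root step. The following is an added example, not part of the original guide or of the enrollment script; the function names and the PINNED_SHA256 placeholder are assumptions, and the digest has to be one you recorded yourself after reviewing the file.

```sh
#!/bin/sh
# Added example (not from the guide): refuse to run a downloaded script
# unless it matches a SHA-256 digest recorded after reviewing it.

# Placeholder: replace with the digest you recorded yourself after review.
PINNED_SHA256="REPLACE_WITH_RECORDED_DIGEST"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED
# 0 = digest matches, 1 = mismatch, 2 = unusable input (fails closed).
verify_script() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "pin is not a lowercase hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 2; }
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || { echo "could not hash $file" >&2; return 2; }
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Typical use around steps 1-4 of the guide:
#   less enroll-crowdsec.sh                  # read what will run as root
#   sha256_of enroll-crowdsec.sh             # record this as PINNED_SHA256
#   verify_script enroll-crowdsec.sh "$PINNED_SHA256" \
#       && sudo ./enroll-crowdsec.sh
```

Because the placeholder is not a valid digest, verify_script returns 2 until a real pin is filled in, so the sudo step cannot run by accident.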

Understanding the CrowdSec Integration in Pangolin

Your Pangolin deployment’s docker-compose configuration already includes the necessary setup for CrowdSec, including:

  1. Collections: Pre-configured rulesets for detecting threats:

    • crowdsecurity/traefik: Rules for detecting attacks against your Traefik proxy
    • crowdsecurity/appsec-virtual-patching: Virtual patching for known vulnerabilities
    • crowdsecurity/appsec-generic-rules: Generic application security rules
  2. Log Acquisition: CrowdSec monitors Traefik logs for suspicious activity

  3. Instance Naming: Your instance is named “pangolin-crowdsec” with the “docker” tag for easy identification in the Console

Troubleshooting

Common Issues and Solutions

  1. Docker Not Running

    • Error: “Docker is not running”
    • Solution: Start Docker with sudo systemctl start docker
  2. CrowdSec Container Not Running

    • Error: “CrowdSec container is not running”
    • Solution: Check container status with docker ps | grep crowdsec and start it if needed
  3. Invalid Enrollment Key

    • Error: “Error while enrolling the instance”
    • Solution: Double-check the key copied from the Console
  4. Network Connectivity Issues

    • Error: Connection timeout or network errors
    • Solution: Verify your server has internet access and can reach app.crowdsec.net
  5. Instance Already Enrolled

    • Symptom: Enrollment fails with a conflict message
    • Solution: You can unenroll first with docker exec crowdsec cscli console unenroll and then try again

Monitoring and Management

After successful enrollment, you can:

  1. View Alerts: Check detected threats with docker exec crowdsec cscli alerts list

  2. View Decisions: See active decisions with docker exec crowdsec cscli decisions list

  3. Check Console Status: Verify console connection with docker exec crowdsec cscli console status

  4. Explore the Console Dashboard: Log in to app.crowdsec.net to access:

    • Real-time attack visualizations
    • Geographic attack distribution
    • Threat timelines
    • Decision management
    • Scenario configuration
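The console status check above can be turned into a scheduled test that fails when a required option is switched off or the status output is missing. This is an added example, not part of the original guide; the function names are assumptions, the table is a constructed sample in the format shown in step 7, and the ❌ marker for a disabled option is part of that constructed sample.

```sh
#!/bin/sh
# Added example (not from the guide): fail closed unless the required
# options are activated in the table printed by `cscli console status`.

# check_console_options OPTION...
# Reads the status table on stdin. Prints each required option that is
# missing or not activated and returns 1 if there is any; 0 otherwise.
check_console_options() {
    table=$(cat)
    rc=0
    for opt in "$@"; do
        state=$(printf '%s\n' "$table" | awk -F'|' -v want="$opt" '
            NF >= 4 {
                name = $2
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (name == want) {
                    on = index($3, "✅")
                    print (on ? "on" : "off")
                    exit
                }
            }')
        if [ "$state" != "on" ]; then
            # "off" = row present but not activated; empty = row absent,
            # e.g. the command failed or the output format changed.
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample in the format shown in step 7, "context" disabled.
sample_status_table() {
    cat <<'EOF'
+--------------------+-----------+------------------------------------------------------+
| Option Name        | Activated | Description                                          |
+--------------------+-----------+------------------------------------------------------+
| custom             | ✅        | Forward alerts from custom scenarios to the console  |
| context            | ❌        | Forward context with alerts to the console           |
| console_management | ✅        | Receive decisions from console                       |
+--------------------+-----------+------------------------------------------------------+
EOF
}

# Against a live instance (command from the guide):
#   docker exec crowdsec cscli console status \
#       | check_console_options context console_management || echo "console drift"
```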

Benefits for Pangolin Users

With CrowdSec Console enrollment, your Pangolin deployment gains:

  1. Enhanced Security: Immediate access to threat intelligence from thousands of other CrowdSec instances worldwide

  2. Simplified Management: Monitor and manage security from a user-friendly web interface

  3. Better Visibility: Detailed analytics help you understand your threat landscape

  4. Community Participation: Your instance contributes to the global threat intelligence network, strengthening security for everyone

  5. Streamlined Operations: Central decision management eliminates the need to configure each instance separately

Conclusion

By enrolling your Pangolin deployment’s CrowdSec instance with the CrowdSec Console, you’ve significantly enhanced your security posture. The collaborative nature of CrowdSec means your defenses will continuously improve as the community grows and more threat intelligence is shared. Regular monitoring of your Console dashboard will provide valuable insights into your security situation and help you maintain a robust defense against evolving threats.

For further assistance or to learn more about CrowdSec capabilities, visit the CrowdSec documentation.