github crowdsecurity/crowdsec v1.0.0


Changes from v0.3.X to v1.0.0


Local API

  • Crowdsec now exposes an API. Crowdsec sends Alerts (triggered scenarios) to this API, which turns them into decisions according to the profiles. All bouncers will have to query this API to know whether an IP should be blocked or not.
  • This change brings the following possibilities:
    • Multiple crowdsec instances can share their decisions by sending their alerts to the same API endpoint, instead of sharing a network database.
    • Bouncers now only have to make an HTTP request to know whether an IP is blocked, instead of supporting all kinds of databases.
    • The pull of bad IPs from the Crowdsec Central API is now done periodically by the API in the background, instead of by a cronjob.
  • Local & Central API documentation
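The bouncer side of the exchange described above, as an added example that is not part of this release or of the crowdsec project: a minimal client that asks the Local API for the decisions on one IP, paired with an in-process stand-in for the API so it runs offline. The endpoint path (/v1/decisions?ip=), the X-Api-Key header and the decision field names are assumptions about the crowdsec Local API and are not stated on this page; the IPs, API key and decision table are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Decision models the subset of a LAPI decision a bouncer needs.
// Field names are an assumption about the crowdsec Local API.
type Decision struct {
	ID       int    `json:"id"`
	Origin   string `json:"origin"`
	Type     string `json:"type"`
	Scope    string `json:"scope"`
	Value    string `json:"value"`
	Duration string `json:"duration"`
	Scenario string `json:"scenario"`
}

// Bouncer is a minimal LAPI client: a base URL and the API key generated
// for the bouncer (with `cscli bouncers add`, not shown here).
type Bouncer struct {
	BaseURL string
	APIKey  string
	Client  *http.Client
}

// Lookup returns the active decisions on a single IP. The path and header
// are assumptions about the LAPI; this page does not list them.
func (b *Bouncer) Lookup(ip string) ([]Decision, error) {
	if net.ParseIP(ip) == nil {
		return nil, fmt.Errorf("invalid ip %q", ip)
	}
	q := url.Values{}
	q.Set("ip", ip)
	req, err := http.NewRequest(http.MethodGet, b.BaseURL+"/v1/decisions?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Api-Key", b.APIKey)
	resp, err := b.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("lapi returned %s", resp.Status)
	}
	// A body of "null" (no decision) decodes to a nil slice without error.
	var decisions []Decision
	if err := json.NewDecoder(resp.Body).Decode(&decisions); err != nil {
		return nil, err
	}
	return decisions, nil
}

// ShouldBlock blocks only on "ban" decisions; other remediation types
// (captcha, mfa) are left to the caller. An API error is surfaced rather
// than silently treated as "allow", so the caller decides fail-open/closed.
func (b *Bouncer) ShouldBlock(ip string) (bool, error) {
	ds, err := b.Lookup(ip)
	if err != nil {
		return false, err
	}
	for _, d := range ds {
		if d.Type == "ban" {
			return true, nil
		}
	}
	return false, nil
}

// NewFakeLAPI is a constructed stand-in for the Local API: it checks the
// API key and answers from a fixed decision table.
func NewFakeLAPI(apiKey string, banned map[string]Decision) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/decisions", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Api-Key") != apiKey {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if d, ok := banned[r.URL.Query().Get("ip")]; ok {
			json.NewEncoder(w).Encode([]Decision{d})
			return
		}
		w.Write([]byte("null"))
	})
	return httptest.NewServer(mux)
}

// sampleDecisions is constructed test data, not real crowdsec output.
var sampleDecisions = map[string]Decision{
	"192.0.2.10": {ID: 1, Origin: "crowdsec", Type: "ban", Scope: "Ip", Value: "192.0.2.10", Duration: "3h59m", Scenario: "crowdsecurity/ssh-bf"},
	"192.0.2.20": {ID: 2, Origin: "crowdsec", Type: "captcha", Scope: "Ip", Value: "192.0.2.20", Duration: "1h", Scenario: "crowdsecurity/http-probing"},
}

func main() {
	srv := NewFakeLAPI("constructed-bouncer-key", sampleDecisions)
	defer srv.Close()
	b := &Bouncer{BaseURL: srv.URL, APIKey: "constructed-bouncer-key", Client: &http.Client{Timeout: 2 * time.Second}}
	for _, ip := range []string{"192.0.2.10", "192.0.2.20", "198.51.100.5"} {
		blocked, err := b.ShouldBlock(ip)
		fmt.Printf("%s blocked=%v err=%v\n", ip, blocked, err)
	}
}
```

The point worth noticing is the last return of ShouldBlock: a transport or authentication error is not the same as "no decision", and a bouncer that conflates the two fails open whenever the API is unreachable.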

Journald

cscli

  • We now follow the cscli <domain> <action> logic:

cscli install scenario crowdsecurity/ssh-bf becomes cscli scenarios install crowdsecurity/ssh-bf

  • New commands have been added:

    • bouncers: Manage bouncers. You will have to use this command to generate an API token for your bouncer or to list bouncers.
    • capi: Register with, or check the status of, the Central Crowdsec API.
    • hub: Update the hub cache, and see the configurations installed from the hub.
    • lapi: Register with, or check the status of, a crowdsec Local API.
    • machines: Manage machines registered to the API. Create/delete/list machines.
  • You can now see more information about an Alert with cscli alerts inspect <alert_id>.

Runtime Object changes

  • SignalOccurences and bans are replaced by Alerts and Decisions:
    • Alert: An alert generated by a triggered scenario (kept for history)
    • Decision: A remediation (ban, captcha, mfa, ...) to apply during a period defined in the profile configuration

Note: The object exposed in profile.yaml (Sig) becomes Alert.

Improvements

  • Improved dashboard management. The username and password are now stored locally, so you don't have to recreate the dashboard if you lose your password.
  • Improved dashboards and their graphs.
  • Better handling of stack traces.
  • Pagination for database interactions (create, select, ...) for better performance and to avoid SQL errors.
  • cscli alerts list (previously cscli ban list) is now faster with a big database.

Bug fixes

  • Fixed parser node evaluation order, where sub nodes were evaluated before the root one.
  • Crowdsec exited when the GeoIP enrichment failed.
  • Fixed a bug in cscli inspect <scenario> where the scenario belongs to multiple collections.
  • Fixed range deletion with cscli.

Changes from last release candidate

Geolite2 notice

This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.

Migration

Have a look at the migration tutorial!
