Protect Pangolin With CrowdSec and Traefik (Complete Setup Guide)
This guide provides an alternative approach to the community guide by using Traefik access logs instead of Syslog or Journalctl. This method lets CrowdSec analyze requests directly from Traefik's access log output, which simplifies the setup in containerized environments and avoids relying on host-level logging systems. It assumes Pangolin is deployed with Docker Compose and that Traefik, CrowdSec and Pangolin run in the same compose stack (so containers can reach each other by service name).
1. Make sure Traefik is writing to the access.log file
- Open your Pangolin Traefik static configuration file, for example mine is `/docker/pangolin/traefik/traefik.yml`, and add this block anywhere at the top level:

```yaml
accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100
  format: common
```

- `accessLog` is a first-level block, so if you put it next to the existing `log` block it will look like this:

```yaml
log:
  level: INFO
  format: common

accessLog:
  filePath: "/var/log/traefik/access.log"
  bufferingSize: 100
  format: common
```

- `format: common` is the Common Log Format that CrowdSec's traefik parser expects; `bufferingSize: 100` means Traefik writes lines in batches, so a single request may not show up in the file instantly.
- Create the log folder on the host, for example:

```bash
sudo mkdir /docker/pangolin/traefik/logs
```

- Then map the folder into the Traefik service in your compose file:

```yaml
services:
  traefik:
    volumes:
      - /docker/pangolin/traefik/logs:/var/log/traefik
```

- Redeploy with `sudo docker compose down` and `sudo docker compose up` so the newly mapped folder is picked up by Traefik.
- Verify that the log file exists:

```bash
sudo docker exec -it traefik ls /var/log/traefik
```

It should return `access.log`.
- You can follow the log live with:

```bash
sudo docker exec -it traefik tail -f /var/log/traefik/access.log
```
2. Install CrowdSec
- Create the necessary folders (data and config) for CrowdSec, for example:

```bash
sudo mkdir -p /docker/pangolin/crowdsec/{data,config}
```

- Add CrowdSec to your Pangolin compose stack. Do not forget to map the Traefik access.log location; mount it read-only (`:ro`), since CrowdSec only needs to read it:

```yaml
services:
  crowdsec:
    image: crowdsecurity/crowdsec:latest-debian
    container_name: crowdsec
    restart: unless-stopped
    environment:
      COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/linux crowdsecurity/iptables
      ACQUIRE_FILES: /var/log/traefik/access.log
    volumes:
      - /docker/pangolin/crowdsec/data:/var/lib/crowdsec/data
      - /docker/pangolin/crowdsec/config:/etc/crowdsec
      - /docker/pangolin/traefik/logs:/var/log/traefik:ro # this is the Traefik log location
```

- Of the collections listed, only `crowdsecurity/traefik` gets data from this setup; `crowdsecurity/linux` and `crowdsecurity/iptables` expect host logs that are not mounted here, and the two appsec collections are installed but not wired into the bouncer by this guide (the bouncer below enforces IP decisions only).
- Run it using `sudo docker compose down` and `sudo docker compose up`.

💡 At this stage, CrowdSec does not see Traefik's traffic just yet. We need it to run once so it generates the necessary configuration files in the mapped config folder.
3. Allow CrowdSec to acquire and parse the Traefik log file
- Stop the CrowdSec container.
- Edit the `acquis.yaml` file. The CrowdSec config directory is mapped to `/docker/pangolin/crowdsec/config`, so on the host the file is `/docker/pangolin/crowdsec/config/acquis.yaml`. Remove (or comment out) everything in it, then add this:

```yaml
filenames:
  - /var/log/traefik/access.log
labels:
  type: traefik
```

- Start the CrowdSec container again (it is CrowdSec, not Traefik, that reads this file).
- Check that the acquisition metrics work:

```bash
sudo docker exec -it crowdsec cscli metrics
```

- You should see something like this. Lines and Parsed should both grow as traffic arrives, and Parsed should be close to Lines; if Lines grows but Parsed stays at zero, the `type: traefik` label or the `format: common` setting in Traefik does not match what the parser expects:

```
Acquisition Metrics
╭─────────────────────────────┬───────────┬───────────╮
│ Source                      │ Lines     │ Parsed    │
├─────────────────────────────┼───────────┼───────────┤
│ /var/log/traefik/access.log │ 1500      │ 1500      │
╰─────────────────────────────┴───────────┴───────────╯
```
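To make the parsing step concrete, here is an added example (not code from this guide, Pangolin, Traefik or CrowdSec) that parses Traefik `common`-format access-log lines the way the acquisition above feeds them to CrowdSec, and then applies a simplified stand-in for the `crowdsecurity/http-probing` scenario: flag any client that produces several 4xx responses in a short window. The sample log lines, the threshold of 5 hits and the 10-second window are constructed assumptions, not the real parameters of the CrowdSec scenario; the point is to show which fields the parser needs and why a burst of 404s from one IP becomes a ban while a single missing favicon does not.

```python
"""Parse Traefik 'common' access-log lines and flag probing clients.

Added example for this guide; it is not code from Pangolin, Traefik or
CrowdSec. The sample log lines are constructed, and the threshold/window
values are illustrative assumptions, not the real parameters of the
crowdsecurity/http-probing scenario.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Traefik "common" format: CLF fields, then referrer, user-agent, request
# counter, router name, server URL and duration. CrowdSec's traefik parser
# pulls the client IP, timestamp, request line and status out of these.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one scanner hammering missing paths, one normal visitor
# with a single 404 (favicon), and one slow client whose 404s are a minute apart.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 19 "-" "Mozilla/5.0" 101 "web@file" "http://10.0.0.2:80" 2ms
203.0.113.7 - - [02/Jan/2025:10:00:02 +0000] "GET /.env HTTP/1.1" 404 19 "-" "Mozilla/5.0" 102 "web@file" "http://10.0.0.2:80" 1ms
203.0.113.7 - - [02/Jan/2025:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 19 "-" "Mozilla/5.0" 103 "web@file" "http://10.0.0.2:80" 1ms
203.0.113.7 - - [02/Jan/2025:10:00:03 +0000] "GET /admin HTTP/1.1" 404 19 "-" "Mozilla/5.0" 104 "web@file" "http://10.0.0.2:80" 1ms
203.0.113.7 - - [02/Jan/2025:10:00:04 +0000] "GET /phpmyadmin HTTP/1.1" 404 19 "-" "Mozilla/5.0" 105 "web@file" "http://10.0.0.2:80" 1ms
198.51.100.4 - - [02/Jan/2025:10:00:05 +0000] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0" 106 "app@file" "http://10.0.0.3:3000" 12ms
198.51.100.4 - - [02/Jan/2025:10:00:05 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "Mozilla/5.0" 107 "app@file" "http://10.0.0.3:3000" 3ms
192.0.2.9 - - [02/Jan/2025:10:00:10 +0000] "GET /a HTTP/1.1" 404 19 "-" "curl/8.0" 108 "web@file" "http://10.0.0.2:80" 1ms
192.0.2.9 - - [02/Jan/2025:10:01:10 +0000] "GET /b HTTP/1.1" 404 19 "-" "curl/8.0" 109 "web@file" "http://10.0.0.2:80" 1ms
192.0.2.9 - - [02/Jan/2025:10:02:10 +0000] "GET /c HTTP/1.1" 404 19 "-" "curl/8.0" 110 "web@file" "http://10.0.0.2:80" 1ms
192.0.2.9 - - [02/Jan/2025:10:03:10 +0000] "GET /d HTTP/1.1" 404 19 "-" "curl/8.0" 111 "web@file" "http://10.0.0.2:80" 1ms
192.0.2.9 - - [02/Jan/2025:10:04:10 +0000] "GET /e HTTP/1.1" 404 19 "-" "curl/8.0" 112 "web@file" "http://10.0.0.2:80" 1ms
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["time"] = datetime.strptime(ev["time"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def find_probers(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {ip: total_4xx} for IPs with >= `threshold` 4xx hits inside any `window`.

    Sliding window over each client's sorted 4xx timestamps; a simplified
    stand-in for CrowdSec's leaky-bucket scenario, not its real logic.
    """
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparsed line: cscli metrics would count it as not Parsed
        if 400 <= ev["status"] < 500:
            hits[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def ban_commands(flagged, duration="4h"):
    """cscli commands equivalent to the ban decisions CrowdSec would create."""
    return [f"cscli decisions add --ip {ip} -d {duration} --reason http-probing"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    parsed = [parse_line(line) for line in lines]
    print(f"lines={len(lines)} parsed={sum(p is not None for p in parsed)}")
    for cmd in ban_commands(find_probers(lines)):
        print(cmd)
```

Run it and only `203.0.113.7` is flagged: the visitor with one 404 never reaches the threshold, and `192.0.2.9` has five 404s but spread over four minutes, so they never fall inside one 10-second window (widen the window to ten minutes and it gets flagged too). That is also why the `Parsed` column in `cscli metrics` matters: a line the parser cannot match, like the `None` case above, never reaches any scenario.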
4. Connect Traefik with CrowdSec
- Stop the Traefik container.
- Add the CrowdSec bouncer plugin to the Traefik static file `/docker/pangolin/traefik/traefik.yml` (Pangolin's badger plugin is already declared there):

```yaml
experimental:
  plugins:
    badger:
      moduleName: github.com/fosrl/badger
      version: v1.3.1
    crowdsec-bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.5.1 # <<<<< latest version when I wrote this guide
```

- Also add the CrowdSec middleware to the `websecure` entrypoint in the same static file, so every HTTPS request is checked by the bouncer before it reaches any router:

```yaml
entryPoints:
  web:
    address: ':80'
  websecure:
    address: ':443'
    transport:
      respondingTimeouts:
        readTimeout: 30m
    http:
      tls:
        certResolver: cloudflare
      middlewares: # <<<<< add here
        - crowdsec@file
```

- Get a CrowdSec API key for Traefik by running this (the key is printed once, so copy it now):

```bash
sudo docker exec -it crowdsec cscli bouncers add traefik
```

- Add the CrowdSec bouncer middleware to Traefik's dynamic config, mine is in `/docker/pangolin/traefik/rules/dynamic_config.yml`:

```yaml
http:
  middlewares:
    crowdsec:
      plugin:
        crowdsec-bouncer:
          enabled: true
          crowdsecLapiKey: YOUR_API_KEY
          crowdsecLapiHost: crowdsec:8080
```

- `crowdsec:8080` resolves because Traefik and CrowdSec are on the same compose network; the Local API does not need to be published on a host port. The API key authenticates Traefik to the Local API as a bouncer, so keep the dynamic config file readable only by root.
- If visitors reach Traefik through an upstream proxy (for example a CDN in front of it), both the access log and the bouncer see the proxy's IP, not the visitor's; in that case you must configure trusted forwarded-header sources in CrowdSec and in the plugin before bans mean anything.
- Restart them all with `sudo docker compose down` and `sudo docker compose up`.
5. Testing time!
- Check for bans with:

```bash
sudo docker exec -it crowdsec cscli decisions list
```

- You will start seeing IP bans like this:

| ID | Source | Scope:Value | Reason | Action | Country | AS | Events | expiration | Alert ID |
|---|---|---|---|---|---|---|---|---|---|
| 6 | crowdsec | Ip:4.204.200.32 | crowdsecurity/http-probing | ban | CA | 8075 MICROSOFT-CORP-MSN-AS-BLOCK | 11 | 3h59m46s | 6 |
| 5 | crowdsec | Ip:136.0.213.103 | crowdsecurity/http-probing | ban | US | | 11 | 3h58m48s | 5 |
| 1 | crowdsec | Ip:151.145.54.165 | crowdsecurity/http-admin-interface-probing | ban | CA | 31898 ORACLE-BMC-31898 | 3 | 3h19m33s | 1 |

- A decision in this list only proves that CrowdSec is detecting; to confirm Traefik is enforcing, run `sudo docker exec -it crowdsec cscli bouncers list` and check that the `traefik` bouncer shows a recent pull, then test with your own IP. First get your public IP from a site like https://whatismyipaddress.com/
- Add your IP to a temporary ban (5 minutes, so you cannot lock yourself out for long):

```bash
sudo docker exec crowdsec cscli decisions add --ip YOUR_IP_HERE -d 5m
```

- Check that your IP has been added to the ban list with `sudo docker exec -it crowdsec cscli decisions list`; it should look like this:

| ID | Source | Scope:Value | Reason | Action | Country | AS | Events | expiration | Alert ID |
|---|---|---|---|---|---|---|---|---|---|
| 182 | cscli | Ip:YOUR_IP_HERE | manual 'ban' from 'localhost' | ban | | | 1 | 4m54s | 182 |

- Your IP is now banned for the next 5 minutes. If you open a private browser window and try to access any of your subdomains you will get a 403 error. If you still get through, Traefik is not enforcing decisions: re-check that `crowdsec@file` is on the entrypoint and that the API key in the dynamic config matches the bouncer you created. To lift the test ban early, run `sudo docker exec crowdsec cscli decisions delete --ip YOUR_IP_HERE`.