Hi all!
I’ll try to be quick, but I apologise first as I am pretty new to security stuff and my questions might be obvious to more expert users.
I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these have to be available and accessible on the internet, I also set up crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.
So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.
I feel I am missing something, so my questions are:
- Would it be useful to monitor container logs given my setup or would it be redundant?
- Should I add the app-specific collections, or would docker logs monitoring be enough?
My current crowdsec collections
- crowdsecurity/linux
- crowdsecurity/appsec-generic-rules
- crowdsecurity/caddy
- crowdsecurity/whitelist-good-actors
- crowdsecurity/http-cve
- crowdsecurity/iptables
Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo now that it is a hard fork?
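An added example (not from the original post or from the CrowdSec project) of what the docker log acquisition mentioned above looks like. The Caddy access log only records the HTTP layer, so an application's own events (a failed Authentik login, a rejected Forgejo SSH key) appear there at most as a status code; reading the container logs directly gives the app-specific collections the lines their parsers expect. The container names, the file path and the `type` values are assumptions and must be checked against your own setup.

```yaml
# Assumed path: /etc/crowdsec/acquis.d/docker.yaml (CrowdSec reads every file in acquis.d).
# Example configuration, not part of the thread. The `docker` source tails container
# stdout/stderr through the Docker socket, so the CrowdSec container needs
# /var/run/docker.sock mounted (read-only is enough).
source: docker
# Container names are assumptions; copy them from `docker ps`.
container_name:
  - authentik-server
labels:
  # The type must match what the collection's parsers filter on.
  # Assumed value; confirm with: cscli collections inspect crowdsecurity/authentik
  type: authentik
---
source: docker
container_name:
  - forgejo
labels:
  # Forgejo keeps Gitea's log format, so the Gitea parsers are fed as type gitea (assumption).
  type: gitea
```

After restarting CrowdSec, `cscli metrics` lists each acquisition source with the number of lines read and parsed; a source that reads lines but parses none usually means the `type` label does not match what the collection expects.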
You can easily create custom rules and bouncers if needed for something specific as well. They’re templatized for the most part. Possibly even something a stupid AI could kick out, but make sure you know what it’s doing, and don’t trust it outright.
Thanks for the input, yes I was mostly thinking about hedgedoc, which doesn’t have parsers or anything. I need to delve more into crowdsec logic and rules before trying to do my own thing, for sure. Thanks a lot though, I followed your advice and I got Crowdsec working on both Authentik and Forgejo :)