HomeBlog › Windows 11

Windows 11

A Comprehensive Guide to Installing and Using CrowdSec on Windows for Effective Threat Blocking

CrowdSec is an open-source security engine designed to analyze server logs and detect suspicious activity such as password brute-forcing and port scanning. Originally developed for Linux systems, it is now available for Windows, providing effective protection against threats like RDP and SMB brute-force attacks.

Installing CrowdSec Security Engine on Windows

To set up CrowdSec on Windows, follow these prerequisites:

  1. Install .NET 6.0 Desktop Runtime: Utilize the WinGet package manager for the installation:

    winget install Microsoft.DotNet.DesktopRuntime.6
  2. Ensure TCP port 8080 is free: Verify that this port is not used by other applications.

  3. Enable Windows Logon Audit Policy: Open secpol.msc, go to Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff. Check the Audit Logon policy for Failure.

  4. Configuration file adjustments: Modify the default configuration to use 127.0.0.1 instead of localhost to prevent IPv6 issues during local API interactions.

Next, you can install CrowdSec:

winget install -e --id CrowdSecurity.CrowdSec

Then install the crowdsec-firewall-bouncer to manage automatic blocking:

winget install -e --id CrowdSecurity.CrowdSecWindowsFirewallBouncer

After installations, start the services:

Get-Service Crowdsec, cs-windows-firewall-bouncer | Start-Service -Verbose

Configuring CrowdSec

Check that the firewall bouncer is registered:

cscli bouncers list

Next, ensure the Windows collection is installed, which includes valuable scenarios for defending against attacks:

cscli collections install crowdsecurity/windowscscli scenarios install crowdsecurity/windows-bf

Using CrowdSec for Attack Prevention

Once installed, CrowdSec will automatically monitor defined security logs for failed log-in events. You can simulate failed login attempts to observe how the system reacts:

cscli decisions list

To check alerts or list all blocked IP addresses:

cscli alerts list

To manually manage IP addresses, you can add or remove entries from the blocklist:

cscli decisions delete --ip 192.168.123.4cscli decisions add --ip 192.168.123.4 --reason "manually BAN IP"

For real-time logging updates, use PowerShell:

Get-Content C:ProgramDataCrowdSeclogcrowdsec.log -Wait -Tail 30

Customizing Detection Settings

Adjust the detection threshold and conditions by editing the scenario file:

  1. Modify brute force detection thresholds in C:ProgramDataCrowdSecconfigscenarioswindows-bf.yaml:

    capacity: 5leakspeed: 10s
  2. Specify IP blacklisting duration in C:ProgramDataCrowdSecconfigprofiles.yaml:

    Duration: 4h

Whitelisting Trusted IPs

To exempt certain IP addresses from being blocked by CrowdSec, create a whitelists.yaml file and add the relevant configurations:

name: crowdsecurity/whitelistsdescription: "Whitelist my office IPs"whitelist:  reason: "CORP trusted IP addresses"  ip:  - "192.168.123.1"  cidr:  - "192.168.15.0/24"

Conclusion

CrowdSec’s capabilities extend beyond brute force detection, offering features to protect against port scans and manage web server logs. It also provides integration with various notification methods like email and Slack for alerting purposes. For advanced network protection, you can register for the CrowdSec Cloud Console to gain insights and manage global block lists effectively.

For further details, refer to the official CrowdSec documentation at app.crowdsec.net.

Put this guide to work on a fast VPS

Deploy a pure-NVMe Windows or Linux VPS in minutes — full admin access, instant setup, from $6/mo.