Boosting your Linux Server Security with CrowdSec

Originally published at: Boosting your Linux Server Security with CrowdSec – LearnLinuxTV

CrowdSec is a cutting-edge security solution for your Linux servers. As an intrusion prevention system, its goal is to stop unauthorized access and prevent attacks. But unlike other IPS solutions, it does it a different way - by using knowledge as power. CrowdSec was covered on this channel before, but in this video, you’ll see an updated look complete with an overview of how to set up protection for Wordpress as well.


I have the following configuration for my website running on Apache web server:

<Directory /var/www/wp-admin>
        Header unset Content-Security-Policy
        AuthType Basic
        AuthName "Unauthorized access is strictly prohibited. This website is the property of Grayson Peddie. Anyone attempting access to the server will be subjected to prosecution upon the full extent of the law. All authorized and unauthorized activities are monitored."
        AuthUserFile /etc/apache2/.htpasswd
        require valid-user

Is it possible for Crowdsec to guard against basic HTTP authentication? I have a ClassicPress website and I have HTTPS setup. I have two forms of usernames and passwords.

For those wanting to learn more about ClassicPress:

In general, ClassicPress is a fork of WordPress 4.9 but with security in mind.

I wonder if the Wordpress bouncer would be able to work here, if the plugin is supported. I would think that CrowdSec should be able to do what you want. But I’m more of a fan of testing scenarios in a sample setup to see what happens. For example, if your server is a VM, clone it, give it a different IP, and try hammering it with invalid passwords on purpose to see exactly what it does or doesn’t do. Only then can you truly know, and I usually place custom tests like that in a higher regard than documentation - the docs might claim that it supports something, but you’ll never truly know unless you see it work for yourself.

The <Directory ...> part is web application-agnostic, so that has nothing to do with WordPress but for Apache web server.