Introduction
Server security is a critically important aspect of any web project. In this article we'll explain which tools we use to protect our clients' infrastructure: CrowdSec, Fail2Ban, Grafana, and Podman.
CrowdSec: Collective Defense
CrowdSec is a modern, open-source intrusion detection system (IDS). Its key feature is collective intelligence: when one participant in the network detects a threat, information about the attacking IP is shared with all users.
Advantages of CrowdSec
- Collective blocklist — protection against known attackers
- Low resource consumption — written in Go
- Flexible scenarios — easily configurable detection rules
- Integration with any service — nginx, Apache, SSH, and more
- Free — open source with an optional paid console
What CrowdSec Can Detect
- Brute-force attacks on SSH and web forms
- Vulnerability scanning
- SQL injection attempts
- Attacks on WordPress and other CMSes
- Application-layer DDoS attacks
Fail2Ban: A Proven Classic
Fail2Ban is a utility for protecting Linux servers against brute-force attacks. It monitors logs and bans IP addresses that show suspicious activity.
How Fail2Ban Works
- Analyzes log files in real time
- Finds patterns of failed login attempts
- Adds iptables rules to block them
- Automatically unbans after the timeout expires
Typical Jails (Rules)
- sshd — protecting SSH against password guessing
- nginx-http-auth — protecting basic auth
- nginx-botsearch — blocking scanners
- postfix — protecting the mail server
Fail2Ban vs CrowdSec
We use both tools together. Fail2Ban is local protection, CrowdSec is global intelligence. Together they provide multi-layered security.
Grafana: Monitoring Everything
Grafana is a platform for visualizing metrics and logs. We use it to monitor our entire infrastructure.
What We Monitor
- Server load — CPU, RAM, disk, network
- Service availability — uptime, response time
- Request volume — RPS, 4xx/5xx errors
- Security — blocked IPs, intrusion attempts
- Business metrics — sign-ups, orders, conversions
Pairing With Other Tools
- Prometheus — collecting metrics
- Loki — aggregating logs
- AlertManager — notifications to Telegram/Slack
Why Grafana
- Beautiful dashboards out of the box
- A flexible alerting system
- Support for many data sources
- Open source and self-hosted
- A huge community and ready-made dashboards
Podman: Secure Container Deployment
Podman is a Docker replacement without a daemon. Its main advantage is rootless mode, which significantly increases security.
Advantages of Podman Over Docker
- Rootless — containers run without root privileges
- Daemonless — there's no constantly running daemon
- Docker compatibility — the same commands and images
- Systemd integration — generating unit files
- Pod concept — grouping containers like in Kubernetes
Podman Security
In rootless mode, even if an attacker breaks out of a container, they won't have root access to the host. This is critically important for production.
How We Use Podman
- Deploying applications via podman-compose
- Generating systemd services for auto-start
- Isolating services from one another
- Automatic image updates
Our Security Stack
Here's what a typical server setup for a client looks like:
- Firewall — UFW or firewalld with a minimum of open ports
- CrowdSec — collective protection against known threats
- Fail2Ban — local protection against brute force
- Podman — isolating applications in containers
- Grafana + Prometheus — monitoring and alerts
- Regular backups — daily snapshots
Security Recommendations
The basic rules we follow:
- Disabling root login over SSH
- Using SSH keys instead of passwords
- Regular system updates
- The principle of least privilege
- Monitoring and alerts on suspicious activity
- Regular configuration audits
Conclusion
Security is a process, not a product. The combination of CrowdSec, Fail2Ban, Grafana, and Podman provides reliable protection at minimal cost. All of these tools are free and open source.
Want to set up secure infrastructure for your project? We'll help you choose the optimal stack and configure monitoring for your needs.