Hi all!
I’ll try to be quick, but I apologise first as I am pretty new to security stuff and my questions might be obvious to the more expert among you.
I have a VPS (hetzner) set up with docker, caddy for the reverse proxy, and authentik as the only login method for a couple of services (hedgedoc and forgejo). Since most of these have to be available and accessible on the internet, I also set up crowdsec and built caddy with the relevant bouncer. This allows crowdsec to inspect the caddy logs for all the services I am serving through it and act accordingly. Edit: all the services are in docker containers.
So far, so good. However, I also saw that crowdsec can directly monitor container logs with the docker integration or through container labels. Also, I saw a couple of collections on crowdsec hub specifically for Authentik and Gitea.
I feel I am missing something, so my questions are:
- Would it be useful to monitor container logs given my setup or would it be redundant?
- Should I add the app-specific collections, or would docker logs monitoring be enough?
My current crowdsec collections:
- crowdsecurity/linux
- crowdsecurity/appsec-generic-rules
- crowdsecurity/caddy
- crowdsecurity/whitelist-good-actors
- crowdsecurity/http-cve
- crowdsecurity/iptables
Edit: bonus question, does someone know if the Gitea collection would be useful for Forgejo now that it is a hard fork?
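To make concrete what the docker integration mentioned above does, here is an added example (not the poster's configuration) of a CrowdSec docker-datasource acquisition that feeds one container's stdout/stderr to the hub parsers. It assumes the authentik container is named `authentik-server`, that the file lives at `/etc/crowdsec/acquis.d/authentik.yaml`, and that the authentik collection's parsers select lines tagged with `type: authentik`.

```yaml
# Added example, not the poster's config: CrowdSec docker datasource
# acquisition for the authentik container.
# Assumed file path: /etc/crowdsec/acquis.d/authentik.yaml
# Assumed container name: authentik-server
# Assumed parser label: the authentik collection matches on type "authentik"
source: docker
# The agent reads the container's stdout/stderr over the Docker socket,
# so the container does not have to write a log file the agent can reach.
docker_host: unix:///var/run/docker.sock
container_name:
  - authentik-server
labels:
  # This label is what routes the lines to the matching hub parser; the
  # caddy acquisition covers the HTTP layer, this one covers what the
  # application itself logs (e.g. authentication outcomes behind the proxy).
  type: authentik
```

The crowdsec container needs the Docker socket mounted (read-only is sufficient), and `cscli metrics` shows whether lines from this source are actually being read and parsed.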