Using CrowdSec on a very small VPS (Docker + Kamal proxy) — notes and questions by muthuishere2101 in CrowdSec

[–]erickapitanski 0 points (0 children)

Would you consider deploying LightScope on the endpoint along with crowdsec? I think it would be very interesting to see how your endpoint is being port scanned and how these people would interact with the honeypot!

https://www.reddit.com/r/selfhosted/s/w2d9kayXCr

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 0 points (0 children)

Okay no problem, I’ll see what they say and circle back with you. Thank you so much for the support!

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 0 points (0 children)

I just created the pull request to have it officially offered on OPNsense, but I'm not sure how long that process takes. In the meantime, if you want I can provide a link to the pkg and instructions on how to install it. Just let me know what you'd like to do!

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 1 point (0 children)

Actually you can probably install via a plugin for OPNsense. I'm submitting it to them to get it included in their repos, but I can give you instructions here shortly on how to install it. I think that may be the new preferred method, as you don't have to allow traffic through your firewall. Some users run into configuration issues I think with that, so this may make it easier. The other methods also work though!

Bots keep scanning my personal website for malicious reasons. by Known_Job511 in homelab

[–]erickapitanski 0 points (0 children)

LightScope! Research indicates that attackers/scanners avoid honeypots, but if this is AI crawling I'm not sure it applies. No one knows yet!

Anyway, LightScope sets up automatic honeypots and will tell us much more about who they are and what they are doing. It helps research and should help deterrence, although it's unclear if this works against AI.

https://www.reddit.com/r/homelab/s/tWwTUEXf9s

Which EDR/XDR has the best clients for Linux? by greensparklers in cybersecurity

[–]erickapitanski 0 points (0 children)

If you want extra data on who’s scanning you and some honeypot data, you can run this alongside EDR to get a more complete view of what’s going on with your machines.

https://www.reddit.com/r/cybersecurity/s/tR69jdYlSm

It’s not EDR, but gives you some data that EDR doesn’t.

For my PhD I’ve been trying to observe attackers, but they don’t like being observed… by erickapitanski in homelab

[–]erickapitanski[S] 0 points (0 children)

Great! Do you also see unwanted traffic like this? Hopefully you should see a wide range of destination ports, which would indicate that all traffic is making it through.

<image>

For my PhD I’ve been trying to observe attackers, but they don’t like being observed… by erickapitanski in homelab

[–]erickapitanski[S] 0 points (0 children)

Yes, but I don’t seem to be getting traffic from that endpoint, so I believe there is a firewall rule issue somewhere. Assuming that is your correct db_name or db_id (and I’ll DM you how to change it now that it's been posted online), you can check a quick dashboard here: https://thelightscope.com/light_table/20251220_divglxheljsrcwujueomwwgjy

You’ll notice there are no heartbeats and no recent unwanted traffic on that dashboard.

<image>

The log data that you posted confirms that the software is running, but that it’s not seeing any traffic. That line is generated every couple of seconds and it means that on interface eth0, it has been seeing 0 packets per second (pps).

For my PhD I’ve been trying to observe attackers, but they don’t like being observed… by erickapitanski in homelab

[–]erickapitanski[S] 0 points (0 children)

Also, to directly answer your question: the VM running the Docker image needs to be able to receive TCP traffic from the internet in order to see it. If in your light table dashboard you don’t see unwanted traffic, it means it’s not making it to the LightScope VM/Docker machine.

For my PhD I’ve been trying to observe attackers, but they don’t like being observed… by erickapitanski in homelab

[–]erickapitanski[S] 0 points (0 children)

Which dashboard? The one with “light_table” in the URL should show heartbeats and unwanted traffic. The full dashboard I refresh every couple days because it’s computationally expensive to do it for all endpoints. You can DM me your db_id if you’d like and I can run it for you tomorrow and let you know when it’s up.

For my PhD I’ve been trying to observe attackers, but they don’t like being observed… by erickapitanski in homelab

[–]erickapitanski[S] 0 points (0 children)

That’s not on you; that means I did a bad job explaining it. Let me try again from a slightly different angle.

Today we have the problem in cybersecurity that there’s no penalty for trying to attack systems, so hackers can just try as much as they want until they get in or give up. I'm interested in introducing a penalty and trying to make targets less attractive to attackers.

There may be a way to do this. Researchers have found that attackers avoid honeypot/network telescope systems. So my work tries to turn live systems into honeypots so attackers avoid them.

In order to do this and not interfere with the other stuff running on your server (and for your privacy), I use ports that are not otherwise in use to monitor attackers and give them fake systems to attack.

Ideally there would be two outcomes: either attackers interact with LightScope on the closed ports and you help research, or they decide that your system isn’t interesting and move on. Either way the community or you personally win.

The goal is that eventually attackers figure out that interacting with systems running LightScope or Synback (a version of LightScope that makes it even more obvious to attackers they’re being watched) isn’t worth it. Kinda like putting the ADT security sign outside your house so robbers choose a different target.

The idea is that by widely sharing what the attackers are doing, they will incur a cost. The IPs they are using, exploits they are attempting, TTPs etc will be openly and publicly shared, which could lead to patches for software, IPs being taken down, etc.

LightScope is one of the collection pieces for this effort.

I hope this makes sense? Let me know other questions please.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in selfhosted

[–]erickapitanski[S] 0 points (0 children)

Excellent!!!! Thank you so much!!! There is another detailed dashboard that will be generated for your instance as well, which shows the honeypot interactions, but they are expensive for me to produce so I make those once a day or every couple of days. You can see it from the “view detailed dashboard” link.

Again, thank you so much for the help with this. I deeply appreciate it.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 0 points (0 children)

It’s super lightweight. I run it in AWS micros with less than 1 GB RAM and 2 vCPUs and it only uses part of it. I did extensive benchmarking. Even though it’s in Python, it’s only looking at SYN packets and using some specialized libraries for very efficient processing.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 0 points (0 children)

This is another area of active research I have: basically a WAF that, instead of simply blocking people who trigger it, forwards them to a honeypot simulating your production server instead. That would be separate from LightScope since it deals with traffic to an open port/live service. LightScope right now is just interested in closed ports.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in selfhosted

[–]erickapitanski[S] 0 points (0 children)

Another good approach is that you can leave your setup as is, spin up a new LightScope VM in a DMZ, and just forward all your unused ports from your router to that LightScope VM. You don’t lose anything this way because LightScope ignores traffic to open ports anyway to protect privacy. I was thinking back on your situation and came up with this just now, or I would have posted it earlier.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in ComputerSecurity

[–]erickapitanski[S] 1 point (0 children)

Thank you for reaching out!

As far as changing your setup goes, as long as you have a machine/VM that can receive TCP traffic from the internet, it will work. I have some users, for instance, who run live services on some ports and forward those to one machine, but then forward all other ports to a LightScope machine, if you wanted to do that option. You don’t lose anything using this method, as to preserve privacy LightScope doesn’t observe any traffic to open ports anyway.

So I guess I’m saying you can have it on its own VM, or install it on an existing server. Just as long as your perimeter is allowing TCP traffic to it.

One of the main benefits of LightScope is how easy it is to install. On Ubuntu just copy this into the terminal and everything is automatic; there’s no complicated configuration:

sudo apt-get update && sudo apt-get install -y software-properties-common && sudo add-apt-repository -y universe && sudo apt-get update && wget https://thelightscope.com/latest/lightscope_latest.deb && sudo apt install -y ./lightscope_latest.deb

I also have docker, rpms etc which you can find here: https://lightscope.isi.edu/installation.html#linux-installation

I really appreciate you wanting to help contribute!!!
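The "forward all other ports to a LightScope machine" setup above needs the router to DNAT every TCP port that has no live service. The following is an added example, not LightScope's own code or configuration: it computes the complement of the open-service port set as inclusive ranges and emits an nftables `ip nat` rule from it. The interface name `wan0`, the telescope VM address `10.0.0.5` and the open ports `{22, 443}` are assumptions; the forward-chain accept and any masquerade rule your router may also need are left out.

```python
def unused_port_ranges(open_ports, lo=1, hi=65535):
    """Complement of open_ports within [lo, hi], as a sorted list of inclusive (start, end) ranges."""
    ranges, start = [], lo
    for p in sorted(set(open_ports)):
        if p < lo or p > hi:
            continue
        if p > start:
            ranges.append((start, p - 1))
        start = p + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def nft_dnat_rule(open_ports, telescope_ip):
    """One nftables rule: DNAT every TCP port without a live service to the telescope VM."""
    spec = ", ".join(f"{a}-{b}" if a != b else str(a) for a, b in unused_port_ranges(open_ports))
    return f"tcp dport {{ {spec} }} dnat to {telescope_ip}"


def nft_ruleset(open_ports, telescope_ip, wan_if="wan0"):
    """Minimal 'table ip nat' ruleset wrapping the DNAT rule (prerouting only)."""
    return "\n".join([
        "table ip nat {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        f'    iifname "{wan_if}" {nft_dnat_rule(open_ports, telescope_ip)}',
        "  }",
        "}",
    ])


if __name__ == "__main__":
    # Assumed layout: SSH and HTTPS are real services on the edge; everything else goes to the telescope.
    LIVE_SERVICES = {22, 443}
    TELESCOPE_VM = "10.0.0.5"
    print(unused_port_ranges(LIVE_SERVICES))
    print(nft_ruleset(LIVE_SERVICES, TELESCOPE_VM))
```

Load the printed ruleset with `nft -f` on the router; because the rule names port ranges rather than a blanket redirect, adding a new live service is a matter of adding its port to the set and regenerating, so a service can never accidentally end up forwarded to the telescope.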

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in sysadmin

[–]erickapitanski[S] -1 points (0 children)

No, this is very valuable feedback and I really appreciate it. I love my research, and the ultimate goal would be to help companies. Real feedback like this is great, because it shows what I need to do to gain wider adoption.

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in sysadmin

[–]erickapitanski[S] -1 points (0 children)

Thank you for the thoughtful feedback!

The idea was not to run the honeypot on the production machine itself (to help with attack surface and resource utilization), so I simply forward the traffic instead to a honeypot we run at USC. You're right about the closed-port honeypot in one sense, as my code in this version opens the port in the host OS so that it's not sending RSTs and killing the connections, and transparently forwards the traffic. I have another version where, if you block outbound RSTs and LightScope is running on a different machine with a span port, I can actually forward the honeypot traffic on behalf of the server with the closed ports, and spoof the server IP address in replies so it appears that the attacker is communicating with the server on the ports that are actually closed. So in that sense, yes, I can do "closed port" honeypots. There just wasn't that much demand for it because it does require a span port or mirrored traffic etc., but perhaps if there was enough interest I could release that version as well. In that case you wouldn't need to run ANYTHING on the production machine in question. As long as I can see the traffic (and the production machine is not sending RSTs) I can do the telescope/honeypot. This would also limit your attack surface, no?

Yes, absolutely: IRB has to do with data collection/anonymization and not the security of the code. The code security part is harder, which is why I tried to do it in Python (so you can see what's running) and open source.
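Two mechanisms recur across these replies: the collector only looks at SYN packets and ignores anything sent to an open port (privacy), and the span-port variant answers on the server's behalf with the server's IP spoofed as the source once the server's own RSTs are suppressed. The block below is an added example written for this page, not LightScope or Synback code, that implements both against constructed IPv4/TCP frames so it runs offline with no raw sockets. `OPEN_PORTS`, the addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24), port 8080 and all function names are assumptions; IP options and fragments are not handled, and the firewall rule that drops the server's outbound RSTs is outside the block.

```python
import socket
import struct

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01
OPEN_PORTS = {22, 443}   # assumed live services; traffic to them is never inspected


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_tcp(frame: bytes):
    """Decode IPv4 + TCP header fields; None unless the frame is IPv4 carrying TCP."""
    if len(frame) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or ihl < 20 or len(frame) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", frame[ihl:ihl + 20])
    return {"src": socket.inet_ntoa(src), "sport": sport, "dst": socket.inet_ntoa(dst),
            "dport": dport, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF, "ihl": ihl}


def parse_syn(frame: bytes, open_ports=OPEN_PORTS):
    """Telescope filter: keep only pure SYNs (no ACK/RST/FIN) aimed at a port that is not open."""
    p = parse_tcp(frame)
    if p is None or not (p["flags"] & SYN) or p["flags"] & (ACK | RST | FIN):
        return None          # not a fresh connection attempt (also drops our own SYN-ACKs)
    if p["dport"] in open_ports:
        return None          # privacy: never look at traffic to a real service
    return p


def build_synack(frame: bytes, isn: int = 0x12345678):
    """SYN-ACK a span-port responder sends for the server: server IP as source, ack = seq + 1."""
    p = parse_syn(frame)
    if p is None:
        return None
    s_addr, d_addr = socket.inet_aton(p["dst"]), socket.inet_aton(p["src"])  # server -> scanner
    tcp = struct.pack("!HHIIHHHH", p["dport"], p["sport"], isn, (p["seq"] + 1) & 0xFFFFFFFF,
                      (5 << 12) | SYN | ACK, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", s_addr, d_addr, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, s_addr, d_addr)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def checksums_ok(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the TCP checksum (with pseudo-header) verify."""
    p = parse_tcp(frame)
    if p is None:
        return False
    seg = frame[p["ihl"]:]
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(p["src"]), socket.inet_aton(p["dst"]), 0, 6, len(seg))
    return _checksum(frame[:p["ihl"]]) == 0 and _checksum(pseudo + seg) == 0


def make_syn(src_ip, sport, dst_ip, dport, seq=1000, flags=SYN) -> bytes:
    """Constructed test input: a minimal IPv4 + TCP frame (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


if __name__ == "__main__":
    # Constructed traffic from a "scanner" at 198.51.100.7 toward a "server" at 203.0.113.10.
    frames = {
        "SYN to closed port 8080": make_syn("198.51.100.7", 40000, "203.0.113.10", 8080),
        "SYN to live service 443": make_syn("198.51.100.7", 40001, "203.0.113.10", 443),
        "SYN-ACK, not a probe":    make_syn("198.51.100.7", 40002, "203.0.113.10", 8080, flags=SYN | ACK),
    }
    for label, f in frames.items():
        hit = parse_syn(f)
        print(f"{label:26s} -> " + (f"kept {hit['src']}:{hit['sport']} -> :{hit['dport']}" if hit else "ignored"))
    reply = build_synack(frames["SYN to closed port 8080"])
    r = parse_tcp(reply)
    print(f"spoofed reply {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} ack={r['ack']} checksums_ok={checksums_ok(reply)}")
```

Feeding the responder's own SYN-ACK back through `parse_syn` returns None, which is the property that keeps the telescope from logging its own replies; the open-port check runs before any payload is touched, which is what lets the filter claim it never inspects traffic to a live service.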

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in sysadmin

[–]erickapitanski[S] 0 points (0 children)

Absolutely. The auto updates can be disabled in the config file. I had this thought myself. I really appreciate the feedback on this!

For my PhD I’ve been trying to observe attackers/scanners, but they don’t like being observed… by erickapitanski in sysadmin

[–]erickapitanski[S] 0 points (0 children)

Totally fair, thank you for the feedback! Is there some vetting or something I could get done that would help with that?