
The eclean network map

This page provides an in-depth description of eclean's network design and architecture. Engineers working on our systems must understand our network architecture in order to diagnose, deploy, and make informed system design decisions.

The following are visual representations and descriptions of the key components of our network, their linkages, and how they all contribute to the delivery of our services. We regularly update this documentation to reflect the current state of our network.

Security reminders

While this diagram provides a high-level overview, some security-sensitive information has been intentionally omitted. For more extensive network details, please refer to our secure internal documentation or contact the infrastructure team.

Network Security Overview

Our network security is built in multiple layers, giving us "defence in depth":

flowchart TB
    Internet((Internet))

    subgraph CF[Cloudflare Protection]
        DDOS1[DDoS Mitigation] --> SSL[SSL/TLS Encryption]
        SSL --> RATE1[Rate Limiting]
        RATE1 --> REP[IP Reputation Filtering]
    end

    subgraph RH[RoyaleHosting DDoS Protection]
        DDOS2[Network DDoS Mitigation] --> PROTO[Protocol Validation]
        PROTO --> SCRUB[Traffic Scrubbing]
        SCRUB --> BLACK[Auto Blacklisting]
    end

    subgraph SRV[Server-level Security]
        CROWD[CrowdSec Security] --> FW[Firewall Configuration]
    end

    subgraph APP[Container Security]
        ISO[Container Isolation] --> ACC[Access Control]
        ACC --> POL[Network Policies]
        POL --> LEAST[Least Privilege]
    end

    Internet -->|Incoming Traffic| CF
    REP --> RH
    BLACK --> SRV
    FW --> APP

Layers of Cloudflare Security

Our network is safeguarded by Cloudflare's protective layer, which filters known malicious IP addresses, enforces HTTPS with modern cipher suites for SSL/TLS encryption, restricts request rates per IP address to prevent abuse, and mitigates distributed denial of service attacks.

Strong DDoS Protection from RoyaleHosting

Behind Cloudflare, RoyaleHosting's DDoS protection goes a step further: it blocks volumetric attacks, validates protocols so that only well-formed TCP/UDP traffic passes, scrubs traffic to remove malicious packets, and automatically blacklists attack sources.

Secure Server Access

CrowdSec provides real-time threat detection and response and is an essential component of our server security. It consults an IP reputation database and immediately blocks suspicious activity, protects API endpoints, and stops brute-force attacks. In addition, our firewall rules manage connection tracking and state, impose rate limits, expose only the required ports, and enforce a strict iptables configuration.

Application Security

In our containerised environment, we strengthen security through container isolation: network namespace separation, resource limits, restricted capabilities, and, where possible, a read-only root filesystem. Access control is enforced by applying the principle of least privilege, restricting network access, and limiting inter-container communication.
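The following Python is an added illustration, not eclean's own configuration or tooling: it checks a docker-compose-style service definition against the container controls listed above (namespace separation, resource limits, dropped capabilities, read-only root filesystem, restricted port exposure). The two service definitions are constructed for the example; the key names follow Compose conventions.

```python
# Constructed docker-compose-style service definitions (not eclean's real configuration);
# nested dicts stand in for the YAML a compose file would be parsed into.
WEAK_SERVICE = {
    "image": "example/app:1.0",
    "privileged": True,
    "network_mode": "host",
    "ports": ["0.0.0.0:8080:8080"],
}

HARDENED_SERVICE = {
    "image": "example/app:1.0",
    "read_only": True,                        # read-only root filesystem
    "tmpfs": ["/tmp"],                        # scratch space the app still needs
    "cap_drop": ["ALL"],                      # restricted capabilities
    "cap_add": ["NET_BIND_SERVICE"],          # add back only what is required
    "security_opt": ["no-new-privileges:true"],
    "mem_limit": "256m",                      # resource limits
    "pids_limit": 100,
    "networks": ["app_internal"],             # own network namespace, limited peers
    "ports": ["127.0.0.1:8080:8080"],         # reachable only via the local reverse proxy
}

def audit_service(svc):
    """Return the list of least-privilege findings for one service definition."""
    findings = []
    if svc.get("privileged"):
        findings.append("privileged: container runs with all capabilities")
    if svc.get("network_mode") == "host":
        findings.append("network_mode=host: no network namespace separation")
    if "ALL" not in svc.get("cap_drop", []):
        findings.append("cap_drop: default capability set kept (expected cap_drop: [ALL])")
    if not svc.get("read_only"):
        findings.append("read_only: root filesystem is writable")
    if not svc.get("mem_limit") or not svc.get("pids_limit"):
        findings.append("limits: mem_limit and/or pids_limit missing")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append("security_opt: no-new-privileges not set")
    for p in svc.get("ports", []):
        parts = p.rsplit(":", 2)  # "[host_ip:]host_port:container_port"
        if len(parts) < 3 or parts[0] in ("0.0.0.0", ""):
            findings.append(f"ports: {p} is published on all interfaces, not loopback")
    return findings
```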

This multi-layered security system provides robust defence at every level. Regular security audits and updates keep these measures effective.

CrowdSec Integration and Communications

CrowdSec plays an important role in our server-level security, interacting with several system services to improve our security posture. The diagram below shows how CrowdSec interacts with the various system components to detect threats and enforce decisions.

flowchart TB
    TRAFFIC((Incoming Traffic))

    subgraph FW[Firewall]
        IPT[iptables-bouncer]
    end

    subgraph CS[CrowdSec Engine]
        ACQU[(Acquisition: Logs)] -->|Parses| PARSER[Parser Service]
        PARSER -->|Enriches| SCENARIOS[Scenarios Engine]
        SCENARIOS -->|Triggers| DECISIONS[(Local Decisions DB)]
    end

    subgraph CAPI[CrowdSec Central API]
        CTI[Threat Intelligence] -->|Share New Threats| COMMUNITY[(Community Signals)]
        COMMUNITY -->|Receive Known Threats| CTI
    end

    TRAFFIC -->|Passes through| FW
    DECISIONS -->|Report Attacks| CTI
    CTI -->|Update Blocklists| DECISIONS
    DECISIONS -->|Pushes| IPT

CrowdSec Operation Details

  • Acquisition: Gathers data from a variety of sources.
    • Journalctl logs
    • Nginx access logs
    • System authentication logs
    • Custom data sources
  • Parser Services: Convert raw data into standardised CrowdSec events.
  • Scenarios Engine: Evaluates events against security scenarios (YAML-based rules).
  • Local decisions: Stores and manages decisions (IP bans, captchas, etc.).
  • iptables-bouncer: Official bouncer that enforces decisions as iptables rules.
  • Central API (CAPI or CTI):
    • Shares discovered attacks with the CrowdSec community.
    • Receives real-time threat intelligence from other CrowdSec instances.
    • Updates local blocklists with community-validated threats.
    • Provides a reputation score for IPs based on worldwide data.

This connection ensures real-time threat detection and response, utilising both local and community intelligence to keep the system secure.
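As an added example (not CrowdSec's code and not eclean's configuration), the following Python walks the pipeline shown above on constructed sshd-style log lines: acquisition and parsing into normalised events, a sliding-window scenario that triggers a ban decision, and a bouncer step that renders each decision as the iptables rule a bouncer would install. The threshold, window and ban duration are assumed values, not the scenario parameters used on our servers.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines (not from the eclean systems), sshd-style auth messages.
# Timestamps are seconds since an arbitrary epoch to keep the parser short.
SAMPLE_AUTH_LOG = [
    "1000 sshd[101]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "1002 sshd[102]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2",
    "1004 sshd[103]: Failed password for root from 203.0.113.7 port 5003 ssh2",
    "1005 sshd[104]: Accepted publickey for deploy from 198.51.100.4 port 6000 ssh2",
    "1007 sshd[105]: Failed password for root from 203.0.113.7 port 5004 ssh2",
    "1009 sshd[106]: Failed password for root from 203.0.113.7 port 5005 ssh2",
    "1030 sshd[107]: Failed password for root from 198.51.100.4 port 6001 ssh2",
]

# Parser stage: raw line -> normalised event, or None when the line is not a failure.
FAILED_RE = re.compile(
    r"^(?P<ts>\d+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line):
    m = FAILED_RE.match(line)
    if not m:
        return None
    return {"ts": int(m["ts"]), "source_ip": m["ip"], "user": m["user"], "type": "ssh-auth-failure"}

# Scenario stage: sliding-window threshold per source IP (hypothetical parameters:
# 5 failures within 60 s -> 4 h ban), the same shape as a CrowdSec trigger scenario.
def run_scenario(events, threshold=5, window=60, ban_seconds=4 * 3600):
    recent = defaultdict(deque)  # source_ip -> timestamps of failures inside the window
    decisions = {}               # source_ip -> decision (one ban per IP)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["source_ip"]
        q = recent[ip]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in decisions:
            decisions[ip] = {"ip": ip, "type": "ban", "scenario": "ssh-bf",
                             "until": ev["ts"] + ban_seconds}
    return decisions

# Bouncer stage: each ban decision becomes the rule an iptables bouncer would install.
def to_iptables(decisions):
    return [f"iptables -I INPUT -s {d['ip']} -j DROP" for d in decisions.values() if d["type"] == "ban"]

def detect(lines):
    events = [ev for ev in (parse_line(line) for line in lines) if ev]
    return run_scenario(events)
```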