From 6c7253f51ca6ff01490ef8e8d971e99d121f5085 Mon Sep 17 00:00:00 2001
From: Christian Kampka
Date: Wed, 20 Mar 2024 18:08:24 +0100
Subject: [PATCH] Document example for protecting local SSH

---
 README.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/README.md b/README.md
index 665aa57..0dc1939 100644
--- a/README.md
+++ b/README.md
@@ -130,3 +130,39 @@ Depending on your security requirements and secrets management, this process is
 }
 ```
+
+## Examples
+
+### Local SSHd with systemd-journal
+
+This scenario is probably the most common scenario when getting started with Crowdsec.
+It configures the engine to parse logs from the systems local systemd-journal for
+failed SSH authentications and blocks IPs trying to brute-force the SSH key.
+
+```nix
+{
+  services.crowdsec = let
+    yaml = (pkgs.formats.yaml {}).generate;
+    acquisitions_file = yaml "acquisitions.yaml" {
+      source = "journalctl";
+      journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
+      labels.type = "syslog";
+    };
+  in {
+    enable = true;
+    allowLocalJournalAccess = true;
+    settings = {
+      crowdsec_service.acquisition_path = acquisitions_file;
+    };
+  };
+}
+```
+
+Then, install a scenario to act on your logs. The [crowdsecurity/linux](https://app.crowdsec.net/hub/author/crowdsecurity/collections/linux)
+collection provides a good base collection to get started.
+
+```shell
+  cscli collections install crowdsecurity/linux
+```
+
+This can be automated using eg. `ExecStartPre` scripts. See some example in this README for inspiration.