I have CrowdSec up and running on my OPNsense instance. My understanding is that CrowdSec is protecting my WebGUI service from brute force attacks.
I had heard CrowdSec was going to release an IP blocklist of their own that OPNsense users could build an Alias for (i.e. like Spamhaus). Ran into this on the CrowdSec website:
sudo apt install crowdsec-blocklist-mirror
Was wondering if I could somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.
Totally wrong about this; it appears the CrowdSec plug-in I installed also blocks at the FW level.
Quote from: andrewoliv on June 01, 2022, 04:15:03 PM
I have CrowdSec up and running on my OPNsense instance. My understanding is that CrowdSec is protecting my WebGUI service from brute force attacks.
I had heard CrowdSec was going to release an IP blocklist of their own that OPNsense users could build an Alias for (i.e. like Spamhaus). Ran into this on the CrowdSec website:
sudo apt install crowdsec-blocklist-mirror
Was wondering if I could somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.
Hello
https://github.com/crowdsecurity/opnsense-plugin-crowdsec
v0.0.6
crowdsec update 1.3.1.r1
bouncer update to 0.0.23.r1
automated creation of Alias and Rule objects
They already have an alias.
Quote from: andrewoliv on June 01, 2022, 04:15:03 PM
I had heard CrowdSec was going to release an IP blocklist of their own that OPNsense users could build an Alias for (i.e. like Spamhaus). Ran into this on the CrowdSec website:
sudo apt install crowdsec-blocklist-mirror
Was wondering if I could somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.
You accidentally bumped into our new blocklist mirror bouncer :-) The basic idea is that it sets up a basic webserver that exposes a blocklist that can be exported into any firewall. Here's an article on how to use it with pfSense: https://blog.vacum.se/updated-blocklist-export-for-crowdsec/
The downside to using this approach with pfSense at least (I assume it would be the same with OPNsense) is that connections that are already established won't be cut off. I am under the impression that can be fixed using pfBlockerNG somehow (without knowing the details).
Being an OPNsense user, I would advise you to use the OPNsense port whenever possible, as that will give you the best experience; if nothing else, just use the pf bouncer package.
Did that answer your question? If not, feel free to ask again.
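An added example, written for this thread and not code from the CrowdSec project, the OPNsense plug-in or the blocklist mirror: it does the consumer side of what the reply above describes, taking the text body a mirror serves and turning it into something safe to feed an alias. It validates every entry, refuses your own local ranges (so a mis-generated or tampered list cannot block your LAN or loopback), collapses overlapping entries, and keeps a record of what it rejected so a sudden spike in rejects can be noticed. The `fetch_blocklist` helper, the mirror URL and the one-entry-per-line plain-text format are assumptions; the sample list is constructed, not real data.

```python
"""Validate and normalise a plain-text IP blocklist before it becomes a firewall alias."""
import ipaddress
import urllib.request
from typing import List, Tuple

# Constructed sample of a blocklist body (one entry per line), using documentation
# ranges only. It deliberately contains duplicates, overlaps, junk and local ranges.
SAMPLE_BLOCKLIST = """\
# generated by a hypothetical blocklist mirror
198.51.100.7
198.51.100.0/24
203.0.113.5
203.0.113.5
2001:db8::1
2001:db8::/48
not-an-ip
10.0.0.1
192.168.1.0/24
256.1.1.1
"""

# Ranges that must never end up in a block alias, whatever the upstream list says:
# RFC 1918, loopback, link-local, and their IPv6 equivalents.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_local(net: ipaddress._BaseNetwork) -> bool:
    """True if the network touches any range we refuse to block."""
    return any(b.version == net.version and net.overlaps(b) for b in LOCAL_RANGES)


def parse_blocklist(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted entries, rejected (line, reason) pairs).

    Blank lines and '#' comments are skipped silently. Unparseable lines and
    local ranges are rejected and reported. Accepted entries are deduplicated
    and collapsed per address family (a host inside a listed /24 disappears).
    """
    nets = []
    rejected: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. 198.51.100.7/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if is_local(net):
            rejected.append((line, "local range"))
            continue
        nets.append(net)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6], rejected


def to_alias_text(entries: List[str]) -> str:
    """One entry per line, the shape a URL-fetched table alias expects (assumption)."""
    return "".join(e + "\n" for e in entries)


def fetch_blocklist(url: str, timeout: float = 10.0) -> str:
    """Fetch the raw list from a mirror; the URL and text format are assumptions."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310 (trusted URL)
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    entries, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print(to_alias_text(entries), end="")
    for line, reason in rejected:
        print(f"rejected {line!r}: {reason}")
```

Run it on a real mirror body via `fetch_blocklist(...)` in place of `SAMPLE_BLOCKLIST`; if the rejected list grows from a handful to hundreds between runs, treat the upstream list as suspect rather than loading it.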
Hello
So CrowdSec is basically a bit like the good old fail2ban with extensible and modular sources? Is that it, or am I misunderstanding something?
I would just not open the WebUI to internet at all. Is this to protect against attempts coming from the LAN side or the management interface?
Quote from: spyware-avoidance on June 07, 2022, 12:04:31 AM
So CrowdSec is basically a bit like the good old fail2ban with extensible and modular sources? Is that it, or am I misunderstanding something?
Excellent question. The short answer is yes. And no. Read this article I wrote a couple of weeks ago for an elaboration: https://crowdsec.net/blog/crowdsec-not-your-typical-fail2ban-clone/
Let me know if you have further questions.