OPNsense Forum

English Forums => General Discussion => Topic started by: Georges on November 20, 2020, 06:53:44 pm

Title: CrowdSec
Post by: Georges on November 20, 2020, 06:53:44 pm
Hello,

I just discovered this.
"CrowdSec is a security automation engine, using both local IP behavior detection & our community-driven IP reputation database."

https://crowdsec.net

Still in beta but this will power OPNsense into a new level with a plugin like this 0.0

What do you think?

Title: Re: CrowdSec
Post by: lfirewall1243 on November 24, 2020, 10:31:47 am
Looks interesting.

But I think it's not legal (without certain contracts) because of privacy stuff in some countries.
Title: Re: CrowdSec
Post by: mimugmail on November 24, 2020, 10:52:44 am
looks nice, but it has no FreeBSD port which would be required to get into OPNsense
Title: Re: CrowdSec
Post by: philippe_crowdsec on November 25, 2020, 04:00:27 pm
Hi guys, Philippe from the CrowdSec team.
We're glad you show interest in the product.
Currently, we are finalizing the v1.0 and packaging for debian.
A container will also soon be available, as well as a CentOS package.

As you can guess, we had queries for ports on a lot of OS & distros and we will have a hard time producing them all in a timely manner. What we can offer though is a repo on our site or GitHub to provide community compiled packages or ports, and we'll be more than happy to. If the team needs to support a community build, it will, to the best of its time and capacities. That being said, we chose Golang also because of its very high portability.

As for privacy, we are based in France. To put it mildly, we are under one of the strictest data privacy regulations on earth. We are currently feeding the paperwork beast with all the proper processes, forms, applications, tools, declarations and all that jazz. Takes a bit of time and a lot of money for the lawyers, but be sure that we are working on it.

To put it short, we don't export your logs and no data of yours. To benefit from the network reputation system for free, you have to share your own findings. When you block one IP because of a bad behavior, 3 things and only those 3 are sent back to us: 1/ The timestamp 2/ Offending IP 3/ Scenario it triggered.

Hope this brings some answers to your legitimate concerns.
Title: Re: CrowdSec
Post by: Georges on January 07, 2021, 04:54:45 pm
The v1.0 is out :)

https://crowdsec.net/2020/12/07/crowdsec-v-1-0-is-out/

If I were a dev I would definitely do something to put it in OPNsense, but I'm not :/
Title: Re: CrowdSec
Post by: mimugmail on January 07, 2021, 10:25:31 pm
There is no FreeBSD port ...
Title: Re: CrowdSec
Post by: Georges on January 09, 2021, 11:39:52 am
> The v1.0 is out :)
>
> https://crowdsec.net/2020/12/07/crowdsec-v-1-0-is-out/
>
> If I were a dev I would definitely do something to put it in OPNsense, but I'm not :/

Don't forget to tell us if you are doing a FreeBSD version :)
Title: Re: CrowdSec
Post by: Georges on April 08, 2021, 01:41:00 pm
Yeh!!!!!

https://github.com/mimugmail/opn-repo/issues/4

"It's now in community repo:

pkg install crowdsec
If you tell me something about config and syntax I can try to build a plugin
"
Title: Re: CrowdSec
Post by: mfalkvidd on August 24, 2021, 09:30:06 am
Anyone using Crowdsec yet?
I installed it, but it says
Code:
crowdsec is installed.

You need to edit the agent config file /usr/local/etc/crowdsec/crowdsec.yaml and
enable rc via sysrc.

# sysrc crowdsec_enable="YES"
root@OPNsense:~ # sysrc crowdsec_enable="YES"
awk: can't open file /etc/rc.conf
I am not sure what I need to place in the yaml file.
Title: Re: CrowdSec
Post by: mimugmail on August 24, 2021, 09:34:16 am
Create a file /etc/rc.conf.d/crowdsec and place the content there ...
Title: Re: CrowdSec
Post by: klausagnoletti on August 24, 2021, 04:19:42 pm
Hi

I am with CrowdSec and admittedly we don't have a dedicated package of CrowdSec for OPNsense (yet).
As far as I know there's this maintained by @mimugmail (and thanks a lot for your work here). Also it's available in the official port tree.

The result is the same, though. They are made from the upstream source made for FreeBSD. I tried installing them this weekend on my two OPNsense boxes and they don't work right out of the box. I couldn't make the agent read ssh logs (and report on bruteforcing). I haven't found out why. And the bouncer is not available in @mimugmail's repo but it probably wouldn't work anyway.

State of the FreeBSD port is that it works. At least on FreeBSD - but it shows that it's a new port that we haven't gotten much user feedback on, so it's not particularly mature as an easy to use product. And since FreeBSD != OPNsense it will work less well. Log file locations and formats differ.

However, at CrowdSec we are very interested in making our tool available in an easy to use format across many platforms, so we really want to make a package for OPNsense that just works. If you're interested in helping us out by testing and reporting bugs to us directly or submitting patches, ping me at klaus (at) crowdsec (dot) net.

Thanks for wanting to try out CrowdSec. We really appreciate it!

/klaus
Title: Re: CrowdSec
Post by: mimugmail on August 24, 2021, 07:42:29 pm
Klaus, do you have a quick guide for vanilla FreeBSD? Maybe I can have a shot for a basic plugin.
Title: Re: CrowdSec
Post by: klausagnoletti on August 25, 2021, 09:36:52 am
Here you go:
https://doc.crowdsec.net/Crowdsec/v1/user_tutorial/crowdsec_firewall_on_freebsd/

Following that I managed to get things working on my droplet on DigitalOcean.

You might want to install the crowdsecurity/geoip-enrich parser if you manage to get it working. That's enabled by default on Linux and nice if you add your box to the web console (which is currently in private beta but provides a very nice overview of who's bfing your firewall).

While you're at it please add crowdsec-firewall-bouncer to your repo. Could be fun to see if I could make it work as well :-)

Thanks

/k
Title: Re: CrowdSec
Post by: mimugmail on September 06, 2021, 02:56:53 pm
Sorry, the link doesn't work (anymore?)
Title: Re: CrowdSec
Post by: sorano on September 06, 2021, 04:57:42 pm
> Sorry, the link doesn't work (anymore?)

https://doc.crowdsec.net/blog/crowdsec_firewall_freebsd
Title: Re: CrowdSec
Post by: klausagnoletti on September 06, 2021, 08:54:33 pm
Thanks for helping out @sorano.

Yes, we literally just upgraded our entire documentation to a better platform and also the content was improved.

@mimugmail: Let me know if you have any questions.

Have a great day and thanks for helping out!

/k
Title: Re: CrowdSec
Post by: andreaslink on January 14, 2022, 01:32:18 pm
Out of curiosity, is there any update here? I cannot yet find an official package/plugin in the repo, can I?
And can I (later) use CrowdSec next to Suricata as an IPS system, or am I mixing things up here?
Title: Re: CrowdSec
Post by: lfirewall1243 on January 14, 2022, 01:36:35 pm
> Out of curiosity, is there any update here? I cannot yet find an official package/plugin in the repo, can I?
> And can I (later) use CrowdSec next to Suricata as an IPS system, or am I mixing things up here?

There will be a plugin in the near future

https://twitter.com/Crowd_Security/status/1480530170595450882?t=7T6R3KHoi56UdDaWWIjy3g&s=19
Title: Re: CrowdSec
Post by: RamSense on January 14, 2022, 06:11:11 pm
yeah I saw that on twitter also. Looks very promising and I like the concept.
I am also wondering if it could be running side by side with Suricata / Zenarmor
Title: Re: CrowdSec
Post by: klausagnoletti on January 14, 2022, 08:11:12 pm
Yes, we plan to release a use-at-your-own-risk version of the addon as soon as we have fixed the bug that cuts off internet access to my LAN when I install the current build :-)

It will be available in the GitHub repo which we are then making public. If you want to know when it's ready send me a mail at klaus at crowdsec dot net.

/k
Title: Re: CrowdSec
Post by: klausagnoletti on January 24, 2022, 12:31:59 pm
That day is today! CrowdSec for OPNsense is available in public beta today. Get it from https://github.com/crowdsecurity/opnsense-plugin-crowdsec and try it out at your own risk.

If you run into any problems a good place to ask is in the CrowdSec Discord at https://discord.gg/wGN7ShmEE8.

Have fun!
Title: Re: CrowdSec
Post by: mmetc on January 24, 2022, 11:05:05 pm
Quick update.

We (CrowdSec) have uploaded a prerelease of the OPNsense plugin here: https://github.com/crowdsecurity/opnsense-plugin-crowdsec

I have not submitted it yet for inclusion in OPNsense because I prefer to have some feedback first, but mostly because the plugin depends on versions of the FreeBSD packages that are still not available in the upstream repository (I have submitted them, just not accepted/built yet). If you don't feel comfortable installing binaries, you can build your own from:

Agent and firewall => https://github.com/crowdsecurity/packaging-freebsd/tree/v1.2.3_1-v0.0.22_1/security

OS plugin => https://github.com/crowdsecurity/opnsense-plugin-crowdsec/tree/v0.0.3

The feature set is pretty complete for the agent and firewall, and the UI of the plugin is minimal but it's a start.
Feel free to ask in the GitHub issues, we need to have a sense of your priorities.

The agent and firewall can work without OPNsense, in that case you just have to enable/start them as directed in the post-install message. The only other configuration required is the creation of an anchor in /etc/pf.conf.

Any suggestion is welcome.
Title: Re: CrowdSec
Post by: cookiemonster on January 25, 2022, 05:30:55 pm
thanks for this. New development often leaves freebsd-based unloved. Top marks to crowdsec for not doing that.
Title: Re: CrowdSec
Post by: cookiemonster on January 25, 2022, 06:25:12 pm
I'm willing to do some testing for you. I've installed it and will be feeding back on github. It was surprisingly easy to install.
Just the execute error at the end but that might be benign.
Code:
me@OPNsense:/tmp % sudo pkg add crowdsec-1.2.3_1.txz
Password:
Installing crowdsec-1.2.3_1...
Extracting crowdsec-1.2.3_1: 100%
=====
Message from crowdsec-1.2.3_1:

--
crowdsec is installed.

You need to check/edit the following files in /usr/local/etc/crowdsec as described in https://doc.crowdsec.net/docs/configuration/crowdsec_configuration

 - config.yaml: main configuration
 - acquis.yaml: where to find logs to parse (this port does not include automatic discovery of the running services)
 - profiles.yaml: remediation policies (ban, duration, etc)

Then you can enable the daemon via sysrc and run it.

# sysrc crowdsec_enable="YES"
crowdsec_enable: NO -> YES
# service crowdsec start

-------
me@OPNsense:/tmp % sudo pkg add crowdsec-firewall-bouncer-0.0.22_1.txz
Installing crowdsec-firewall-bouncer-0.0.22_1...
Extracting crowdsec-firewall-bouncer-0.0.22_1: 100%
=====
Message from crowdsec-firewall-bouncer-0.0.22_1:

--
crowdsec-firewall-bouncer is installed.

The bouncer should register itself but you may want to check the
configuration file, which is now in /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
(for consistency with the other platforms).

In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
to check if you made any changes there.

This package depends on the Packet Filter service.
To make sure it's active:

----------
# sysrc pf_enable=YES
pf_enable: NO -> YES
# service pf start
Enabling pf.
----------

Add the following in /etc/pf.conf to create the firewall tables and rules:

----------
anchor crowdsec
----------

To apply the file:

# pfctl -f /etc/pf.conf

Then activate the bouncer via sysrc and run it:

----------
# sysrc crowdsec_firewall_enable="YES"
crowdsec_firewall_enable: NO -> YES
# service crowdsec_firewall start
----------

--------------

me@OPNsense:/tmp % sudo pkg add os-crowdsec-0.0.3.txz
Installing os-crowdsec-0.0.3...
Extracting os-crowdsec-0.0.3: 100%
Stopping configd...done
Starting configd.
Migrated OPNsense\CrowdSec\General from 0.0.0 to 0.0.2
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/CrowdSec: OK
Execute error
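
The post-install messages above, together with mimugmail's earlier advice to put the enable flag into /etc/rc.conf.d/crowdsec because OPNsense ships no /etc/rc.conf, describe a small bootstrap procedure for running the agent and the firewall bouncer without the OPNsense plugin. The following script is an added example, not code from the ports, the plugin or anyone in this thread. It assumes the FreeBSD rc.conf.d semantics mimugmail describes (rc(8) reads /etc/rc.conf.d/<name> for the script of that name), the file locations quoted in the messages, and that `pfctl -n` is used as a dry-run parse before loading pf.conf; all paths and the anchor name are parameters so the functions can be exercised on scratch files before touching the real system.

```shell
#!/bin/sh
# Added example, not code from the ports, the plugin or this thread.
# Bootstraps the agent and the firewall bouncer the way the post-install
# messages ask, on a FreeBSD box that is NOT managed by the OPNsense
# plugin: since there is no /etc/rc.conf (hence the sysrc/awk error seen
# earlier), the enable flags go into /etc/rc.conf.d/<service>, and the
# pf anchor is added to /etc/pf.conf exactly once.
# Paths and anchor name are parameters; defaults are the locations quoted
# in the thread. Nothing is touched unless the script is run with --apply.

set -eu

# Write <svc>_enable="YES" into <rcdir>/<svc>, replacing a stale
# <svc>_enable line but keeping every other variable in the file.
enable_rc_service() {
    svc="$1"
    rcdir="${2:-/etc/rc.conf.d}"   # assumption: standard rc.conf.d location
    f="$rcdir/$svc"
    tmp="$f.tmp.$$"
    mkdir -p "$rcdir"
    {
        if [ -f "$f" ]; then
            grep -v "^${svc}_enable=" "$f" || true
        fi
        printf '%s_enable="YES"\n' "$svc"
    } > "$tmp"
    mv "$tmp" "$f"
}

# Append `anchor <name>` to pf.conf unless an anchor of that name is
# already declared, so re-running the bootstrap never duplicates it.
add_pf_anchor() {
    pfconf="${1:-/etc/pf.conf}"
    name="${2:-crowdsec}"
    if [ -f "$pfconf" ] \
       && grep -Eq "^[[:space:]]*anchor[[:space:]]+\"?${name}\"?([[:space:]]|\$)" "$pfconf"; then
        return 0
    fi
    printf 'anchor %s\n' "$name" >> "$pfconf"
}

# Parse pf.conf first (-n is a dry run) and only then load it, so a typo
# in the file cannot leave the firewall without its ruleset.
apply_pf_conf() {
    pfconf="${1:-/etc/pf.conf}"
    pfctl -nf "$pfconf" && pfctl -f "$pfconf"
}

# Start an rc service only if it is not already running (a plain
# `service X start` on a running service returns non-zero under set -e).
ensure_running() {
    service "$1" status >/dev/null 2>&1 || service "$1" start
}

# The full sequence from the post-install messages.
bootstrap() {
    enable_rc_service pf
    enable_rc_service crowdsec
    enable_rc_service crowdsec_firewall
    add_pf_anchor /etc/pf.conf crowdsec
    ensure_running pf
    apply_pf_conf /etc/pf.conf
    ensure_running crowdsec
    ensure_running crowdsec_firewall
}

if [ "${1:-}" = "--apply" ]; then
    bootstrap
fi
```

Run it as `sh bootstrap.sh --apply` as root on a vanilla FreeBSD host. On an OPNsense box itself the plugin is the thing that should own the pf rules, which is why the project's own instructions quoted later in the thread say not to enable the packages as the post-install messages suggest.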

Title: Re: CrowdSec
Post by: mmetc on January 25, 2022, 09:00:25 pm
> I'm willing to do some testing for you. I've installed it and will be feeding back on github. It was surprisingly easy to install.
> Just the execute error at the end but that might be benign.

It probably is, you can grep for crowdsec under /var/log/configd/ to find the reason.
From what I see, the error should come from "configctl crowdsec reconfigure" which can be executed again with no harm.

It can be something as trivial as "asked service to stop when it was not running" .. I'll watch again, thanks

Title: Re: CrowdSec
Post by: cookiemonster on January 30, 2022, 12:42:15 am
Upgraded the firewall today from 21.7.8 to 22.1
The crowdsec plugin appeared as misconfigured; after a "resolve conflicts" action it is now in an orphaned state. The reason given is "unknown-repository".
Is there a way to re-add the repository to solve, or is it a re-installation, but I imagine the id on the crowdsec console will need to change.
Title: Re: CrowdSec
Post by: mmetc on January 30, 2022, 12:58:22 am
> Upgraded the firewall today from 21.7.8 to 22.1
> The crowdsec plugin appeared as misconfigured; after a "resolve conflicts" action it is now in an orphaned state. The reason given is "unknown-repository".
> Is there a way to re-add the repository to solve, or is it a re-installation, but I imagine the id on the crowdsec console will need to change.

The plugin is orphaned because it has been installed by hand and I suppose misconfigured because it was built under 21.7.
All three packages (crowdsec, firewall bouncer and plugin) can be safely uninstalled/reinstalled.
The configuration files are not overwritten and the machine id stays the same. Just make sure not to remove anything by hand, under /usr/local/etc/crowdsec and /var/db/crowdsec.
You need to install from the appropriate archive from the Releases page, I put a version for 22.1 / freebsd 13.

Thanks for testing!
Title: Re: CrowdSec
Post by: mimugmail on January 30, 2022, 06:42:57 am
You might manually reinstall packages as pkg ABI changed
Title: Re: CrowdSec
Post by: cookiemonster on January 30, 2022, 08:17:23 pm
Thank you both. I reinstalled by uninstalling the plugin from the UI then downloaded and installed from the txzs for 22.1.
It recognised both packages crowdsec-1.2.3_1.txz and crowdsec-firewall-bouncer-0.0.22_1.txz were already installed. I probably should have rehashed after removing from the UI, no problem really.
Then installed os-crowdsec-0.0.3.txz and that went through fine.
All good, thanks.
Title: Re: CrowdSec
Post by: zz00mm on January 31, 2022, 12:45:13 am
Crowdsec has been installed, what should be done with the message that v1.3 is available?
Title: Re: CrowdSec
Post by: franco on January 31, 2022, 08:13:28 am
"misconfigured" means the plugin was installed by console and was not registered in the config.xml. As long as there is no upstream repo for it that situation will be normal but not affect operation at all (same as "orphaned").


Cheers,
Franco
Title: Re: CrowdSec
Post by: cookiemonster on February 05, 2022, 12:40:29 am
> Crowdsec has been installed, what should be done with the message that v1.3 is available?
I'm wondering the same thing. There's no binary for it I can find in github and the instructions that I can find don't include updates, which I find odd. Early days I suppose.
Title: Re: CrowdSec
Post by: zz00mm on February 12, 2022, 04:33:39 pm
firewall has been updated to build 005 which contains v1.3 of the crowdsec engine. The crowdsec portal has updated itself and shows the correct versions.
Title: Re: CrowdSec
Post by: cookiemonster on February 12, 2022, 10:14:16 pm
thanks for posting, yes a new version is available now.
Title: Re: CrowdSec
Post by: alexroz on March 04, 2022, 08:27:40 pm
CrowdSec arrives on OPNsense: https://crowdsec.net/blog/crowdsec-arrives-on-opnsense/
Title: Re: CrowdSec
Post by: lilsense on March 07, 2022, 03:57:12 pm
Would someone elaborate on the Zenarmor/Suricata and Crowdsec? should all of them be used all together/separate or not at all?
Title: Re: CrowdSec
Post by: RamSense on April 29, 2022, 08:07:38 am
you can run them together if you like and build some multi layer of protection.
For those who also want to start with crowdsec but don't know how, I just found a nicely written guide for you:
https://homenetworkguy.com/how-to/install-and-configure-crowdsec-on-opnsense/
Title: Re: CrowdSec
Post by: hushcoden on April 30, 2022, 08:59:39 pm
Sorry if I'm missing something obvious, but I just installed it and the two aliases crowdsec_blacklists and crowdsec6_blacklists are empty ?

I thought they'd contain the URLs where they'd take the bad IPs from ?
Title: Re: CrowdSec
Post by: hushcoden on April 30, 2022, 09:48:19 pm
Also, just noticed in System -> Firmware the crowdsec plugin is listed as misconfigured - but I didn't get any errors during the installation, any suggestions?

Tia.
Title: Re: CrowdSec
Post by: cookiemonster on May 01, 2022, 12:15:37 am
> Also, just noticed in System -> Firmware the crowdsec plugin is listed as misconfigured - but I didn't get any errors during the installation, any suggestions?
>
> Tia.

> "misconfigured" means the plugin was installed by console and was not registered in the config.xml. As long as there is no upstream repo for it that situation will be normal but not affect operation at all (same as "orphaned").
>
> Cheers,
> Franco
Title: Re: CrowdSec
Post by: cookiemonster on May 01, 2022, 12:21:47 am
> Sorry if I'm missing something obvious, but I just installed it and the two aliases crowdsec_blacklists and crowdsec6_blacklists are empty ?
>
> I thought they'd contain the URLs where they'd take the bad IPs from ?
It looks like they get pulled every two hours by default according to the "Alerts" tab on the plugin UI. I don't remember if they got populated immediately at installation time though. I'd give it a little time, like two hours max or check the docs.
Title: Re: CrowdSec
Post by: abulafia on May 05, 2022, 09:39:59 pm
> Sorry if I'm missing something obvious, but I just installed it and the two aliases crowdsec_blacklists and crowdsec6_blacklists are empty ?
>
> I thought they'd contain the URLs where they'd take the bad IPs from ?

> It looks like they get pulled every two hours by default according to the "Alerts" tab on the plugin UI. I don't remember if they got populated immediately at installation time though. I'd give it a little time, like two hours max or check the docs.
Confirmed that they get populated automatically after some time (2h sounds about right).
Title: Re: CrowdSec
Post by: Christophe999s on May 06, 2022, 03:51:19 pm
Having a similar issue. I've been running crowdsec since yesterday and the crowdsec6_blacklists also remains empty. Adding one manually using cscli decisions add --ip xxxx --duration 1m works, but none are added automatically. No problem with the ipv4 crowdsec_blacklists though.
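
The manual check described above (add a decision with `cscli decisions add --ip <ip> --duration 1m` and see whether the bouncer picks it up) is a useful way to tell "no IPv6 decisions are being produced" apart from "the bouncer is not enforcing IPv6 at all". The script below is an added example, not code from the plugin, the bouncer or anyone in this thread. It uses the `cscli decisions add` invocation from the post above plus `cscli decisions delete --ip` for cleanup, and `pfctl -t <table> -T show` to list a pf table. The table names crowdsec_blacklists and crowdsec6_blacklists are the alias names reported in this thread; it is an assumption that the bouncer maintains pf tables of the same name under the "crowdsec" anchor (pass an empty anchor to look in the main ruleset instead).

```shell
#!/bin/sh
# Added example, not code from the plugin, the bouncer or this thread.
# Verifies that a decision known to the local API is actually enforced
# by the firewall bouncer, i.e. that the address appears in the pf table
# for its address family. Assumptions: the bouncer keeps the tables
# crowdsec_blacklists / crowdsec6_blacklists under the "crowdsec" anchor,
# and cscli and pfctl are in PATH (root is needed for the live checks).

set -eu

# Table the bouncer should feed for an address: anything with ':' is IPv6.
table_for_ip() {
    case "$1" in
        *:*) echo crowdsec6_blacklists ;;
        *)   echo crowdsec_blacklists ;;
    esac
}

# Pure check on `pfctl -T show` output read from stdin. pfctl prints one
# entry per line with leading spaces, and a single host may be shown with
# or without its /32 or /128 prefix, so both forms are accepted. Dots in
# the address are escaped so they do not act as regex wildcards.
table_has_ip() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*${esc}(/32|/128)?[[:space:]]*\$"
}

# Live query of the running firewall.
decision_is_enforced() {
    ip="$1"
    anchor="${2:-crowdsec}"   # assumption: bouncer tables live in this anchor
    tbl=$(table_for_ip "$ip")
    if [ -n "$anchor" ]; then
        pfctl -a "$anchor" -t "$tbl" -T show 2>/dev/null | table_has_ip "$ip"
    else
        pfctl -t "$tbl" -T show 2>/dev/null | table_has_ip "$ip"
    fi
}

# End to end: add a one-minute decision (the duration used in the thread),
# give the bouncer time to poll the local API, verify the table, then
# remove the decision again. Pick an address the firewall does not need to
# reach. Returns non-zero when the decision was not enforced.
probe_bouncer() {
    ip="$1"
    wait_s="${2:-15}"
    cscli decisions add --ip "$ip" --duration 1m --reason "bouncer probe"
    sleep "$wait_s"
    if decision_is_enforced "$ip"; then
        echo "enforced: $ip is in $(table_for_ip "$ip")"
        rc=0
    else
        echo "NOT enforced: $ip missing from $(table_for_ip "$ip")"
        rc=1
    fi
    cscli decisions delete --ip "$ip"
    return $rc
}

if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    probe_bouncer "$2"
fi
```

Usage: `sh probe.sh --probe 2001:db8::1` (a documentation prefix, so nothing real is blocked) followed by the same with an IPv4 address. If the IPv6 probe is enforced but the alias stays empty day to day, the bouncer is fine and the explanation is the one given further down in the thread: the default scenarios simply produce no IPv6 decisions.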
Title: Re: CrowdSec
Post by: hushcoden on May 06, 2022, 04:05:46 pm
It didn't work for me, for some reason: after 3 days blacklists were still empty so I removed it...
Title: Re: CrowdSec
Post by: RamSense on May 06, 2022, 05:43:17 pm
Did you install it in the given order? https://github.com/crowdsecurity/opnsense-plugin-crowdsec/

> Copy them to your firewall instance with scp, then install the packages in the following order but do not enable them like the post-install messages say. These instructions are for using them without OPNsense.
>
> # pkg add ./crowdsec-1.3.2.txz
> ...
> # pkg add ./crowdsec-firewall-bouncer-0.0.23.r2.txz
> ...
> # pkg add ./os-crowdsec-0.0.7.txz
> ...
Title: Re: CrowdSec
Post by: Christophe999s on May 06, 2022, 07:06:08 pm
Yes, I followed the instructions on https://github.com/crowdsecurity/opnsense-plugin-crowdsec
Tried removing and reinstalling too, with the same result, nothing in the IPv6 blacklist.
Title: Re: CrowdSec
Post by: Christophe999s on May 10, 2022, 04:40:23 pm
It looks like the default scenarios don't have ipv6's in them: https://github.com/crowdsecurity/crowdsec/issues/1512
So, working as intended...
Title: Re: CrowdSec
Post by: RamSense on May 10, 2022, 05:49:45 pm
My crowdsec had some ipv6 in the list:
crowdsec6_blacklists   External (advanced)   CrowdSec (IPv6)       77

But have now this problem:
I just updated opnsense to 22.1.7 and noticed:
Installed packages to be DOWNGRADED:
   crowdsec: 1.3.2 -> 1.2.3 [mimugmail]

now crowdsec does not start... Others having this also? Should I try to install the latest version?

Answer: Updated to crowdsec - os-crowdsec-0.1.txz - and it is up and running again.
Title: Re: CrowdSec
Post by: phantomsfbw on May 12, 2022, 07:06:30 pm
RamSense, what does it say in the plug-in section about the os-crowdsec plugin?  Does the plug-in stop working after while?  Have you gotten any DHCPD problems now?
Title: Re: CrowdSec
Post by: mimugmail on May 12, 2022, 07:32:45 pm
> My crowdsec had some ipv6 in the list:
> crowdsec6_blacklists   External (advanced)   CrowdSec (IPv6)       77
>
> But have now this problem:
> I just updated opnsense to 22.1.7 and noticed:
> Installed packages to be DOWNGRADED:
>    crowdsec: 1.3.2 -> 1.2.3 [mimugmail]
>
> now crowdsec does not start... Others having this also? Should I try to install the latest version?
>
> Answer: Updated to crowdsec - os-crowdsec-0.1.txz - and it is up and running again.

I removed the pkg, should be gone now
Title: Re: CrowdSec
Post by: RamSense on May 12, 2022, 08:01:48 pm
> RamSense, what does it say in the plug-in section about the os-crowdsec plugin?  Does the plug-in stop working after while?  Have you gotten any DHCPD problems now?

it states:
os-crowdsec (misconfigured)   0.1   61.8KiB   unknown-repository   Lightweight and collaborative security engine

because it is installed manually it says (misconfigured), and no problems with DHCPD or the plugin stopping after awhile. It keeps on running like it should.
Title: Re: CrowdSec
Post by: franco on May 13, 2022, 07:43:31 am
Misconfigured means it was installed from the command line without the GUI. That's all really.


Cheers,
Franco