Messages - klausagnoletti

#1
24.7, 24.10 Legacy Series / Re: Failed upgrade to 24.7
September 10, 2024, 12:58:06 PM
Alright, that makes sense. In that way I can fix the broken raid as well.

Thanks!

/k
#2
24.7, 24.10 Legacy Series / Failed upgrade to 24.7
September 09, 2024, 01:10:04 PM
I was running behind on updates on my firewall because of some restarting issues and it being remote etc. So I ended up doing 5-6 upgrades in a row.

That turned out to be a little problematic as I experienced weird errors like forgetting the default route (which sucks on a remote firewall), deciding to ignore geom raid and just use one disk instead.

All of those are manageable so don't worry. The reason why I'm posting is that I can't upgrade to 24.7. I get the following message in the console after the upgrade has been initiated:

Version number mismatch, aborting.
Kernel: 13.2
Base: 14

After that, the box boots up and keeps spitting out error messages like these:

KLD nullfs.ko: depends on kernel - not available or version mismatch
linker_load_file: /boot/kernel/nullfs.ko - unsupported file type
KLD nullfs.ko: depends on kernel - not available or version mismatch
linker_load_file: /boot/kernel/nullfs.ko - unsupported file type

Fortunately, after a while where it keeps saying that another process is trying to update the repository, it downgrades and the kernel/userland mismatch error messages stop and my firewall is working as it should(ish). And if I restart the upgrade, the same happens.

So unfortunately rolling back doesn't solve the problem.

Any ideas? I understand the problem but not why it has surfaced or how I should fix it.

I have a video that shows the entire boot process, screenshots of the error messages etc. if needed.

Thanks
#3
No obviously you can't fix an RFC :-)

Fixing is in terms of removing the stuff from the log files. Surely that can't be deliberate. And if so, why is it not on all log files then? I guess there's an underlying cause that needs to be fixed, right?
#4
Thanks but what does that mean in practice? Can it be fixed? If so, how?

/k
#5
I have two OPNsense firewalls. One is 22.1.8_1 and one is 21.7.8. On the first one my OpenVPN logs are prepended with <29>1 if I ssh to it and print the file raw. On the other one there's nothing weird looking with any of the log files. Why? And how do I fix it? I need my log files parsed by CrowdSec as I am building a parser for those files, and looking like that they won't parse.

<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="2"] MANAGEMENT: CMD 'status 2'
<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="3"] MANAGEMENT: CMD 'quit'
<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="4"] MANAGEMENT: Client disconnected
<29>1 2022-06-15T00:01:54+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock

Thanks for any help.
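The lines quoted above are RFC 5424 syslog records: <29> is the PRI value (facility daemon, severity notice), the 1 is the protocol version, and the [meta sequenceId="..."] part is structured data. The following is an added example, not code from the thread or from CrowdSec, showing how a log consumer can decode that header and hand the bare OpenVPN message to a parser written for the unprefixed format; the sample input is two of the lines quoted in the post.

```python
import re
from typing import Optional

# RFC 5424 header layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
SD_ELEMENT_RE = re.compile(r'\[([^\s\]]+)((?:\s+[^\s=\]]+="[^"]*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="([^"]*)"')

# PRI = facility * 8 + severity, so <29> decodes to daemon (3) / notice (5)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_structured_data(sd: str) -> dict:
    """'[meta sequenceId="1"]' -> {'meta': {'sequenceId': '1'}}; a bare '-' means no SD."""
    if sd == "-":
        return {}
    return {m.group(1): dict(SD_PARAM_RE.findall(m.group(2))) for m in SD_ELEMENT_RE.finditer(sd)}

def parse_rfc5424(line: str) -> Optional[dict]:
    """Parse one line into its fields; return None when it is not RFC 5424 (e.g. a raw OpenVPN line)."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):
        return None  # PRI out of range: treat as not syslog rather than guess
    return {
        "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"), "hostname": m.group("host"), "appname": m.group("app"),
        "procid": m.group("procid"), "msgid": m.group("msgid"),
        "structured_data": parse_structured_data(m.group("sd")), "message": m.group("msg") or "",
    }

def strip_syslog_header(line: str) -> str:
    """Return only the MSG part so a parser written for bare OpenVPN lines can consume it."""
    rec = parse_rfc5424(line)
    return rec["message"] if rec else line

# Sample input: two of the lines quoted in the post above
SAMPLE_LINES = [
    '<29>1 2022-06-15T00:00:51+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="1"] '
    'MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock',
    '<29>1 2022-06-15T00:00:52+02:00 fw.agnoletti.net openvpn 56743 - [meta sequenceId="3"] MANAGEMENT: CMD \'quit\'',
]
```

Lines that do not carry the header pass through strip_syslog_header unchanged, so the same pipeline can be pointed at both firewalls in the post.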
#6
General Discussion / Re: CrowdSec IP Blocklist
June 07, 2022, 06:55:13 AM
Quote from: spyware-avoidance on June 07, 2022, 12:04:31 AM
So CrowdSec is basically a bit like the good old fail2ban with extensible and modular sources? is that it or I'm misunderstanding something?

Excellent question. The short answer is yes. And no. Read this article I wrote a couple of weeks ago for an elaboration: https://crowdsec.net/blog/crowdsec-not-your-typical-fail2ban-clone/

Let me know if you have further questions.
#7
Quote from: andrewoliv on June 06, 2022, 04:17:22 PM
My understanding from reading the above is that I have all I need from CrowdSec. At the firewall level bad IPs will be blocked regardless of whether they are attacking the WebGUI or not. Is this correct? Or is there more I need to do?

No problem! Thanks for installing CrowdSec and for joining the community.

You have what you need just by installing the OPNsense package - assuming that you just want to protect your OPNsense firewall. If you want to do more, that's another story and we can talk about that later :-)

To try and answer some of your comments: In this case the LAPI is part of the agent. It is possible to run it separately if you have a large infrastructure, but by default they're the same. The agent does the log parsing and detection of attacks and orchestrates bouncer(s). By default there's only one; the one that you installed on OPNsense.

I hope my replies have made you understand the CrowdSec stack better. If not, please join our Discord at https://discord.gg/crowdsec and sign up for the beginner workshops we do ca. every other week (we do it this week, I just created a poll for people to vote on when it suits them best). That will give you a better understanding of the stack and the possibilities. Obviously protecting OPNsense is just one of many - some that are way more advanced and cool.
#8
Quote from: andrewoliv on May 31, 2022, 10:27:30 AM
If CrowdSec ever releases a block list I will build an alias and floating rule for that as well

Could you please elaborate on what you mean? We (I am head of community at CrowdSec) just released a bouncer that acts as a simple webserver that exposes the blocklists in a format that any firewall that supports external blocklists could use (at least in theory). You can read about how to use it here: https://blog.vacum.se/updated-blocklist-export-for-crowdsec/

Is that what you're missing?

/klaus
#9
General Discussion / Re: CrowdSec IP Blocklist
June 05, 2022, 10:27:52 AM
Quote from: andrewoliv on June 01, 2022, 04:15:03 PM
I had heard CrowdSec was going to release an IP blocklist of their own that OpnSense users could build an Alias for (ie Spamhaus). Ran into this on the CrowdSec website:

sudo apt install crowdsec-blocklist-mirror

Was wondering if I could Somehow build an alias? Any suggestions? It appears CrowdSec is maintaining a blocklist.

You accidentally bumped into our new blocklist mirror bouncer :-) The basic idea is that it sets up a basic webserver that exposes a blocklist that can be exported into any firewall. Here's an article on how to use it with pfSense: https://blog.vacum.se/updated-blocklist-export-for-crowdsec/.

The downside to using this approach with pfSense at least (I assume it would be the same with OPNsense) is that connections that are already established won't be cut off. I am under the impression that can be fixed using pfBlockerNG somehow (without knowing the details).

Being an OPNsense user I would advise you to use the OPNsense port whenever possible as that will give you the best experience - if nothing else just use the pf bouncer package.

Did that answer your question? If not, feel free to ask again.
#10
Quote from: RamSense on March 12, 2022, 10:15:18 AM
klausagnoletti: I have it up and running. Now let's see how this functions.
Would be great to have this implemented in the opnsense plugins and not having to go to the terminal.
Yes of course. It will be part of the standard opnsense repo as soon as we release the port officially (that's the plan, at least).

Quote from: RamSense on March 12, 2022, 10:15:18 AM
p.s. just added the crowdsec WordPress plugin (wordpress running on synology nas) and used LAPI URL: http://192.168.1.1:8080
(opnsense with crowdsec running on 192.168.1.1)
I don't think this is working. Do I have to make a fw rule for it to run or something else, e.g. how to check if it works?
In opnsense crowdsec - wordpress-bouncer showing Last Api Pull 4 hours ago (the time after the Bouncer API key creation)

Last API pull sounds reasonable enough. It will check for relevant (as in which scenarios you installed) blocklists every couple of hours or something like that. This happens automatically. The bouncer will connect to the agent via LAPI as you say.

For everything to work optimally you need to send logs to the agent for it to parse so it can detect local attacks. You will also need to install the wordpress collection (more info on https://hub.crowdsec.net/author/crowdsecurity/collections/wordpress) so CrowdSec can parse logs and detect the right attacks.

Having a Synology NAS it would be possible for you either to run the CrowdSec agent natively (https://github.com/crowdsecurity/spksrc-crowdsec/releases - agent is out in an alphaish release) or via Docker. The agent is rather resource demanding so maybe you don't want to run it on your fw. So, depending on what else you plan to do, it's not certain you would even need the OPNsense port - CrowdSec is able to run highly distributed and is pretty API-centric so there's a lot of possibilities.

You might want to watch my talk from BSides London on https://www.youtube.com/watch?v=4QD9c3sOUd8&ab_channel=SecurityBSidesLondon for a better understanding of CrowdSec in general.

Let me know if you have more questions :-)
#11
Quote from: lilsense on March 11, 2022, 11:50:35 AM
Are there any ports that need to be opened for the local parser/bouncer to talk to SaaS/Crowdsec?

Could you elaborate a bit on where there's not open access and where you need to specifically open ports?
By default the bouncer needs access to the agent on port 8080. The agent needs to talk to api.crowdsec.net on port 8080 as well. As far as I know that's all it needs access to.
#12
No problem. Glad you liked it.

Quote from: RamSense on March 10, 2022, 07:41:50 PM
It all looks very interesting and promising. The crowdsec console looks like it is running online and not locally on our opnsense box? Or is it possible to have this running only locally?

It does indeed run online. That's our SaaS solution that's free to use (unless you're a large, enterprise user with a need for enterprise features). If that's a no-go for you there are plenty of self-hosted options to get nice graphs using Metabase or Grafana via Prometheus.

Quote from: RamSense on March 10, 2022, 07:41:50 PM
And when running a wordpress site on a machine behind opnsense / reverse proxy, does crowdsec protect this wordpress site or must crowdsec also be installed on this separate wordpress website server behind opnsense?

CrowdSec consists of two parts: the agent and the bouncer. The agent parses logs and detects attacks whereas the bouncer mitigates threats. In this setup there are two bouncers in play: a firewall bouncer on your fw and a wordpress bouncer that mitigates threats within wordpress. The latter is way more flexible and is capable of forcing users to use a captcha rather than just block and risk a false positive.

All components of the CrowdSec stack communicate via REST API so you only need one agent to parse all logs in your network from all the services you want CrowdSec to protect. And given firewalls are rarely the most CPU powered devices I would probably run the CrowdSec agent on your server either as a native install or a Docker container and then use one of the two bouncers I mentioned. Using both wouldn't make sense.

I hope that answered your questions. If not, feel free to ask again.
#13
Hi, I am head of community and being a user of Zenarmor and having some experience with Suricata I can at least tell you what CrowdSec is (or rather isn't) compared to them.

In its essence, CrowdSec reads logs (not just files but also different types of streams), parses them to find patterns (of attacks, typically) and reacts upon those (typically by blocking a connection either on firewall level or in an application like NGINX, Wordpress or even Cloudflare).
So to say it more clearly: If you are internet exposing some kind of application or service, CrowdSec can probably help you protect it.

Zenarmor and Suricata look at the network traffic and react upon that. So as you can see, a completely different application.

If you want to know more about CrowdSec feel free to watch the talk I did at BSides London a couple of months ago.
#14
General Discussion / Re: Persistent ssh key login?
February 05, 2022, 05:44:30 PM
Hey Franco

Great - thanks a lot!

/k
#15
General Discussion / Persistent ssh key login?
February 04, 2022, 09:02:53 AM
I guess this is unrelated to which version of OPNsense, but I want to know how I can ssh using an ssh key to OPNsense in a persistent way.

When I copy the public key via ssh-copy-id it stops working at some point; sometimes after an upgrade - other times right away. And I simply don't get it.

What do I do?

Thanks

/klaus