CrowdSec

Started by Georges, November 20, 2020, 06:53:44 PM

Thanks for helping out @sorano.

Yes, we literally just upgraded our entire documentation to a better platform and also the content was improved.

@mimugmail: Let me know if you have any questions.

Have a great day and thanks for helping out!

/k

Out of curiosity, is there any update here? I cannot yet find an official package/plugin in the repo, can I?
And can I (later) use CrowdSec next to Suricata as an IPS system, or am I mixing things up here?
Running OPNsense on 4 core Intel Xeon E5506, 20GB RAM, 2x Broadcom NetXtreme II BCM5709, 4x Intel 82580
Ubench Single CPU: 307897 (0.39s)

Quote from: andreaslink on January 14, 2022, 01:32:18 PM
Out of curiosity, is there any update here? I cannot yet find an official package/plugin in the repo, can I?
And can I (later) use CrowdSec next to Suricata as an IPS system, or am I mixing things up here?
There will be a plugin soon.

https://twitter.com/Crowd_Security/status/1480530170595450882?t=7T6R3KHoi56UdDaWWIjy3g&s=19
(Unoffial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support

Yeah, I saw that on Twitter also. Looks very promising and I like the concept.
I am also wondering if it could be running side by side with Suricata / Zenarmor
Deciso DEC850v2

Yes, we plan to release a use-at-your-own-risk version of the addon as soon as we have fixed the bug that cuts off internet access to my LAN when I install the current build :-)

It will be available in the GitHub repo, which we are then making public. If you want to know when it's ready, send me a mail at klaus at crowdsec dot net.

/k

That day is today! CrowdSec for OPNsense is available in public beta today. Get it from https://github.com/crowdsecurity/opnsense-plugin-crowdsec and try it out at your own risk.

If you run into any problems a good place to ask is in the CrowdSec Discord at https://discord.gg/wGN7ShmEE8.

Have fun!

Quick update.

We (CrowdSec) have uploaded a prerelease of the OPNsense plugin here: https://github.com/crowdsecurity/opnsense-plugin-crowdsec

I have not submitted it yet for inclusion in OPNsense because I prefer to have some feedback first, but mostly because the plugin depends on versions of the FreeBSD packages that are still not available in the upstream repository (I have submitted them, just not accepted/built yet). If you don't feel comfortable installing binaries, you can build your own from:

Agent and firewall => https://github.com/crowdsecurity/packaging-freebsd/tree/v1.2.3_1-v0.0.22_1/security

OS plugin => https://github.com/crowdsecurity/opnsense-plugin-crowdsec/tree/v0.0.3

The feature set is pretty complete for the agent and firewall, and the UI of the plugin is minimal but it's a start.
Feel free to ask in the GitHub issues, we need to have a sense of your priorities.

The agent and firewall can work without OPNsense, in that case you just have to enable/start them as directed in the post-install message. The only other configuration required is the creation of an anchor in /etc/pf.conf.

Any suggestion is welcome.

Thanks for this. New development often leaves FreeBSD-based systems unloved. Top marks to CrowdSec for not doing that.

I'm willing to do some testing for you. I've installed it and will be feeding back on github. It was surprisingly easy to install.
Just the execute error at the end but that might be benign.
me@OPNsense:/tmp % sudo pkg add crowdsec-1.2.3_1.txz
Password:
Installing crowdsec-1.2.3_1...
Extracting crowdsec-1.2.3_1: 100%
=====
Message from crowdsec-1.2.3_1:

--
crowdsec is installed.

You need to check/edit the following files in /usr/local/etc/crowdsec as described in https://doc.crowdsec.net/docs/configuration/crowdsec_configuration

- config.yaml: main configuration
- acquis.yaml: where to find logs to parse (this port does not include automatic discovery of the running services)
- profiles.yaml: remediation policies (ban, duration, etc)

Then you can enable the daemon via sysrc and run it.

# sysrc crowdsec_enable="YES"
crowdsec_enable: NO -> YES
# service crowdsec start

-------
me@OPNsense:/tmp % sudo pkg add crowdsec-firewall-bouncer-0.0.22_1.txz
Installing crowdsec-firewall-bouncer-0.0.22_1...
Extracting crowdsec-firewall-bouncer-0.0.22_1: 100%
=====
Message from crowdsec-firewall-bouncer-0.0.22_1:

--
crowdsec-firewall-bouncer is installed.

The bouncer should register itself but you may want to check the
configuration file, which is now in /usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
(for consistency with the other platforms).

In previous versions, the configuration was in /usr/local/etc/crowdsec-firewall-bouncer, you may need
to check if you made any changes there.

This package depends on the Packet Filter service.
To make sure it's active:

----------
# sysrc pf_enable=YES
pf_enable: NO -> YES
# service pf start
Enabling pf.
----------

Add the following in /etc/pf.conf to create the firewall tables and rules:

----------
anchor crowdsec
----------

To apply the file:

# pfctl -f /etc/pf.conf

Then activate the bouncer via sysrc and run it:

----------
# sysrc crowdsec_firewall_enable="YES"
crowdsec_firewall_enable: NO -> YES
# service crowdsec_firewall start
----------

--------------

me@OPNsense:/tmp % sudo pkg add os-crowdsec-0.0.3.txz
Installing os-crowdsec-0.0.3...
Extracting os-crowdsec-0.0.3: 100%
Stopping configd...done
Starting configd.
Migrated OPNsense\CrowdSec\General from 0.0.0 to 0.0.2
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/CrowdSec: OK
Execute error
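The post-install messages above describe the manual wiring for the agent and bouncer on plain FreeBSD (no OPNsense plugin): review the three config files, enable pf, add the `crowdsec` anchor to /etc/pf.conf, reload, then enable the services. The script below is an added example, not code from the forum post or from the CrowdSec project; the function names are my own, and it takes the pf.conf and config directory as parameters so the file-editing step can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example (not from CrowdSec or the thread): wires up the crowdsec agent
# and firewall bouncer on plain FreeBSD, following the pkg post-install notes.
set -eu

# Append "anchor crowdsec" to a pf.conf once; re-running must not duplicate it.
# Prints 1 if the line was added, 0 if it was already present.
ensure_pf_anchor() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    if grep -Eq '^[[:space:]]*anchor[[:space:]]+"?crowdsec"?' "$conf"; then
        echo 0
        return 0
    fi
    printf '\n# CrowdSec firewall bouncer tables and rules\nanchor crowdsec\n' >> "$conf"
    echo 1
}

# Check that the three files the crowdsec port asks you to review exist
# (this port does not auto-generate acquis.yaml). Lists any that are missing.
check_crowdsec_config() {
    dir="$1"
    missing=""
    for f in config.yaml acquis.yaml profiles.yaml; do
        [ -f "$dir/$f" ] || missing="$missing $f"
    done
    [ -z "$missing" ] || { echo "missing in $dir:$missing" >&2; return 1; }
}

# FreeBSD-only steps. The ruleset is validated with a dry run (pfctl -n)
# before it is loaded, because a bad pf.conf applied with pfctl -f can cut
# off remote access to the box.
apply_freebsd_setup() {
    check_crowdsec_config /usr/local/etc/crowdsec
    ensure_pf_anchor /etc/pf.conf >/dev/null
    pfctl -nf /etc/pf.conf
    sysrc pf_enable=YES
    service pf status >/dev/null 2>&1 || service pf start
    pfctl -f /etc/pf.conf
    sysrc crowdsec_enable=YES
    sysrc crowdsec_firewall_enable=YES
    service crowdsec start
    service crowdsec_firewall start
}

# Only touch the live system when actually running as root on FreeBSD.
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    apply_freebsd_setup
fi
```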



> I'm willing to do some testing for you. I've installed it and will be feeding back on github. It was surprisingly easy to install.
> Just the execute error at the end but that might be benign.

It probably is, you can grep for crowdsec under /var/log/configd/ to find the reason.
From what I see, the error should come from "configctl crowdsec reconfigure" which can be executed again with no harm.

It can be something as trivial as "asked service to stop when it was not running" .. I'll watch again, thanks


Upgraded the firewall today from 21.7.8 to 22.1
The crowdsec plugin appeared as misconfigured; after a "resolve conflicts" action it is now in an orphaned state. The reason given is "unknown-repository".
Is there a way to re-add the repository to solve this, or is it a re-installation? But I imagine the id on the crowdsec console will need to change.

January 30, 2022, 12:58:22 AM #26 Last Edit: January 30, 2022, 01:01:37 AM by mmetc
Quote from: cookiemonster on January 30, 2022, 12:42:15 AM
Upgraded the firewall today from 21.7.8 to 22.1
The crowdsec plugin appeared as misconfigured; after a "resolve conflicts" action it is now in an orphaned state. The reason given is "unknown-repository".
Is there a way to re-add the repository to solve this, or is it a re-installation? But I imagine the id on the crowdsec console will need to change.

The plugin is orphaned because it has been installed by hand and I suppose misconfigured because it was built under 21.7.
All three packages (crowdsec, firewall bouncer and plugin) can be safely uninstalled/reinstalled.
The configuration files are not overwritten and the machine id stays the same. Just make sure not to remove anything by hand, under /usr/local/etc/crowdsec and /var/db/crowdsec.
You need to install from the appropriate archive from the Releases page, I put a version for 22.1 / freebsd 13.

Thanks for testing!

You might need to manually reinstall the packages, as the pkg ABI changed.

Thank you both. I reinstalled by uninstalling the plugin from the UI, then downloaded and installed from the txzs for 22.1.
It recognised that both packages crowdsec-1.2.3_1.txz and crowdsec-firewall-bouncer-0.0.22_1.txz were already installed. I probably should have rehashed after removing from the UI; no problem really.
Then I installed os-crowdsec-0.0.3.txz and that went through fine.
All good, thanks.

Crowdsec has been installed, what should be done with the message that v1.3 is available?