Zenarmor(Sensei) VS. SURICATA VS. Crowdsec

[lilsense]

As title states, now that we have another IDP/IPS, can someone provide when one should use one vs another?

[klausagnoletti]

Hi I am head of community and being a user of Zenarmor and having some experience with Suricata I can at least tell you what CrowdSec is (or rather isn't) compared to them.

In it's essense, CrowdSec reads logs (not just files but also different types of streams), parses them to find patterns (of attacks, typically) and reacts upon those (typically by blocking a connection either on firewall level or in an application like NGINX, Wordpress or even Cloudflare).
So to say it more clear: If you are internet exposing some kind of application or service, CrowdSec can probably help you protect it.

Zenarmor and Suricata looks at the network traffic and reacts upon that. So as you can see, a completely different application.

If you want to know more about CrowdSec feel free to watch the talk I did at BSides London a couple of months ago.

[RamSense]

Thank you for explaining and for the video link.
It all looks very interesting and promising. The crowdsec console looks like it is running online and not locally on our opnsense box? Or is it possible to have this running only locally?

And when running a wordpress site on a machine behind open sense /reverse proxy, does crowdsec protects this wordpress site or must crowdsec also been installed on this separate wordpress website server behind opnense?

[klausagnoletti]

No problem. Glad you liked it.

It all looks very interesting and promising. The crowdsec console looks like it is running online and not locally on our opnsense box? Or is it possible to have this running only locally?

It does indeed run online. That's our SaaS solution that's free to use (unless you're a large, enterprise user with a need for enterprise fetures). If that's a no-go for you there are plenty of selfhosted options to get nice graphs using Metabase or Grafana via Prometheus.

And when running a wordpress site on a machine behind open sense /reverse proxy, does crowdsec protects this wordpress site or must crowdsec also been installed on this separate wordpress website server behind opnense?

CrowdSec consists of two parts: the agent and the bouncer. The agent parses logs and detects attacks whereas the bouncer mitigates threats. In this setup there's two bouncers in play: a firewall bouncer on your fw and a wordpress bouncer that mitigates threats within wordpress. The latter is way more flexible and is capable of forcing users to use captcha rather than just block and risk a false positive.

All components of the CrowdSec stack communicates via rest api so you only need one agent to parse all log in your network from all the services you want CrowdSec to protect. And given firewalls are rarely the most CPU powered devices I would probably run the CrowdSec agent on your server either as a native install or a Docker container and then use one of the two bouncers I mentioned. Using both wouldn't make sense.

I hope that answered your questions. If not, feel free to ask again.

[lilsense]

Are there any ports that need to be opened for the local parser/bouncer to talk to SaaS/Crowdsec?

[RamSense]

klausagnoletti: I have it up and running. Now lets see how this functions.
Would be great to have this implemented in the opnsense plugins and not having to go to the terminal.

p.s. just added the crowdsec WordPress plugin (wordpress running on synology nas) and used LAPI URL: http://192.168.1.1:8080
(opnsense with crowdsec running on 192.168.1.1)
I don't think this is working. Do I have to make a fw rule for it to run or something else, e.g. how to check if it works?
In opnsense crowdsec - wordpress-bouncer showing Last Api Pull 4 hours ago (the time after the Bouncer API key creation)

[klausagnoletti]

Are there any ports that need to be opened for the local parser/bouncer to talk to SaaS/Crowdsec?

Could you elaborate a bit on where there's not open access and where you need to specifically open ports?
By default the bouncer needs access to the agent on port 8080. The agent needs to talk to api.crowdsec.net on port 8080 as well. As far as I know that's all it needs access to.

[klausagnoletti]

klausagnoletti: I have it up and running. Now lets see how this functions.
Would be great to have this implemented in the opnsense plugins and not having to go to the terminal.

Yes of course. It will be part of the standard opnsense repo as soon as we release port officially (that's the plan, at least).

p.s. just added the crowdsec WordPress plugin (wordpress running on synology nas) and used LAPI URL: http://192.168.1.1:8080
(opnsense with crowdsec running on 192.168.1.1)
I don't think this is working. Do I have to make a fw rule for it to run or something else, e.g. how to check if it works?
In opnsense crowdsec - wordpress-bouncer showing Last Api Pull 4 hours ago (the time after the Bouncer API key creation)

Last API pull sounds reasonably enough. It will check for relevant (as in which scenarios you installed) blocklists every couple of hours or something like that. This happens automatically. the bouncer will connect to the agent via lapi as you say.

For everything to work optimally you need to send logs to the agent for it to parse so it can detect local attacks. You will also need to install the wordpress collection (more info on https://hub.crowdsec.net/author/crowdsecurity/collections/wordpress) so CrowdSec can parse logs and detect the right attacks.

Having a Synology NAS it would be possible for you either to run the CrowdSec agent natively (https://github.com/crowdsecurity/spksrc-crowdsec/releases - agent is out in an alphaish release) or via Docker. The agent is rather ressource demanding so maybe you don't want to run it on your fw. So, depending on what else you plan to do, it's not certain you would even need the OPNsense port - CrowdSec is able to run highly distributed and is pretty api-centric so there's a lot of possibilities.

You might want to watch my talk from BSides London on https://www.youtube.com/watch?v=4QD9c3sOUd8&ab_channel=SecurityBSidesLondon for a better understanding of CrowdSec in general.

Let me know if you have more questions :-)

[RamSense]

I'm still trying to get wordpress connected, last API pull now 11 hours.

when in wordpress plugin, settings advanced - Enable the "Stream" mode - enabled and save. Than I get a critical error in wordpress.
So I think it can not connect to opnsense-crowdsec. is there a way to verify this? calling the api from terminal on the NAS?

Code: [Select]

Found the logfile in wordpress crowdsec and things like this show up:
2022-03-13T07:15:18.904168+00:00|300|{"type":"NON_AUTHORIZED_X_FORWARDED_FOR_USAGE","original_ip":"192.168.1.1","x_forwarded_for_ip":"2001:xx:xxxx:xxxx::xxxx"}
2022-03-13T07:15:19.906514+00:00|300|{"type":"UNKNOWN_EXCEPTION_WHILE_BOUNCING","ip":"192.168.1.1","message":"file_get_contents(http://192.168.1.1:8080/v1/decisions?ip=192.168.1.1): failed to open stream: Connection timed out","code":2,"file":"/volume1/web/Annemarie/wordpress/wp-content/plugins/crowdsec/vendor/crowdsec/bouncer/src/RestClient.php","line":105}

[RamSense]

the problem described below is fixed: see under post:

I have installed docker crowdsec on synology, connected the wordpress plugin, that seems to work.

Now I have removed the crowdsec on opsnense

Code: [Select]

pkg remove crowdsec crowdsec-firewall-bouncer
rm -rf /var/log/crowdsec /usr/local/etc/crowdsec
than reinstalled it to make a fresh start.

Code: [Select]

# pkg add ./crowdsec-1.3.1.r1.txz
...
# pkg add ./crowdsec-firewall-bouncer-0.0.23.r2.txz
...
# pkg add ./os-crowdsec-0.0.7.txz
...
but with the second package to install - pkg add ./crowdsec-firewall-bouncer-0.0.23.r2.txz
it states that it is already installed ?

when finished an starting crowdsec from opnsense gui it does not run
crowdsec overview: Service status: crowdsec  XX  firewall bouncer running

from terminal:
# sudo service crowdsec reload
crowdsec not running? (check /var/run/crowdsec.pid).

I think this command (before I deleted crowdsec and tried to install it again) made this error, how to undo? and get CrowdSec on OPNsense working again?
cscli lapi register -u <api_url>

Fix: I had to manually remove the machine, than restarted and the machine was added again automatically and crowdsec is running again on opnsense

[RamSense]

So now:

I have an agent on opnsense with bouncers for opnsense and nginx
I have an agent on Synology Docker with wordpress bouncer and wordpress plugin on wordpress running on synology

Question:
Can I, and how to, let Opnsense Crowdsec know the alerts from crowdsec Synology Docker so I have all the alerts visible in opnsense?

question2:
with nginx collection:

Code: [Select]

1 Ip:2a02:4780:3:3:d4c9:b6fc:4a99:44a crowdsecurity/http-probing LT Hostinger International Limited ban:1
15 hours ago
10 Ip:2a02:4780:3:3:d4c9:b6fc:4a99:44a crowdsecurity/http-sensitive-files LT Hostinger International Limited ban:1
15 hours agowould be great to bounce this on opnsense

[lilsense]

1st, you should have created your thread rather than taking over someone else's.

2nd, CrowdSec is designed for the system it runs on not another system as I understand it.