CrowdSec

Started by PIv0, August 08, 2022, 04:52:33 PM

Hi all!

Version 22.7 has a new plugin CrowdSec.

Unfortunately, there is not enough documentation for it.
I'm primarily interested in how to configure this plugin on the server with "High Availability" enabled and how to add devices using LAPI in this case.

No one will tell?

Hello PIv0!

We have not written anything about HA with opnsense yet because we have not tested that configuration. Do you have an external LAPI or do you need a LAPI on each firewall instance?

I know some of our users have LAPI HA (without opnsense) and I can reach out, if it can be applied to this case we can consider it for a next release.

Other than that, most of the documentation at https://docs.crowdsec.net/ also applies to the opnsense version.


August 10, 2022, 10:45:22 AM #2 Last Edit: August 10, 2022, 10:47:07 AM by PIv0
Quote from: mmetc on August 10, 2022, 09:23:35 AM
We have not written anything about HA with opnsense yet because we have not tested that configuration.

Good afternoon!
Thanks a lot for your answer!
I apologize for the bad English, I use computer translation.

Previously, I protected our servers using a Fail2ban, LogWatch and my own scripts that kept a blacklist, as well as sent the IP of the attackers to AbuseIPDB and blocklist.de.

Your system is built on the same principle, but it is much more advanced and has more features.
Therefore, as soon as your plugin appeared in OPNSense, I decided to switch to it.

In our organization, between an external router with Internet access and servers on the internal network, including the DMZ, there are two OPNSense firewalls operating in the «High Availability» mode. We don't have an external LAPI.

I've installed the CrowdSec plugin on an OPNSense firewall running in Master mode, and I'm setting up two test servers to run everything in multiserver mode.

I registered the OPNSense firewall and the servers in the console (https://app.crowdsec.net), and the servers were registered with the OPNSense firewall using LAPI. On the servers I executed the command
cscli papi register -u http://10.0.0.1:8080
and on OPNSense I ran
cscli machines check xxxxxxxxx

It remains only to configure the bouncers, but here I have not yet figured out what and how to configure on OPNSense, and what and how to configure on the servers. I would like more detailed instructions than those described at https://www.crowdsec.net/blog/multi-server-setup, as that describes a different network diagram.

I would be grateful to you for instructions on setting up bouncers.
I will also be happy to help you develop and test the CrowdSec plugin in the "High Availability" mode on OPNSense.

With respect

Hi!

I do not know where to write, so I write here.

In my Firewall:Log Files:Live View, when blocking IP using CrowdSec, a line is displayed indicating only the date and time without any details, and only this is reflected in the details:

__timestamp__   2022-08-10T12:25:00
action   0x0
anchorname   match
dir   
interface   in
interface_name   in
ipversion   240
label   
reason   4
rid   
rulenr   crowdsec
subrulenr   em1

At the same time, it is not clear whether the IP address is blocked or not (action   0x0).

Quote from: PIv0 on August 10, 2022, 11:36:00 AM
Hi!

I do not know where to write, so I write here.

In my Firewall:Log Files:Live View, when blocking IP using CrowdSec, a line is displayed indicating only the date and time without any details, and only this is reflected in the details:

__timestamp__   2022-08-10T12:25:00
action   0x0
anchorname   match
dir   
interface   in
interface_name   in
ipversion   240
label   
reason   4
rid   
rulenr   crowdsec
subrulenr   em1

At the same time, it is not clear whether the IP address is blocked or not (action   0x0).

Bumping this - anything blocked via a rule should show up in the firewall logs properly; is this something CrowdSec needs to fix? Currently you just have to take its word that it's blocking anything.

Hi!

In the "Plain View" of the logs, you can see the full lines:

2022-08-30T09:33:41   Informational   filterlog   57,,,blocked by crowdsec,vtnet0,match,block,in,4,0x0,,64,36851,0,DF,17,udp,72,192.168.122.1,192.168.122.255,57621,57621,52

I don't know why the live logs don't show the details anymore. I'm pretty sure it worked when I wrote it but I don't have a 22.1 version to check if there is any difference, or if it's something I did.

I have to check. If someone has ideas, my code to register the rules is the following:

    // Alias that the block rule below refers to ("$crowdsec_blacklists")
    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');

    // https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/library/OPNsense/Firewall/FilterRule.php
    // $fw is the filter plugin object handed to the plugin's firewall hook;
    // $rules_log_enabled and $rules_tag come from the plugin's settings.
    $fw->registerFilterRule(
        1, /* priority */
        array(
            'ipprotocol' => 'inet',
            'descr'      => 'CrowdSec (IPv4)',
            'from'       => '$crowdsec_blacklists',     // $ to reference an alias
            'type'       => 'block',
            'log'        => $rules_log_enabled,         // emit a filterlog entry per hit
            'tag'        => $rules_tag,
            'label'      => 'blocked by crowdsec',      // appears as the rule label in filterlog
            'quick'      => true
        ),
        null
    );



(and again for ipv6)
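
To check from the plain log whether a CrowdSec rule actually dropped a packet (the question raised above), the line has to be split by field position. This added example, not part of the thread or of the plugin, parses the "Plain View" line quoted above according to the OPNsense filterlog field layout and filters for entries with action "block" and a label containing "crowdsec"; it also handles the IPv6 and TCP field sets that the quoted UDP/IPv4 line does not exercise. The second log line is constructed for contrast.

```python
import csv
import re
from io import StringIO

# Field layout of a filterlog record (the comma-separated part after "filterlog"):
# common header, then fields that depend on IP version and on the protocol.
HEADER = ["rulenr", "subrulenr", "anchorname", "label", "interface",
          "reason", "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protonum",
        "protoname", "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hoplimit", "protoname", "protonum",
        "length", "src", "dst"]
PORTS = ["srcport", "dstport", "datalen"]
TCP_EXTRA = ["tcpflags", "seq", "ack", "window", "urg", "options"]

# Constructed sample: the "Plain View" line quoted in the thread plus one
# made-up pass entry so that the filter below has something to skip.
SAMPLE_LOG = """\
2022-08-30T09:33:41   Informational   filterlog   57,,,blocked by crowdsec,vtnet0,match,block,in,4,0x0,,64,36851,0,DF,17,udp,72,192.168.122.1,192.168.122.255,57621,57621,52
2022-08-30T09:33:42   Informational   filterlog   5,,,allow LAN out,vtnet1,match,pass,out,4,0x0,,63,4242,0,DF,6,tcp,60,192.168.1.10,203.0.113.7,51000,443,0,S,1,,64240,,mss
"""


def parse_filterlog(line):
    """Map one plain-view filterlog line to a dict of named fields."""
    timestamp, _severity, _program, payload = re.split(r"\s{2,}", line.strip(), maxsplit=3)
    values = next(csv.reader(StringIO(payload)))  # fields may be empty, never quoted
    rec = dict(zip(HEADER, values))
    rec["timestamp"] = timestamp
    rest = values[len(HEADER):]
    layout = IPV4 if rec["ipversion"] == "4" else IPV6
    rec.update(zip(layout, rest))
    rest = rest[len(layout):]
    if rec.get("protoname") in ("tcp", "udp"):
        rec.update(zip(PORTS, rest))
        rest = rest[len(PORTS):]
    if rec.get("protoname") == "tcp":
        rec.update(zip(TCP_EXTRA, rest))
    return rec


def crowdsec_blocks(log_text):
    """Return (src, dst, proto) for each packet dropped by a CrowdSec rule:
    action must be 'block' and the rule label must mention crowdsec."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_filterlog(line)
        if rec["action"] == "block" and "crowdsec" in rec["label"].lower():
            hits.append((rec["src"], rec["dst"], rec["protoname"]))
    return hits
```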



Any updates on this? Live logging is still broken in 22.7 :( I'm sure it works great but something is still messed up.

22.7.5, which was released today, finally fixed the firewall log issue; I can confirm it shows all blocks properly! Nice work, CrowdSec!