How to Install and Configure CrowdSec on OPNsense?

Started by beki, February 13, 2024, 09:30:55 AM

Dear Beloved Zenarmor Users,

CrowdSec is a lightweight, open-source program that identifies individuals exhibiting violent tendencies and prevents them from accessing your systems. The design of the system is user-friendly and provides easy access while still offering strong security measures.

In its most fundamental configuration, the CrowdSec module functions exclusively on a single server, safeguarding only the services hosted on the OPNsense system. Furthermore, it restricts the barring of malicious IP addresses, which are curated by the CrowdSec community.

In this tutorial, we will do basic CrowdSec installation on a single OPNsense system.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-crowdsec-on-opnsense

Best Regards,

Zenarmor Team


Quote from: beki on February 13, 2024, 09:30:55 AM
[...]

In this tutorial, we will do basic CrowdSec installation on a single OPNsense system.

https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-crowdsec-on-opnsense

Best Regards,

Zenarmor Team

Hi @beki,

Thanks so much for providing this guide, it has been really helpful.

I do believe though that there might be a small error in the guide, in the section "Adding firewall rules". In that section you create a rule to stop traffic originating in the LAN that has malevolent IP addresses as destination.

The problem is that this rule uses the direction "out" on a LAN interface. It is my understanding that this rule should have direction "in" on a LAN interface (or "out" on the WAN interface, though my understanding is that blocking this on the LAN interface is preferred).

Quote from: tangofan on August 12, 2024, 06:18:52 PM
It is my understanding that this rule should have direction "in" on a LAN interface (or "out" on the WAN interface, though my understanding is that blocking this on the LAN interface is preferred).
You are correct with the direction. I guess that most pfSense guides state "out" as the direction. It could be an idea to write that one can add every interface there that should be protected with CrowdSec. Mind you, for connections to the outside world.

It's lightweight and easy to use, and it blocks malicious IPs based on community input. It does what I need it to do.

August 31, 2024, 02:11:30 PM #5 Last Edit: August 31, 2024, 02:13:32 PM by flushell
I installed it, but I get the feeling that something is not right in the tutorial under the Firewall rules: https://www.zenarmor.com/docs/network-security-tutorials/how-to-install-and-configure-crowdsec-on-opnsense#adding-firewall-rules

Should the Direction not be "in" instead of the stated "out" here in the floating rules? It doesn't make sense to me. The rule as stated in the tutorial seems to do nothing, but it makes sense to flip it to "in": it is working when I test it then. You can simply test it by pinging one of the IPs in the blacklist.

EDIT: I see someone else has made this remark already. Read too fast. They should correct it. I will contact them.

By default the CrowdSec software should be blocking all incoming traffic that matches their list; the advice to set up floating rules was for outgoing traffic. This can be important if you get a virus or malware that uses a "command and control" server to download additional payload and instructions. I need to go through the above guide in more detail and make some changes in my CrowdSec deployment.
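The thread's point is that a floating rule with direction "out" on the LAN interface never matches LAN-originated traffic to a blocklisted destination, while the same rule with direction "in" on LAN does. The script below is an added example, not code from the thread or from the Zenarmor guide: it parses the text of a loaded pf ruleset (as `pfctl -sr` prints it on OPNsense) and reports, for every rule that references the CrowdSec bouncer's blocklist table, the action, direction and interface, then checks whether an inbound block rule on the LAN interface exists. The table name `crowdsec_blacklists` and the interface name `em1` are assumptions, as is the sample ruleset, which is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Zenarmor guide).
# Audits which pf rules reference the CrowdSec blocklist table and in
# which direction they apply, to catch the "out on LAN" mistake discussed above.

# ASSUMPTIONS: table and interface names are placeholders. On a real box,
# list loaded tables with `pfctl -sT` and use your actual LAN interface.
TABLE="${CROWDSEC_TABLE:-crowdsec_blacklists}"
LAN_IF="${LAN_IF:-em1}"

# Constructed sample of `pfctl -sr` output: the guide's "out" rule on LAN,
# the corrected "in" rule on LAN, and an unrelated pass rule.
SAMPLE_RULES='block drop out quick on em1 inet from any to <crowdsec_blacklists> label "crowdsec-lan-guide"
block drop in quick on em1 inet from any to <crowdsec_blacklists> label "crowdsec-lan-fixed"
pass in quick on em1 inet from any to any'

# rule_summary RULES TABLE
# Prints "<action> <direction> <interface>" for each rule referencing <TABLE>.
rule_summary() {
    printf '%s\n' "$1" | awk -v tbl="<$2>" '
        index($0, tbl) == 0 { next }
        {
            dir = ""; iface = "-"
            for (i = 1; i <= NF; i++) {
                # first "in"/"out" token is the rule direction ("inet" does not match)
                if (dir == "" && ($i == "in" || $i == "out")) dir = $i
                # token after "on" is the interface
                if ($i == "on" && i < NF) iface = $(i + 1)
            }
            print $1, dir, iface
        }'
}

# has_inbound_lan_block RULES TABLE LAN_IF
# Exit 0 if some block rule with direction "in" on LAN_IF references <TABLE>,
# i.e. the rule shape the thread recommends; exit 1 otherwise.
has_inbound_lan_block() {
    printf '%s\n' "$1" | awk -v tbl="<$2>" -v lan="$3" '
        $1 == "block" && index($0, tbl) > 0 {
            dir = ""; iface = ""
            for (i = 1; i <= NF; i++) {
                if (dir == "" && ($i == "in" || $i == "out")) dir = $i
                if ($i == "on" && i < NF) iface = $(i + 1)
            }
            if (dir == "in" && iface == lan) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone run against the constructed sample; on OPNsense replace
# "$SAMPLE_RULES" with "$(pfctl -sr)".
echo "Rules referencing <$TABLE>:"
rule_summary "$SAMPLE_RULES" "$TABLE"
if has_inbound_lan_block "$SAMPLE_RULES" "$TABLE" "$LAN_IF"; then
    echo "OK: inbound block rule on $LAN_IF references <$TABLE>"
else
    echo "WARNING: no inbound block rule on $LAN_IF references <$TABLE>; LAN hosts can still reach blocklisted IPs"
fi
```

On a live system the check is `has_inbound_lan_block "$(pfctl -sr)" crowdsec_blacklists <lan-if>`; the "out on LAN" rule from the guide is reported by `rule_summary` but does not satisfy the check, which is exactly the condition the posters above describe.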

For a company that markets their own products, they sure do spend a lot of resources on writing guides for other things. Not sure if they understand how much some of us appreciate this info. I've used several of their guides and read the getting started with OPNsense book while I was migrating from PF to OPN. There's some good work on their site and I have a bunch of it stored offline on my ereader for use when needed.

For those not on the mailing list, they have an interesting "book" on SASE, and unlike most "books" that companies release, this is plugged full of definitions and facts, not just a big sales pitch. I skimmed it and only saw Zenarmor once or twice, and it wasn't even referred to in a way of advertising, just listed as one option among several choices. I was impressed with this because most of these types of documents are filled with the targeted product and hard to get real info on a technique.