Crowdsec packages for OpenWrt

What happens, when the network is ok, if you do:

cscli hub update && cscli collections install crowdsecurity/linux && cscli parsers install crowdsecurity/whitelists && cscli hub upgrade

And then service crowdsec restart

of course that will work... the issue I'm bringing to your attention is when your packages are included within people's images, which is a typical operation for most packages...

it's only feedback... not questions/direct suggestions... code has a wonderful way of making what's important self evident (clear) over time... so feel free to ignore my observations...

how/if/when/whether to address these 'possible' issues are purely up to you...

Oops, I apologize...
Thanks for your (needed and appreciated) feedback!

I am just trying to understand well to make a patch...
No problem with your observations...

1 Like

I don't know if there is any way, without coding, to check the "online" internet mode?
Like the hotplug way of the @vgaetera scripts...
It may be simple to check this way, and let the init script do the missing firstboot commands...
Or add a test in the default script and postpone the commands...

Same for service init, there is no standard/default way to check online status before doing the job or postponing it, AFAIK?
This may be a good tweak to add.

Update: looks like there is no other way than hotplug.
mwan3 already does something like this: https://github.com/openwrt/packages/blob/master/net/mwan3/files/etc/hotplug.d/iface/15-mwan3
I prefer the https://openwrt.org/docs/guide-user/advanced/hotplug_extras script.
It would be great to have them in a "default" package for OpenWrt and use them as a dependency...

This looks like a wise move to me... ( a few logger messages if someone upgrades without including /srv/crowdsec or similar seem important also - if needed... I did not test for this yet )

( p.s. take your time... you did a good job on this... considering most users will be advanced users anyway... I think pushing it into the repos in its current state was a good move... get some exposure, learn how people use it... and tweak based on practical needs, now it's more available... you'll likely get more help over time too! )

edit: looks like crowdsec-firewall-bouncer may have some issues also...

######################## [root@dca632 /usbstick 54°]# cat /var/log/crowdsec-firewall-bouncer.log 
time="17-10-2021 13:27:54" level=info msg="backend type : nftables"
time="17-10-2021 13:27:54" level=info msg="nftables initiated"
time="17-10-2021 13:27:54" level=info msg="Processing new and deleted decisions . . ."
time="17-10-2021 13:27:54" level=fatal msg="API error: access forbidden"

####################### [root@dca632 /usbstick 54°]# cat /var/log/crowdsec_api.log 
time="17-10-2021 13:27:19" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:19 AEDT] \"POST /v1/watchers/login HTTP/1.1 200 441.129836ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""
time="17-10-2021 13:27:20" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:20 AEDT] \"POST /v1/watchers/login HTTP/1.1 200 408.192168ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""
time="17-10-2021 13:27:54" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:54 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.60242ms \"crowdsec-firewall-bouncer/v0.0.15-openwrt\" \""

and then fresh install, and manually re-install packages...

main package is ok until install the bouncer... which is now 401 and kills main package

[ /usbstick 55°]# cat /var/log/crowdsec_api.log 
time="17-10-2021 14:35:28" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 14:35:28 AEDT] \"POST /v1/watchers/login HTTP/1.1 401 1.749092ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""
1 Like

You can use procd interface triggers inside init scripts:
https://openwrt.org/docs/guide-developer/procd-init-scripts#specifying_triggers
But it can be tricky and may need some delay to mitigate tunneling protocols.

2 Likes
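One way to postpone the first-boot hub commands until the WAN is up, using the hotplug approach discussed above. This is an added example, not code from the thread or from the package; the marker path, the `wan` interface name, the `/etc/init.d/crowdsec` path and the variable names are assumptions.

```shell
#!/bin/sh
# Added example. On OpenWrt this would live under /etc/hotplug.d/iface/,
# where scripts are called with ACTION and INTERFACE set for each event.
# Marker path, interface name and init script path are assumptions.

MARKER=${MARKER:-/etc/crowdsec/.hub_initialised}
WAN_IFACE=${WAN_IFACE:-wan}
CSCLI=${CSCLI:-cscli}
RESTART=${RESTART:-/etc/init.d/crowdsec restart}

# Log to syslog when possible, otherwise to stderr.
log() {
    logger -t crowdsec-firstboot "$*" 2>/dev/null ||
        echo "crowdsec-firstboot: $*" >&2
}

# Return codes: 0 = hub initialised now, 1 = setup failed (retried on the
# next ifup), 2 = nothing to do (other event, or already initialised).
crowdsec_firstboot() {  # $1=ACTION  $2=INTERFACE
    [ "$1" = "ifup" ] && [ "$2" = "$WAN_IFACE" ] || return 2
    [ -e "$MARKER" ] && return 2

    # Same command sequence as posted in the thread; stop at first failure.
    if $CSCLI hub update &&
       $CSCLI collections install crowdsecurity/linux &&
       $CSCLI parsers install crowdsecurity/whitelists &&
       $CSCLI hub upgrade; then
        : > "$MARKER"   # only mark as done after every step succeeded
        log "hub initialised, restarting crowdsec"
        $RESTART
        return 0
    fi
    log "hub setup failed (offline?), will retry on next ifup of $WAN_IFACE"
    return 1
}

# Hotplug entry point: act only when an interface event was supplied.
if [ -n "${ACTION:-}" ]; then
    crowdsec_firstboot "$ACTION" "${INTERFACE:-}" || true
fi
```

Because the marker is written only after the whole sequence succeeds, an image that boots offline simply retries at the next `ifup` instead of leaving a half-configured hub.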

How is this supposed to be bootstrapped? I cannot get it to run:

❯ crowdsec
WARN[0000] can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[0000] push and pull to Central API disabled
time="16-10-2021 17:55:26" level=fatal msg="starting outputs error : authenticate watcher (): Post \"http://127.0.0.1:8081/v1/watchers/login\": API error: ent: machine not found"

I've changed the port to 8081 since 8080 is used by docker.

I've also tried:

cscli hub update && cscli collections install crowdsecurity/linux && cscli parsers install crowdsecurity/whitelists && cscli hub upgrade

But still I cannot start the service. This is on a just built master x86_64, with data on external storage, a btrfs sub-volume.

What else do I need to run it?

@jmarcet
Can you please post the content of /etc/crowdsec/online_api_credentials.yaml
The file looks to be missing its content!?
Can you do an ls on /etc/crowdsec also, please?

You may try cscli -c /etc/crowdsec/config.yaml capi register -f /etc/crowdsec/online_api_credentials.yaml, it will reset the registration in the central API.
Then restart the service with service crowdsec restart and also check the log, if needed, in /var/log/crowdsec...

Strange that the API was not registered at install, maybe because of the already used port!
Will check this.
Thanks for the feedback!

Do you have Crowdsec working fine?
Crowdsec-firewall-bouncer needs crowdsec.
Can you share your /etc/crowdsec/config.yaml
And /etc/crowdsec/local_api_credentials.yaml
And /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Thanks in advance

yes... (but installing/starting the bouncer kills it)

[ /usbstick 54°]# cat /etc/crowdsec/local_api_credentials.yaml
url: http://127.0.0.1:8080
login: d4a17ef423SNIP
password: zDYcdygIqSNIP
[ /usbstick 55°]# cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml 
mode: ${BACKEND}
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8080/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
#to change log prefix
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER
[ /usbstick 55°]# cat /etc/crowdsec/config.yaml
common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /srv/crowdsec/data
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /srv/crowdsec/data/crowdsec.db
  #user: 
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

some logs indicating it's using ipv6 for localhost... yet the daemon doesn't listen on 8080 ipv6 socket afaik...

[ /usbstick 54°]# cat /var/log/crowdsec-firewall-bouncer.log 

time="17-10-2021 14:57:15" level=info msg="backend type : nftables"
time="17-10-2021 14:57:15" level=info msg="nftables initiated"
time="17-10-2021 14:57:15" level=info msg="Processing new and deleted decisions . . ."
time="17-10-2021 14:57:15" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp [::1]:8080: connect: connection refused"
time="17-10-2021 14:57:15" level=fatal msg="Get \"http://localhost:8080/v1/decisions/stream?startup=true\": dial tcp [::1]:8080: connect: connection refused"
#this crashes main server

[ /usbstick 55°]# lsof -i -nP | grep 8080
crowdsec  5518    root   11u  IPv4  84428      0t0  TCP 127.0.0.1:8080 (LISTEN)

okay
thanks
I see where the problem is.
2 variables were not replaced at install in your
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

I will look into why.
and also give you manual step fixes.

can you also provide, after a service crowdsec-bouncer-firewall start, the /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml ?

thanks

I manually fixed the localhost > '::1' issue as can be seen below

############# [root@dca632 ../_WATCHCATNG 54°] cat /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://127.0.0.1:8080/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
#to change log prefix
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER

looks like nft got over adds too (but i'd take that upstream if I were you... should validate/cleanup on its own afaik)


table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
	}

	chain crowdsec_chain {
		type filter hook input priority filter; policy accept;
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
	}
}
table ip6 crowdsec6 {
	set crowdsec6_blocklist {
		type ipv6_addr
	}

	chain crowdsec6_chain {
		type filter hook input priority filter; policy accept;
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
	}
}
table inet nft-qos-monitor {
	chain upload {
		type filter hook prerouting priority filter; policy accept;
		ip saddr 10.2.3.17 counter packets 0 bytes 0
		ip saddr 10.2.3.205 counter packets 2 bytes 130
		ip saddr 10.2.3.167 counter packets 2 bytes 132
		ip6 saddr 2403:b3a7 counter packets 0 bytes 0
		ip6 saddr 2403:adca counter packets 30 bytes 26215
	}

	chain download {
		type filter hook postrouting priority filter; policy accept;
		ip daddr 10.2.3.17 counter packets 0 bytes 0
		ip daddr 10.2.3.205 counter packets 2 bytes 222
		ip daddr 10.2.3.167 counter packets 0 bytes 0
		ip6 daddr 2403:b3a7 counter packets 0 bytes 0
		ip6 daddr 2403:adca counter packets 19 bytes 5888
	}
}

I didn't have /etc/crowdsec/online_api_credentials.yaml. I tried copying the one from the build dir, but it is empty so that's all I have.

After doing cscli -c /etc/crowdsec/config.yaml capi register -f /etc/crowdsec/online_api_credentials.yaml now it has some content:

❯ cat /etc/crowdsec/local_api_credentials.yaml
url: http://127.0.0.1:8081
❯ cat /etc/crowdsec/online_api_credentials.yaml
url: https://api.crowdsec.net/
login: 49584377b2242b45c5e64522616aeb8et6xsGRgAsloMB4Md
password: 1KjbHcCjPUxyabEH9yiKzfolJJ5llIQLzBhae7WRUiX5XHesjmJFp5fdkPnGpD2P
❯ ls -Al /etc/crowdsec
total 21
-rw-r--r-- 1 root root  286 Oct 16 09:45 acquis.yaml
drwxr-xr-x 1 root root 3488 Oct 16 17:45 bouncers
drwxr-xr-x 1 root root 3488 Oct 16 17:51 collections
-rw-r--r-- 1 root root 1413 Oct 16 17:54 config.yaml
-rw-r--r-- 1 root root  969 Oct 16 09:45 dev.yaml
-rw-r--r-- 1 root root   27 Oct 16 17:44 local_api_credentials.yaml
-rw-r--r-- 1 root root  162 Oct 17 09:30 online_api_credentials.yaml
drwxrwxr-x 5 root root 3488 Oct 16 17:51 parsers
drwxr-xr-x 2 root root  374 Oct 16 09:45 patterns
drwxr-xr-x 2 root root    3 Oct 16 09:45 postoverflows
-rw-r--r-- 1 root root  522 Oct 16 09:45 profiles.yaml
drwxr-xr-x 1 root root 3488 Oct 16 17:51 scenarios
-rw-r--r-- 1 root root   57 Oct 16 09:45 simulation.yaml
-rw-r--r-- 1 root root  991 Oct 16 17:44 user.yaml

Running crowdsec directly:

==> /var/log/crowdsec.log <==
time="17-10-2021 09:34:59" level=error msg="Failed to notify(sent: false): <nil>"
time="17-10-2021 09:34:59" level=warning msg="Starting processing data"
time="17-10-2021 09:34:59" level=info msg="Error machine login for  : ent: machine not found "

==> /var/log/crowdsec_api.log <==
time="17-10-2021 09:34:59" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 09:34:59 CEST] \"POST /v1/watchers/login HTTP/1.1 401 430.383µs \"crowdsec/v1.2.0-openwrt-openwrt\" \""

==> /var/log/crowdsec.log <==
time="17-10-2021 09:34:59" level=fatal msg="starting outputs error : authenticate watcher (): Post \"http://127.0.0.1:8081/v1/watchers/login\": API error: ent: machine not found"

Here is the error.
It should have been replaced in the

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

It is done at install, but it looks like it did not work.
I have added a pseudo upgrade script to not replace it, but it may have a bug.

1 Like

You may have the service already started and then use the cscli command line.
You can then check the registered status and redo it if needed.
I will look into the necessary commands.

You may also need to register your host with:

cscli -c /etc/crowdsec/config.yaml machines add -a -f /etc/crowdsec/local_api_credentials.yaml

I do not understand why your install script does not execute...

cscli may be useful to check status:
You can check the local API with: cscli lapi status

root@LPM:~# cscli lapi status
INFO[17-10-2021 10:25:20 AM] Loaded credentials from /etc/crowdsec/local_api_credentials.yaml 
INFO[17-10-2021 10:25:20 AM] Trying to authenticate with username xxxxxx on http://0.0.0.0:8080/ 
INFO[17-10-2021 10:25:21 AM] You can successfully interact with Local API (LAPI)

You can see that I have changed the IP to 0.0.0.0 to be able to have remote computers talking with the local API.

You can check the central API with: cscli capi status

root@LPM:~# cscli capi status
INFO[17-10-2021 10:26:30 AM] Loaded credentials from /etc/crowdsec/online_api_credentials.yaml 
INFO[17-10-2021 10:26:30 AM] Trying to authenticate with username xxxxx on https://api.crowdsec.net/ 
INFO[17-10-2021 10:26:31 AM] You can successfully interact with Central API (CAPI)

If the CAPI status is okay, you can use the console in beta available here:
https://app.crowdsec.net

The computers registered with the service can be listed with: cscli machines list

root@LPM:~# cscli machines list
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 NAME                                              IP ADDRESS  LAST UPDATE                STATUS  VERSION                                                                
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 xxxx  127.0.0.1   2021-10-17T10:25:21+02:00  ✔️       v1.2.0-openwrt-openwrt

If all is fine, you can check that the collaborative bad IP list is locally applied in the crowdsec-firewall-bouncer.
If using iptables, you must have ipset installed, and the ipset list command can show you the bad IPs.

If you use nftables, you can use specific commands like:

nft list tables
nft list table crowdsec
nft list chains
nft list ruleset

cscli can also be used to check these alerts with: cscli alerts list

root@LPM:~# cscli alerts list
+------+------------------------------+----------------------+---------+----+-----------+--------------------------------+
|  ID  |            VALUE             |        REASON        | COUNTRY | AS | DECISIONS |           CREATED AT           |
+------+------------------------------+----------------------+---------+----+-----------+--------------------------------+
| 1051 | crowdsec/community-blocklist | update : +728/-0 IPs |         |    | ban:728   | 2021-10-17 09:20:26 +0200      |
|      |                              |                      |         |    |           | +0200                          |
| 1050 | crowdsec/community-blocklist | update : +727/-0 IPs |         |    | ban:1     | 2021-10-17 07:20:26 +0200      |
|      |                              |                      |         |    |           | +0200                          |

cscli metrics can show you a global health status:


root@LPM:~# cscli metrics
INFO[17-10-2021 10:36:19 AM] Local Api Metrics:                           
+----------------------+--------+--------+
|        ROUTE         | METHOD |  HITS  |
+----------------------+--------+--------+
| /v1/alerts           | GET    |      3 |
| /v1/decisions/stream | GET    | 108456 |
| /v1/watchers/login   | POST   |      6 |
+----------------------+--------+--------+
INFO[17-10-2021 10:36:19 AM] Local Api Machines Metrics:                  
+--------------------------------------------------+------------+--------+------+
|                     MACHINE                      |   ROUTE    | METHOD | HITS |
+--------------------------------------------------+------------+--------+------+
| db3e872e345f48848d0d85ab5c529947GWkbyXJtyNnJziiS | /v1/alerts | GET    |    3 |
+--------------------------------------------------+------------+--------+------+
INFO[17-10-2021 10:36:19 AM] Local Api Bouncers Metrics:                  
+------------------------------+----------------------+--------+--------+
|           BOUNCER            |        ROUTE         | METHOD |  HITS  |
+------------------------------+----------------------+--------+--------+
| cs-firewall-bouncer-LeCzIx9V | /v1/decisions/stream | GET    | 108456 |
+------------------------------+----------------------+--------+--------+

Crowdsec has already made some tutorials available here:

There is still a lot of work to do for non-Intel/AMD worlds.
Like the dockerisation and the dashboard, which actually do not work elsewhere than x86_AMD64.
I already made some POCs, but still need to upstream to crowdsec and document for OpenWrt.

Thanks for the feedback, testing, reports, debugging and patience.

1 Like

All right, I got crowdsec to run now. The firewall bouncer gets an access forbidden error though:

==> /var/log/crowdsec-firewall-bouncer.log <==
time="17-10-2021 13:18:10" level=info msg="backend type : iptables"
time="17-10-2021 13:18:10" level=info msg="iptables for ipv4 initiated"
time="17-10-2021 13:18:10" level=info msg="iptables clean-up : /usr/sbin/iptables -D INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="17-10-2021 13:18:10" level=info msg="iptables clean-up : /usr/sbin/iptables -D FORWARD -m set --match-set crowdsec-blacklists src -j DROP"
time="17-10-2021 13:18:10" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec-blacklists"
time="17-10-2021 13:18:10" level=info msg="Checking existing set"
time="17-10-2021 13:18:10" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec-blacklists nethash timeout 300"
time="17-10-2021 13:18:11" level=info msg="Rule doesn't exist (/usr/sbin/iptables -C INPUT -m set --match-set crowdsec-blacklists src -j DROP)"
time="17-10-2021 13:18:11" level=info msg="Rule doesn't exist (/usr/sbin/iptables -C FORWARD -m set --match-set crowdsec-blacklists src -j DROP)"
time="17-10-2021 13:18:11" level=info msg="iptables set-up : /usr/sbin/iptables -I INPUT -m set --match-set crowdsec-blacklists src -j DROP"
time="17-10-2021 13:18:11" level=info msg="iptables set-up : /usr/sbin/iptables -I FORWARD -m set --match-set crowdsec-blacklists src -j DROP"
time="17-10-2021 13:18:11" level=info msg="iptables for ipv6 initiated"
time="17-10-2021 13:18:11" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="17-10-2021 13:18:11" level=info msg="iptables clean-up : /usr/sbin/ip6tables -D FORWARD -m set --match-set crowdsec6-blacklists src -j DROP"
time="17-10-2021 13:18:11" level=info msg="ipset clean-up : /usr/sbin/ipset -exist destroy crowdsec6-blacklists"
time="17-10-2021 13:18:11" level=info msg="Checking existing set"
time="17-10-2021 13:18:11" level=info msg="ipset set-up : /usr/sbin/ipset -exist create crowdsec6-blacklists nethash timeout 300 family inet6"
time="17-10-2021 13:18:12" level=warning msg="iptables check command (/usr/sbin/ip6tables -C INPUT -m set --match-set crowdsec6-blacklists src -j DROP) failed : exit status 1"
time="17-10-2021 13:18:12" level=debug msg="output: ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="17-10-2021 13:18:12" level=warning msg="iptables check command (/usr/sbin/ip6tables -C FORWARD -m set --match-set crowdsec6-blacklists src -j DROP) failed : exit status 1"
time="17-10-2021 13:18:12" level=debug msg="output: ip6tables: Bad rule (does a matching rule exist in that chain?).\n"
time="17-10-2021 13:18:12" level=info msg="iptables set-up : /usr/sbin/ip6tables -I INPUT -m set --match-set crowdsec6-blacklists src -j DROP"
time="17-10-2021 13:18:12" level=info msg="iptables set-up : /usr/sbin/ip6tables -I FORWARD -m set --match-set crowdsec6-blacklists src -j DROP"
time="17-10-2021 13:18:12" level=info msg="Processing new and deleted decisions . . ."
time="17-10-2021 13:18:12" level=debug msg="req-api: GET http://localhost:8081/v1/decisions/stream?startup=true"

==> /var/log/crowdsec.log <==
time="17-10-2021 13:18:12" level=error msg="auth api key error: select bouncer: ent: bouncer not found: unable to query"

==> /var/log/crowdsec_api.log <==
time="17-10-2021 13:18:12" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:18:12 CEST] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 463.318µs \"crowdsec-firewall-bouncer/v0.0.15-openwrt\" \""

==> /var/log/crowdsec-firewall-bouncer.log <==
time="17-10-2021 13:18:12" level=debug msg="resp-api: http 403"
time="17-10-2021 13:18:12" level=fatal msg="API error: access forbidden"
❯ cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: iptables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8081/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
#to change log prefix
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
- INPUT
- FORWARD
#  - DOCKER-USER

I changed ${BACKEND} to iptables or it would not even try to start. I tried replacing ${API_KEY} with the local and the online passwords but those don't seem to be the API key.

How can I find out the correct value? Or what else is wrong?

1 Like

I got it!

I got the above mentioned key by adding a bouncer with:

cscli bouncers add myBouncer -l 24

That gave me an API_KEY, I replaced the unescaped var in /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml and now the cs-firewall-bouncer seems to run :grinning_face_with_smiling_eyes:

I'll keep checking it out, it looks amazing.

Thanks for helping out :grinning:

2 Likes
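Both bouncer failures in this thread (the unsubstituted `${BACKEND}` / `${API_KEY}` values, and `api_url` pointing at `localhost` while the LAPI listens on `127.0.0.1` only) can be caught before the service is started. The following is an added example, not code from the posts or the package; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the bouncer config problems seen above.
# Function names and the sample files are assumptions of this example.

# Print the value of the first uncommented "key: value" line in a YAML file.
yaml_value() {  # $1=file  $2=key
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one finding per line; return 1 if anything was found, 0 otherwise.
check_bouncer_config() {  # $1=bouncer yaml  $2=crowdsec config.yaml
    cb_found=0

    # 1. Keys whose value is still a ${VAR} template placeholder.
    for cb_key in $(sed -n \
        's/^[[:space:]]*\([A-Za-z_]*\):[[:space:]]*\${[A-Za-z_][A-Za-z0-9_]*}.*/\1/p' "$1"); do
        echo "UNSUBSTITUTED $cb_key"
        cb_found=1
    done

    # 2. Compare the bouncer's api_url with the address the LAPI listens on.
    cb_url=$(yaml_value "$1" api_url)        # e.g. http://localhost:8080/
    cb_listen=$(yaml_value "$2" listen_uri)  # e.g. 127.0.0.1:8080
    cb_hp=${cb_url#*://}; cb_hp=${cb_hp%%/*}
    cb_host=${cb_hp%:*};  cb_port=${cb_hp##*:}
    cb_lhost=${cb_listen%:*}; cb_lport=${cb_listen##*:}

    if [ "$cb_port" != "$cb_lport" ]; then
        echo "PORT_MISMATCH bouncer=$cb_port lapi=$cb_lport"
        cb_found=1
    fi
    # "localhost" can resolve to ::1 first; an IPv4-only listener then refuses.
    case "$cb_lhost" in
        ""|*[!0-9.]*) ;;  # not a dotted IPv4 literal: skip this check
        *) if [ "$cb_host" = "localhost" ]; then
               echo "LOCALHOST_VS_IPV4 api_url=localhost lapi=$cb_lhost"
               cb_found=1
           fi ;;
    esac
    return "$cb_found"
}

# Constructed sample files modelled on the configs posted in the thread.
write_samples() {  # $1=directory
    cat > "$1/config.yaml" <<'EOF'
api:
  server:
    listen_uri: 127.0.0.1:8080
EOF
    cat > "$1/bouncer-broken.yaml" <<'EOF'
mode: ${BACKEND}
api_url: http://localhost:8080/
api_key: ${API_KEY}
#deny_log_prefix: "crowdsec: "
EOF
    cat > "$1/bouncer-fixed.yaml" <<'EOF'
mode: nftables
api_url: http://127.0.0.1:8080/
api_key: CONSTRUCTED-PLACEHOLDER-KEY
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_bouncer_config "$demo_dir/bouncer-broken.yaml" "$demo_dir/config.yaml" || true
check_bouncer_config "$demo_dir/bouncer-fixed.yaml" "$demo_dir/config.yaml" && echo "fixed config: OK"
rm -rf "$demo_dir"
```

On a router the two arguments would be /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml and /etc/crowdsec/config.yaml, the paths shown in the posts.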

Thanks for the reports... feedback, debugging, tests... :+1:

Yes, I also think it is a great security tool. :sunglasses:

I already made a POC with remote LXC (NGINX PROXY MANAGER and NEXTCLOUD) servers which remotely send their bad access attempts to the central CrowdSec on the main OpenWrt gateway for blacklisting!
I actually moved the servers to Docker for better performance and have some more code/tweaks in the pipe for ARM64...
But more simple than a Fail2Ban alternative!

Actually, now that you have a running installation, you can also get help from the CrowdSec community on their discourse https://discourse.crowdsec.net/ !

See you here for OpenWrt feedback and there for CrowdSec... :wink:

Take a look at their console, actually in beta test.

The Metabase-based dashboard can also work locally and may be an alternative to the Cloud Console.