Crowdsec packages for OpenWrt

Thanks...

I will try to enhance it with users' feedback...

Already, all the processes you had to do manually were due to some, now fixed, bugs in the firewall package.

Please keep in mind that all the work is done in my free time, when I have some.
It is also the case for most of the OpenWrt developers, and I also have to wait for them when I share my work on CrowdSec.

firewall fix PR for master merged!

firewall initd fix for 21.02 (PR opened):

will resolve issue:

PRs for lua-cs-bouncer and crowdsec-nginx-bouncer:

...stay tuned!

Hi, does that mean no more fiddling with the setup of Crowdsec, and I just have to install Crowdsec and the bouncer and the rest works automatically? Or is it not the case as of now?
As I understand, cs-nginx-bouncer is also included in the package, or should I install it manually?

Oh, my mistake. I saw the package just now. Once again, the a72 package is missing for Rpi4. Can you please compile for the a72 architecture also? Or tell me which version I should use for my Rpi4 OpenWrt.

One more question: after the Crowdsec installation, which collections or parsers, in addition to Crowdsec, should I install?

If you need and want to use only the banip feature of the firewall, just do:
heart component:

opkg install crowdsec

This package will register to the official API and you'll be fed with the community, free, CrowdSec-managed IP list.

ipbans firewalling:

opkg install crowdsec-firewall-bouncer

The community IP ban list will be used and managed by the OpenWrt system firewall software...

If you need to protect an nginx instance on OpenWrt itself:

opkg install crowdsec-nginx-bouncer

You will then get this specific nginx component for protecting the OpenWrt NGINX software.

The component will be available in the official upstream packages when it has been compiled by the buildbots, after the developers have reviewed my PR and validated it to be merged into the code...
Each step requires time from each actor!

If you want more, by yourself, give a build of the package a try.

None / depends on your needs!

If you want more, you may look at the code itself, then compare with the bouncers list, and also share your results in the wiki, or here...

upstream topic: https://discourse.crowdsec.net/t/crowdsec-openwrt-21-02-1-iptables-ipset-package-problems/533/5
issue: https://github.com/openwrt/packages/issues/17804
PR: https://github.com/openwrt/packages/pull/17805

Hi, I just want to thank you for your wonderful work on this addon. It's working perfectly. Even then, should I change the backend name to iptables... Is it a must, or does it work by leaving it at the default?

Thanks!

I still have some tutorials to share; the software is really cool and can bring a great enhancement in network security...
Stay tuned!

If you have installed iptables and ipset without also installing nftables, then all will be automatically detected and the backend will be set to iptables at service startup.
If you have only nftables, same, but with nftables.

If you have installed both nftables and iptables, then nftables will be selected in priority.

The backend cannot be set manually on OpenWrt, but I can make a general config option if needed, disabling the auto-detection of the backend and using a manually forced backend.
A tweak is also possible by removing the backend tag in /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml, i.e. removing the ${BACKEND} tag which is searched for and used by the auto-detect script...

I have started to write some notes in the Wiki...
About the upcoming notification alerts feature, and a quick howto with collections from the hub, to protect Docker instances of NextCloud and NginxProxyManager...

https://openwrt.org/docs/guide-user/services/crowdsec#external_tools : a new script will be available for external tools, contributing to simplify the user experience with CrowdSec!

Hi erduokki: I am getting a strange error when I try to list the decisions. This is the error I am getting:

root@rpi4-e45f01048a /45# cscli decisions list
FATA[07-02-2022 12:14:48 PM] Unable to list decisions : performing request: Get "http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false&limit=100": could not get jwt token: Post "http://127.0.0.1:8080/v1/watchers/login": dial tcp 127.0.0.1:8080: connect: connection refused
What does it really mean? How do I solve this error?

You have the default port, which is already used!
You have to modify the port from 8080 to something else... (I personally use 9999)...
Then you must reconfigure config.yaml and local_api.yaml.
This was all partially automated in the latest PR...
An external script will now be usable to reconfigure from /etc/config/crowdsec.

Oh ok, can you guide me on how to change the port?

The next release will add these parameters in the /etc/config/crowdsec file.

config crowdsec 'crowdsec'
	option data_dir '/srv/crowdsec/data'
	option db_path '/srv/crowdsec/data/crowdsec.db'
	option lapi_host '127.0.0.1'
	option lapi_port '9999'
	option configdir '/etc/crowdsec'

Add them manually and then...
use the script from the PR...
https://raw.githubusercontent.com/openwrt/packages/492699eb8a02e6b15980f1d6bab0d050939018fc/net/crowdsec/files/crowdsec.script
You can try to download it on the OpenWrt target with:
Create the necessary directory for the script;

mkdir -p /usr/lib/crowdsec/scripts

download it and save it in the folder;

wget https://raw.githubusercontent.com/openwrt/packages/492699eb8a02e6b15980f1d6bab0d050939018fc/net/crowdsec/files/crowdsec.script -O /usr/lib/crowdsec/scripts/cs_script.sh

Then you can use it directly (look at the end of the wiki page, already partially documented...) with;

. /usr/lib/crowdsec/scripts/cs_script.sh

A full synchronisation of your modifications from /etc/config/crowdsec can be done with;

cs_prepare # to check the necessary directories…
cs_init # to prepare the config file with modified settings…
cs_register # to check the LAPI and CAPI registering status and register the local host…
cs_hub # to update hub, install collections from hub, and upgrade from hub…

Then check, as usual, with the cscli command line tool and also the log files in /var/log/crowdsec*.log
This will all be better handled with more commands in the next release of the script! :innocent:
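As an added example (not from this thread or the OpenWrt crowdsec package), a small POSIX sh check for the situation behind the "connection refused" errors above: it reads lapi_port from an /etc/config/crowdsec-style fragment and checks whether a TCP listener already owns that port before crowdsec is started. The UCI fragment and the netstat -tln output are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenWrt crowdsec package:
# check whether the LAPI port set in /etc/config/crowdsec is already taken,
# the cause of the "connection refused" errors when the default 8080 is used.

# Constructed sample of /etc/config/crowdsec (same options as in the post).
SAMPLE_UCI="config crowdsec 'crowdsec'
    option lapi_host '127.0.0.1'
    option lapi_port '9999'
    option configdir '/etc/crowdsec'"

# Constructed sample of 'netstat -tln' output: another service owns 8080.
SAMPLE_NETSTAT="Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN"

# uci_option CONFIG NAME: print the value of the first "option NAME '...'".
uci_option() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*option $2 '\([^']*\)'.*/\1/p" | head -n 1
}

# port_in_use NETSTAT PORT: return 0 if a TCP listener is bound to PORT
# on any address (IPv4 or IPv6), 1 otherwise.
port_in_use() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":")      # port is the last ":"-separated field
            if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_lapi_port UCI NETSTAT: report the configured LAPI port; return 0 if
# it is free, 1 if something else already listens on it.
check_lapi_port() {
    port=$(uci_option "$1" lapi_port)
    [ -n "$port" ] || port=8080        # CrowdSec default when the option is unset
    if port_in_use "$2" "$port"; then
        echo "lapi_port $port is already in use, pick another one"
        return 1
    fi
    echo "lapi_port $port is free"
}

# On the router itself you would pass the real file and the live listener table:
# check_lapi_port "$(cat /etc/config/crowdsec)" "$(netstat -tln)"
check_lapi_port "$SAMPLE_UCI" "$SAMPLE_NETSTAT"
```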

Hi, thanks for your detailed explanation. This is my output for cs_hub.

root@rpi4-e45f01048a /42# cs_hub
INFO[07-02-2022 02:39:02 PM] Wrote new 277818 bytes index to /etc/crowdsec/hub/.index.json
WARN[07-02-2022 02:39:02 PM] crowdsecurity/syslog-logs : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/geoip-enrich : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/dateparse-enrich : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/sshd-logs : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/ssh-bf : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/ssh-slow-bf : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/sshd : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/sshd : overwrite
WARN[07-02-2022 02:39:02 PM] crowdsecurity/linux : overwrite
INFO[07-02-2022 02:39:02 PM] /etc/crowdsec/collections/sshd.yaml already exists.
INFO[07-02-2022 02:39:02 PM] /etc/crowdsec/collections/linux.yaml already exists.
INFO[07-02-2022 02:39:02 PM] Enabled crowdsecurity/linux
INFO[07-02-2022 02:39:02 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
INFO[07-02-2022 02:39:02 PM] crowdsecurity/iptables-logs : OK
INFO[07-02-2022 02:39:02 PM] Enabled parsers : crowdsecurity/iptables-logs
INFO[07-02-2022 02:39:02 PM] crowdsecurity/iptables-scan-multi_ports : OK
INFO[07-02-2022 02:39:02 PM] Enabled scenarios : crowdsecurity/iptables-scan-multi_ports
INFO[07-02-2022 02:39:02 PM] crowdsecurity/iptables : OK
INFO[07-02-2022 02:39:02 PM] Enabled collections : crowdsecurity/iptables
INFO[07-02-2022 02:39:02 PM] Enabled crowdsecurity/iptables
INFO[07-02-2022 02:39:02 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
WARN[07-02-2022 02:39:03 PM] crowdsecurity/whitelists : overwrite
INFO[07-02-2022 02:39:03 PM] Enabled crowdsecurity/whitelists
INFO[07-02-2022 02:39:03 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
INFO[07-02-2022 02:39:03 PM] Upgrading collections
INFO[07-02-2022 02:39:03 PM] crowdsecurity/base-http-scenarios : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/sshd : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/linux : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/iptables : up-to-date
INFO[07-02-2022 02:39:03 PM] All collections are already up-to-date
INFO[07-02-2022 02:39:03 PM] Upgrading parsers
INFO[07-02-2022 02:39:03 PM] crowdsecurity/dateparse-enrich : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/sshd-logs : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/syslog-logs : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/geoip-enrich : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/whitelists : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-logs : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/iptables-logs : up-to-date
INFO[07-02-2022 02:39:03 PM] All parsers are already up-to-date
INFO[07-02-2022 02:39:03 PM] Upgrading scenarios
INFO[07-02-2022 02:39:03 PM] crowdsecurity/iptables-scan-multi_ports : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/ssh-slow-bf : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-generic-bf : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-probing : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/ssh-bf : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-sensitive-files : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-xss-probing : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-backdoors-attempts : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-open-proxy : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-sqli-probing : up-to-date
INFO[07-02-2022 02:39:03 PM] ltsich/http-w00tw00t : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-bad-user-agent : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-path-traversal-probing : up-to-date
INFO[07-02-2022 02:39:03 PM] crowdsecurity/http-crawl-non_statics : up-to-date
INFO[07-02-2022 02:39:03 PM] All scenarios are already up-to-date
INFO[07-02-2022 02:39:03 PM] Upgrading postoverflows
INFO[07-02-2022 02:39:03 PM] No postoverflows installed, nothing to upgrade
root@rpi4-e45f01048a /43#

Is it looking healthy? I mean, have I set up Crowdsec properly? If I have to use nftables, should I uninstall iptables?

Have you done the other commands?
Is the log OK also?
Remember to restart the service with

service crowdsec restart

after such modifications, and when asked by the feedback.

If you want to use nftables, just install it!
It will be detected and used in priority by the crowdsec-firewall-bouncer.
Just look at the output when restarting the firewall bouncer service;

service crowdsec-firewall-bouncer restart

I will add a more explicit output, with something like: using the ... backend! in a later PR... maybe... :sunglasses:

Yes, I did restart the firewall bouncer and also crowdsec. It says no postoverflows installed. Is it normal? And I have both iptables and nftables installed and it took nftables as default.
But how do I check whether nftables is working?

Already answered on the wiki!
I am not using nftables, so I do not remember (but I wrote it on the wiki already).
Overflows are another protection...

Use cscli decisions list to see what is used from the central IP share by the CrowdSec servers!

This is the error I am getting:

root@rpi4-e45f01048a /43# cscli decisions list

FATA[07-02-2022 03:21:07 PM] Unable to list decisions : performing request: Get "http://127.0.0.1:9999/v1/alerts?has_active_decision=true&include_capi=false&limit=100": could not get jwt token: Post "http://127.0.0.1:9999/v1/watchers/login": dial tcp 127.0.0.1:9999: connect: connection refused

After restarting the Crowdsec service, I have no active decision!!!

Hi, I used your latest script and I have an error output when I type cscli metrics:

root@rpi4-e45f01048a /44# cscli metrics
FATA[07-02-2022 05:14:08 PM] failed to fetch prometheus metrics : executing GET request for URL "http://127.0.0.1:6060/metrics" failed: Get "http://127.0.0.1:6060/metrics": dial tcp 127.0.0.1:6060: connect: connection refused

What is wrong with my setup?