Crowdsec packages for OpenWrt

What's the deal with Firewall4 and CrowdSec? Should we use lua-cs-bouncer instead of firewall-bouncer?
For me there was an error while installing, but crowdsec kind of managed to install and connect with app.crowdsec.net, but it doesn't respond on 192.168.1.1:8080. Should that be happening?
Also, I'm using Nginx-ssl 1.21.3

TP-Link Archer A7 v5
OpenWrt SNAPSHOT r19656-0ffb6deaaa / LuCI Master git-22.126.42175-8583efb
5.10.115

1: nl80211_recv_beacons->nl_recvmsgs failed: -5
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.527740] cscli invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.537689] CPU: 0 PID: 5182 Comm: cscli Not tainted 5.10.115 #0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.544059] Stack : 807e0000 806d64dc 00000000 00000000 822dfbfc 80920000 80760000 806aefb0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.552825]         824f2c20 8075fe47 809232d0 0000143e 00000000 00000001 822dfbb0 06bfcf56
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.561480]         00000000 00000000 806aefb0 822dfa50 ffffefff 00000000 00000000 ffffffea
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.570179]         000000f5 822dfa5c 000000f5 80765a68 80000000 822dfd34 824f0520 00000000
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.578889]         00000000 00000000 00100cca 00000840 00000018 8038df84 00000000 80920000
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.587764]         ...
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.590662] Call Trace:
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.593267] [<80066ea4>] show_stack+0x30/0x100
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.597895] [<80154b6c>] dump_header+0x58/0x1b8
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.602994] [<801553f8>] oom_kill_process+0x1b8/0x1c0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.608455] [<80155da4>] out_of_memory+0x20c/0x394
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.613627] [<80198a60>] __alloc_pages_nodemask+0x8e4/0xc7c
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.619395] [<80151774>] pagecache_get_page+0x148/0x438
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.624831] [<80153584>] filemap_fault+0x7a0/0x968
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.630049] [<819ad978>] ext4_filemap_fault+0x34/0xa48 [ext4]
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.636296] [<8017d6c8>] __do_fault+0x3c/0x150
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.640954] [<80182d34>] handle_mm_fault+0x828/0xdec
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.646150] [<80070384>] do_page_fault+0x104/0x4ac
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.651112] [<8007580c>] tlb_do_page_fault_0+0x10c/0x114
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.656872]
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.658468] Mem-Info:
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032] active_anon:4131 inactive_anon:12451 isolated_anon:0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032]  active_file:10 inactive_file:285 isolated_file:19
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032]  unevictable:0 dirty:0 writeback:0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032]  slab_reclaimable:358 slab_unreclaimable:2080
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032]  mapped:2 shmem:4231 pagetables:157 bounce:0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.661032]  free:4017 free_pcp:0 free_cma:0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.693775] Node 0 active_anon:16524kB inactive_anon:49804kB active_file:40kB inactive_file:1140kB unevictable:0kB isolated(anon):0kB isolated(file):76kB mapped:8kB dirty:0kB writeback:0kB shmem:16924kB writeback_tmp:0kB kernel_stack:560kB all_unreclaimable? yes
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.718358] Normal free:16036kB min:16384kB low:20480kB high:24576kB reserved_highatomic:0KB active_anon:16524kB inactive_anon:49804kB active_file:40kB inactive_file:1140kB unevictable:0kB writepending:0kB present:131072kB managed:121796kB mlocked:0kB pagetables:628kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.747914] lowmem_reserve[]: 0 0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.751354] Normal: 189*4kB (UME) 66*8kB (UME) 52*16kB (UME) 26*32kB (ME) 8*64kB (ME) 14*128kB (UME) 4*256kB (UM) 1*512kB (U) 7*1024kB (UME) 1*2048kB (U) 0*4096kB = 16004kB
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.767768] 4545 total pagecache pages
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.771649] 0 pages in swap cache
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.775101] Swap cache stats: add 0, delete 0, find 0/0
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.780882] Free swap  = 0kB
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.783898] Total swap = 0kB
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.786870] 32768 pages RAM
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.789774] 0 pages HighMem/MovableOnly
Fri May 20 19:14:09 2022 kern.warn kernel: [38705.794324] 2319 pages reserved
Fri May 20 19:14:09 2022 kern.info kernel: [38705.797578] Tasks state (memory values in pages):
Fri May 20 19:14:09 2022 kern.info kernel: [38705.802481] [  pid  ]   uid  tgid total_vm      rss pgtables_bytes swapents oom_score_adj name
Fri May 20 19:14:09 2022 kern.info kernel: [38705.811982] [    653]    81   653      333       25    20480        0             0 ubusd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.821168] [    654]     0   654      249       10    20480        0             0 askfirst
Fri May 20 19:14:09 2022 kern.info kernel: [38705.829943] [    690]     0   690      277       14    16384        0             0 urngd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.838884] [   1263]   514  1263      335       37    20480        0             0 logd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.847476] [   1317]     0  1317      582       76    20480        0             0 rpcd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.855983] [   1382]     0  1382      302       12    20480        0             0 dropbear
Fri May 20 19:14:09 2022 kern.info kernel: [38705.864763] [   1538]     0  1538      664       25    16384        0             0 hostapd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.873414] [   1539]     0  1539      664       25    16384        0             0 wpa_supplicant
Fri May 20 19:14:09 2022 kern.info kernel: [38705.882693] [   1564]   101  1564     1130       64    24576        0             0 hostapd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.891318] [   1565]   101  1565     1095       28    24576        0             0 wpa_supplicant
Fri May 20 19:14:09 2022 kern.info kernel: [38705.901033] [   1605]     0  1605      458       46    20480        0             0 netifd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.910019] [   1663]     0  1663      385       28    20480        0             0 odhcpd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.919146] [   1726]     0  1726      329       14    20480        0             0 crond
Fri May 20 19:14:09 2022 kern.info kernel: [38705.928266] [   1797]     0  1797     1031       50    20480        0             0 uhttpd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.937096] [   2228]     0  2228      327       11    16384        0             0 udhcpc
Fri May 20 19:14:09 2022 kern.info kernel: [38705.946041] [   2229]     0  2229      281       14    16384        0             0 odhcp6c
Fri May 20 19:14:09 2022 kern.info kernel: [38705.955227] [   2256]     0  2256      664       26    20480        0             0 ntpd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.964026] [   2262]   123  2262      327       11    16384        0             0 ntpd
Fri May 20 19:14:09 2022 kern.info kernel: [38705.972619] [   3671] 65536  3671     3703     1691    32768        0             0 unbound
Fri May 20 19:14:09 2022 kern.info kernel: [38705.981255] [   4898]     0  4898      307       15    16384        0             0 dropbear
Fri May 20 19:14:09 2022 kern.info kernel: [38705.990169] [   4899]     0  4899      328       12    20480        0             0 ash
Fri May 20 19:14:09 2022 kern.info kernel: [38705.998853] [   5089]     0  5089      337       21    20480        0             0 opkg-call
Fri May 20 19:14:09 2022 kern.info kernel: [38706.007886] [   5090]     0  5090      337       21    20480        0             0 opkg-call
Fri May 20 19:14:09 2022 kern.info kernel: [38706.017163] [   5092]     0  5092      527      233    16384        0             0 opkg
Fri May 20 19:14:09 2022 kern.info kernel: [38706.025589] [   5152]     0  5152      349       32    20480        0             0 crowdsec.postin
Fri May 20 19:14:09 2022 kern.info kernel: [38706.034955] [   5159]     0  5159      349       32    20480        0             0 crowdsec.postin
Fri May 20 19:14:09 2022 kern.info kernel: [38706.044660] [   5181]     0  5181   171608     9780    90112        0             0 cscli
Fri May 20 19:14:09 2022 kern.info kernel: [38706.053289] [   5189]     0  5189      327       10    16384        0             0 uname
Fri May 20 19:14:09 2022 kern.info kernel: [38706.061848] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),global_oom,task_memcg=/,task=cscli,pid=5181,uid=0
Fri May 20 19:14:09 2022 kern.err kernel: [38706.072541] Out of memory: Killed process 5181 (cscli) total-vm:686432kB, anon-rss:39116kB, file-rss:4kB, shmem-rss:0kB, UID:0 pgtables:88kB oom_score_adj:0
root@xXX:~# cscli console enroll ***************************************
INFO[20-05-2022 04:16:09 PM] custom already set to true
INFO[20-05-2022 04:16:09 PM] manual set to true
INFO[20-05-2022 04:16:09 PM] tainted already set to true
INFO[20-05-2022 04:16:09 PM] Enabled tainted&manual alerts sharing, see 'cscli console status'.
INFO[20-05-2022 04:16:09 PM] Watcher successfully enrolled. Visit https://app.crowdsec.net to accept it.
INFO[20-05-2022 04:16:09 PM] Please restart crowdsec after accepting the enrollment.
root@xXX:~# service crowdsec restart
root@xXX:~# cscli version
2022/05/20 16:28:04 version: v1.3.0-openwrt-1.3.0-3
2022/05/20 16:28:04 Codename: alphaga
2022/05/20 16:28:04 BuildDate: 2022-05-19_14:47:46
2022/05/20 16:28:04 GoVersion:
2022/05/20 16:28:04 Constraint_parser: >= 1.0, <= 2.0
2022/05/20 16:28:04 Constraint_scenario: >= 1.0, < 3.0
2022/05/20 16:28:04 Constraint_api: v1
2022/05/20 16:28:04 Constraint_acquis: >= 1.0, < 2.0
root@xXX:~# cscli metrics
INFO[20-05-2022 04:28:22 PM] Local Api Metrics:
+--------------------+--------+------+
|       ROUTE        | METHOD | HITS |
+--------------------+--------+------+
| /v1/watchers/login | POST   |    2 |

cscli parsers list
WARN[20-05-2022 05:17:08 PM] Crowdsec is not the latest version. Current version is 'v1.3.0' and the latest stable version is 'v1.3.4'. Please update it!
WARN[20-05-2022 05:17:08 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.3.4
PARSERS

2 Likes

Hi xkpx,

I didn't install CrowdSec on my router so I can't confirm whether it works or not. It does not work for me personally, as it just fills up my space and fails to install.
I have a CrowdSec instance installed in Docker and the firewall bouncer installed on the router.

Hope it helps.

Cheers
Leor

Sorry about this, the problem is known and I have already proposed a lot of fixes that were refused by the developers...
It becomes complicated to offer free time and a huge amount of work for such little code fixes!
Always "titling positive style" and "code justification"!
I am feeling very far from TECHNICAL aspects only...
And common Solutions become HUGE problems!
The unfixable behavior is more a lifestyle nowadays!
Like my CAPS and ! which are an "offensive way"; not at all, it's an accented proposal...
Not any neutral could help a world to become better!!!
It is also a criticism of people not liking bad words but still excusing bad actions!...
I will try again to propose something!
One day?!
Maybe...
Because Life is more important than Helping bad to become better...

All tips are available on my github or in the PR tried.
The data is because of GEOIP downloading which was forced by default...

Have a nice day...
Mine may be better, long far way from computers...

:mage: – Gandalf (from “The Conjurers”) © 1982-2022
@CYBERMIND.FR

1 Like

Does the openwrt bouncer block the IPs? Mine gets all IPs from my local API and adds them to the nftables table, but they are not blocked at all.

Hi Enfermera,
I no longer use OpenWRT so I can't confirm. The way I understand it, the bouncer adds them into nftables and it is the firewall's responsibility to block those IP addresses. Hope that helps.
Cheers,

Leor

Hi @erdoukki
I started to create my own crowdsec bouncer package based on what was discussed here.
May I ask how far your work is with a crowdsec uci configuration and maybe luci?

My bouncer package will only support fw4 / nftables and only include a bouncer and a uci configuration file. Maybe we should share our work?

The user guide has an error:
it is 'hub', not 'hup'

1 Like

And I am a new user; I cannot install the parser dropbear-logs:
cscli parsers install crowdsecurity/dropbear-logs
result:
WARN[17-02-2023 03:31:50 AM] Crowdsec is not the latest version. Current version is 'v1.3.0' and the latest stable version is 'v1.4.6'. Please update it!
WARN[17-02-2023 03:31:50 AM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.4.6
FATA[17-02-2023 03:31:50 AM] unable to retrieve item : crowdsecurity/dropbear-logs
Need help, please!

You have crowdsec-firewall-bouncer_0.0.25-1 on the official repo.

Here you have the latest crowdsec version if you have an ARM router:
crowdsec-1.4.6-r1.apk

I am running crowdsec on x86/64, and the OpenWrt version is 21.02.5, so do I need to compile a new version with the x86/64 SDK?

Or do I just copy the binary from Manjaro (in my LAN)? The version is 1.4.6.

You can try and see if it works for you :+1:

There is no crowdsec-firewall-bouncer_0.0.25-1 on the x86_64 official repo:
https://downloads.openwrt.org/releases/21.02.5/packages/x86_64/packages/
It is still crowdsec-firewall-bouncer_0.0.21-3,
and there is not even a crowdsec-firewall-bouncer on
https://downloads.openwrt.org/releases/22.03.3/packages/x86_64/packages/

I think the latest version still has problems with openwrt. I use banip now, and will test if I can compile a new version and test it on VirtualBox.

1 Like

It is here:
https://downloads.openwrt.org/snapshots/packages/x86_64/packages/

BOUNCER
crowdsec-firewall-bouncer_0.0.25-1_x86_64.ipk
CROWDSEC
crowdsec_1.3.0-3_x86_64.ipk

Good luck :slight_smile:

1 Like

A PR for updating crowdsec package to version 1.4.6 is opened. No estimate on when it will be merged.

1 Like

Crowdsec 1.4.6 is available in the snapshot branch (as soon as it has been built).

2 Likes

I spent some time playing with crowdsec today but feel there is still a way to go. My questions may be due to my ignorance of the software so apologies in advance if they are not OpenWrt specific:

  1. Is the email plugin working? I get the following:
time="27-02-2023 20:29:35" level=fatal msg="api server init: unable to run local API: while loading plugin: open /usr/local/lib/crowdsec/plugins: no such file or directory"
  2. I've managed to expose the LAPI and Prometheus metrics by changing the listen_addr and listen_uri in config.yaml. Are these available in the UCI config?

  3. I've managed to get the agent (1.3.0-3) and bouncer (0.0.25-1) talking to each other by manually registering them as the bouncer did not automatically register. However I'm having trouble downloading a relevant collection/parser/blocklist via the commands at Crowdsec packages for OpenWrt - #21 by erdoukki. Are these still current or is there other more relevant config I should download?

# cscli collections install crowdsecurity/linux
WARN[27-02-2023 09:03:11 PM] Crowdsec is not the latest version. Current version is 'v1.3.0' and the latest stable version is 'v1.4.6'. Please update it!
WARN[27-02-2023 09:03:11 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.4.6
WARN[27-02-2023 09:03:12 PM] crowdsecurity/syslog-logs : overwrite       
WARN[27-02-2023 09:03:12 PM] crowdsecurity/geoip-enrich : overwrite      
INFO[27-02-2023 09:03:12 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb' in '/srv/crowdsec/data/GeoLite2-City.mmdb'
Killed

And in my crowdsec.log:

time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file

In particular I can still see arbitrary scans hitting my WAN port (after turning on zone logging in kernel log), and am not sure if crowdsec is parsing them (or even blocking them).

  4. How do I check the contents of @crowdsec-blacklists in the nft firewall rules? I can see the nft tables, but how do I know that the blocklist is actually populated?

  1. https://docs.crowdsec.net/docs/notification_plugins/email/
  2. cscli config and cscli metrics
  3. https://hub.crowdsec.net/
  4. cscli decisions list --all and cscli alerts list --all

:+1:
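
The check asked about above (is the @crowdsec-blacklists set populated, and is it enforced), which also covers the earlier report of IPs landing in nftables without being blocked, as an added example that is not part of any post in this thread. It parses `nft list ruleset` text; the table name, chain name and addresses in the embedded sample are constructed assumptions, only the set name comes from the thread.

```sh
#!/bin/sh
# Added example, not from the thread. SET_NAME is the set named in the thread;
# the table/chain names and addresses in the sample are constructed.
SET_NAME="${SET_NAME:-crowdsec-blacklists}"

# Constructed sample of `nft list ruleset` output (documentation-range IPs).
sample_ruleset() {
cat <<'EOF'
table ip crowdsec {
    set crowdsec-blacklists {
        type ipv4_addr
        flags timeout
        elements = { 192.0.2.10 timeout 4h expires 3h59m,
                     198.51.100.7 timeout 4h expires 1h2m,
                     203.0.113.99 timeout 4h expires 12m }
    }
    chain crowdsec-chain {
        type filter hook input priority filter; policy accept;
        ip saddr @crowdsec-blacklists counter packets 0 bytes 0 drop
    }
}
EOF
}

# Reads ruleset text on stdin; prints "elements=<n> drop_rules=<m>".
blocklist_summary() {
    awk -v name="$SET_NAME" '
        $1 == "set" && $2 == name && $3 == "{" { in_set = 1; next }
        # Start of the element list: strip everything up to the opening brace.
        in_set && /elements[ \t]*=/ { in_elems = 1; sub(/.*elements[ \t]*=[ \t]*\{/, "") }
        # Count comma-separated entries; the list may span several lines.
        in_set && in_elems {
            line = $0
            if (line ~ /\}/) { sub(/\}.*/, "", line); closed = 1 }
            n = split(line, parts, ",")
            for (i = 1; i <= n; i++) if (parts[i] ~ /[^ \t]/) elements++
            if (closed) { in_elems = 0; in_set = 0; closed = 0 }
            next
        }
        in_set && /^[ \t]*\}/ { in_set = 0; next }   # set without elements
        # Only a rule that matches on the set AND drops/rejects enforces it.
        index($0, "@" name) && /(drop|reject)/ { rules++ }
        END { printf "elements=%d drop_rules=%d\n", elements, rules }
    '
}

# Turns the summary into one of three states.
blocklist_verdict() {
    summary=$(blocklist_summary)
    elements=${summary#elements=}; elements=${elements%% *}
    rules=${summary##*drop_rules=}
    if [ "$elements" -eq 0 ]; then echo "set empty"
    elif [ "$rules" -eq 0 ]; then echo "populated but not enforced"
    else echo "populated and enforced"
    fi
}
# On the router: nft list ruleset | blocklist_verdict
sample_ruleset | blocklist_verdict
```

"set empty" points at the LAPI/bouncer side (no decisions reaching the set), while "populated but not enforced" points at the firewall rules rather than CrowdSec.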

Thanks - I actually used the config from that page with no results. I should have given context:

So was wondering if this was still a known issue.

==========

My question was whether I should be setting them via /etc/config/crowdsec or directly in the yaml (in case they get overwritten). I may just end up using a local config file though.

==========

I presume this is the same list as found via cscli hub list -a? If so I'm not sure how to determine the appropriate collections/config for an OpenWrt install. Is the crowdsecurity/linux collection and crowdsecurity/whitelists parser not the most appropriate? If so, how to download them without hitting the OOM error?

==========

root@router:/# cscli decisions list --all
No active decisions
root@router:/# cscli alerts list
No active alerts

I think I have an "empty" install so just need this final config for it to actually do anything.

Thanks for the help so far!

1 Like

This is how I got it working on an openwrt router:

  1. DELETE CURRENT INSTALLATIONS OF CROWDSEC/C.S.BOUNCER AND /srv/crowdsec.
  2. INSTALL crowdsec_1.4.6-1 AND crowdsec-firewall-bouncer_0.0.25-1.
  3. CREATE AN ACCOUNT - https://app.crowdsec.net/signup.
  4. ENTER https://app.crowdsec.net/login.
  5. REGISTER CrowdSec instance " cscli console enroll .............. ".
  6. " service crowdsec reload ".
  7. " cscli bouncers add yourbouncername " AND WRITE DOWN APIkey.
  8. MODIFY /etc/crowdsec/config.yaml with listen_uri: 127.0.0.1:8080
    and listen_addr: 127.0.0.1
  9. MODIFY /etc/config/crowdsec with option api_url '0.0.0.0:8080/' and option api_key 'your APIkey'.
config crowdsec 'crowdsec'
	option data_dir '/srv/crowdsec/data'
	option db_path '/srv/crowdsec/data/crowdsec.db'
config bouncer
	option enabled '1'
	option ipv4 '1'
	option ipv6 '0'
	option api_url '0.0.0.0:8080/'
	option api_key 'your APIkey'
	option update_frequency '10s'
	option deny_action 'drop'
	option deny_log '0'
	option log_prefix 'crowdsec: '
	option log_level 'info'
	option filter_input '1'
	option filter_forward '1'
	list interface 'wan'
	list interface 'VPN1'
	list interface 'VPN2'
	.
	.
	.
  10. RESTART DEVICE.

:slight_smile: :+1:

It didn't work for me, even though I did exactly what you have written here...
Probably related to the Banip package??? Because I have it installed along with AdGuardHome...