Crowdsec packages for OpenWrt

Yes, that is why I said I would look at your first report...

I may propose a crowdsec-data package to integrate the first install data download.

Or move this download further...

Or simply remove the initial installation I integrated in the package to simplify usage for the user, and let them do it all by themselves by reading the documentation...


It simply does not work since you remade the needed commands.
But some checks, like in upgrade, may not work.

The log may, but the init script doesn't.

No, not for now.


negative (your commands were all present at firstboot but failed because they ran before any network interfaces were available)

correct

?

Yes, and it is not used, or I am missing something...

I will patch to move this folder.

Update: to be fixed, it is a new feature from v1.2.0 and I missed this part!


I do not understand how you installed the package?
If you let it fully install and then reboot, is it okay?

Because you interrupted the install, the commands did not complete...

What does the firstboot do here?
The script is also applied at installation, and then unneeded at firstboot.
It will only be used at firstboot if you integrate the package in a custom firmware, which is not supported for now, as I have already said.

What happens, when the network is ok, if you do:

cscli hub update && cscli collections install crowdsecurity/linux && cscli parsers install crowdsecurity/whitelists && cscli hub upgrade

And then service crowdsec restart

of course that will work... the issue i'm bringing to your attention is when your packages are included within peoples images, which is a typical operation for most packages...

it's only feedback... not questions/direct suggestions... code has a wonderful way of making what's important self-evident (clear) over time... so feel free to ignore my observations...

how/if/when/whether to address these 'possible' issues are purely up to you...

Oops, apologies...
Thanks for your (needed and appreciated) feedback!

I am just trying to understand well to make a patch...
No problem from your observations...


I don't know if there is any way, without coding, to check the "online" internet mode?
Like the hotplug way of the @vgaetera scripts...
It may be simple to check it this way, and let the init script do the missing firstboot commands...
Or add a test in the default script and postpone the commands...

Same for service init, there is no standard/default way to check online status before doing the job or postponing it, AFAIK?
This may be a good tweak to add.

Update: looks like there is no other way than hotplug.
mwan3 already does something like this: https://github.com/openwrt/packages/blob/master/net/mwan3/files/etc/hotplug.d/iface/15-mwan3
I prefer the https://openwrt.org/docs/guide-user/advanced/hotplug_extras script
It would be great to have them in a "default" package for OpenWrt and use them as a dependency...

This looks like a wise move to me... (a few logger messages if someone upgrades without including /srv/crowdsec or similar seem important also - if needed... I did not test for this yet)

(p.s. take your time... you did a good job on this... considering most users will be advanced users anyway... I think pushing it into the repos in its current state was a good move... get some exposure, learn how people use it... and tweak based on practical needs, now it's more available... you'll likely get more help over time too!)

edit: looks like crowdsec-firewall-bouncer may have some issues also...

######################## [root@dca632 /usbstick 54°]# cat /var/log/crowdsec-firewall-bouncer.log 
time="17-10-2021 13:27:54" level=info msg="backend type : nftables"
time="17-10-2021 13:27:54" level=info msg="nftables initiated"
time="17-10-2021 13:27:54" level=info msg="Processing new and deleted decisions . . ."
time="17-10-2021 13:27:54" level=fatal msg="API error: access forbidden"

####################### [root@dca632 /usbstick 54°]# cat /var/log/crowdsec_api.log 
time="17-10-2021 13:27:19" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:19 AEDT] \"POST /v1/watchers/login HTTP/1.1 200 441.129836ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""
time="17-10-2021 13:27:20" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:20 AEDT] \"POST /v1/watchers/login HTTP/1.1 200 408.192168ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""
time="17-10-2021 13:27:54" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 13:27:54 AEDT] \"GET /v1/decisions/stream?startup=true HTTP/1.1 403 1.60242ms \"crowdsec-firewall-bouncer/v0.0.15-openwrt\" \""

and then fresh install, and manually re-install packages...

main package is ok until installing the bouncer... which is now a 401 and kills the main package

[ /usbstick 55°]# cat /var/log/crowdsec_api.log 
time="17-10-2021 14:35:28" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 14:35:28 AEDT] \"POST /v1/watchers/login HTTP/1.1 401 1.749092ms \"crowdsec/v1.2.0-openwrt-openwrt\" \""

You can use procd interface triggers inside init scripts:
https://openwrt.org/docs/guide-developer/procd-init-scripts#specifying_triggers
But it can be tricky and may need some delay to mitigate tunneling protocols.

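One way to wire the procd interface trigger mentioned above to the deferred firstboot commands discussed earlier in the thread, as an added example that is not the package's own init script (it assumes the binary at /usr/bin/crowdsec, the config paths quoted in this thread, and "wan" as the interface whose "up" event means the router is online):

```shell
# Added example, not the init script shipped by the OpenWrt crowdsec package:
# a procd init script that starts crowdsec at boot and defers the network-
# dependent hub bootstrap to an interface trigger. On the router it goes in
# /etc/init.d/crowdsec with "#!/bin/sh /etc/rc.common" as its first line
# (left out here so the helper can run under plain sh). Assumed: binary at
# /usr/bin/crowdsec, the config paths quoted in this thread, "wan" = online.
START=99
USE_PROCD=1
EXTRA_COMMANDS="bootstrap"
CS_DIR=/etc/crowdsec
CS_CONF="$CS_DIR/config.yaml"
NET_IFACE=wan

# 0 when the first-install steps never completed (no hub index yet, or the
# LAPI credentials file has no login, i.e. machine not registered), else 1.
hub_bootstrap_pending() {
    dir=${1:-$CS_DIR}
    [ -s "$dir/hub/.index.json" ] || return 0
    grep -q '^login:' "$dir/local_api_credentials.yaml" 2>/dev/null || return 0
    return 1
}

# The commands the postinst could not finish without network; safe to re-run.
bootstrap() {
    hub_bootstrap_pending || return 0
    logger -t crowdsec "$NET_IFACE is up, running deferred hub bootstrap"
    grep -q '^login:' "$CS_DIR/local_api_credentials.yaml" 2>/dev/null || \
        cscli -c "$CS_CONF" machines add -a -f "$CS_DIR/local_api_credentials.yaml" || return 1
    cscli -c "$CS_CONF" hub update && \
    cscli -c "$CS_CONF" collections install crowdsecurity/linux && \
    cscli -c "$CS_CONF" parsers install crowdsecurity/whitelists && \
    cscli -c "$CS_CONF" hub upgrade || return 1
    /etc/init.d/crowdsec restart
}

start_service() {
    procd_open_instance
    procd_set_param command /usr/bin/crowdsec -c "$CS_CONF"
    procd_set_param respawn
    procd_close_instance
    # Never block boot on the network: if bootstrap is still pending, the
    # trigger below runs it once the interface is up and restarts the service.
    if hub_bootstrap_pending; then logger -t crowdsec "bootstrap pending, waiting for $NET_IFACE"; fi
}

# Re-run "bootstrap" each time NET_IFACE comes up (procd interface trigger).
service_triggers() {
    procd_add_interface_trigger "interface.*.up" "$NET_IFACE" /etc/init.d/crowdsec bootstrap
}
```

Because the trigger is registered by the enabled service, the same script covers both an opkg install on a running router and a package baked into a custom image, where the first "wan up" after firstboot runs the bootstrap.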

How is this supposed to be bootstrapped? I cannot get it to run:

❯ crowdsec
WARN[0000] can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[0000] push and pull to Central API disabled
time="16-10-2021 17:55:26" level=fatal msg="starting outputs error : authenticate watcher (): Post \"http://127.0.0.1:8081/v1/watchers/login\": API error: ent: machine not found"

I've changed the port to 8081 since 8080 is used by docker.

I've also tried:

cscli hub update && cscli collections install crowdsecurity/linux && cscli parsers install crowdsecurity/whitelists && cscli hub upgrade

But still I cannot start the service. This is on a just-built master x86_64, with data on external storage, a btrfs subvolume.

What else do I need to run it?

@jmarcet
Can you please post the content of /etc/crowdsec/online_api_credentials.yaml
The file looks to be missing content!?
Can you do an ls on /etc/crowdsec also please?

You may try cscli -c /etc/crowdsec/config.yaml capi register -f /etc/crowdsec/online_api_credentials.yaml, it will reset the registration in the central API.
Then restart the service with service crowdsec restart and also check the log, if needed, in /var/log/crowdsec...

Strange that the API was not registered at install, maybe because of the already used port!
Will check this.
Thanks for the feedback!

Do you have Crowdsec working fine?
Crowdsec-firewall-bouncer needs crowdsec.
Can you share your /etc/crowdsec/config.yaml
And /etc/crowdsec/local_api_credentials.yaml
And /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

Thanks in advance

yes... (but installing/starting the bouncer kills it)

[ /usbstick 54°]# cat /etc/crowdsec/local_api_credentials.yaml
url: http://127.0.0.1:8080
login: d4a17ef423SNIP
password: zDYcdygIqSNIP
[ /usbstick 55°]# cat /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml 
mode: ${BACKEND}
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://localhost:8080/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
#to change log prefix
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER
[ /usbstick 55°]# cat /etc/crowdsec/config.yaml
common:
  daemonize: true
  pid_dir: /var/run/
  log_media: file
  log_level: info
  log_dir: /var/log/
  working_dir: .
config_paths:
  config_dir: /etc/crowdsec/
  data_dir: /srv/crowdsec/data
  simulation_path: /etc/crowdsec/simulation.yaml
  hub_dir: /etc/crowdsec/hub/
  index_path: /etc/crowdsec/hub/.index.json
  notification_dir: /etc/crowdsec/notifications/
  plugin_dir: /usr/local/lib/crowdsec/plugins/
crowdsec_service:
  acquisition_path: /etc/crowdsec/acquis.yaml
  parser_routines: 1
cscli:
  output: human
db_config:
  log_level: info
  type: sqlite
  db_path: /srv/crowdsec/data/crowdsec.db
  #user: 
  #password:
  #db_name:
  #host:
  #port:
  flush:
    max_items: 5000
    max_age: 7d
plugin_config:
  user: nobody # plugin process would be ran on behalf of this user
  group: nogroup # plugin process would be ran on behalf of this group
api:
  client:
    insecure_skip_verify: false
    credentials_path: /etc/crowdsec/local_api_credentials.yaml
  server:
    log_level: info
    listen_uri: 127.0.0.1:8080
    profiles_path: /etc/crowdsec/profiles.yaml
    online_client: # Central API credentials (to push signals and receive bad IPs)
      credentials_path: /etc/crowdsec/online_api_credentials.yaml
#    tls:
#      cert_file: /etc/crowdsec/ssl/cert.pem
#      key_file: /etc/crowdsec/ssl/key.pem
prometheus:
  enabled: true
  level: full
  listen_addr: 127.0.0.1
  listen_port: 6060

some logs indicate it's using ipv6 for localhost... yet the daemon doesn't listen on an 8080 ipv6 socket afaik...

[ /usbstick 54°]# cat /var/log/crowdsec-firewall-bouncer.log 

time="17-10-2021 14:57:15" level=info msg="backend type : nftables"
time="17-10-2021 14:57:15" level=info msg="nftables initiated"
time="17-10-2021 14:57:15" level=info msg="Processing new and deleted decisions . . ."
time="17-10-2021 14:57:15" level=error msg="auth-api: auth with api key failed return nil response, error: dial tcp [::1]:8080: connect: connection refused"
time="17-10-2021 14:57:15" level=fatal msg="Get \"http://localhost:8080/v1/decisions/stream?startup=true\": dial tcp [::1]:8080: connect: connection refused"
#this crashes main server

[ /usbstick 55°]# lsof -i -nP | grep 8080
crowdsec  5518    root   11u  IPv4  84428      0t0  TCP 127.0.0.1:8080 (LISTEN)

okay
thanks
I see where the problem is.
2 variables were not replaced at install in your
/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

I will look why.
and also give you manual step fixes.

can you also provide, after a service crowdsec-bouncer-firewall start, the /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml ?

thanks

I manually fixed the localhost > '::1' issue as can be seen below

############# [root@dca632 ../_WATCHCATNG 54°] cat /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
mode: nftables
pid_dir: /var/run/
update_frequency: 10s
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
api_url: http://127.0.0.1:8080/
api_key: ${API_KEY}
disable_ipv6: false
deny_action: DROP
deny_log: false
#to change log prefix
#deny_log_prefix: "crowdsec: "
#if present, insert rule in those chains
iptables_chains:
  - INPUT
  - FORWARD
#  - DOCKER-USER

looks like nft got over-adds too (but I'd take that upstream if I were you... it should validate/cleanup on its own afaik)

table ip crowdsec {
	set crowdsec_blocklist {
		type ipv4_addr
	}

	chain crowdsec_chain {
		type filter hook input priority filter; policy accept;
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
		ip saddr @crowdsec_blocklist drop
	}
}
table ip6 crowdsec6 {
	set crowdsec6_blocklist {
		type ipv6_addr
	}

	chain crowdsec6_chain {
		type filter hook input priority filter; policy accept;
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
		ip6 saddr @crowdsec6_blocklist drop
	}
}
table inet nft-qos-monitor {
	chain upload {
		type filter hook prerouting priority filter; policy accept;
		ip saddr 10.2.3.17 counter packets 0 bytes 0
		ip saddr 10.2.3.205 counter packets 2 bytes 130
		ip saddr 10.2.3.167 counter packets 2 bytes 132
		ip6 saddr 2403:b3a7 counter packets 0 bytes 0
		ip6 saddr 2403:adca counter packets 30 bytes 26215
	}

	chain download {
		type filter hook postrouting priority filter; policy accept;
		ip daddr 10.2.3.17 counter packets 0 bytes 0
		ip daddr 10.2.3.205 counter packets 2 bytes 222
		ip daddr 10.2.3.167 counter packets 0 bytes 0
		ip6 daddr 2403:b3a7 counter packets 0 bytes 0
		ip6 daddr 2403:adca counter packets 19 bytes 5888
	}
}
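Added example (not from the package or this post) that mechanically checks the three things this post exposes: leftover ${...} placeholders in the rendered bouncer config, an api_url of localhost, and duplicated rules in the crowdsec nft chain; it assumes only the file paths quoted in the thread:

```shell
# Added example, not code from the crowdsec OpenWrt package: checks for the
# three problems this post shows. (1) the rendered bouncer config still had
# ${BACKEND}/${API_KEY} unexpanded, so the bouncer sent the literal string as
# its key and LAPI answered 403; (2) api_url said "localhost", which resolved
# to [::1] while LAPI listens on 127.0.0.1 only; (3) the crowdsec nft chain
# gained one more identical drop rule per bouncer restart. Paths are the ones
# quoted in the thread.

# Print every line of a rendered config that still carries an unexpanded ${VAR}.
unexpanded_placeholders() {
    grep -n '\${[A-Za-z_][A-Za-z0-9_]*}' "$1"
}

# 0 when api_url names "localhost" instead of the literal 127.0.0.1.
api_url_uses_localhost() {
    grep -q '^api_url:.*://localhost[:/]' "$1"
}

# 0 when the rendered bouncer config is safe to start the bouncer with, 1 if
# either problem above is present (details go to stdout).
check_bouncer_config() {
    rc=0
    if unexpanded_placeholders "$1" >/dev/null; then
        echo "ERROR: unexpanded placeholders in $1:"
        unexpanded_placeholders "$1"
        rc=1
    fi
    if api_url_uses_localhost "$1"; then
        echo "WARN: api_url in $1 uses localhost; LAPI listens on 127.0.0.1 only"
        rc=1
    fi
    return $rc
}

# Highest repeat count of one rule line in an `nft list ruleset` dump (table/
# set/chain headers and "type" lines are skipped); above 1 means duplicates.
max_rule_repeats() {
    sed 's/^[[:space:]]*//' "$1" \
        | grep -v -e '^$' -e '{$' -e '^}$' -e '^type ' \
        | sort | uniq -c | sort -rn \
        | awk 'NR==1 {print $1} END {if (NR==0) print 0}'
}

# On the router:
#   check_bouncer_config /var/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
#   nft list ruleset > /tmp/nft.txt && max_rule_repeats /tmp/nft.txt
```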

I didn't have /etc/crowdsec/online_api_credentials.yaml. I tried copying the one from the build dir, but it is empty, so that's all I have.

After doing cscli -c /etc/crowdsec/config.yaml capi register -f /etc/crowdsec/online_api_credentials.yaml now it has some content:

❯ cat /etc/crowdsec/local_api_credentials.yaml
url: http://127.0.0.1:8081
❯ cat /etc/crowdsec/online_api_credentials.yaml
url: https://api.crowdsec.net/
login: 49584377b2242b45c5e64522616aeb8et6xsGRgAsloMB4Md
password: 1KjbHcCjPUxyabEH9yiKzfolJJ5llIQLzBhae7WRUiX5XHesjmJFp5fdkPnGpD2P
❯ ls -Al /etc/crowdsec
total 21
-rw-r--r-- 1 root root  286 Oct 16 09:45 acquis.yaml
drwxr-xr-x 1 root root 3488 Oct 16 17:45 bouncers
drwxr-xr-x 1 root root 3488 Oct 16 17:51 collections
-rw-r--r-- 1 root root 1413 Oct 16 17:54 config.yaml
-rw-r--r-- 1 root root  969 Oct 16 09:45 dev.yaml
-rw-r--r-- 1 root root   27 Oct 16 17:44 local_api_credentials.yaml
-rw-r--r-- 1 root root  162 Oct 17 09:30 online_api_credentials.yaml
drwxrwxr-x 5 root root 3488 Oct 16 17:51 parsers
drwxr-xr-x 2 root root  374 Oct 16 09:45 patterns
drwxr-xr-x 2 root root    3 Oct 16 09:45 postoverflows
-rw-r--r-- 1 root root  522 Oct 16 09:45 profiles.yaml
drwxr-xr-x 1 root root 3488 Oct 16 17:51 scenarios
-rw-r--r-- 1 root root   57 Oct 16 09:45 simulation.yaml
-rw-r--r-- 1 root root  991 Oct 16 17:44 user.yaml

Running crowdsec directly:

==> /var/log/crowdsec.log <==
time="17-10-2021 09:34:59" level=error msg="Failed to notify(sent: false): <nil>"
time="17-10-2021 09:34:59" level=warning msg="Starting processing data"
time="17-10-2021 09:34:59" level=info msg="Error machine login for  : ent: machine not found "

==> /var/log/crowdsec_api.log <==
time="17-10-2021 09:34:59" level=info msg="127.0.0.1 - [Sun, 17 Oct 2021 09:34:59 CEST] \"POST /v1/watchers/login HTTP/1.1 401 430.383µs \"crowdsec/v1.2.0-openwrt-openwrt\" \""

==> /var/log/crowdsec.log <==
time="17-10-2021 09:34:59" level=fatal msg="starting outputs error : authenticate watcher (): Post \"http://127.0.0.1:8081/v1/watchers/login\": API error: ent: machine not found"

Here is the error.
It should have been replaced in the

/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

It is made at install, but looks to have not worked.
I have added a pseudo upgrade script to not replace it, but it may have a bug.


You may have the service already started and then use the cscli command line.
You can then check the registered status and redo it if needed.
I will look for the necessary commands.

You may also need to register your host with:

cscli -c /etc/crowdsec/config.yaml machines add -a -f /etc/crowdsec/local_api_credentials.yaml

I do not get why your install script does not execute...