Crowdsec packages for OpenWrt

Really happy with crowdsec so far. I have added the multibase container so I was missing the cs-nginx-bouncer.

I've been trying to get it running under OpenWrt. The first thing I had to change was lua's makefile dropping the -DNGX_LUA_NO_BY_LUA_BLOCK option.

Then I had to add lua-logging and lua-ffi but I get a segfault in nginx with the ffi module:

Oct 18 14:40:48 someserver kernel: [  397.530419] traps: nginx[20136] general protection fault ip:7fd036c3b47e sp:7fff2ec6f830 error:0 in ffi.so[7fd036c38000+10000

So I am wondering what's the required ffi module. I've tried with https://github.com/zhaozg/lua-ffi

I've opened an issue in lua-cs-bouncer

The WIP packages are here

Also, the reason the initialization does not work automatically is because it is tried in a uci-default.

uci-default scripts are run first thing in the boot process, much earlier than the networks are set up, hence it is not possible for the registration to work. It has to be moved to a hotplug event.
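
The hotplug approach suggested above, as an added example that is not code from the OpenWrt package or from anyone in this thread. It assumes the network-dependent step is `cscli capi register`, that the uplink's logical interface is named `wan`, and a hypothetical script name `/etc/hotplug.d/iface/99-crowdsec-register`.

```shell
#!/bin/sh
# Added example: /etc/hotplug.d/iface/99-crowdsec-register (file name is an assumption).
# OpenWrt sources iface hotplug scripts with ACTION and INTERFACE set for each
# interface event, so this file defines functions and never calls "exit".

# Credentials path as printed in the install log; uplink name "wan" is an assumption.
CS_CREDS="${CS_CREDS:-/etc/crowdsec/online_api_credentials.yaml}"
CS_WAN_IFACE="${CS_WAN_IFACE:-wan}"

# Return 0 if the credentials file exists and holds a non-empty "login:" field.
# An empty file is what produces the "can't load CAPI credentials (missing field)" warning.
has_capi_login() {
    [ -s "$1" ] && grep -Eq '^login:[[:space:]]*[^[:space:]]' "$1"
}

# Return 0 only when the uplink has just come up and no registration exists yet.
needs_registration() {
    cs_action="$1"; cs_iface="$2"; cs_file="$3"
    [ "$cs_action" = "ifup" ] || return 1
    [ "$cs_iface" = "$CS_WAN_IFACE" ] || return 1
    has_capi_login "$cs_file" && return 1
    return 0
}

if needs_registration "${ACTION:-}" "${INTERFACE:-}" "$CS_CREDS"; then
    logger -t crowdsec "uplink is up, registering to the Central API"
    # Assumption: cscli writes the new credentials to the configured credentials file.
    if cscli capi register; then
        # OpenWrt has no systemctl; reload through the init script instead.
        /etc/init.d/crowdsec reload
    else
        logger -t crowdsec "registration failed, will retry on the next ifup"
    fi
fi
```

Because the check keys on the `login:` field rather than on the file's existence, a failed early attempt that left an empty credentials file is retried on the next `ifup`.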

uci-default scripts are also executed at package installation.
It was modified in the review of the PR...
But there is still an issue, I think with the sed replacement.

You are right, it also has to be managed with something like a hotplug checking that the network is live, to be fully integrated in a firmware.
It does not work for now if you install it in a firmware image, but only if you install it at runtime.

Thanks,
I get a similar issue with cs-nginx-bouncer in a Debian LXC container, but I do not reproduce it and the issue was closed.
I now use dockers on OpenWrt, but it is a WIP also...

Upon finding this issue 17 @ cs-nginx-bouncer I thought you got it working.

Following https://github.com/justincormack/ljsyscall, I first tried with it; since it did not work, I then installed https://github.com/jmckaskill/luaffi and now nginx works with the cs-nginx-bouncer.

You can see the working OpenWRT packages here

I'm using crowdsec-firewall-bouncer on many OpenWRT devices connected with my domain LAPI server (which collects many crowdsec machines, mostly nginx), it works great. Actually, the crowdsec package is not mandatory for that usage, it would be great if it was not a dependency.

Exact, thanks for the report, I can add this modification in the next release…
You can also open an issue at openwrt’s packages github to help me not forget ?

Open

PR : https://github.com/openwrt/packages/pull/17407

You may test the results packages from the PR build check/tests...

Is there a pull planned for the new version? I tried a simple install today and it appears to be out of date. Also, OpenWrt doesn't use systemctl. Is there a guide to differences or a wiki entry for using on OpenWrt?

root@OpenWrt:~# opkg list crowdsec
crowdsec - 1.2.1-1 - Crowdsec - An open-source, lightweight agent to detect
 and respond to bad behaviours.
 It also automatically benefits from a global
 community-wide IP reputation database.

 This package contains the main program.
root@OpenWrt:~# opkg install crowdsec
Multiple packages (libgcc1 and libgcc1) providing same name marked HOLD or PREFER. Using latest.
Installing crowdsec (1.2.1-1) to root...
Downloading https://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_generic/packages/crowdsec_1.2.1-1_aarch64_generic.ipk
Configuring crowdsec.
WARN[07-01-2022 12:56:42 PM] can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[07-01-2022 12:56:42 PM] push and pull to Central API disabled
INFO[07-01-2022 12:56:42 PM] Machine '5cd5a4171fbda4fd0034a7fe50f90ccftX7oNhgSVnFuAwe2' successfully added to the local API
INFO[07-01-2022 12:56:42 PM] API credentials dumped to '/etc/crowdsec/local_api_credentials.yaml'
WARN[07-01-2022 12:56:42 PM] can't load CAPI credentials from '/etc/crowdsec/online_api_credentials.yaml' (missing field)
INFO[07-01-2022 12:56:42 PM] push and pull to Central API disabled
INFO[07-01-2022 12:56:44 PM] Successfully registered to Central API (CAPI)
INFO[07-01-2022 12:56:44 PM] Central API credentials dumped to '/etc/crowdsec/online_api_credentials.yaml'
WARN[07-01-2022 12:56:44 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
WARN[07-01-2022 12:56:44 PM] Crowdsec is not the latest version. Current version is 'v1.2.1' and the latest stable version is 'v1.2.2'. Please update it!
WARN[07-01-2022 12:56:44 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.2.2
INFO[07-01-2022 12:56:44 PM] Wrote new 191129 bytes index to /etc/crowdsec/hub/.index.json
WARN[07-01-2022 12:56:44 PM] Crowdsec is not the latest version. Current version is 'v1.2.1' and the latest stable version is 'v1.2.2'. Please update it!
WARN[07-01-2022 12:56:44 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.2.2
INFO[07-01-2022 12:56:45 PM] crowdsecurity/syslog-logs : OK
INFO[07-01-2022 12:56:45 PM] /etc/crowdsec/parsers/s00-raw doesn't exist, create
INFO[07-01-2022 12:56:45 PM] Enabled parsers : crowdsecurity/syslog-logs
INFO[07-01-2022 12:56:45 PM] crowdsecurity/geoip-enrich : OK
INFO[07-01-2022 12:56:45 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb' in '/srv/crowdsec/data/GeoLite2-City.mmdb'
INFO[07-01-2022 12:57:13 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-ASN.mmdb' in '/srv/crowdsec/data/GeoLite2-ASN.mmdb'
INFO[07-01-2022 12:57:16 PM] /etc/crowdsec/parsers/s02-enrich doesn't exist, create
INFO[07-01-2022 12:57:16 PM] Enabled parsers : crowdsecurity/geoip-enrich
INFO[07-01-2022 12:57:16 PM] crowdsecurity/dateparse-enrich : OK
INFO[07-01-2022 12:57:16 PM] Enabled parsers : crowdsecurity/dateparse-enrich
INFO[07-01-2022 12:57:16 PM] crowdsecurity/sshd-logs : OK
INFO[07-01-2022 12:57:16 PM] /etc/crowdsec/parsers/s01-parse doesn't exist, create
INFO[07-01-2022 12:57:16 PM] Enabled parsers : crowdsecurity/sshd-logs
INFO[07-01-2022 12:57:17 PM] crowdsecurity/ssh-bf : OK
INFO[07-01-2022 12:57:17 PM] Enabled scenarios : crowdsecurity/ssh-bf
INFO[07-01-2022 12:57:17 PM] crowdsecurity/ssh-slow-bf : OK
INFO[07-01-2022 12:57:17 PM] Enabled scenarios : crowdsecurity/ssh-slow-bf
INFO[07-01-2022 12:57:17 PM] crowdsecurity/sshd : OK
WARN[07-01-2022 12:57:17 PM] crowdsecurity/sshd : overwrite
INFO[07-01-2022 12:57:17 PM] Enabled collections : crowdsecurity/sshd
INFO[07-01-2022 12:57:17 PM] crowdsecurity/linux : OK
INFO[07-01-2022 12:57:17 PM] /etc/crowdsec/collections/sshd.yaml already exists.
INFO[07-01-2022 12:57:17 PM] Enabled collections : crowdsecurity/linux
INFO[07-01-2022 12:57:17 PM] Enabled crowdsecurity/linux
INFO[07-01-2022 12:57:17 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
WARN[07-01-2022 12:57:17 PM] Crowdsec is not the latest version. Current version is 'v1.2.1' and the latest stable version is 'v1.2.2'. Please update it!
WARN[07-01-2022 12:57:17 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.2.2
INFO[07-01-2022 12:57:18 PM] crowdsecurity/whitelists : OK
INFO[07-01-2022 12:57:18 PM] Enabled parsers : crowdsecurity/whitelists
INFO[07-01-2022 12:57:18 PM] Enabled crowdsecurity/whitelists
INFO[07-01-2022 12:57:18 PM] Run 'sudo systemctl reload crowdsec' for the new configuration to be effective.
WARN[07-01-2022 12:57:18 PM] Crowdsec is not the latest version. Current version is 'v1.2.1' and the latest stable version is 'v1.2.2'. Please update it!
WARN[07-01-2022 12:57:18 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.2.2
INFO[07-01-2022 12:57:18 PM] Upgrading collections
INFO[07-01-2022 12:57:18 PM] crowdsecurity/sshd : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/linux : up-to-date
INFO[07-01-2022 12:57:18 PM] All collections are already up-to-date
INFO[07-01-2022 12:57:18 PM] Upgrading parsers
INFO[07-01-2022 12:57:18 PM] crowdsecurity/whitelists : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/geoip-enrich : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/dateparse-enrich : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/sshd-logs : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/syslog-logs : up-to-date
INFO[07-01-2022 12:57:18 PM] All parsers are already up-to-date
INFO[07-01-2022 12:57:18 PM] Upgrading scenarios
INFO[07-01-2022 12:57:18 PM] crowdsecurity/ssh-slow-bf : up-to-date
INFO[07-01-2022 12:57:18 PM] crowdsecurity/ssh-bf : up-to-date
INFO[07-01-2022 12:57:18 PM] All scenarios are already up-to-date
INFO[07-01-2022 12:57:18 PM] Upgrading postoverflows
INFO[07-01-2022 12:57:18 PM] No postoverflows installed, nothing to upgrade
root@OpenWrt:~# sudo systemctl reload crowdsec
sudo: systemctl: command not found
root@OpenWrt:~# systemctl reload crowdsec
-ash: systemctl: not found
root@OpenWrt:~# service crowdsec status
running

Yes, I will work on the new versions soon...
I may also implement some evolutions with regard to users' feedback from this topic...

systemctl is not implemented in OpenWrt.
You may use service and init.d calls instead,
like /etc/init.d/crowdsec status or service crowdsec status

Why do you say it is "out of date"?

For Wiki, I still have no time free to work on it.

I guessed that a PR needed doing for this. I've finally got around to playing with crowdsec on my R4S.

No problem. I'll see if I can knock a little guide up for the wiki just as a placeholder and starter with links back to crowdsec's own wiki. Just pointing out the little differences will aid users for usage.

Done... :wink:

and

It's a bit brief but it's up :slight_smile:

Any noob's guide to install and set it up on OpenWrt?
Does it really interfere with Stubby/Banip/Adblock packages?

You should disable/remove BanIP as Crowdsec will replace it. The rest should be fine.

Oh OK, but I am not finding any simple to do guide to successfully install crowdsec package. Because I could install the package from software and after that how do I configure it? Is it really necessary to configure it and if yes how do I do it?
Please guide me.
Stubby + Adblock + Crowdsec works perfectly together according to you right?
I know you support and suggest to install Adguardhome only but how do you compare this crowdsec +Adblock against Adguardhome???

Ja, sorry. But I referred my comment to user mercygroundabyss. I thought he would reply to my comment.

So crowdsec only blocks incoming SYN to the router?

in that case

there should be no adverse/negative interactions based in that combination of packages...