here you go

src/gz openwrt_core http://downloads.openwrt.org/releases/21.02-SNAPSHOT/targets/bcm27xx/bcm2711/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/base
src/gz openwrt_kmods http://downloads.openwrt.org/releases/21.02-SNAPSHOT/targets/bcm27xx/bcm2711/kmods/5.4.171-1-0788d83a1525da40e4d0f7b1f5d6ee0e
src/gz openwrt_packages http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/packages
src/gz openwrt_luci http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/luci
src/gz openwrt_routing http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/telephony
src/gz openwrt_core http://downloads.openwrt.org/releases/21.02-SNAPSHOT/targets/bcm27xx/bcm2711/packages
src/gz openwrt_base http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/base
src/gz openwrt_kmods http://downloads.openwrt.org/releases/21.02-SNAPSHOT/targets/bcm27xx/bcm2711/kmods/5.4.171-1-0788d83a1525da40e4d0f7b1f5d6ee0e
src/gz openwrt_packages http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/packages
src/gz openwrt_luci http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/luci
src/gz openwrt_routing http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/routing
src/gz openwrt_telephony http://downloads.openwrt.org/releases/21.02-SNAPSHOT/packages/aarch64_cortex-a72/telephony

I feel my cs-firewall-bouncer is not working. I don't see a sign that it's working. Can you tell me how to check whether it is working or not? If not, how can I install cs-nginx-bouncer?

There is a package fix pending approval.
You may wait for the approval to take effect, or reproduce the fix locally.
Look at: https://github.com/openwrt/packages/pull/17614/files# and reproduce the modification at line 7 of initd.
All the rest are just cosmetic fixes.

Then do a service restart with:

service crowdsec-firewall-bouncer restart

Then do a check on the /var/log/crowdsec-firewall-bouncer.log
Or, better, look at the bouncers status with:

cscli bouncers list

Or look at the crowdsec wiki page with the check about firewall bouncer at openwrt wiki.

I have not made any package for the nginx bouncer for now.
I will, soon, if needed.

It's very strange that I don't have any output when I type ipset list!

root@rpi4-e45f01048a ~41# ipset list
root@rpi4-e45f01048a ~41#

A few logs from the commands which I tried, to check whether the firewall bouncer is working or not... Does it say anything to you? I mean, whether my setup is complete and functioning properly?

root@rpi4-e45f01048a ~41# cscli bouncers list

NAME IP ADDRESS VALID LAST API PULL TYPE VERSION

crowdsec-firewall-bouncer-yNsKPLaO ✔️ 2022-01-18T22:05:17Z
myBouncer ✔️ 2022-01-18T22:12:12Z
crowdsec-nginx-bouncer-qOZcHzrL ✔️ 2022-01-18T22:48:02Z
MyBouncerName ✔️ 2022-01-18T22:54:39Z

root@rpi4-e45f01048a ~41# cscli metrics
INFO[18-01-2022 10:56:16 PM] Local Api Metrics:
+--------------------+--------+------+
| ROUTE | METHOD | HITS |
+--------------------+--------+------+
| /v1/alerts | GET | 2 |
| /v1/watchers/login | POST | 4 |
+--------------------+--------+------+
INFO[18-01-2022 10:56:16 PM] Local Api Machines Metrics:
+--------------------------------------------------+------------+--------+------+
| MACHINE | ROUTE | METHOD | HITS |
+--------------------------------------------------+------------+--------+------+
| 1e13711506834337890b76ea8f69d734y4eu4sozLJGym7rk | /v1/alerts | GET | 2 |
+--------------------------------------------------+------------+--------+------+
root@rpi4-e45f01048a ~42# ps | grep crowdsec
4351 root 1220 RN grep crowdsec
32362 root 783m S /usr/bin/crowdsec -c /var/etc/crowdsec/config.yaml
root@rpi4-e45f01048a ~40# service crowdsec-firewall-bouncer restart
iptables found
nftables found
Found nftables(default) and iptables...
root@rpi4-e45f01048a ~40# ipset list
root@rpi4-e45f01048a ~40# cscli decisions list
No active decisions
root@rpi4-e45f01048a ~41# cscli decision
Error: unknown command "decision" for "cscli"

Did you mean this?
decisions

Run 'cscli --help' for usage.
FATA[0000] While executing root command : unknown command "decision" for "cscli"

Did you mean this?
decisions
root@rpi4-e45f01048a ~42# cscli decisions
Add/List/Delete/Import decisions from LAPI

Usage:
cscli decisions [command]

Examples:
cscli decisions [action] [filter]

Available Commands:
add Add decision to LAPI
delete Delete decisions
import Import decisions from json or csv file
list List decisions from LAPI

Flags:
-h, --help help for decisions

Global Flags:
-c, --config string path to crowdsec config file (default "/etc/crowdsec/config.yaml")
--debug Set logging to debug.
--error Set logging to error.
--info Set logging to info.
-o, --output string Output format : human, json, raw.
--trace Set logging to trace.
--warning Set logging to warning.

Use "cscli decisions [command] --help" for more information about a command.
root@rpi4-e45f01048a ~41# cscli decisions list
No active decisions
root@rpi4-e45f01048a ~41# ipset list
root@rpi4-e45f01048a ~41# nft list tables
root@rpi4-e45f01048a ~41# cscli alerts list
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
| ID | VALUE | REASON | COUNTRY | AS | DECISIONS | CREATED AT |
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
| 1 | crowdsec/community-blocklist | update : +2115/-0 IPs | | | ban:2115 | 2022-01-18 22:14:04 +0000 UTC |
+----+------------------------------+-----------------------+---------+----+-----------+-------------------------------+
root@rpi4-e45f01048a ~41# ipset list
root@rpi4-e45f01048a ~41# ^C
root@rpi4-e45f01048a ~41#

You have nftables and iptables installed.
Your default firewall backend for crowdsec then became nftables.
You have to use nft-specific commands to check the config and the effect of the crowdsec firewall bouncer on your firewall.
Or remove the nftables package from your config and use iptables.

Have you applied this fix?

Can you check ps | grep crowdsec after the service crowdsec-firewall-bouncer restart?

You have community rules correctly applied.
So crowdsec is already working.
I think the firewall also gets the IPs to ban when alerts are fed.
But you may use the nft commands, when using nftables, or ipset commands if using only iptables, to check the status of your system firewall bans and to be sure.

root@rpi4-e45f01048a /41# ps | grep crowdsec
5175 root 1220 RN grep crowdsec
32362 root 784m S /usr/bin/crowdsec -c /var/etc/crowdsec/config.yaml

Apologies, this checks only crowdsec, not cs!

If you have already modified your /etc/initd/crowdsec-firewall-bouncer, with nano or vi, and replaced, at line 7;
PROG=/usr/bin/crowdsec-firewall-bouncer
by;
PROG=/usr/bin/cs-firewall-bouncer

Then do service crowdsec-firewall-bouncer restart and ps | grep cs

If okay, then both work fine…


I will try to do it today after I come home. Sorry for yesterday, I fell asleep before replying to you. I also deleted nftables and will see if I can get crowdsec working with only iptables...
I will get back to you this evening... Thanks for your reply

Thank you Erdoukki, now it is working fine. I have one request though: could you make this installation a lot easier for the end user with updates, so that we don't have to struggle a lot in making this wonderful software work on OpenWrt, please?

Thanks once again for your hard work and keep it up.

Thanks...

I will try to enhance it with users' feedback...

All the steps you had to do manually were because of some bugs, now fixed, in the firewall package.

Please keep in mind that all the work is done in my free time, when I have some.
It is also the case for most of the OpenWrt developers, and I also have to wait for them when I share my work on CrowdSec.

firewall fix PR for master merged !

firewall initd fix for 21.02 (PR opened):

will resolve issue:

PRs for lua-cs-bouncer and crowdsec-nginx-bouncer:

...stay tuned !


Hi, that means no more fiddling with the setup of Crowdsec and I have to just install Crowdsec and bouncer and the rest works automatically??? Or is it not the case as of now?
As I understand cs-nginx-bouncer is also included in the package or should I install it manually???

Oh, my mistake. I saw just now the package. There once again a72 package is missing for Rpi4. Can you please compile for a72 architecture also? Or tell me which version I should use for my Rpi4 Openwrt.

One more question, post Crowdsec installation, which collections or parsers in addition to Crowdsec should I install??

If you need and want to use only the banip feature of the firewall, just do:
heart component:

opkg install crowdsec

This package will register to the official API and you'll be fed with the community, free, CrowdSec-managed IP list.

ipbans firewalling:

opkg install crowdsec-firewall-bouncer

The community IPs BANs list will be used and managed by OpenWrt System firewall software...

if you need to protect an nginx instance on OpenWrt itself:

opkg install crowdsec-nginx-bouncer

You will then get this specific nginx component for protecting OpenWrt NGINX software.

The component will be available in the official upstream packages once it has been compiled by the buildbots, after the developers have reviewed my PR and validated it to be merged into the code...
Each step requires time from each actor!

If you want more by yourself, give a try to a build of the package.

None / depends on your needs!

If you want more, you may look at the code itself, and then compare at the bouncers list, and also share your results in the wiki, or here...


upstream topic: https://discourse.crowdsec.net/t/crowdsec-openwrt-21-02-1-iptables-ipset-package-problems/533/5
issue: https://github.com/openwrt/packages/issues/17804
PR: https://github.com/openwrt/packages/pull/17805


Hi, I just want to thank you for your wonderful work on this addon. It's working perfectly. Even then I should change the name backend to iptables... Is it a must, or does it work if left at the default?


Thanks!

I still had to share some tutorials, the software is really cool and can afford a great enhancement in network security...
Stay tuned!

If you have installed iptables and ipset without also installing nftables, then all will be automatically detected and the backend will be set to iptables at service startup.
If you have only nftables, same, but with nftables.

If you have installed both nftables and iptables, then nftables will be selected in priority.

The backend cannot be set manually on OpenWrt, but I can make a general config if needed, disabling the auto-detect of the backend and using a manually forced backend.
A tweak is also possible by removing the backend tag in the /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml, that is, the tag ${BACKEND}, which is searched for and used in the auto-detect script...
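
The checks discussed in this thread (the PROG line in the init script, and which backend's listing command to use given the nftables-over-iptables priority described above), gathered into one script. This is an added example, not the package's own init or auto-detect code; the function names and the default /etc/init.d path are assumptions.

```shell
#!/bin/sh
# Added example, not the package's init or detection script.

# Backend per the priority described in the thread: nftables wins when
# present; otherwise iptables, which also needs ipset.
detect_backend() {
    if command -v nft >/dev/null 2>&1; then
        echo nftables
    elif command -v iptables >/dev/null 2>&1 &&
         command -v ipset >/dev/null 2>&1; then
        echo iptables
    else
        echo none
    fi
}

# Print the binary named on the init script's first PROG= line.
initd_prog() {
    sed -n '/^PROG=/{s/^PROG=//p;q;}' "$1"
}

# Succeed only if that binary exists and is executable (the initd fix).
initd_prog_ok() {
    prog=$(initd_prog "$1")
    [ -n "$prog" ] && [ -x "$prog" ]
}

# Command from the thread that lists what the bouncer loaded, per backend.
ban_listing_cmd() {
    case "$1" in
        nftables) echo "nft list tables" ;;
        iptables) echo "ipset list" ;;
        *) return 1 ;;
    esac
}

check_bouncer() {
    # Default path is an assumption (standard OpenWrt init.d location).
    initd=${1:-/etc/init.d/crowdsec-firewall-bouncer}
    backend=$(detect_backend)
    echo "auto-detected backend: $backend"
    initd_prog_ok "$initd" || echo "PROG not found: $(initd_prog "$initd")"
    ps | grep '[c]s-firewall-bouncer' || echo "bouncer process not running"
    cscli bouncers list
    if cmd=$(ban_listing_cmd "$backend"); then $cmd; fi
}

if [ "${1:-}" = "--run" ]; then check_bouncer; fi
```

Run it with --run on the router; an empty ipset list on a system where the detected backend is nftables is expected, since the bans are not stored in ipset in that case.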

I have started to write some notes in the Wiki...
About the upcoming feature of notifications alerts and quick howto with collections from the hub, to protect dockers instance of NextCloud and NginxProxyManager...

https://openwrt.org/docs/guide-user/services/crowdsec#external_tools a new script will be available for external tools contributing to simplify users experience with CrowdSec!

Hi Erdoukki, I am getting a strange error when I try to list the decisions list. This is the error I am getting:

root@rpi4-e45f01048a /45# cscli decisions list
FATA[07-02-2022 12:14:48 PM] Unable to list decisions : performing request: Get "http://127.0.0.1:8080/v1/alerts?has_active_decision=true&include_capi=false&limit=100": could not get jwt token: Post "http://127.0.0.1:8080/v1/watchers/login": dial tcp 127.0.0.1:8080: connect: connection refused
What does it really mean? How do I solve this error?