Crowdsec 1.4.6 is available in the snapshot branch (as soon as it has been built).
I spent some time playing with crowdsec today but feel there is still a way to go. My questions may be due to my ignorance of the software, so apologies in advance if they are not OpenWrt-specific:
- is the email plugin working? I get the following:
time="27-02-2023 20:29:35" level=fatal msg="api server init: unable to run local API: while loading plugin: open /usr/local/lib/crowdsec/plugins: no such file or directory"
- I've managed to expose the LAPI and Prometheus metrics by changing the listen_addr and listen_uri in config.yaml. Are these available in the UCI config?
- I've managed to get the agent (1.3.0-3) and bouncer (0.0.25-1) talking to each other by manually registering them, as the bouncer did not automatically register. However, I'm having trouble downloading a relevant collection/parser/blocklist via the commands at Crowdsec packages for OpenWrt - #21 by erdoukki. Are these still current, or are there other more relevant configs I should download?
# cscli collections install crowdsecurity/linux
WARN[27-02-2023 09:03:11 PM] Crowdsec is not the latest version. Current version is 'v1.3.0' and the latest stable version is 'v1.4.6'. Please update it!
WARN[27-02-2023 09:03:11 PM] As a result, you will not be able to use parsers/scenarios/collections added to Crowdsec Hub after CrowdSec v1.4.6
WARN[27-02-2023 09:03:12 PM] crowdsecurity/syslog-logs : overwrite
WARN[27-02-2023 09:03:12 PM] crowdsecurity/geoip-enrich : overwrite
INFO[27-02-2023 09:03:12 PM] downloading data 'https://crowdsec-statics-assets.s3-eu-west-1.amazonaws.com/GeoLite2-City.mmdb' in '/srv/crowdsec/data/GeoLite2-City.mmdb'
Killed
And in my crowdsec.log:
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/nginx/*.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern ./tests/nginx/nginx.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/auth.log" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/syslog" type=file
time="27-02-2023 21:05:41" level=warning msg="No matching files for pattern /var/log/apache2/*.log" type=file
In particular I can still see arbitrary scans hitting my WAN port (after turning on zone logging in kernel log), and am not sure if crowdsec is parsing them (or even blocking them).
- How do I check the contents of @crowdsec-blacklists in the nft firewall rules? I can see the nft tables, but how do I know that the blocklist is actually populated?
- https://docs.crowdsec.net/docs/notification_plugins/email/
- cscli config and cscli metrics
- https://hub.crowdsec.net/
- cscli decisions list --all and cscli alerts list --all
Thanks - I actually used the config from that page with no results. I should have given context:
So was wondering if this was still a known issue.
==========
My question was whether I should be setting them via /etc/config/crowdsec
or directly in the yaml (in case they get overwritten). I may just end up using a local
config file though.
==========
I presume this is the same list as found via cscli hub list -a? If so, I'm not sure how to determine the appropriate collections/config for an OpenWrt install. Is the crowdsecurity/linux collection and crowdsecurity/whitelists parser not the most appropriate? If so, how to download them without hitting the OOM error?
==========
root@router:/# cscli decisions list --all
No active decisions
root@router:/# cscli alerts list
No active alerts
I think I have an "empty" install so just need this final config for it to actually do anything.
Thanks for the help so far!
This is how I got it working on an openwrt router:
- DELETE CURRENT INSTALLATIONS OF CROWDSEC/C.S.BOUNCER AND /srv/crowdsec.
- INSTALL crowdsec_1.4.6-1 AND crowdsec-firewall-bouncer_0.0.25-1.
- CREATE AN ACCOUNT - https://app.crowdsec.net/signup.
- ENTER https://app.crowdsec.net/login.
- REGISTER CrowdSec instance " cscli console enroll .............. ".
- " service crowdsec reload ".
- " cscli bouncers add yourbouncername " AND WRITE DOWN APIkey.
- MODIFY /etc/crowdsec/config.yaml with listen_uri: 127.0.0.1:8080 and listen_addr: 127.0.0.1.
- MODIFY /etc/config/crowdsec with option api_url '0.0.0.0:8080/' and option api_key 'your APIkey'.
config crowdsec 'crowdsec'
	option data_dir '/srv/crowdsec/data'
	option db_path '/srv/crowdsec/data/crowdsec.db'

config bouncer
	option enabled '1'
	option ipv4 '1'
	option ipv6 '0'
	option api_url '0.0.0.0:8080/'
	option api_key 'your APIkey'
	option update_frequency '10s'
	option deny_action 'drop'
	option deny_log '0'
	option log_prefix 'crowdsec: '
	option log_level 'info'
	option filter_input '1'
	option filter_forward '1'
	list interface 'wan'
	list interface 'VPN1'
	list interface 'VPN2'
.
.
.
- RESTART DEVICE.
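Added example (not from this thread or the CrowdSec project) for the earlier question of how to tell whether @crowdsec-blacklists is actually populated: it cross-checks the LAPI's active ban decisions against the IPs in the bouncer's nft set. Assumptions: the bouncer's default table/set names (`ip crowdsec` / `crowdsec-blacklists`), and the JSON shapes of `cscli decisions list -o json` and `nft -j list set` as sketched in the constructed samples.

```python
"""Check that CrowdSec decisions are actually present in the bouncer's nft set."""
import json
import subprocess
# Constructed sample of `cscli decisions list -o json` (assumed shape: a list of
# alerts, each carrying its decisions; with no decisions cscli prints "null").
SAMPLE_DECISIONS = json.dumps([
    {"id": 1, "scenario": "crowdsecurity/ssh-bf",
     "decisions": [{"value": "198.51.100.7", "type": "ban", "scope": "Ip"}]},
    {"id": 2, "scenario": "crowdsecurity/http-probing",
     "decisions": [{"value": "203.0.113.9", "type": "ban", "scope": "Ip"}]},
])
# Constructed sample of `nft -j list set ip crowdsec crowdsec-blacklists`
# (assumed shape: timed elements are {"elem": {"val": ..., "expires": ...}}).
SAMPLE_NFT = json.dumps({"nftables": [
    {"set": {"family": "ip", "table": "crowdsec", "name": "crowdsec-blacklists",
             "type": "ipv4_addr",
             "elem": [{"elem": {"val": "198.51.100.7", "expires": 14399}}]}},
]})

def decision_ips(decisions_json):
    """IPs that currently carry a 'ban' decision of scope Ip."""
    ips = set()
    for alert in json.loads(decisions_json) or []:  # "null" -> no alerts
        for d in alert.get("decisions", []):
            if d.get("type") == "ban" and d.get("scope", "").lower() == "ip":
                ips.add(d["value"])
    return ips

def nft_set_ips(nft_json):
    """IPs present in the nft set; CIDR prefix elements are skipped."""
    ips = set()
    for obj in json.loads(nft_json).get("nftables", []):
        for e in obj.get("set", {}).get("elem", []):
            val = e.get("elem", {}).get("val") if isinstance(e, dict) else e
            if isinstance(val, str):
                ips.add(val)
    return ips

def missing_from_set(decisions_json, nft_json):
    """Banned IPs the bouncer has not (yet) pushed into the nft set."""
    return decision_ips(decisions_json) - nft_set_ips(nft_json)

def live_check():
    """On the router: compare real cscli output with the real nft set."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return missing_from_set(run("cscli", "decisions", "list", "-o", "json"),
                            run("nft", "-j", "list", "set", "ip", "crowdsec", "crowdsec-blacklists"))
```

An empty result from live_check() with a non-empty decision list means the bouncer is applying bans; a non-empty result after more than update_frequency points at the bouncer's api_url/api_key rather than at the agent.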
It didn't work for me, even though I did exactly what you have written here...
Probably related to the banIP package? Because I have it installed along with AdGuardHome...