NS8 / Crowdsec settings in GUI

Looking in the CrowdSec docs -

https://docs.nethserver.org/projects/ns8/en/latest/crowdsec.html#configuration

It’s probably me, but the above NS8 CrowdSec doc / GitHub don’t really go into detail to explain setup on the GUI side.

So when I look at the following, I have questions -

I numbered the items I have questions about.

Let’s take item 1 - Email recipients for notifications

- There is no real explanation of what email recipients should be used. I am guessing that I can have different people’s email addresses. This would be like an alert email address, admin address, or someone who manages the security for NS8.

So for instance I would put - admin@example.com or info@example.com or I could put both or more?

Item 2 - Allow list of CIDR, IP and fully qualified domain name ( No ban will occur for members of this list)

So what would be examples or a thought process of what CIDR, IP or FQDN I would place in this area? Do I need to worry about putting in the IP address for the NS8? Like if I had an on-prem NS8 and my network is 192.168.77.0 and my NS8 was at 192.168.77.25, I would add 192.168.77.25, or does Crowdsec already account for the IP of NS8 / the IP address Crowdsec is on? Do I have to put in the FQDN of my NS8 as well? Or is it already accounted for by Crowdsec because it’s running on NS8? Could you give me an example of a CIDR, IP and fully qualified domain name that would be relevant to add to this item?

Item 3 - Enroll this CrowdSec instance (says the token must be retrieved from the website)

I realize that I have to go to Crowdsec and set up an account at - https://app.crowdsec.net/

No specifics on where to go and retrieve the token on the website. (I see you can do it in the CLI, but is it still doable, and how, in the GUI?)

Can anyone show me where on the Crowdsec site you get the token to put into the item 3 location?

Item 4 - Helo_host

Would this be like mail.example.com? What is an example of when this is needed? Does this have to be done with Webtop or Sogo NS8 setups?
Any background on this would be great too…

I appreciate any feedback on this.

Hi @Shadowfire

For item 1, I read as follows: “Enter an email address per line”.
This is clear English to me, one e-mail per line, as many as you want or need:

Eg

security@example.com
my-fat-poop@example.com

Whatever… :slight_smile:

Item 2:
AFAIK, you do not need to put in NS8 in any form (IP, DNS Name, FQDN, whatever…).

An Example:

A network printer, when printing, triggers something in CrowdSec.
You know it prints.
It has a static IP AND no gateway or DNS entered (it can’t reach the Internet!).
So why bear with unimportant reports in CrowdSec?

As to items 3 and 4 I can’t say much (yet).

My 2 cents
Andy

1 Like
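An added example, not part of the thread and not NS8 or CrowdSec code: a pre-check for allow list entries of the three kinds discussed above (IP, CIDR, FQDN) that flags malformed or very broad entries and tests whether an address would be exempt from bans. The function names, the printer address 192.168.77.50, monitor.example.com and the prefix thresholds are assumptions; FQDNs are only syntax-checked here, not resolved.

```python
import ipaddress
import re

# Assumption: hostname labels follow RFC 1123 syntax; an FQDN needs >= 2 labels.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def classify_entry(entry):
    """Return ('ip' | 'cidr' | 'fqdn' | 'invalid', parsed value or reason)."""
    entry = entry.strip()
    try:
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        pass
    if "/" in entry:
        try:
            # strict=True rejects host bits, e.g. 192.168.77.25/24
            return "cidr", ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            return "invalid", str(exc)
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "fqdn", entry.rstrip(".").lower()
    return "invalid", "not an IP, CIDR or FQDN"

def review_allowlist(entries, min_prefix_v4=16, min_prefix_v6=48):
    """Split entries into accepted ones and warnings a reviewer should read."""
    accepted, warnings = [], []
    for raw in entries:
        kind, value = classify_entry(raw)
        if kind == "invalid":
            warnings.append(f"{raw!r}: {value}")
            continue
        if kind == "cidr":
            limit = min_prefix_v4 if value.version == 4 else min_prefix_v6
            if value.prefixlen < limit:  # thresholds are assumed, tune to your site
                warnings.append(f"{raw!r}: broad range, {value.num_addresses} addresses never banned")
        accepted.append((kind, value))
    return accepted, warnings

def is_exempt(ip, accepted):
    """True if ip equals an accepted IP or falls inside an accepted CIDR."""
    addr = ipaddress.ip_address(ip)
    for kind, value in accepted:
        if (kind == "ip" and addr == value) or (kind == "cidr" and addr in value):
            return True
    return False

# Constructed sample: printer IP, LAN range, a host name, and two risky entries.
SAMPLE = ["192.168.77.50", "192.168.77.0/24", "monitor.example.com",
          "192.168.77.25/24", "0.0.0.0/0"]
```

With `0.0.0.0/0` in the list every IPv4 source becomes exempt, which is why the broad-range warning is worth reading before saving the setting.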

On the CrowdSec page go to Security Engines/Engines:

Add security engine:

Get the code and insert it in the NS8 UI:

EDIT:

From the tooltip text:

This might be needed to properly receive email notifications. If your antispam system adds score due to default ‘localhost’ Helo name, you can set a specific Helo FQDN here

I entered the node FQDN. It does not affect other apps like Webtop or Sogo.

EDIT2:

The helo host (in this example node.example.com) is used as the sending domain, like the crowdsec mails are sent by crowdsec@node.example.com

Background:
Usually the host’s FQDN is used as helo host, but in the crowdsec container the hostname is localhost, which may cause issues with spam filters.

2 Likes

Thanks for the walkthrough. I think this was helpful for me. I believe it will be helpful for others as well.

Thanks!

1 Like