NS8 modules with crowdsec config file

Hi,

Now that there are wonderful modules out there, would it be possible to include a crowdsec on/off switch to the advanced section of the module configuration options, or simply always on and in effect by default?

I believe it would be a simple config file added to the Crowdsec collections, but I am not a dev. But I feel the security is a bit left behind with the release of new modules. I am not sure (at all) what it means if a module travels from one node to another, for Crowdsec can only be installed once on each node, so Crowdsec rules have to move along (if Crowdsec is installed on the destination node)?

Thanks for any considerations!

Crowdsec works with collections:

runagent -m crowdsec1 cscli collections list

runagent -m crowdsec1 cscli collections install <collections>

runagent -m crowdsec1 cscli collections remove <collections>
2 Likes

see readme: ns8-crowdsec/README.md at main · NethServer/ns8-crowdsec · GitHub

Crowdsec for now works in standalone mode; install it on each node.

Right, so you got me exposed as a total nOOb by telling me that the Guacamole of @mrmarkuz can be protected as easy as:

cscli collections install corvese/apache-guacamole
systemctl reload crowdsec1

and that

runagent -m crowdsec1 cscli collections list

Shows me:

COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                  📦 Status   Version   Local Path                                           
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 corvese/apache-guacamole              ✔️ enabled   0.1       /etc/crowdsec/collections/apache-guacamole.yaml      
 crowdsecurity/apache2                 ✔️ enabled   0.1       /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/base-http-scenarios     ✔️ enabled   0.8       /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/dovecot                 ✔️ enabled   0.1       /etc/crowdsec/collections/dovecot.yaml               
 crowdsecurity/http-cve                ✔️ enabled   2.6       /etc/crowdsec/collections/http-cve.yaml              
 crowdsecurity/linux                   ✔️ enabled   0.2       /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/mariadb                 ✔️ enabled   0.1       /etc/crowdsec/collections/mariadb.yaml               
 crowdsecurity/nextcloud               ✔️ enabled   0.3       /etc/crowdsec/collections/nextcloud.yaml             
 crowdsecurity/nginx                   ✔️ enabled   0.2       /etc/crowdsec/collections/nginx.yaml                 
 crowdsecurity/nginx-proxy-manager     ✔️ enabled   0.1       /etc/crowdsec/collections/nginx-proxy-manager.yaml   
 crowdsecurity/pgsql                   ✔️ enabled   0.1       /etc/crowdsec/collections/pgsql.yaml                 
 crowdsecurity/postfix                 ✔️ enabled   0.2       /etc/crowdsec/collections/postfix.yaml               
 crowdsecurity/proftpd                 ✔️ enabled   0.1       /etc/crowdsec/collections/proftpd.yaml               
 crowdsecurity/sshd                    ✔️ enabled   0.3       /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/traefik                 ✔️ enabled   0.1       /etc/crowdsec/collections/traefik.yaml               
 crowdsecurity/vsftpd                  ✔️ enabled   0.1       /etc/crowdsec/collections/vsftpd.yaml                
 crowdsecurity/whitelist-good-actors   ✔️ enabled   0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml 
 crowdsecurity/wordpress               ✔️ enabled   0.4       /etc/crowdsec/collections/wordpress.yaml             
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────

??

Thanks!!!

:wink:

2 Likes

Please test the collection and report

Tested and locked myself completely out… Luckily I can access the server via VNC :slight_smile:
So, works!

Maybe not yet…

In the crowdsec log I see (where xx.xx.xx.xx is my banned IP address):

level=info msg="(localhost/crowdsec) LePresidente/http-generic-403-bf by ip xx.xx.xx.xx

The collection for Guacamole is not from LePresident; this is from the Grafana collection, which I installed too.

https://app.crowdsec.net/hub/author/LePresidente/configurations/grafana-bf

And this is the Guacamole one:

https://app.crowdsec.net/hub/author/corvese/configurations/apache-guacamole_bf

Way out of my league!! I could be completely wrong!

Just removed the Grafana collection, but still the same log entry with LePresident.

The Guacamole login is just a generic HTTP one, so the additional Guacamole collection is not needed (because it does the same as the already present http-generic-bf collection).

Yes, because the block doesn’t come from Grafana collection but from the http-generic-bf one:

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/http-generic-bf

2 Likes
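The lockout above and the "LePresidente/http-generic-403-bf by ip ..." log line show the two things an admin wants at hand once Crowdsec is live: a way to read the agent log to see which scenario banned which address, and the cscli commands to inspect and lift that decision (or to whitelist the admin's own network before it happens). The script below is an added example, not code from the thread or from the ns8-crowdsec project. It assumes the NS8 module instance is named crowdsec1, as in the thread's commands, and it only parses constructed sample log lines and prints commands; it does not execute anything against a running Crowdsec. The whitelist file it writes uses the upstream Crowdsec parser-whitelist format; the exact path where the NS8 module expects custom parsers is not established here, so the function takes the target directory as an argument.

```shell
#!/bin/sh
# Added example (not from the thread or the ns8-crowdsec project).
# Assumptions: the NS8 module instance is "crowdsec1"; the agent log line has
# the shape quoted in the thread, i.e.
#   msg="(localhost/crowdsec) <author>/<scenario> by ip <ip> ..."

# Extract "<author>/<scenario> <ip>" from one Crowdsec agent log line.
# Prints nothing and returns 1 for lines that are not ban notifications.
parse_ban_line() {
    printf '%s\n' "$1" \
        | sed -n 's/.*msg="([^)]*) \([^ ]*\) by ip \([0-9a-fA-F.:]*\).*/\1 \2/p' \
        | grep .
}

# Print the cscli commands to see the alert behind a ban and to lift it.
# They are printed, not run, so the example is safe to execute anywhere.
unban_commands() {
    ip="$1"
    printf 'runagent -m crowdsec1 cscli alerts list --ip %s\n' "$ip"
    printf 'runagent -m crowdsec1 cscli decisions delete --ip %s\n' "$ip"
}

# Write a parser whitelist (upstream Crowdsec format) so events from the
# admin's own network never reach the bucket that would ban it.
# $1 = directory to write into, $2 = CIDR to whitelist.
# Upstream installs read such files from /etc/crowdsec/parsers/s02-enrich/;
# the equivalent location inside the NS8 module is an assumption left to you.
write_admin_whitelist() {
    dir="$1"
    cidr="$2"
    cat > "$dir/admin-whitelist.yaml" <<EOF
name: local/admin-whitelist
description: "Never ban the admin network (added example)"
whitelist:
  reason: "admin network"
  cidr:
    - "$cidr"
EOF
    printf '%s\n' "$dir/admin-whitelist.yaml"
}

# Constructed sample log lines (not real output), mixing ban lines with
# an unrelated informational line to show the filter works.
SAMPLE_LOG='time="2024-01-01T10:00:00Z" level=info msg="(localhost/crowdsec) LePresidente/http-generic-403-bf by ip 203.0.113.7 (ZZ/0) : 4h ban on Ip 203.0.113.7"
time="2024-01-01T10:00:01Z" level=info msg="Starting processing data"
time="2024-01-01T10:00:02Z" level=info msg="(localhost/crowdsec) crowdsecurity/ssh-bf by ip 198.51.100.9 (ZZ/0) : 4h ban on Ip 198.51.100.9"'

# One "<author>/<scenario> <ip>" line per ban found in SAMPLE_LOG.
list_bans() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        parse_ban_line "$line"
    done
}

if [ "${1:-}" = "--demo" ]; then
    list_bans
    unban_commands 203.0.113.7
    tmp=$(mktemp -d)
    write_admin_whitelist "$tmp" 192.0.2.0/24
    cat "$tmp/admin-whitelist.yaml"
fi
```

Run it with `--demo` to see the parsed bans, the two cscli commands for the banned address, and the generated whitelist. On a real NS8 node the same log can be read with `runagent -m crowdsec1` plus the module's log command, and after dropping a whitelist file into the parser directory the agent needs a reload, as the thread already does with `systemctl reload crowdsec1`.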

There we go, solved. LePresident threw me off guard. Thanks!

1 Like