NS8 modules with crowdsec config file

LayLow · April 9, 2024, 12:15am

Hi,

Now that there are wonderful modules out there, would it be possible to include a crowdsec on/off switch to the advanced section of the module configuration options, or simply always on and in effect by default?

I believe it would be a simpel config file added to the Crowdsec collections, but I am not a dev. But I feel the security is a bit left behind with the release of new modules. I am not sure (at all) what it means if a module travels from one node to another for Crowdsec can only be installed once on each node, so Crowdsec rules have to move along (if Crowdsec is installed on the destination node)?

Thanks for any considerations!

stephdl · April 9, 2024, 7:02am

crowdsec works with collections

runagent -m crowdsec1 cscli collections list

runagent -m crowdsec1 cscli collections install <collections>

runagent -m crowdsec1 cscli collections remove <collections>

stephdl · April 9, 2024, 7:04am

see readme : ns8-crowdsec/README.md at main · NethServer/ns8-crowdsec · GitHub

stephdl · April 9, 2024, 7:04am

crowdsec for now work in a standalone mode, install it on each node

LayLow · April 9, 2024, 8:57am

Right, so you got me exposed as a total nOOb by telling me that the Guacamole of @mrmarkuz can be protected as easy as:

cscli collections install corvese/apache-guacamole
systemctl reload crowdsec1

and that

runagent -m crowdsec1 cscli collections list

Shows me:

COLLECTIONS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                                  📦 Status   Version   Local Path                                           
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 corvese/apache-guacamole              ✔️ enabled   0.1       /etc/crowdsec/collections/apache-guacamole.yaml      
 crowdsecurity/apache2                 ✔️ enabled   0.1       /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/base-http-scenarios     ✔️ enabled   0.8       /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/dovecot                 ✔️ enabled   0.1       /etc/crowdsec/collections/dovecot.yaml               
 crowdsecurity/http-cve                ✔️ enabled   2.6       /etc/crowdsec/collections/http-cve.yaml              
 crowdsecurity/linux                   ✔️ enabled   0.2       /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/mariadb                 ✔️ enabled   0.1       /etc/crowdsec/collections/mariadb.yaml               
 crowdsecurity/nextcloud               ✔️ enabled   0.3       /etc/crowdsec/collections/nextcloud.yaml             
 crowdsecurity/nginx                   ✔️ enabled   0.2       /etc/crowdsec/collections/nginx.yaml                 
 crowdsecurity/nginx-proxy-manager     ✔️ enabled   0.1       /etc/crowdsec/collections/nginx-proxy-manager.yaml   
 crowdsecurity/pgsql                   ✔️ enabled   0.1       /etc/crowdsec/collections/pgsql.yaml                 
 crowdsecurity/postfix                 ✔️ enabled   0.2       /etc/crowdsec/collections/postfix.yaml               
 crowdsecurity/proftpd                 ✔️ enabled   0.1       /etc/crowdsec/collections/proftpd.yaml               
 crowdsecurity/sshd                    ✔️ enabled   0.3       /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/traefik                 ✔️ enabled   0.1       /etc/crowdsec/collections/traefik.yaml               
 crowdsecurity/vsftpd                  ✔️ enabled   0.1       /etc/crowdsec/collections/vsftpd.yaml                
 crowdsecurity/whitelist-good-actors   ✔️ enabled   0.1       /etc/crowdsec/collections/whitelist-good-actors.yaml 
 crowdsecurity/wordpress               ✔️ enabled   0.4       /etc/crowdsec/collections/wordpress.yaml             
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────

??

Thanks!!!

stephdl · April 9, 2024, 12:12pm

Please test the collection and report

LayLow · April 9, 2024, 5:06pm

Tested and locked myself completely out… Luckily I can access the server via VNC
So, works!

Maybe not yet…

In the crowdsec log I see (where xx.xx.xx.xx is my banned IP address):

level=info msg="(localhost/crowdsec) LePresidente/http-generic-403-bf by ip xx.xx.xx.xx

The collection for Guacamole is not from LePresident, this is from Grafana collection which I installed too.

And this is the Guacamole one:

Way out of my league!! I could be completely wrong!

Just removed the Grafa collection, but still the same log entry with LePresident.

mrmarkuz · April 9, 2024, 6:36pm

The Guacamole login is just a generic http one so the additional Guacamole collection is not needed (because it does the same as the already present http-generic-bf collection)

Yes, because the block doesn’t come from Grafana collection but from the http-generic-bf one:

https://app.crowdsec.net/hub/author/crowdsecurity/configurations/http-generic-bf

LayLow · April 9, 2024, 8:52pm

There we go, solved. LePresident threw me off guard. Thanks!