Crowdsec finally comming to pfSense

cloudroot

Even though I did a search for Crowdsec, I somehow missed that they already announced this. Sorry for failing due diligence.
https://forum.netgate.com/topic/182043/new-package-best-practices

mmetc

@cloudroot

Hi, since your post we finished the testing and opened a PR for inclusion in pfsense, waiting for feedback.

The package can be installed by hand in the meanwhile

https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_pfsense

w0w

@mmetc
I am grateful for the work done. It's great for me that the package just works after installation.
I have a question, why are the rules created by Crowdsec hidden from the pfSense interface?

mmetc

@w0w said in Crowdsec finally comming to pfSense:

@mmetc
I am grateful for the work done. It's great for me that the package just works after installation.
I have a question, why are the rules created by Crowdsec hidden from the pfSense interface?

We don't do it on purpose, maybe I didn't pay attention but if there is a way to fix that, I'll do it.

RobbieTT

@mmetc

That would be ideal as being 'blind' is counter-intutive to crowdsec's laudable aims.

️

Bismarck

@mmetc

Just a heads up, the package needs to be reinstalled after pfSense updates.

mmetc

@Bismarck did the pfsense update also remove the configuration (/etc/crowdsec and /var/db/crowdsec), or just the packages?

Bismarck

@mmetc

The config and data is still there, but service and menu items are gone from the WebUI.

buggz

Any updates?
Though I see 'official' install method on crowdsec website, I would like to install from pfsense package manager.

philippe richard

@Bismarck said in Crowdsec finally comming to pfSense:

@mmetc

Just a heads up, the package needs to be reinstalled after pfSense updates.

Hello,
netgate also advises uninstalling third-party packages before updating.

buggz

Shrug, I went ahead and installed it from the instructions on the crowdsec website...

buggz

Not certain where to post this?

Anyone else see these type alerts reported?

ID	Value		Reason				Country	AS	Decisions		Created At
54	Ip:192.168.2.4	LePresidente/http-generic-403-bf			ban:1		7 days ago
110	Ip:192.168.2.4	LePresidente/http-generic-403-bf			ban:1		3 days ago


- ID           : 54
 - Date         : 2024-03-06T20:47:07Z
 - Machine      : N/A
 - Simulation   : false
 - Reason       : LePresidente/http-generic-403-bf
 - Events Count : 7
 - Scope:Value  : Ip:192.168.2.4
 - Country      :
 - AS           :
 - Begin        : 2024-03-06 20:46:51.646995177 +0000 UTC
 - End          : 2024-03-06 20:47:07.044271521 +0000 UTC
 - UUID         : 11f79653-4876-48a9-b45f-7af56c94aff9


 - Context  :
+------------+--------------------------------------------------------------+
|    Key     |                            Value                             |
+------------+--------------------------------------------------------------+
| method     | POST                                                         |
| status     | 403                                                          |
| target_uri | /widgets/widgets/interfaces.widget.php                       |
| target_uri | /widgets/widgets/interface_statistics.widget.php             |
| target_uri | /widgets/widgets/disks.widget.php                            |
| user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ |
|            | (KHTML, like Gecko) Version/5.0 Safari/531.2                 |
+------------+--------------------------------------------------------------+



- ID           : 110
 - Date         : 2024-03-10T17:05:23Z
 - Machine      : N/A
 - Simulation   : false
 - Reason       : LePresidente/http-generic-403-bf
 - Events Count : 6
 - Scope:Value  : Ip:192.168.2.4
 - Country      :
 - AS           :
 - Begin        : 2024-03-10 17:05:14.489298026 +0000 UTC
 - End          : 2024-03-10 17:05:22.976400929 +0000 UTC
 - UUID         : 9e9bff46-125a-4ebf-a606-e1910060bc01


 - Context  :
+------------+--------------------------------------------------------------+
|    Key     |                            Value                             |
+------------+--------------------------------------------------------------+
| method     | POST                                                         |
| status     | 403                                                          |
| target_uri | /widgets/widgets/log.widget.php                              |
| target_uri | /widgets/widgets/interfaces.widget.php                       |
| target_uri | /widgets/widgets/interface_statistics.widget.php             |
| target_uri | /widgets/widgets/disks.widget.php                            |
| target_uri | /widgets/widgets/thermal_sensors.widget.php                  |
| user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ |
|            | (KHTML, like Gecko) Version/5.0 Safari/531.2                 |

mmetc

@buggz said in Crowdsec finally comming to pfSense:

Not certain where to post this?

Anyone else see these type alerts reported?

This is a regular crowdsec alert (source: your logs) but the connections come from an internal network.

You can install a whitelist with "cscli parsers install crowdsecurity/whitelists" and you shouldn't receive alerts from private IPs anymore.

If you have more issues regarding the plugin or are unsure how crowdsec works, feel free to ask on https://github.com/crowdsecurity/crowdsec/issues or the discord channels.

buggz

@mmetc

Thank you for this very informative reply!

I will whitelist the local IP.

buggz

Perfect, seems to work, will know in a few more days.

cat /usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
name: crowdsecurity/whitelists
description: "Whitelist events from private ipv4 addresses"
whitelist:
  reason: "private ipv4/ipv6 ip/ranges"
  ip:
    - "127.0.0.1"
    - "::1"
  cidr:
    - "192.168.0.0/16"
    - "10.0.0.0/8"
    - "172.16.0.0/12"
  # expression:
  #   - "'foo.com' in evt.Meta.source_ip.reverse"

Antibiotic

Hi, like me understood , the profit of use Crowdsec if pfSense have opened ports on WAN? no any opened , no any profit. If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort?

buggz

I don't know if CrowdSec duplicates pfBlockerNG.

I use both pfBlockerNG development and Snort.
Seems to be working good for me so far...

@Antibiotic said in Crowdsec finally comming to pfSense:

If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort?

Antibiotic

@buggz Are you keep opened any ports on WAN?

Antibiotic

@mmetc Any news, regarding the official including of package in pfSense repo?

SteveITS

@Antibiotic If you have no open ports on WAN then you are only able to block outbound connections.

Surely some pfBlocker lists will include malicious IPs, depending on the list(s) chosen. It is a question of when the lists update.

re: including it, I skimmed the install and a few things stood out, for instance that the config isn't able to be restored from pfSense backup, it is only configurable via command line not web GUI, and is not compatible with RAM disk for /var. I would think some or all of those are big enough issues for Netgate to not include it yet, but obviously I do not speak for either.