Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Crowdsec finally comming to pfSense

    Scheduled Pinned Locked Moved pfSense Packages
    68 Posts 19 Posters 12.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • w0wW
      w0w @mmetc
      last edited by

      @mmetc
      I am grateful for the work done. It's great for me that the package just works after installation.
      I have a question, why are the rules created by Crowdsec hidden from the pfSense interface?

      M 1 Reply Last reply Reply Quote 1
      • M
        mmetc @w0w
        last edited by

        @w0w said in Crowdsec finally comming to pfSense:

        @mmetc
        I am grateful for the work done. It's great for me that the package just works after installation.
        I have a question, why are the rules created by Crowdsec hidden from the pfSense interface?

        We don't do it on purpose, maybe I didn't pay attention but if there is a way to fix that, I'll do it.

        RobbieTTR 1 Reply Last reply Reply Quote 4
        • RobbieTTR
          RobbieTT @mmetc
          last edited by

          @mmetc

          That would be ideal as being 'blind' is counter-intutive to crowdsec's laudable aims.

          ☕️

          1 Reply Last reply Reply Quote 2
          • BismarckB
            Bismarck @mmetc
            last edited by

            @mmetc

            Just a heads up, the package needs to be reinstalled after pfSense updates.

            M P 2 Replies Last reply Reply Quote 2
            • M
              mmetc @Bismarck
              last edited by

              @Bismarck did the pfsense update also remove the configuration (/etc/crowdsec and /var/db/crowdsec), or just the packages?

              BismarckB 1 Reply Last reply Reply Quote 1
              • BismarckB
                Bismarck @mmetc
                last edited by

                @mmetc

                The config and data is still there, but service and menu items are gone from the WebUI.

                1 Reply Last reply Reply Quote 1
                • buggzB
                  buggz
                  last edited by buggz

                  Any updates?
                  Though I see 'official' install method on crowdsec website, I would like to install from pfsense package manager.

                  1 Reply Last reply Reply Quote 4
                  • P
                    philippe richard @Bismarck
                    last edited by

                    @Bismarck said in Crowdsec finally comming to pfSense:

                    @mmetc

                    Just a heads up, the package needs to be reinstalled after pfSense updates.

                    Hello,
                    netgate also advises uninstalling third-party packages before updating.

                    buggzB 1 Reply Last reply Reply Quote 2
                    • buggzB
                      buggz @philippe richard
                      last edited by

                      Shrug, I went ahead and installed it from the instructions on the crowdsec website...

                      1 Reply Last reply Reply Quote 1
                      • buggzB
                        buggz
                        last edited by buggz

                        Not certain where to post this?

                        Anyone else see these type alerts reported?

                        ID	Value		Reason				Country	AS	Decisions		Created At
                        54	Ip:192.168.2.4	LePresidente/http-generic-403-bf			ban:1		7 days ago
                        110	Ip:192.168.2.4	LePresidente/http-generic-403-bf			ban:1		3 days ago
                        
                        
                        - ID           : 54
                         - Date         : 2024-03-06T20:47:07Z
                         - Machine      : N/A
                         - Simulation   : false
                         - Reason       : LePresidente/http-generic-403-bf
                         - Events Count : 7
                         - Scope:Value  : Ip:192.168.2.4
                         - Country      :
                         - AS           :
                         - Begin        : 2024-03-06 20:46:51.646995177 +0000 UTC
                         - End          : 2024-03-06 20:47:07.044271521 +0000 UTC
                         - UUID         : 11f79653-4876-48a9-b45f-7af56c94aff9
                        
                        
                         - Context  :
                        +------------+--------------------------------------------------------------+
                        |    Key     |                            Value                             |
                        +------------+--------------------------------------------------------------+
                        | method     | POST                                                         |
                        | status     | 403                                                          |
                        | target_uri | /widgets/widgets/interfaces.widget.php                       |
                        | target_uri | /widgets/widgets/interface_statistics.widget.php             |
                        | target_uri | /widgets/widgets/disks.widget.php                            |
                        | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ |
                        |            | (KHTML, like Gecko) Version/5.0 Safari/531.2                 |
                        +------------+--------------------------------------------------------------+
                        
                        
                        
                        - ID           : 110
                         - Date         : 2024-03-10T17:05:23Z
                         - Machine      : N/A
                         - Simulation   : false
                         - Reason       : LePresidente/http-generic-403-bf
                         - Events Count : 6
                         - Scope:Value  : Ip:192.168.2.4
                         - Country      :
                         - AS           :
                         - Begin        : 2024-03-10 17:05:14.489298026 +0000 UTC
                         - End          : 2024-03-10 17:05:22.976400929 +0000 UTC
                         - UUID         : 9e9bff46-125a-4ebf-a606-e1910060bc01
                        
                        
                         - Context  :
                        +------------+--------------------------------------------------------------+
                        |    Key     |                            Value                             |
                        +------------+--------------------------------------------------------------+
                        | method     | POST                                                         |
                        | status     | 403                                                          |
                        | target_uri | /widgets/widgets/log.widget.php                              |
                        | target_uri | /widgets/widgets/interfaces.widget.php                       |
                        | target_uri | /widgets/widgets/interface_statistics.widget.php             |
                        | target_uri | /widgets/widgets/disks.widget.php                            |
                        | target_uri | /widgets/widgets/thermal_sensors.widget.php                  |
                        | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ |
                        |            | (KHTML, like Gecko) Version/5.0 Safari/531.2                 |
                        
                        M 1 Reply Last reply Reply Quote 1
                        • M
                          mmetc @buggz
                          last edited by

                          @buggz said in Crowdsec finally comming to pfSense:

                          Not certain where to post this?

                          Anyone else see these type alerts reported?

                          This is a regular crowdsec alert (source: your logs) but the connections come from an internal network.

                          You can install a whitelist with "cscli parsers install crowdsecurity/whitelists" and you shouldn't receive alerts from private IPs anymore.

                          If you have more issues regarding the plugin or are unsure how crowdsec works, feel free to ask on https://github.com/crowdsecurity/crowdsec/issues or the discord channels.

                          buggzB 1 Reply Last reply Reply Quote 2
                          • buggzB
                            buggz @mmetc
                            last edited by

                            @mmetc

                            Thank you for this very informative reply!

                            I will whitelist the local IP.

                            1 Reply Last reply Reply Quote 1
                            • buggzB
                              buggz
                              last edited by buggz

                              Perfect, seems to work, will know in a few more days.

                              cat /usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml
                              name: crowdsecurity/whitelists
                              description: "Whitelist events from private ipv4 addresses"
                              whitelist:
                                reason: "private ipv4/ipv6 ip/ranges"
                                ip:
                                  - "127.0.0.1"
                                  - "::1"
                                cidr:
                                  - "192.168.0.0/16"
                                  - "10.0.0.0/8"
                                  - "172.16.0.0/12"
                                # expression:
                                #   - "'foo.com' in evt.Meta.source_ip.reverse"
                              
                              
                              1 Reply Last reply Reply Quote 1
                              • A
                                Antibiotic
                                last edited by Antibiotic

                                Hi, like me understood , the profit of use Crowdsec if pfSense have opened ports on WAN? no any opened , no any profit. If using pfBlockerNG will Crowdsec only duplicate functionality?
                                Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort?

                                pfSense plus 24.11 on Topton mini PC
                                CPU: Intel N100
                                NIC: Intel i-226v 4 pcs
                                RAM : 16 GB DDR5
                                Disk: 128 GB NVMe
                                Brgds, Archi

                                buggzB 1 Reply Last reply Reply Quote 1
                                • buggzB
                                  buggz @Antibiotic
                                  last edited by

                                  I don't know if CrowdSec duplicates pfBlockerNG.

                                  I use both pfBlockerNG development and Snort.
                                  Seems to be working good for me so far...

                                  @Antibiotic said in Crowdsec finally comming to pfSense:

                                  If using pfBlockerNG will Crowdsec only duplicate functionality?
                                  Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort?

                                  A 1 Reply Last reply Reply Quote 1
                                  • A
                                    Antibiotic @buggz
                                    last edited by

                                    @buggz Are you keep opened any ports on WAN?

                                    pfSense plus 24.11 on Topton mini PC
                                    CPU: Intel N100
                                    NIC: Intel i-226v 4 pcs
                                    RAM : 16 GB DDR5
                                    Disk: 128 GB NVMe
                                    Brgds, Archi

                                    1 Reply Last reply Reply Quote 1
                                    • A
                                      Antibiotic @mmetc
                                      last edited by

                                      @mmetc Any news, regarding the official including of package in pfSense repo?

                                      pfSense plus 24.11 on Topton mini PC
                                      CPU: Intel N100
                                      NIC: Intel i-226v 4 pcs
                                      RAM : 16 GB DDR5
                                      Disk: 128 GB NVMe
                                      Brgds, Archi

                                      S 1 Reply Last reply Reply Quote 1
                                      • S
                                        SteveITS Galactic Empire @Antibiotic
                                        last edited by

                                        @Antibiotic If you have no open ports on WAN then you are only able to block outbound connections.

                                        Surely some pfBlocker lists will include malicious IPs, depending on the list(s) chosen. It is a question of when the lists update.

                                        re: including it, I skimmed the install and a few things stood out, for instance that the config isn't able to be restored from pfSense backup, it is only configurable via command line not web GUI, and is not compatible with RAM disk for /var. I would think some or all of those are big enough issues for Netgate to not include it yet, but obviously I do not speak for either.

                                        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                        Upvote 👍 helpful posts!

                                        A 1 Reply Last reply Reply Quote 1
                                        • A
                                          Antibiotic @SteveITS
                                          last edited by

                                          @SteveITS Ok, thanks. But any profit to use /var in RAM, if pfSense instal on nvrme?

                                          pfSense plus 24.11 on Topton mini PC
                                          CPU: Intel N100
                                          NIC: Intel i-226v 4 pcs
                                          RAM : 16 GB DDR5
                                          Disk: 128 GB NVMe
                                          Brgds, Archi

                                          S 1 Reply Last reply Reply Quote 1
                                          • S
                                            SteveITS Galactic Empire @Antibiotic
                                            last edited by

                                            @Antibiotic said in Crowdsec finally comming to pfSense:

                                            But any profit to use /var in RAM, if pfSense instal on nvrme?

                                            Not that much, no. It can save disk writes if you do a lot of logging. Our clients often have eMMC drives and we disable a lot of logging.

                                            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                            Upvote 👍 helpful posts!

                                            A 1 Reply Last reply Reply Quote 1
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.