Crowdsec finally comming to pfSense
-
Not certain where to post this?
Anyone else see these type alerts reported?
ID Value Reason Country AS Decisions Created At 54 Ip:192.168.2.4 LePresidente/http-generic-403-bf ban:1 7 days ago 110 Ip:192.168.2.4 LePresidente/http-generic-403-bf ban:1 3 days ago - ID : 54 - Date : 2024-03-06T20:47:07Z - Machine : N/A - Simulation : false - Reason : LePresidente/http-generic-403-bf - Events Count : 7 - Scope:Value : Ip:192.168.2.4 - Country : - AS : - Begin : 2024-03-06 20:46:51.646995177 +0000 UTC - End : 2024-03-06 20:47:07.044271521 +0000 UTC - UUID : 11f79653-4876-48a9-b45f-7af56c94aff9 - Context : +------------+--------------------------------------------------------------+ | Key | Value | +------------+--------------------------------------------------------------+ | method | POST | | status | 403 | | target_uri | /widgets/widgets/interfaces.widget.php | | target_uri | /widgets/widgets/interface_statistics.widget.php | | target_uri | /widgets/widgets/disks.widget.php | | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ | | | (KHTML, like Gecko) Version/5.0 Safari/531.2 | +------------+--------------------------------------------------------------+ - ID : 110 - Date : 2024-03-10T17:05:23Z - Machine : N/A - Simulation : false - Reason : LePresidente/http-generic-403-bf - Events Count : 6 - Scope:Value : Ip:192.168.2.4 - Country : - AS : - Begin : 2024-03-10 17:05:14.489298026 +0000 UTC - End : 2024-03-10 17:05:22.976400929 +0000 UTC - UUID : 9e9bff46-125a-4ebf-a606-e1910060bc01 - Context : +------------+--------------------------------------------------------------+ | Key | Value | +------------+--------------------------------------------------------------+ | method | POST | | status | 403 | | target_uri | /widgets/widgets/log.widget.php | | target_uri | /widgets/widgets/interfaces.widget.php | | target_uri | /widgets/widgets/interface_statistics.widget.php | | target_uri | /widgets/widgets/disks.widget.php | | target_uri | /widgets/widgets/thermal_sensors.widget.php | | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ | | | (KHTML, like Gecko) Version/5.0 Safari/531.2 |
-
@buggz said in Crowdsec finally comming to pfSense:
Not certain where to post this?
Anyone else see these type alerts reported?
This is a regular crowdsec alert (source: your logs) but the connections come from an internal network.
You can install a whitelist with "cscli parsers install crowdsecurity/whitelists" and you shouldn't receive alerts from private IPs anymore.
If you have more issues regarding the plugin or are unsure how crowdsec works, feel free to ask on https://github.com/crowdsecurity/crowdsec/issues or the discord channels.
-
-
Perfect, seems to work, will know in a few more days.
cat /usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml name: crowdsecurity/whitelists description: "Whitelist events from private ipv4 addresses" whitelist: reason: "private ipv4/ipv6 ip/ranges" ip: - "127.0.0.1" - "::1" cidr: - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" # expression: # - "'foo.com' in evt.Meta.source_ip.reverse"
-
Hi, like me understood , the profit of use Crowdsec if pfSense have opened ports on WAN? no any opened , no any profit. If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort? -
I don't know if CrowdSec duplicates pfBlockerNG.
I use both pfBlockerNG development and Snort.
Seems to be working good for me so far...@Antibiotic said in Crowdsec finally comming to pfSense:
If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort? -
@buggz Are you keep opened any ports on WAN?
-
@mmetc Any news, regarding the official including of package in pfSense repo?
-
@Antibiotic If you have no open ports on WAN then you are only able to block outbound connections.
Surely some pfBlocker lists will include malicious IPs, depending on the list(s) chosen. It is a question of when the lists update.
re: including it, I skimmed the install and a few things stood out, for instance that the config isn't able to be restored from pfSense backup, it is only configurable via command line not web GUI, and is not compatible with RAM disk for /var. I would think some or all of those are big enough issues for Netgate to not include it yet, but obviously I do not speak for either.
-
@SteveITS Ok, thanks. But any profit to use /var in RAM, if pfSense instal on nvrme?
-
@Antibiotic said in Crowdsec finally comming to pfSense:
But any profit to use /var in RAM, if pfSense instal on nvrme?
Not that much, no. It can save disk writes if you do a lot of logging. Our clients often have eMMC drives and we disable a lot of logging.
-
@SteveITS Can you please share, what kind of logs you disabled? and where, could be also will switch OFF!
-
- uncheck "Log packets matched from the default block rules in the ruleset"
- uncheck "Log packets blocked by 'Block Bogon Networks' rules"
- uncheck "Log packets blocked by 'Block Private Networks' rules"
- set "Log Compression" = None on all devices with ZFS (off by default but on if you restore an old config to new unit), or devices with eMMC
- Suricata uncheck "Enable HTTP Log"
re: default block rules, we turn those on temporarily if we're debugging something.
-
@SteveITS Thank you , one question if use Crowdsec which one reading different logs, this unchecks will not OFF some important data logs for Crowdsec readings?
-
@Antibiotic I have not used the Crowdsec plugin.
-
@SteveITS said in Crowdsec finally comming to pfSense:
@Antibiotic I have not used the Crowdsec plugin.
Hey Steve do you know where to find "Crowdsec" for installing it on pfSense?
I havw done a pkg info and pkg search for Crowdsec and also in the package
manager I canΒ΄t see an option to install it as a pkg. -
@Dobby_ said in Crowdsec finally comming to pfSense:
do you know where to find "Crowdsec" for installing it on pfSense
It's a manual install and I want to say is therefore CE only? (not sure on that) A link was above:
@mmetc said in Crowdsec finally comming to pfSense:
The package can be installed by hand in the meanwhile
https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_pfsense
-
Thank you I got installed now.
-
Could some1 to explain, is it possible to read Windows PC log with Crowdsec installed on pfSense or need to install Crowdsec also for Windows PC?
-
Is CrowdSec meant to replace pfB? Snort, Suricata? Augment them? Thanks.