Crowdsec finally comming to pfSense

SteveITS

@Antibiotic If you have no open ports on WAN then you are only able to block outbound connections.

Surely some pfBlocker lists will include malicious IPs, depending on the list(s) chosen. It is a question of when the lists update.

re: including it, I skimmed the install and a few things stood out, for instance that the config isn't able to be restored from pfSense backup, it is only configurable via command line not web GUI, and is not compatible with RAM disk for /var. I would think some or all of those are big enough issues for Netgate to not include it yet, but obviously I do not speak for either.

Antibiotic

@SteveITS Ok, thanks. But any profit to use /var in RAM, if pfSense instal on nvrme?

SteveITS

@Antibiotic said in Crowdsec finally comming to pfSense:

But any profit to use /var in RAM, if pfSense instal on nvrme?

Not that much, no. It can save disk writes if you do a lot of logging. Our clients often have eMMC drives and we disable a lot of logging.

Antibiotic

@SteveITS Can you please share, what kind of logs you disabled? and where, could be also will switch OFF!

SteveITS

@Antibiotic

• uncheck "Log packets matched from the default block rules in the ruleset"
• uncheck "Log packets blocked by 'Block Bogon Networks' rules"
• uncheck "Log packets blocked by 'Block Private Networks' rules"
• set "Log Compression" = None on all devices with ZFS (off by default but on if you restore an old config to new unit), or devices with eMMC
• Suricata uncheck "Enable HTTP Log"

re: default block rules, we turn those on temporarily if we're debugging something.

Antibiotic

@SteveITS Thank you , one question if use Crowdsec which one reading different logs, this unchecks will not OFF some important data logs for Crowdsec readings?

SteveITS

@Antibiotic I have not used the Crowdsec plugin.

Dobby_

@SteveITS said in Crowdsec finally comming to pfSense:

@Antibiotic I have not used the Crowdsec plugin.

Hey Steve do you know where to find "Crowdsec" for installing it on pfSense?
I havw done a pkg info and pkg search for Crowdsec and also in the package
manager I can´t see an option to install it as a pkg.

SteveITS

@Dobby_ said in Crowdsec finally comming to pfSense:

do you know where to find "Crowdsec" for installing it on pfSense

It's a manual install and I want to say is therefore CE only? (not sure on that) A link was above:

@mmetc said in Crowdsec finally comming to pfSense:

The package can be installed by hand in the meanwhile

https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_pfsense

Dobby_

@SteveITS

Thank you I got installed now.

Antibiotic

Could some1 to explain, is it possible to read Windows PC log with Crowdsec installed on pfSense or need to install Crowdsec also for Windows PC?

provels

Is CrowdSec meant to replace pfB? Snort, Suricata? Augment them? Thanks.

Antibiotic

@provels You can read here:

"https://www.crowdsec.net/blog/suricata-vs-crowdsec"

I think Crowdsec blacklist working the same as pfBlockerNG, THE POINT of this, that pfBlockerNG limited to one hour update maximum , Crowdsec update more frequently I think!

provels

Looks like the pfSense install is not supported in FreeBSD 15 (24.03-RELEASE upgrade). Sad face.

mmetc

@provels this? https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3/freebsd-15-amd64.tar

provels

@mmetc Not sure at present. I saw Crowdsec was uninstalled by the upgrade process when I upgraded yesterday and saw an OS mismatch when I tried to reinstall, hence my post. But there is a pfSense update issued overnight with the following log:

The following 3 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
	re2: 20231101

Installed packages to be UPGRADED:
	pfSense: 24.03 -> 24.03_1 [pfSense]

Installed packages to be REINSTALLED:
	abseil-20230125.3 [pfSense] (ABI changed: 'freebsd:14:x86:64' -> 'freebsd:15:x86:64')

So maybe fixed, don't know yet.

Edit: Same errors as yesterday.

[24.03-RELEASE][root@fw.workgroup]/root: pkg add -f /root/CrowdSec/re2-20231101.pkg
Installing re2-20231101...
pkg: wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64
Extracting re2-20231101: 100%

Installing crowdsec-1.6.0...
pkg: wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64
Extracting crowdsec-1.6.0: 100%

Installing pfSense-pkg-crowdsec-0.1.3...
pkg: wrong architecture: FreeBSD:14:amd64 instead of FreeBSD:15:amd64
Extracting pfSense-pkg-crowdsec-0.1.3: 100%

Edit2: So I guess it's working even after mismatch messages. Probably the reason for this line in the install instructions. What do I know, I'm just some hack who will install anything! :)

# setenv IGNORE_OSVERSION yes

mmetc

@provels you can download the archive I linked, there is the same content as the *pkg files but for freebsd 15. A new release with crowdsec 1.6.1 should be uploaded soon, I'll make sure to build the *pkg files with version 15

Antibiotic

@provels New release there for Freebsd15 and updated to 1.6.1

Antibiotic

@mmetc Hello after install 1.6.1 on 24.03 have this error
level=error msg="while fetching bouncer info: ent: bouncer not found" ip=127.0.0.1

Dobby_

For pfSense+ 24.03_1 (amd64) I was following this steps;

Getting started - Install CrowdSec on pfSense

Please scroll down until you read the following (in a blue image)
You will see it here below in the code block
It is the install sequence (from top till down)

# setenv IGNORE_OSVERSION yes
# pkg add -f <link to abseil>
# pkg add -f <link to re2>
# pkg add -f <link to crowdsec-firewall-bouncer>
# pkg add -f <link to crowdsec>
# pkg add -f <link to pfSense-pkg-crowdsec>

And under this page you find the latest pkg´s or files for your installation.
pfSense-pkg-Crowdsec, click on assets (11) and the drop down menue is opening then right click on the shown links and past them in the following sequence inside of your pfSense console CLI.

• Connect to your console
• type in (8) for shell
• and now all commands together (one after one) with the right link to the packages

As an example for pfSense+ 24.03_1 (FreeBSD 15) amd64 hardware shown below:

# setenv IGNORE_OSVERSION yes
# pkg add -f https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3-1.6.1/abseil-20230125.3.pkg
# pkg add -f https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3-1.6.1/re2-20240401.pkg
# pkg add -f https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3-1.6.1/crowdsec-firewall-bouncer-0.0.28_3.pkg
# pkg add -f https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3-1.6.1/crowdsec-1.6.1.pkg
# pkg add -f https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1.3-1.6.1/pfSense-pkg-crowdsec-0.1.3.pkg

After installing it you may have a look under system > services > CrowdSec
to ensure that all is right enabled. If not enable (activate) them by clicking
on it, please click then at last on save

Now you should read the rest of the page
Getting started - CrowdSec on pfSense
to configure your installation, matching well to your network setup.

And at least activate both services to make them running.