Crowdsec finally comming to pfSense
-
Wasn't quite sure where this topic would be best suited. So I'm guessing here would do. Mods please feel free to move apropriately.
Crowdsec are "finally" officially working on a pfSense package. So here's hoping that the community can help making this a great tool for us to use.
https://github.com/crowdsecurity/pfSense-pkg-crowdsec -
Even though I did a search for Crowdsec, I somehow missed that they already announced this. Sorry for failing due diligence.
https://forum.netgate.com/topic/182043/new-package-best-practices -
Hi, since your post we finished the testing and opened a PR for inclusion in pfsense, waiting for feedback.
The package can be installed by hand in the meanwhile
https://docs.crowdsec.net/docs/next/getting_started/install_crowdsec_pfsense
-
@mmetc
I am grateful for the work done. It's great for me that the package just works after installation.
I have a question, why are the rules created by Crowdsec hidden from the pfSense interface? -
@w0w said in Crowdsec finally comming to pfSense:
@mmetc
I am grateful for the work done. It's great for me that the package just works after installation.
I have a question, why are the rules created by Crowdsec hidden from the pfSense interface?We don't do it on purpose, maybe I didn't pay attention but if there is a way to fix that, I'll do it.
-
-
Just a heads up, the package needs to be reinstalled after pfSense updates.
-
@Bismarck did the pfsense update also remove the configuration (/etc/crowdsec and /var/db/crowdsec), or just the packages?
-
The config and data is still there, but service and menu items are gone from the WebUI.
-
Any updates?
Though I see 'official' install method on crowdsec website, I would like to install from pfsense package manager. -
@Bismarck said in Crowdsec finally comming to pfSense:
Just a heads up, the package needs to be reinstalled after pfSense updates.
Hello,
netgate also advises uninstalling third-party packages before updating. -
Shrug, I went ahead and installed it from the instructions on the crowdsec website...
-
Not certain where to post this?
Anyone else see these type alerts reported?
ID Value Reason Country AS Decisions Created At 54 Ip:192.168.2.4 LePresidente/http-generic-403-bf ban:1 7 days ago 110 Ip:192.168.2.4 LePresidente/http-generic-403-bf ban:1 3 days ago - ID : 54 - Date : 2024-03-06T20:47:07Z - Machine : N/A - Simulation : false - Reason : LePresidente/http-generic-403-bf - Events Count : 7 - Scope:Value : Ip:192.168.2.4 - Country : - AS : - Begin : 2024-03-06 20:46:51.646995177 +0000 UTC - End : 2024-03-06 20:47:07.044271521 +0000 UTC - UUID : 11f79653-4876-48a9-b45f-7af56c94aff9 - Context : +------------+--------------------------------------------------------------+ | Key | Value | +------------+--------------------------------------------------------------+ | method | POST | | status | 403 | | target_uri | /widgets/widgets/interfaces.widget.php | | target_uri | /widgets/widgets/interface_statistics.widget.php | | target_uri | /widgets/widgets/disks.widget.php | | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ | | | (KHTML, like Gecko) Version/5.0 Safari/531.2 | +------------+--------------------------------------------------------------+ - ID : 110 - Date : 2024-03-10T17:05:23Z - Machine : N/A - Simulation : false - Reason : LePresidente/http-generic-403-bf - Events Count : 6 - Scope:Value : Ip:192.168.2.4 - Country : - AS : - Begin : 2024-03-10 17:05:14.489298026 +0000 UTC - End : 2024-03-10 17:05:22.976400929 +0000 UTC - UUID : 9e9bff46-125a-4ebf-a606-e1910060bc01 - Context : +------------+--------------------------------------------------------------+ | Key | Value | +------------+--------------------------------------------------------------+ | method | POST | | status | 403 | | target_uri | /widgets/widgets/log.widget.php | | target_uri | /widgets/widgets/interfaces.widget.php | | target_uri | /widgets/widgets/interface_statistics.widget.php | | target_uri | /widgets/widgets/disks.widget.php | | target_uri | /widgets/widgets/thermal_sensors.widget.php | | user_agent | Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ | | | (KHTML, like Gecko) Version/5.0 Safari/531.2 | -
@buggz said in Crowdsec finally comming to pfSense:
Not certain where to post this?
Anyone else see these type alerts reported?
This is a regular crowdsec alert (source: your logs) but the connections come from an internal network.
You can install a whitelist with "cscli parsers install crowdsecurity/whitelists" and you shouldn't receive alerts from private IPs anymore.
If you have more issues regarding the plugin or are unsure how crowdsec works, feel free to ask on https://github.com/crowdsecurity/crowdsec/issues or the discord channels.
-
-
Perfect, seems to work, will know in a few more days.
cat /usr/local/etc/crowdsec/hub/parsers/s02-enrich/crowdsecurity/whitelists.yaml name: crowdsecurity/whitelists description: "Whitelist events from private ipv4 addresses" whitelist: reason: "private ipv4/ipv6 ip/ranges" ip: - "127.0.0.1" - "::1" cidr: - "192.168.0.0/16" - "10.0.0.0/8" - "172.16.0.0/12" # expression: # - "'foo.com' in evt.Meta.source_ip.reverse" -
Hi, like me understood , the profit of use Crowdsec if pfSense have opened ports on WAN? no any opened , no any profit. If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort? -
I don't know if CrowdSec duplicates pfBlockerNG.
I use both pfBlockerNG development and Snort.
Seems to be working good for me so far...@Antibiotic said in Crowdsec finally comming to pfSense:
If using pfBlockerNG will Crowdsec only duplicate functionality?
Crowdsec is working with a Snort? Have a read working with Suricata, what about Snort? -
@buggz Are you keep opened any ports on WAN?
-
@mmetc Any news, regarding the official including of package in pfSense repo?
️