Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update opnsense/pfsense install docs #598

Merged
merged 10 commits into from
Jul 30, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 32 additions & 31 deletions crowdsec-docs/docs/getting_started/install_opnsense.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,45 +4,52 @@ title: OPNsense
sidebar_position: 1
---

## The OPNsense plugin
# OPNsense plugin

OPNsense, the widely known firewall and routing software, is based on FreeBSD. The standard packages that we provide for FreeBSD (agent+lapi and bouncer) can also run on OPNsense, but need more integration with the rest of the system (for example, to feed the firewall tables).
The CrowdSec plugin for OPNsense is installed from the official repositories.
It includes a Log Processor, LAPI service, and Remediation Component. This allows you
to:

By installing the `CrowdSec` plugin, available through the OPNsense repositories, you can:

- use the OPNsense server as LAPI for other agents and bouncers
- deploy an agent on OPNsense and scan its logs for attacks
- block attackers from your whole network with a single firewall bouncer
- block attacking traffic from entering the network (protect machines that don't have CrowdSec)
- deploy a log processor on OPNsense and scan its logs for attacks
- use the OPNsense server as LAPI for other log processors and remediation components
- list the hub plugins (parsers, scenarios..) and decisions on the OPNsense admin interface

### Plugin installation
## Plugin installation

:::caution
With OPNsense 22.1, if you are using a RAM filesystem for `/var` (you can verify `System > Settings > Miscellaneous > Disk/Memory Settings`) you need to disable it before proceeding, because the `Security Engine` keeps a small persistent database in `/var/db`. When the `/var` directory is in RAM, the database is re-created from scratch at each reboot. The ram disk was changed to `/var/log` for 22.7, which does not interfere with the database.
:::
Click `System > Firmware > Plugins` menu. Select os-crowdsec. It will deploy three packages:

With OPNsense 22.1:
- `os-crowdsec`, the plugin itself
- `crowdsec`
- `crowdsec-firewall-bouncer`

```console
# pkg install os-crowdsec-devel
```
Do not enable/start the services from the terminal like you would on a standard freebsd system, because the plugin takes care of that.

With OPNsense >= 22.7:
Refresh the page and go to `Services > CrowdSec > Overview` to verify the running services and installed configurations.

Download CrowdSec from the `System > Firmware > Plugins` menu. It will deploy three packages:
Great, you now have CrowdSec installed on your system. Have a look at the [post installation steps](/getting_started/next_steps.md) to see how to to configure and optimize it,
these recommendations are valid for any system.

- `os-crowdsec`, the plugin itself
- `crowdsec`
- `crowdsec-firewall-bouncer`

On the Settings tab, select the first three checkboxes: IDS, LAPI and IPS. Click Apply.
## Plugin Configuration

Do not enable/start the agent and bouncer services with `sysrc` or `/etc/rc.conf` like you would on a standard freebsd system, because the plugin takes care of that (in a different way).
You will find some options under `Services > CrowdSec > Settings`. You will see the first three are enabled by default: Log Processor (previously known as IDS), LAPI and Remediation Component (previously known as IPS).
You can disable them for testing or if you have special requirements.

The parsers, scenarios and all objects from the [CrowdSec Hub](https://hub.crowdsec.net/) are periodically upgraded. The [crowdsecurity/freebsd](https://hub.crowdsec.net/author/crowdsecurity/collections/freebsd) and [crowdsecurity/opnsense](https://hub.crowdsec.net/author/crowdsecurity/collections/opnsense) collections are installed by default.

### Testing the plugin
Since crowdsec 1.6.3, private IP networks are whitelisted by default as well. This means for example an IP from a LAN or WAN which is on 192.168.x.y won't get blocked by a local decision
(community blocklists don't contain private IPs).

If you want to revert to the previous behavior, to block private IPs as well, you can remove the related parser.

```console
[root@OPNsense ~]# cscli parsers remove crowdsecurity/whitelists
```

If on the other hand you upgrade from a version before 1.6.3, you need to install the lists yourself.

## Testing the remediation component

A quick way to test that everything is working correctly is to execute the following command. Your ssh session should freeze and you should be kicked out from the firewall. You will not be able to connect to it (from the same IP address) for two minutes. It might be a good idea to have a secondary IP from which you can connect, should anything go wrong.

Expand All @@ -54,7 +61,7 @@ This is a more secure way to test than attempting to brute-force yourself: the d

You can find a list of all available flags with `cscli decisions add --help`.

#### How do I find my connecting IP address to test?
### How do I find my connecting IP address to test?

We have provided some examples below to help you find your connecting IP address. Depending on your shell / environment, you may need to use a different command.

Expand All @@ -65,8 +72,7 @@ We have provided some examples below to help you find your connecting IP address

## Remote LAPI setup (optional)

You may have a need to put the LAPI service on a different machine, possibly because you already have it, or opnsense is running on a slow machine or...
well - your servers, your right to choose. But you'll have to manually tweak the configuration (thanks [Jarno Rankinen](https://github.com/0ranki)).
If you don't want to run the LAPI service on the OPNsense machine (because it's small/slow or you already have LAPI somewhere) then you'll have to manually tweak the configuration (thanks [Jarno Rankinen](https://github.com/0ranki)).

Be aware: the list of machines and bouncers shown in the Overview tab will be incorrect. In the current version, the crowdsec instance on OPNsense has no way (and no permission) to retrieve the list of machines and bouncers from the LAPI if it resides on another server, so it displays the local (and outdated) information.

Expand Down Expand Up @@ -122,8 +128,3 @@ For more information on the topic:

- [Improve The CrowdSec Multi-Server Installation With HTTPS Between Agents](https://www.linuxjournal.com/content/improve-crowdsec-multi-server-installation-https-between-agents) (Linux Journal)

## Enrolling your instance

The next step is to enroll your instance with the [CrowdSec Console](https://app.crowdsec.net/security-engines?enroll-engine=true).

For the benefits, please visit the [Console section](/u/console/intro).
54 changes: 24 additions & 30 deletions crowdsec-docs/docs/getting_started/install_pfsense.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,13 @@ id: install_crowdsec_pfsense
title: pfSense
---

We have created a [pfSense package](https://docs.netgate.com/pfsense/en/latest/packages/list.html) with
a simple UI to configure the Security Engine and the Firewall Remediation Component (bouncer).
The CrowdSec package for pfSense requires some manual installation steps, as it is not yet available in the official repositories.

Three types of setup are supported:

**Small** (remediation only) - the pfSense machine receives blocklists from a CrowdSec
**Small** (remediation only) - the pfSense machine receives blocklists from a
Security Engine that you are running on a different machine.
Incoming connections are blocked at the firewall by (configurable) pfSense rules.
Attacking traffic is blocked at the firewall by (configurable) pfSense rules.

**Medium** (small+log processor) - in addition to enforcing blocklists, the pfSense
machine can detect attacks directed at the firewall itself, for example port scans.
Expand All @@ -27,17 +26,13 @@ values to enable remediation, log processor and Local API.

:::info
The CrowdSec configuration is not transferred when you restore a pfSense backup, and you'll need
to reconfigure it or backup separately.
to reconfigure it or backup separately. Major pfSense upgrades may also require you to re-install
or re-configure CrowdSec so please verify that it's running afterwards. We have submitted the package
for inclusion in the official repository which should smooth out these issues.
:::

## Installing the package

We have submitted the package to the pfSense developers for review and inclusion in the official repositories.

If you find `crowdsec` under `System/Package Manager`, we recommend you to install it from there.

If the package is not available yet, you'll have to install it manually.

* Choose [the release you want to install](https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases),
click `Assets` for the list of packages to install.

Expand All @@ -53,6 +48,10 @@ If the package is not available yet, you'll have to install it manually.
# pkg add -f <link to pfSense-pkg-crowdsec>
```

The direct links are for the most popular Community Edition of pfSense, architecture amd64. If you run on ARM or a different base version
of FreeBSD, you will find .tar files in the release assets containing the packages for the possible platforms.


## Configuration

Once the package and its dependencies are installed, go to `Service/CrowdSec`. The options *Remediation Component*,
Expand All @@ -61,7 +60,7 @@ Once the package and its dependencies are installed, go to `Service/CrowdSec`. T
With the size analogy, the default is a "Large", autonomous installation. For a "Medium", disable *Local API* and fill the fields in the *Remote LAPI* section. For a "Small", disable *Log Processor* too.

CrowdSec on pfSense is fully functional from the command line but the web interface is read-only, with the exception of decision revocation (unban).
Most actions require the shell or the [CrowdSec Console](https://app.crowdsec.net).
Most other actions require the shell or the [CrowdSec Console](https://app.crowdsec.net).
For simple things, `Diagnostics/Command Prompt` works as well as ssh.
You are free to edit the files in `/usr/local/etc/crowdsec`, although some setting may be overwritten by the pfSense package if they are mandatory.

Expand All @@ -81,7 +80,8 @@ In the page `Status/CrowdSec` you can see
- installed hub items (collections, scenarios, parsers, postoverflows)
- alerts and local decisions

All tables are read-only with an exception: you can delete single decisions, to unban an IP for example.
All tables are read-only with an exception: you can delete decisions one by one, to unban an IP for example.
An IP may have been banned for several reasons, which counts as separate decisions.

All hub objects are periodically upgraded with a cron job.

Expand Down Expand Up @@ -181,9 +181,17 @@ If you need more CrowdSec tests you may want to temporarily disable Login Protec

## LAN / private networks whitelist

By default the FreeBSD version of CrowdSec does not install any whitelist.
If you trust your `10.0.0.0/8`, `192.168.0.0/16` and `172.16.0.0/12`
networks, you can use `cscli parsers install crowdsecurity/whitelists` to whitelist them.
Since crowdsec 1.6.3, private IP networks are whitelisted by default as well. This means for example an IP from a LAN or WAN which is on 192.168.x.y won't get blocked by a local decision
(community blocklists don't contain private IPs).

If you want to revert to the previous behavior, to block private IPs as well, you can remove the related parser.

```console
[root@OPNsense ~]# cscli parsers remove crowdsecurity/whitelists
```

If on the other hand you upgrade from a version before 1.6.3, you need to install the lists yourself.


## Uninstalling

Expand All @@ -203,17 +211,3 @@ If you need to make sure you removed all traces of CrowdSec, you can run the fol
For testing purposes, you may want to remove the &lt;crowdsec&gt; section
from `/conf/config.xml` as well.


## The blocklist mirror

Before releasing the official package, one way to integrate pfSense and CrowdSec
was to install a blocklist mirror and connect it to pfBlockerNG. While this is still
a viable solution, it has slower performance than the method described above,
especially in terms of latency when receiving decision updates.
It also required pfBlockerNG in addition to CrowdSec.

## Enrolling your instance

The next step is to enroll your instance with the [CrowdSec Console](https://app.crowdsec.net/security-engines?enroll-engine=true).

For the benefits, please visit the [Console section](/u/console/intro).
4 changes: 2 additions & 2 deletions crowdsec-docs/sidebarsUnversioned.js
Original file line number Diff line number Diff line change
Expand Up @@ -429,8 +429,8 @@ module.exports = {
"getting_started/installation/macos",
"getting_started/installation/docker",
"getting_started/installation/kubernetes",
// "getting_started/installation/pfsense",
// "getting_started/installation/opnsense",
"getting_started/installation/pfsense",
"getting_started/installation/opnsense",
"getting_started/installation/whm",
],
},
Expand Down
20 changes: 10 additions & 10 deletions crowdsec-docs/src/components/QuickStart.js
Original file line number Diff line number Diff line change
Expand Up @@ -43,16 +43,16 @@ const staticData = [
text: "Kubernetes",
link: "/u/getting_started/installation/kubernetes",
},
// {
// icon: opnsenseLogo,
// text: "OPNsense",
// link: "/u/getting_started/installation/opnsense",
// },
// {
// icon: pfSenseLogo,
// text: "pfSense",
// link: "/u/getting_started/installation/pfsense",
// },
{
icon: opnsenseLogo,
text: "OPNsense",
link: "/u/getting_started/installation/opnsense",
},
{
icon: pfSenseLogo,
text: "pfSense",
link: "/u/getting_started/installation/pfsense",
},
{
icon: whmLogo,
text: "WHM",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,4 +5,29 @@ pagination_prev: getting_started/pre_requisites
pagination_next: getting_started/next_steps
---

## TODO BY @MMETC
# OPNsense plugin

The CrowdSec plugin for OPNsense is installed from the official repositories.
It includes a Log Processor, LAPI service, and Remediation Component. This allows you
to:

- block attacking traffic from entering the network (protect machines that don't have CrowdSec)
- deploy a log processor on OPNsense and scan its logs for attacks
- use the OPNsense server as LAPI for other log processors and remediation components
- list the hub plugins (parsers, scenarios..) and decisions on the OPNsense admin interface

## Plugin installation

Click `System > Firmware > Plugins` menu. Select os-crowdsec. It will deploy three packages:

- `os-crowdsec`, the plugin itself
- `crowdsec`
- `crowdsec-firewall-bouncer`

Do not enable/start the services from the terminal like you would on a standard freebsd system, because the plugin takes care of that.

Refresh the page and go to `Services > CrowdSec > Overview` to verify the running services and installed configurations.

## Next Steps?

Great, you now have CrowdSec installed on your system. Have a look at the [post installation steps](/getting_started/next_steps.md) to see how to to configure and optimize it, or keep reading [the rest of the plugin documentation](/docs/next/getting_started/install_crowdsec_opnsense)
Original file line number Diff line number Diff line change
@@ -1,8 +1,13 @@
---
id: pfsense
title: PFsense
title: pfSense
pagination_prev: getting_started/pre_requisites
pagination_next: getting_started/next_steps
---

## TODO BY @MMETC
# pfSense package

The CrowdSec package for pfSense is not installed from the official repositories, at least not yet.

Please refer to the [detailed documentation](/docs/next/getting_started/install_crowdsec_pfsense) to install or update it from a release archive.

Loading