SMEServer Crowdsec

From Realm Business Systems

Copied from: https://wiki.koozali.org/Crowdsec (270626)

Template:Languages {{#vardefine:contribname| {{#titleparts: smeserver crowdsec |1}} }} {{#vardefine:smecontribname| smeserver-{{#titleparts: smeserver crowdsec |1}} }} {{#vardefine:lang| {{#titleparts: smeserver crowdsec | | -1}} |en }} Template:Infobox contribs

Version

{{#smeversion: {{#var:smecontribname}} }}

Description

Crowdsec turns crowd-powered intelligence into tactical intelligence with actionable blocklists to maximize your SOC efficiency and reduce your costs. In other words, it helps you defend your servers from major new attacks by sharing detections with the community.

For SME, we rely on crowdsec-blocklist-mirror, crowdsec and crowdsec-firewall-bouncer-iptables. crowdsec-custom-bouncer is planned to be used.

We have added rules for qpsmtpd. Some general whitelists are configurable.

Installation

<tabs container="" style="display: inline-block;"><tab name="For SME 11"> First install the external repo

dnf install smeserver-extrarepositories-crowdsec
expand-template /etc/yum.smerepos.d/sme-base.repo

Install

dnf install {{#var:smecontribname}}

Then you will need an enrollment ID from https://app.crowdsec.net to register your engine, and execute

cscli console enroll YOURID

</tab></tabs>

Configuration

You can list the available configuration with the following command:

config show {{#var:contribname}}

Some of the properties are not shown, but are defaulted in a template or a script. Here is a more comprehensive list with default and expected values:

{| class="wikitable"
! property !! default !! values !! description
|-
| IgnoreIP || || ip/bitmask,ip/bitmask || a comma separated list of IPs or CIDR networks which will never be blocked by fail2ban. Example: 12.15.22.4,17.20.0.0/16. All your local networks and the networks allowed to access the server-manager are already whitelisted automatically
|-
| FilterLocalNetworks || disabled || enabled/disabled || can be enabled or disabled (default is disabled). If set to enabled, local networks are not whitelisted, and fail2ban can also ban hosts from the internal networks. Note that networks allowed to access the server-manager are not affected (they will never be blocked)
|-
| FilterAnyLANIP || disabled || enabled/disabled || when disabled (the default), a list of common LAN ranges is never filtered: 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8 and 172.16.0.0/12 are not filtered whether or not they appear in your networks e-smith db. This is an extra precaution so that most users do not lock themselves out; if you know what you are doing you can enable this filtering (i.e. remove the default whitelist)
|-
| access || || private, public || should remain empty for localhost only; in any case the service is set to listen only on localhost
|-
| status || enabled || enabled,disabled ||
|}

Simply modify the value:
<syntaxhighlight lang="bash">
config setprop crowdsec FilterAnyLANIP enabled
</syntaxhighlight>
then apply it with:
<syntaxhighlight lang="bash">
signal-event smeserver-crowdsec-update
</syntaxhighlight>
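To check what a given combination of the properties above actually leaves eligible for blocking, the following added example (not the contrib's template code) models the documented whitelist semantics in Python. It assumes the local networks and the networks allowed to access the server-manager are passed in explicitly; the real contrib reads them from the e-smith configuration db. The sample addresses are constructed.

```python
# Added example (not the contrib's template code): models the whitelist
# semantics documented for IgnoreIP, FilterLocalNetworks and FilterAnyLANIP.
# Assumption: local networks and server-manager access networks are passed in
# explicitly here; the real contrib reads them from the e-smith config db.
import ipaddress

# Ranges the page says are not filtered unless FilterAnyLANIP is enabled.
COMMON_LAN = ["127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]


def _networks(items):
    """Turn IP or CIDR strings into network objects (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(i.strip(), strict=False) for i in items if i.strip()]


def build_whitelist(ignore_ip="", filter_local_networks="disabled",
                    filter_any_lan_ip="disabled", local_networks=(),
                    server_manager_networks=()):
    """Return the networks that are never blocked under the given properties."""
    nets = []
    # IgnoreIP: comma separated list of IPs or CIDR networks, always whitelisted.
    nets += _networks(ignore_ip.split(","))
    # Networks allowed to access the server-manager are never blocked.
    nets += _networks(server_manager_networks)
    # Local networks from the db are whitelisted unless FilterLocalNetworks=enabled.
    if filter_local_networks != "enabled":
        nets += _networks(local_networks)
    # Common LAN ranges stay whitelisted unless FilterAnyLANIP=enabled.
    if filter_any_lan_ip != "enabled":
        nets += _networks(COMMON_LAN)
    return nets


def is_whitelisted(ip, whitelist):
    """True when the address falls in a whitelisted network of the same IP version."""
    addr = ipaddress.ip_address(ip.strip())
    return any(addr in net for net in whitelist if net.version == addr.version)


def blockable(ips, whitelist):
    """Subset of ips that the given whitelist would leave eligible for a ban."""
    return [ip for ip in ips if not is_whitelisted(ip, whitelist)]


if __name__ == "__main__":
    # Constructed sample: the IgnoreIP example from the table plus made-up db values.
    candidates = ["12.15.22.4", "17.20.3.9", "192.168.50.10", "10.1.2.3", "198.51.100.7"]
    wl = build_whitelist(ignore_ip="12.15.22.4,17.20.0.0/16",
                         local_networks=["192.168.50.0/24"],
                         server_manager_networks=["203.0.113.0/24"])
    print("default settings, blockable:", blockable(candidates, wl))
    strict = build_whitelist(filter_local_networks="enabled", filter_any_lan_ip="enabled",
                             local_networks=["192.168.50.0/24"],
                             server_manager_networks=["203.0.113.0/24"])
    print("both filters enabled, blockable:", blockable(candidates, strict))
```

With the defaults only the public address outside every whitelist remains blockable; enabling both filters makes the LAN hosts blockable too, while the server-manager networks stay protected in both cases.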

CLI usage

While a lot of information is available online in your CrowdSec app interface, some useful commands are:
<syntaxhighlight lang="bash">
# cscli metrics show acquisition bouncers parsers whitelists
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                                           │
├─────────────────────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                              │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/audit/audit.log       │ 4.86k      │ 1.43k        │ 3.44k          │ -                      │ -                 │
│ file:/var/log/dovecot/dovecot.log   │ 3          │ 1            │ 2              │ -                      │ -                 │
│ file:/var/log/maillog               │ 18         │ -            │ 18             │ -                      │ -                 │
│ file:/var/log/messages              │ 1.03k      │ -            │ 1.03k          │ -                      │ -                 │
│ file:/var/log/qpsmtpd/qpsmtpd.log   │ 314        │ 9            │ 305            │ -                      │ -                 │
│ file:/var/log/secure                │ 2          │ -            │ 2              │ -                      │ -                 │
│ file:/var/log/sqpsmtpd/sqpsmtpd.log │ 146        │ 16           │ 130            │ -                      │ -                 │
│ file:/var/log/uqpsmtpd/uqpsmtpd.log │ 110        │ 10           │ 100            │ -                      │ -                 │
╰─────────────────────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯
╭───────────────────────────────────────────────────────────────────────────────────╮
│ Bouncer Metrics (cs-firewall-bouncer-1782358017) since 2026-06-25 05:39:13 +0000  │
│ UTC                                                                               │
├────────────────────────────┬──────────────────┬─────────────────┬─────────────────┤
│ Origin                     │ active_decisions │     dropped     │    processed    │
│                            │        IPs       │ bytes │ packets │ bytes │ packets │
├────────────────────────────┼──────────────────┼───────┼─────────┼───────┼─────────┤
│ CAPI (community blocklist) │           19.82k │ 8.63k │     198 │     - │       - │
│ cscli (manual decisions)   │                0 │     0 │       0 │     - │       - │
│ lists:firehol_botscout_7d  │            1.07k │     - │       - │     - │       - │
│ lists:firehol_greensnow    │            3.65k │     - │       - │     - │       - │
│ lists:tor-exit-nodes       │            1.44k │     0 │       0 │     - │       - │
├────────────────────────────┼──────────────────┼───────┼─────────┼───────┼─────────┤
│                      Total │           25.98k │ 8.63k │     198 │ 7.58M │  38.58k │
╰────────────────────────────┴──────────────────┴───────┴─────────┴───────┴─────────╯
╭───────────────────────────────────────────────────────────────────╮
│ Parser Metrics                                                    │
├───────────────────────────────────────┬───────┬────────┬──────────┤
│ Parsers                               │ Hits  │ Parsed │ Unparsed │
├───────────────────────────────────────┼───────┼────────┼──────────┤
│ child-child-crowdsecurity/auditd-logs │ 4.86k │ 1.43k  │ 3.44k    │
│ child-crowdsecurity/auditd-logs       │ 4.86k │ 1.43k  │ 3.44k    │
│ child-crowdsecurity/dovecot-logs      │ 9     │ 1      │ 8        │
│ child-crowdsecurity/qpsmtpd-logs      │ 35    │ 35     │ -        │
│ child-crowdsecurity/sshd-logs         │ 32    │ -      │ 32       │
│ child-crowdsecurity/sshd-success-logs │ 2     │ -      │ 2        │
│ child-crowdsecurity/syslog-logs       │ 1.05k │ 1.05k  │ -        │
│ crowdsecurity/auditd-logs             │ 4.86k │ 1.43k  │ 3.44k    │
│ crowdsecurity/dateparse-enrich        │ 1.46k │ 1.46k  │ -        │
│ crowdsecurity/dovecot-logs            │ 3     │ 1      │ 2        │
│ crowdsecurity/geoip-enrich            │ 1     │ 1      │ -        │
│ crowdsecurity/non-syslog              │ 5.43k │ 5.43k  │ -        │
│ crowdsecurity/public-dns-allowlist    │ 1.46k │ 1.46k  │ -        │
│ crowdsecurity/qpsmtpd-logs            │ 35    │ 35     │ -        │
│ crowdsecurity/qpsmtpd-whitelist       │ 35    │ 35     │ -        │
│ crowdsecurity/sshd-logs               │ 2     │ -      │ 2        │
│ crowdsecurity/sshd-success-logs       │ 2     │ -      │ 2        │
│ crowdsecurity/syslog-logs             │ 1.05k │ 1.05k  │ -        │
│ crowdsecurity/whitelists              │ 1.43k │ 1.43k  │ -        │
╰───────────────────────────────────────┴───────┴────────┴──────────╯
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Whitelist Metrics                                                                                               │
├────────────────────────────────────┬───────────────────────────────────────────────────────┬──────┬─────────────┤
│ Whitelist                          │ Reason                                                │ Hits │ Whitelisted │
├────────────────────────────────────┼───────────────────────────────────────────────────────┼──────┼─────────────┤
│ crowdsecurity/public-dns-allowlist │ public DNS server                                     │ 1461 │ -           │
│ crowdsecurity/qpsmtpd-whitelist    │ IP de confiance pour le serveur de messagerie qpsmtpd │ 35   │ -           │
│ crowdsecurity/whitelists           │ private ipv4/ipv6 ip/ranges                           │ 1426 │ -           │
╰────────────────────────────────────┴───────────────────────────────────────────────────────┴──────┴─────────────╯

</syntaxhighlight>
<syntaxhighlight lang="bash">
# cscli collections list

────────────────────────────────────────────────────────────────────────────────────────────────────────────────

COLLECTIONS                                                                                                    

────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Name                                 📦 Status   Version  Local Path                                           

────────────────────────────────────────────────────────────────────────────────────────────────────────────────

crowdsecurity/apache2                ✔️  enabled  0.2      /etc/crowdsec/collections/apache2.yaml               
crowdsecurity/auditd                 ✔️  enabled  0.7      /etc/crowdsec/collections/auditd.yaml                
crowdsecurity/base-http-scenarios    ✔️  enabled  1.4      /etc/crowdsec/collections/base-http-scenarios.yaml   
crowdsecurity/dovecot                ✔️  enabled  0.2      /etc/crowdsec/collections/dovecot.yaml               
crowdsecurity/http-cve               ✔️  enabled  3.0      /etc/crowdsec/collections/http-cve.yaml              
crowdsecurity/linux                  ✔️  enabled  0.4      /etc/crowdsec/collections/linux.yaml                 
crowdsecurity/mariadb                ✔️  enabled  0.2      /etc/crowdsec/collections/mariadb.yaml               
crowdsecurity/mysql                  ✔️  enabled  0.2      /etc/crowdsec/collections/mysql.yaml                 
crowdsecurity/postfix                ✔️  enabled  0.5      /etc/crowdsec/collections/postfix.yaml               
crowdsecurity/proftpd                ✔️  enabled  0.2      /etc/crowdsec/collections/proftpd.yaml               
crowdsecurity/smb                    ✔️  enabled  0.2      /etc/crowdsec/collections/smb.yaml                   
crowdsecurity/sshd                   ✔️  enabled  0.9      /etc/crowdsec/collections/sshd.yaml                  
crowdsecurity/whitelist-good-actors  ✔️  enabled  0.4      /etc/crowdsec/collections/whitelist-good-actors.yaml 

────────────────────────────────────────────────────────────────────────────────────────────────────────────────

</syntaxhighlight>
<syntaxhighlight lang="bash">
# cscli parsers list

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

PARSERS                                                                                                                    

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Name                                📦 Status          Version  Local Path                                                 

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

crowdsecurity/apache2-logs          ✔️  enabled         1.5      /etc/crowdsec/parsers/s01-parse/apache2-logs.yaml          
crowdsecurity/auditd-logs           ✔️  enabled         0.9      /etc/crowdsec/parsers/s01-parse/auditd-logs.yaml           
crowdsecurity/dateparse-enrich      ✔️  enabled         0.2      /etc/crowdsec/parsers/s02-enrich/dateparse-enrich.yaml     
crowdsecurity/dovecot-logs          ✔️  enabled         0.9      /etc/crowdsec/parsers/s01-parse/dovecot-logs.yaml          
crowdsecurity/geoip-enrich          ✔️  enabled         0.5      /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml         
crowdsecurity/http-logs             ✔️  enabled         1.3      /etc/crowdsec/parsers/s02-enrich/http-logs.yaml            
crowdsecurity/mariadb-logs          ✔️  enabled         0.4      /etc/crowdsec/parsers/s01-parse/mariadb-logs.yaml          
crowdsecurity/mysql-logs            ✔️  enabled         0.4      /etc/crowdsec/parsers/s01-parse/mysql-logs.yaml            
crowdsecurity/postfix-logs          ✔️  enabled         0.9      /etc/crowdsec/parsers/s01-parse/postfix-logs.yaml          
crowdsecurity/postscreen-logs       ✔️  enabled         0.3      /etc/crowdsec/parsers/s01-parse/postscreen-logs.yaml       
crowdsecurity/proftpd-logs          ✔️  enabled         0.3      /etc/crowdsec/parsers/s01-parse/proftpd-logs.yaml          
crowdsecurity/public-dns-allowlist  ✔️  enabled         0.1      /etc/crowdsec/parsers/s02-enrich/public-dns-allowlist.yaml 
crowdsecurity/qpsmtpd-logs          🏠  enabled,local           /etc/crowdsec/parsers/s01-parse/qpsmtpd-parser.yaml        
crowdsecurity/qpsmtpd-whitelist     🏠  enabled,local           /etc/crowdsec/parsers/s02-enrich/qpsmtpd-whitelist.yaml    
crowdsecurity/smb-logs              ✔️  enabled         0.2      /etc/crowdsec/parsers/s01-parse/smb-logs.yaml              
crowdsecurity/sshd-logs             ✔️  enabled         3.1      /etc/crowdsec/parsers/s01-parse/sshd-logs.yaml             
crowdsecurity/sshd-success-logs     ✔️  enabled         0.1      /etc/crowdsec/parsers/s01-parse/sshd-success-logs.yaml     
crowdsecurity/syslog-logs           ✔️  enabled         1.0      /etc/crowdsec/parsers/s00-raw/syslog-logs.yaml             
crowdsecurity/whitelists            🏠  enabled,local           /etc/crowdsec/parsers/s02-enrich/whitelists.yaml           

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

</syntaxhighlight>
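The Acquisition Metrics table above is the quickest place to spot a log source that CrowdSec reads but never parses (in the output above, /var/log/maillog and /var/log/messages have lines read and none parsed). The following added example, not part of the contrib, parses that table as printed by <code>cscli metrics show acquisition</code> and flags such sources; unparsed lines on their own are normal (most syslog lines match no scenario), so the heuristic keys on zero parsed lines. The sample rows are copied from the output above; the zero-parsed heuristic is my own.

```python
# Added example (not part of the contrib): reads the "Acquisition Metrics"
# table printed by `cscli metrics show acquisition` and flags log sources
# that are read but never parsed, which usually means a missing or
# misconfigured parser rather than attack-free logs (my heuristic).
import re

# Constructed sample: a subset of the Acquisition Metrics rows shown above.
SAMPLE = """\
│ Source                              │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├─────────────────────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/var/log/audit/audit.log       │ 4.86k      │ 1.43k        │ 3.44k          │ -                      │ -                 │
│ file:/var/log/maillog               │ 18         │ -            │ 18             │ -                      │ -                 │
│ file:/var/log/messages              │ 1.03k      │ -            │ 1.03k          │ -                      │ -                 │
│ file:/var/log/qpsmtpd/qpsmtpd.log   │ 314        │ 9            │ 305            │ -                      │ -                 │
"""

_SUFFIX = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_count(token):
    """Convert a cscli count cell ("-", "18", "4.86k", "7.58M") to an integer."""
    token = token.strip()
    if token == "-":
        return 0
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([kM]?)", token)
    if not m:
        raise ValueError(f"unrecognised count: {token!r}")
    return round(float(m.group(1)) * _SUFFIX[m.group(2)])


def parse_acquisition(text):
    """Map each source to its read/parsed/unparsed counts from the box-drawn table."""
    metrics = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) != 6 or cells[0] == "Source":
            continue  # title, separator or header row
        metrics[cells[0]] = {
            "read": parse_count(cells[1]),
            "parsed": parse_count(cells[2]),
            "unparsed": parse_count(cells[3]),
        }
    return metrics


def coverage_gaps(metrics, min_lines=10):
    """Sources with meaningful traffic and not a single parsed line."""
    return sorted(src for src, m in metrics.items()
                  if m["read"] >= min_lines and m["parsed"] == 0)


if __name__ == "__main__":
    m = parse_acquisition(SAMPLE)
    for src in coverage_gaps(m):
        print(f"no parser matched {src}: {m[src]['read']} lines read")
```

On a live box, pipe the real output in with <code>cscli metrics show acquisition | python3 this_script.py</code> after replacing <code>SAMPLE</code> with <code>sys.stdin.read()</code>; a source listed here that you expect to protect (for example a mail log) is worth a look at <code>cscli parsers list</code> before assuming it is quiet.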

Uninstall

dnf remove {{#var:smecontribname}}  {{#var:contribname}}

Bugs

Please raise bugs under the SME-Contribs section in Template:BugzillaFileBug and select the {{#var:smecontribname}} component or use Template:BugzillaFileBug

Below is an overview of the current issues for this contrib:{{#bugzilla:columns=id,product,version,status,summary|sort=id|order=desc|component={{#var:smecontribname}} |noresultsmessage=No open bugs found.}}

Changelog

Only released versions in smecontribs are listed here.

{{ #smechangelog: {{#var:smecontribname}} }}