IDS/IPS Integration

We have native CLI for containers “set container name foo xxx”

Hey! Just jumping in here have you had any thoughts of using CrowdSec? - crowdsec.net


You beat me to this one :grin:

Crowdsec would indeed be a nice addition. Very lightweight.

I would prefer that much more than snort or suricata.

As I see it, crowdsec works with iptables; we use nftables.

wget https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh
os=Debian dist=bullseye bash ./script.deb.sh

apt install crowdsec

root@r14:/home/vyos# cscli collections list
INFO[06-08-2022 01:50:37 PM] Ignoring file /etc/crowdsec/parsers/s02-enrich/geoip-enrich.yaml of type parsers 
-----------------------------------------------------------------------------------------------------------------
 NAME                                 📦 STATUS    VERSION  LOCAL PATH                                           
-----------------------------------------------------------------------------------------------------------------
 crowdsecurity/apache2                ✔️  enabled  0.1      /etc/crowdsec/collections/apache2.yaml               
 crowdsecurity/dovecot                ✔️  enabled  0.1      /etc/crowdsec/collections/dovecot.yaml               
 crowdsecurity/iptables               ✔️  enabled  0.1      /etc/crowdsec/collections/iptables.yaml              
 crowdsecurity/linux                  ✔️  enabled  0.2      /etc/crowdsec/collections/linux.yaml                 
 crowdsecurity/nginx                  ✔️  enabled  0.1      /etc/crowdsec/collections/nginx.yaml                 
 crowdsecurity/sshd                   ✔️  enabled  0.1      /etc/crowdsec/collections/sshd.yaml                  
 crowdsecurity/whitelist-good-actors  ✔️  enabled  0.1      /etc/crowdsec/collections/whitelist-good-actors.yaml 
 crowdsecurity/base-http-scenarios    ✔️  enabled  0.3      /etc/crowdsec/collections/base-http-scenarios.yaml   
 crowdsecurity/modsecurity            ✔️  enabled  0.1      /etc/crowdsec/collections/modsecurity.yaml           
 crowdsecurity/naxsi                  ✔️  enabled  0.1      /etc/crowdsec/collections/naxsi.yaml                 
 crowdsecurity/vsftpd                 ✔️  enabled  0.1      /etc/crowdsec/collections/vsftpd.yaml                
 crowdsecurity/wordpress              ✔️  enabled  0.1      /etc/crowdsec/collections/wordpress.yaml             
 crowdsecurity/mysql                  ✔️  enabled  0.1      /etc/crowdsec/collections/mysql.yaml                 
 crowdsecurity/postfix                ✔️  enabled  0.2      /etc/crowdsec/collections/postfix.yaml               
-----------------------------------------------------------------------------------------------------------------
root@r14:/home/vyos# 

Not sure exactly, as I’m not a crowdsec user :slight_smile:

Update: nftables is also supported by the bouncers.

CrowdSec reads logs from different sources (files, streams …) to parse, normalize and enrich them before matching them to threat patterns called scenarios.

Suricata and others read packets and their patterns; these are different solutions.

Hey!

I’m head of moderation on our Discord. Feel free to join us if you want to discuss more.

Aydan

Hi,

I would only use a bouncer on the VyOS device which would update a network-group that is used in a firewall rule for instance. Local services might be monitored just for some basic protection.

The way we use this is running the crowdsec agent on servers with public services and block attackers at the edge of the network straight away using a bouncer.

I think I could write a simple bouncer which updates a network group in config, or we just use the basic nftables bouncer to update an nft ipset.

Sander


I can write a simple PoC using a network group, or use nftables directly, which would be preferred @syncer ?
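The two bouncer designs discussed above (update a VyOS network group from the config, or feed an nft set directly), sketched as an added example; this is not code from the thread, from CrowdSec or from VyOS. It assumes the CrowdSec Local API is reachable on 127.0.0.1:8080 and that a bouncer key was created with `cscli bouncers add`; the decision-stream shape it parses (`{"new": [...], "deleted": [...]}`, each entry with `scope` and `value`), the network-group name `crowdsec-blocklist`, the nft table `inet vyos_filter` and set names `crowdsec_v4`/`crowdsec_v6`, and the `vbash` config-apply path are all assumptions chosen for the example. The sample decision payload at the bottom is constructed so the translation can be exercised without a running LAPI.

```python
"""Minimal CrowdSec -> VyOS bouncer sketch (added example, not CrowdSec/VyOS code).

Assumptions (not taken from the thread):
  - LAPI at http://127.0.0.1:8080, bouncer key from `cscli bouncers add vyos-bouncer`.
  - GET /v1/decisions/stream returns {"new": [...], "deleted": [...]}; each
    decision carries "scope" ("Ip", "Range", "Country", ...) and "value".
  - VyOS group name, nft table/set names and the vbash apply path are example choices.
"""
import ipaddress
import json
import shlex
import subprocess
import urllib.request

LAPI_URL = "http://127.0.0.1:8080"                 # assumption
GROUP = "crowdsec-blocklist"                       # VyOS network-group name (assumption)
NFT_TABLE = "inet vyos_filter"                     # nft table (assumption)
NFT_SET = {4: "crowdsec_v4", 6: "crowdsec_v6"}     # one interval set per family (assumption)


def decision_to_network(decision):
    """Map a decision to an ip_network, or None when it is not IP-based or malformed.

    Only the "Ip" and "Range" scopes can be expressed as a network entry; other
    scopes (e.g. "Country", "AS") are ignored rather than guessed at.
    """
    scope = str(decision.get("scope", "")).lower()
    if scope not in ("ip", "range"):
        return None
    try:
        # A bare address becomes a /32 or /128; strict=False tolerates host bits in ranges.
        return ipaddress.ip_network(decision.get("value", ""), strict=False)
    except ValueError:
        return None


def _walk(stream):
    """Yield (action, network) pairs: deletions first so a re-ban of the same value wins."""
    for action, key in (("delete", "deleted"), ("set", "new")):
        for dec in stream.get(key) or []:
            net = decision_to_network(dec)
            if net is not None:
                yield action, net


def to_vyos_commands(stream):
    """Translate a decision-stream payload into VyOS configuration-mode lines."""
    cmds = []
    for action, net in _walk(stream):
        kind = "network-group" if net.version == 4 else "ipv6-network-group"
        cmds.append(f"{action} firewall group {kind} {GROUP} network {net}")
    return cmds


def to_nft_commands(stream):
    """Translate the same payload into nft element add/delete commands."""
    cmds = []
    for action, net in _walk(stream):
        verb = "add" if action == "set" else "delete"
        cmds.append(f"nft {verb} element {NFT_TABLE} {NFT_SET[net.version]} {{ {net} }}")
    return cmds


def fetch_decisions(api_key, startup=False):
    """Pull one batch from the LAPI decision stream (startup=True returns the full list)."""
    url = f"{LAPI_URL}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def apply_vyos(cmds):
    """Run the generated lines in a VyOS config session and commit them (assumed path)."""
    if not cmds:
        return
    script = "source /opt/vyatta/etc/functions/script-template\nconfigure\n"
    script += "\n".join(cmds) + "\ncommit\nsave\nexit\n"
    subprocess.run(["/bin/vbash", "-c", script], check=True)


def apply_nft(cmds):
    """Apply nft element changes directly, bypassing the VyOS config."""
    for cmd in cmds:
        subprocess.run(shlex.split(cmd), check=True)


# Constructed sample payload (documentation-range addresses, not real decisions).
SAMPLE_STREAM = {
    "new": [
        {"scope": "Ip", "value": "203.0.113.7", "type": "ban", "scenario": "crowdsecurity/ssh-bf"},
        {"scope": "Range", "value": "198.51.100.0/24", "type": "ban"},
        {"scope": "Ip", "value": "2001:db8::1", "type": "ban"},
        {"scope": "Country", "value": "XX", "type": "ban"},   # skipped: not a network
    ],
    "deleted": [
        {"scope": "Ip", "value": "192.0.2.9", "type": "ban"},
    ],
}

if __name__ == "__main__":
    # Offline dry run over the constructed sample; swap in fetch_decisions(key, startup=True)
    # followed by apply_vyos()/apply_nft() on a real box.
    for line in to_vyos_commands(SAMPLE_STREAM) + to_nft_commands(SAMPLE_STREAM):
        print(line)
```

A real bouncer would call `fetch_decisions` with `startup=True` once and then poll with `startup=False` on an interval; the translation functions are kept pure so the mapping from decisions to firewall entries can be checked without touching the device. Decisions whose scope is not an address or range are dropped rather than approximated, which is the failure mode to watch when a scenario emits country or AS bans.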

It depends on what exactly you are wanting to protect.
If it is simple ssh brute forces, you can use

set service ssh dynamic-protection

It uses sshguard, but in theory you can set up custom logs to parse.
There are a lot of modules that are not used in VyOS, like apache2, dovecot, MySQL, and so on.
A simple PoC will be useful