Create a subfolder in your main appdata folder. Your services and CrowdSec will be told to write their log files into it, so that the logs are centralized and analyzed by CrowdSec. In this guide, this subfolder is named "shared/crowdsec" (appdata/shared/crowdsec).
Go to the Apps tab in Unraid and install the crowdsec container from Ibracorp.
Port : The port Crowdsec is using.
appdata : Your Crowdsec appdata folder (usually appdata/crowdsec).
data : The data folder your Crowdsec container will be using (subfolder in your crowdsec appdata folder).
syslog path : not relevant (I think), leave it as default.
COLLECTIONS : The collections Crowdsec will use, for example crowdsecurity/traefik for Traefik, LePresidente/authelia for authelia. Do not use quote marks " as this will cause issues with newer versions. It works fine without them.
var log : crowdsec's log folder, map this to a subfolder in your shared folder (appdata/shared/crowdsec).
auth logs to be analyzed (optional, it seems): map this to a subfolder in your crowdsec shared folder (appdata/shared/crowdsec/auth for example). This value doesn't seem to be used in this unraid docker scenario, and is more relevant to an SSH config.
crowdsec logs to analyze : map it to your crowdsec shared folder (appdata/shared/crowdsec).
Main Collections: crowdsecurity/traefik crowdsecurity/http-cve
Now we have to tell Authelia to write its log file to the shared folder, so that crowdsec can parse it and respond accordingly.
First, edit your Authelia docker template, to map the Authelia log output folder to the shared folder :
Then edit the configuration.yml file in the Authelia appdata folder (appdata/authelia), in order to enable logging. (The values may already be there but edited out, so just search for them.)
And then, edit your CrowdSec docker template to enable the Authelia collection, by adding LePresidente/authelia to the COLLECTIONS variable :
And finally, edit the acquis.yml file in your CrowdSec appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart your containers, crowdsec and authelia.
Use the "Useful Commands" cscli collections list and cscli metrics to check your collections and metrics, that should be ok!
The aim here is to implement a CrowdSec bouncer for the Traefik router that blocks malicious IPs from accessing your services. To do this, it leverages the Traefik v2 ForwardAuth middleware and queries CrowdSec with the client IP.
If the client IP is on the ban list, the client gets an HTTP 403 response. Otherwise, the request continues as usual.
Parsers take log formats and break them down into readable information for the CrowdSec app. We will be using the Traefik parser to take the Traefik access logs and pass that information over to the CrowdSec app to make decisions.
Bouncers react to decisions made by CrowdSec. In this case, the Traefik bouncer will take the decision made by CrowdSec and either allow or deny the traffic going through Traefik. CrowdSec on its own will just make the decisions to ban IPs. It will do this by connecting back to the mothership to get the information required to make the decisions locally.
Check out available bouncers on the hub
A scenario is a behavior, e.g. a brute force attack in progress. You can choose which scenarios you would like to check the traffic against. In this Traefik collection, we will be using the typical HTTP behaviors.
Go inside the CrowdSec Docker console and run
PLEASE NOTE
This is the only time the API key will be shown, so make sure to note it down somewhere safe.
Go to the apps tab, and download the container crowdsec-traefik-bouncer.
Get the API key that we generated above and paste it into this option
Leave it as it is
Put the CrowdSec Container IP with port
Edit your Traefik static configuration file (traefik.yml) in your Traefik appdata folder. (Use the nano command or code server, which is very useful; tutorial here: https://www.youtube.com/watch?v=7FMCBjUVaYQ&t=1s )
If your logs don't show the external IP of the users hitting the Traefik proxy and only show the IP of the docker gateway (e.g. 172.19.x.x in this case), then edit the traefik.yml file and add your docker gateway IP under trusted IPs.
Create a path mapping in your traefik template, so that the log file is written in the shared folder previously created.
Once again, edit your traefik static configuration file (traefik.yml), then edit your dynamic configuration file (fileConfig.yml)
The address is for the bouncer-traefik container and the port is always 8080
Note: the container has no port exposed to the host.
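A quick check for the docker-gateway-IP symptom mentioned in the trusted IPs step above, as an added example that is not part of the original guide: it reads a Traefik access log (default CLF-style lines or JSON lines with a ClientHost field) and reports how many requests were recorded with an internal (RFC 1918) client address. If most entries are internal, CrowdSec would attribute all traffic to that one address instead of the real clients. The sample lines, the function names and the 50% threshold are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import Counter

# RFC 1918 ranges; Docker bridge networks such as 172.19.x.x fall inside them.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: three CLF-style lines, one JSON line, one junk line.
SAMPLE_LOG = """\
172.19.0.1 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/2.0" 200 512 "-" "-" 1 "app@docker" "http://172.19.0.5:80" 3ms
172.19.0.1 - - [10/Jan/2024:10:00:02 +0000] "GET /login HTTP/2.0" 401 0 "-" "-" 2 "app@docker" "http://172.19.0.5:80" 2ms
203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /admin HTTP/2.0" 404 19 "-" "-" 3 "app@docker" "http://172.19.0.5:80" 1ms
{"ClientHost": "172.19.0.1", "RequestPath": "/api", "DownstreamStatus": 200}
not a log line
"""


def client_ips(log_text):
    """Yield the client address of every line that carries a valid one."""
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("{"):          # JSON access log: ClientHost field
            try:
                candidate = str(json.loads(line).get("ClientHost", ""))
            except ValueError:
                continue
        else:                             # CLF access log: first field
            candidate = line.split(" ", 1)[0]
        try:
            yield ipaddress.ip_address(candidate)
        except ValueError:
            continue                      # blank or malformed line


def gateway_report(log_text, threshold=0.5):
    """Summarise how many requests were logged with an internal client IP."""
    counts = Counter(client_ips(log_text))
    total = sum(counts.values())
    internal = sum(n for ip, n in counts.items()
                   if ip.version == 4 and any(ip in net for net in INTERNAL_NETS))
    ratio = internal / total if total else 0.0
    top = str(counts.most_common(1)[0][0]) if counts else None
    return {"total": total, "internal": internal, "top": top,
            "suspect": total > 0 and ratio >= threshold}


if __name__ == "__main__":
    print(gateway_report(SAMPLE_LOG))
```

To run it against a real log, pass the contents of the Traefik access log file from the shared folder to gateway_report instead of SAMPLE_LOG.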
Adding the dashboard using a custom container setup on Unraid.
The following page has been submitted by a community member and has not been extensively tested. Please submit any edits you think need to be made.
Going over https://docs.crowdsec.net/docs/observability/dashboard/ and reading on the GitHub issue https://github.com/crowdsecurity/crowdsec/issues/1567, I decided the best way to go about adding the dashboard would be to manually set up a container in Docker.
In Unraid, click Docker, then at the bottom click Add Container. Click Advanced
Docker Hub URL: https://hub.docker.com/r/metabase/metabase
Icon URL: https://github.com/crowdsecurity/crowdsec-docs/blob/main/crowdsec-docs/static/img/crowdsec_logo.png?raw=true
WebUI: http://0.0.0.0:3000 ( Change this if you change port on Host Port 1 )
Name: crowdsec-dashboard
Overview: Crowdsec metabase dashboard
Repository: metabase/metabase
Network type: ( I used a custom docker network )
Fixed IP: (Empty)
Console Shell Command: Shell
Privileged: Off
Host Port 1: 3000 ( Change if needed )
DB Location(Rename if wanted): Use Variable
--- Name: DB Location
--- Key: MB_DB_FILE
--- Value: /metabase.db
Host Key 1 (Rename if wanted): Use Variable
--- Name: Host Key 1
--- Key: depends_on
--- Value: crowdsec
Host Path 1 (Rename if wanted): Use Path
--- Name: Host Path 1
--- Container Path: /metabase-data/
--- Host Path: (Location of crowdsec.db)
Click apply and start the container. Click and open the web page, fill in the information and choose sqlite.
Go into your crowdsec appdata and change permissions. I used chmod 777 crowdsec.db, but there are better ways to do this. From there the location used will be /metabase-data/crowdsec.db
Now we have to tell Vaultwarden to write its log file to the shared folder, so that CrowdSec can parse it and respond accordingly.
First, edit your Vaultwarden docker template, to map the Vaultwarden log output folder to the shared folder :
Add these extra parameters to your Vaultwarden template, enable the "advanced view" when editing your container, by clicking the upper right "basic view" slider :
-e LOG_FILE=/log/vaultwarden.log -e LOG_LEVEL=warn -e EXTENDED_LOGGING=true
Like this :
Restart your Vaultwarden container.
Edit your CrowdSec docker template to enable the Vaultwarden collection, by adding Dominic-Wagner/vaultwarden to the COLLECTIONS variable :
Finally, edit the acquis.yml file in your CrowdSec appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart CrowdSec container.
Use the "Useful Commands" cscli collections list and cscli metrics to check your collections and metrics, that should be ok!
This method has not been verified yet, but seems to work
We will be adapting this method on the official CrowdSec hub to enable the Nextcloud collection.
Run a console command in your CrowdSec container (click on its icon and then console)
Install Nextcloud collection by pasting this command :
cscli collections install crowdsecurity/nextcloud
Create the following mapping in your Nextcloud docker template :
Restart Nextcloud container.
Edit the acquis.yml file in your CrowdSec appdata folder (appdata/crowdsec) to add these lines : (don't leave any empty spaces)
Restart CrowdSec container.
Use the "Useful Commands" cscli collections list and cscli metrics to check your collections and metrics, that should be ok!