Installing CrowdSec on OPNsense (Day 27)

CrowdSec is a security tool that detects and blocks malicious IPs using a collaborative approach to share threat intelligence across users.

I initially planned to run CrowdSec just on Traefik, but having it at the firewall level provides more protection for all devices on the network.

Installation

CrowdSec has a convenient plugin for OPNsense that makes installation straightforward:

  1. Navigate to System → Firmware → Plugins
  2. Search for and install os-crowdsec

Configuration

Once installed, you'll find CrowdSec under the Services tab:

  1. Go to Services → CrowdSec → Settings
  2. Enable the following options:
    1. Enable Log Processor (IDS) - This is the detection component
    2. Enable LAPI - Unless you're connecting to LAPI on another machine
    3. Enable Remediation Component (IPS) - This actively blocks detected threats
    4. Enable log for rules - Optional, but useful for troubleshooting

Rules

By default, CrowdSec creates floating rules to block incoming connections from malicious IP addresses.

However, we can use the automatically created crowdsec_blacklists and crowdsec6_blacklists aliases to create custom floating rules that block all outgoing connections to malicious IPs.

This is useful in case a device on the network is already compromised and tries to connect back to a blocklisted IP: the inbound rules alone would not stop that traffic.

Testing the Setup

To verify that CrowdSec is working properly, you can temporarily ban an IP address:

cscli decisions add -t ban -d 1m -i <IP address>

This will ban the specified IP for one minute.

If you use your own IP, expect your connection to freeze, confirming that the ban is working.

To view active decisions (bans):

cscli decisions list
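
A ban only protects the network once both halves of the setup agree: LAPI must hold the decision, and the remediation component must have pushed it into the OPNsense alias table that the floating rules reference. The following script is an added example, not part of the original post or of the CrowdSec project; it parses the JSON output of cscli decisions list and the output of pfctl -t <alias> -T show (the pf table behind the alias, assumed here to carry the alias name) and reports whether a given IP is blocked end to end. The sample outputs embedded in it are constructed.

```python
import ipaddress
import json
import subprocess

# Constructed sample of `cscli decisions list -o json`: a list of alerts, each
# carrying a "decisions" array (values are made up, 203.0.113.0/24 is TEST-NET).
SAMPLE_DECISIONS_JSON = json.dumps([{
    "id": 1, "source": {"scope": "Ip", "value": "203.0.113.10"},
    "decisions": [{"id": 7, "origin": "cscli", "scope": "Ip", "type": "ban",
                   "value": "203.0.113.10", "duration": "59m12s",
                   "scenario": "manual 'ban' from 'root'"}],
}])
# Constructed sample of `pfctl -t crowdsec_blacklists -T show` output.
SAMPLE_PF_TABLE = "   198.51.100.7\n   203.0.113.10\n"


def parse_decisions(text):
    """Map IP -> decision type for every IP-scoped decision LAPI holds.
    cscli prints a bare `null` when there are no decisions; treat it as empty."""
    result = {}
    for alert in json.loads(text) or []:
        for dec in alert.get("decisions") or []:
            if dec.get("scope", "").lower() == "ip":
                result[dec["value"]] = dec["type"]
    return result


def parse_pf_table(text):
    """Set of addresses the alias/pf table actually contains (one per line)."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def verify_ban(ip, decisions_text, table_text):
    """Check both halves of the pipeline: LAPI decision AND pf table entry."""
    in_lapi = parse_decisions(decisions_text).get(ip) == "ban"
    in_table = ip in parse_pf_table(table_text)
    return {"lapi_ban": in_lapi, "pf_table": in_table,
            "blocked": in_lapi and in_table}


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":  # run on the OPNsense box: python3 check_ban.py <IP>
    import sys
    ip = sys.argv[1]
    table = ("crowdsec6_blacklists" if ipaddress.ip_address(ip).version == 6
             else "crowdsec_blacklists")
    print(verify_ban(ip, run(["cscli", "decisions", "list", "-o", "json"]),
                     run(["pfctl", "-t", table, "-T", "show"])))
```

A result of lapi_ban True with pf_table False means the decision exists but the remediation component has not applied it, which is exactly the gap the floating rules cannot cover.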

Todo

CrowdSec also has a Prometheus endpoint for metrics collection, so I will look into integrating it with Grafana for visualization.