CyberMind-FR 252341e045 feat: Add complete CrowdSec integration for OpenWrt 24.10+
New packages:
- secubox-crowdsec-setup: Automated installation script with:
  - Prerequisites verification (RAM, flash, OpenWrt version)
  - syslog-ng4 configuration for log forwarding
  - CAPI registration and hub setup
  - nftables firewall bouncer configuration
  - Backup/rollback, repair, and uninstall modes

- luci-app-secubox-crowdsec: LuCI dashboard with:
  - Service status and statistics dashboard
  - Active decisions (bans) management
  - Security alerts viewer
  - Collections and bouncers management
  - UCI-based settings configuration

Enhanced existing packages:
- luci-app-crowdsec-dashboard: Added acquisition configuration wizard
- secubox-app-crowdsec: Improved defaults and configuration

Documentation:
- CROWDSEC-OPENWRT-24.md with architecture, installation, and troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 17:58:17 +01:00

SecuBox App - CrowdSec

Version

  • Package: secubox-app-crowdsec
  • CrowdSec Core: v1.7.4
  • Release: 3
  • Last Updated: January 2025

Description

CrowdSec is an open-source, lightweight security engine that detects and responds to malicious behaviors. This SecuBox package provides CrowdSec for OpenWrt routers with automatic log acquisition configuration.

Key Features (v1.7.4)

  • WAF capability with DropRequest helper for request blocking
  • Refactored syslog acquisition using RestartableStreamer
  • Optional pure-go SQLite driver for better compatibility
  • Enhanced logging configuration with syslog media support
  • Configurable usage metrics export (api.server.disable_usage_metrics_export)
  • Fixed LAPI metrics cardinality issues with Prometheus
  • Data race prevention in Docker acquisition
  • Database query optimization for decision streams
  • Automatic OpenWrt log acquisition configuration
  • UCI-based acquisition management

Package Contents

  • Makefile: OpenWrt package definition for CrowdSec v1.7.4
  • files/: Configuration and init scripts
    • crowdsec.initd: Init script for service management
    • crowdsec.config: UCI configuration (with acquisition settings)
    • crowdsec.defaults: Default configuration with auto-detection
    • acquis.d/: Acquisition configuration templates
      • openwrt-syslog.yaml: System syslog logs
      • openwrt-dropbear.yaml: SSH/Dropbear logs
      • openwrt-firewall.yaml: iptables/nftables firewall logs
      • openwrt-uhttpd.yaml: uHTTPd web server logs

Installation

# From SecuBox build environment
cd /home/reepost/CyberMindStudio/_files/secubox-openwrt
make package/secubox/secubox-app-crowdsec/compile V=s

# Install on router
opkg install crowdsec_1.7.4-3_*.ipk

Configuration

UCI Configuration

CrowdSec uses UCI for configuration in /etc/config/crowdsec:

# View current configuration
uci show crowdsec

# Main settings
uci set crowdsec.crowdsec.data_dir='/srv/crowdsec/data'
uci set crowdsec.crowdsec.db_path='/srv/crowdsec/data/crowdsec.db'

# Acquisition settings
uci set crowdsec.acquisition.syslog_enabled='1'
uci set crowdsec.acquisition.firewall_enabled='1'
uci set crowdsec.acquisition.ssh_enabled='1'
uci set crowdsec.acquisition.http_enabled='0'
uci set crowdsec.acquisition.syslog_path='/var/log/messages'

# Hub settings
uci set crowdsec.hub.auto_install='1'
uci set crowdsec.hub.collections='crowdsecurity/linux crowdsecurity/iptables'
uci set crowdsec.hub.update_interval='7'

uci commit crowdsec

File Locations

  • Main config: /etc/crowdsec/config.yaml
  • Acquisition directory: /etc/crowdsec/acquis.d/
  • Legacy acquisition: /etc/crowdsec/acquis.yaml
  • Profiles: /etc/crowdsec/profiles.yaml
  • Local API: /etc/crowdsec/local_api_credentials.yaml
  • Data directory: /srv/crowdsec/data/

Log Acquisition Configuration

Automatic Detection

On first boot, the defaults script automatically:

  1. Detects OpenWrt log file configuration
  2. Identifies installed services (Dropbear, firewall)
  3. Generates appropriate acquisition configs
  4. Installs recommended Hub collections

Supported Log Sources

Log Source                     Default    Collection Required
System Syslog                  Enabled    crowdsecurity/linux
SSH/Dropbear                   Enabled    crowdsecurity/linux
Firewall (iptables/nftables)   Enabled    crowdsecurity/iptables
HTTP (uHTTPd/nginx)            Disabled   crowdsecurity/http-cve

Custom Acquisition

Add custom acquisition configs to /etc/crowdsec/acquis.d/:

# /etc/crowdsec/acquis.d/custom.yaml
filenames:
  - /var/log/custom-app/*.log
labels:
  type: syslog

Syslog Service Mode

To run CrowdSec as a syslog server (receive logs from other devices):

uci set crowdsec.acquisition.syslog_listen_addr='0.0.0.0'
uci set crowdsec.acquisition.syslog_listen_port='514'
uci commit crowdsec
/etc/init.d/crowdsec restart
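Added example, not the package's own crowdsec.defaults script, covering the Automatic Detection steps above and the listen address used in Syslog Service Mode: it finds where OpenWrt writes syslog (OpenWrt keeps logs in a RAM ring buffer unless its own system.@system[0].log_file option is set, so a missing file means CrowdSec ingests nothing), renders one acquis.d file in the shape of the custom.yaml example, and checks the result. The crowdsec.acquisition.* keys, the openwrt-syslog.yaml file name and the syslog label type come from this page; the function names and the fallback behaviour are assumptions.

```shell
#!/bin/sh
# Added example (not the secubox-app-crowdsec defaults script). Detects the
# OpenWrt syslog file, renders /etc/crowdsec/acquis.d/openwrt-syslog.yaml and
# validates it. Function names are hypothetical; UCI keys are from the README.

# Read a UCI option; fall back to DEFAULT when uci is missing (off-router tests).
uci_get() {
    if command -v uci >/dev/null 2>&1; then
        uci -q get "$1" || printf '%s\n' "$2"
    else
        printf '%s\n' "$2"
    fi
}

# OpenWrt logd only writes a file when system.log_file is set; otherwise use
# the package's documented syslog_path default.
detect_log_file() {
    f=$(uci_get 'system.@system[0].log_file' '')
    [ -n "$f" ] || f=$(uci_get crowdsec.acquisition.syslog_path /var/log/messages)
    printf '%s\n' "$f"
}

# render_acquis OUTFILE LOGPATH TYPE: same layout as the custom.yaml example.
render_acquis() {
    mkdir -p "$(dirname "$1")"
    printf 'filenames:\n  - %s\nlabels:\n  type: %s\n' "$2" "$3" > "$1"
}

# acquis_is_valid FILE: fail when the referenced log file does not exist,
# because CrowdSec would start cleanly and silently see no events.
acquis_is_valid() {
    p=$(sed -n 's/^  - //p' "$1" | head -n 1)
    [ -n "$p" ] && [ -f "$p" ]
}

# listen_addr_is_safe ADDR: a syslog listener on all interfaces also faces the WAN.
listen_addr_is_safe() {
    [ -n "$1" ] && [ "$1" != "0.0.0.0" ] && [ "$1" != "::" ]
}

if [ $# -gt 0 ]; then
    out="$1/openwrt-syslog.yaml"
    render_acquis "$out" "$(detect_log_file)" syslog
    acquis_is_valid "$out" || echo "warning: $(detect_log_file) missing; set system.@system[0].log_file" >&2
fi
```

Run as `sh script.sh /etc/crowdsec/acquis.d` on the router, then `cscli metrics show acquisition` to confirm lines are being read.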

Service Management

# Start CrowdSec
/etc/init.d/crowdsec start

# Stop CrowdSec
/etc/init.d/crowdsec stop

# Restart CrowdSec
/etc/init.d/crowdsec restart

# Check status
/etc/init.d/crowdsec status

CLI Usage

CrowdSec CLI is available via cscli:

# Check version
cscli version

# Check acquisition status
cscli metrics show acquisition

# List decisions
cscli decisions list

# View alerts
cscli alerts list

# Manage collections
cscli collections list
cscli collections install crowdsecurity/nginx

# Manage Hub
cscli hub update
cscli hub upgrade

# Manage bouncers
cscli bouncers list
cscli bouncers add firewall-bouncer

Hub Collections for OpenWrt

# Core Linux detection (SSH brute-force, etc.)
cscli collections install crowdsecurity/linux

# Firewall log analysis (port scan detection)
cscli collections install crowdsecurity/iptables

# Syslog parsing
cscli parsers install crowdsecurity/syslog-logs

# Whitelists for reducing false positives
cscli parsers install crowdsecurity/whitelists

Optional Collections

# HTTP attack detection
cscli collections install crowdsecurity/http-cve

# nginx logs
cscli collections install crowdsecurity/nginx

# SMB/Samba
cscli collections install crowdsecurity/smb

Integration with SecuBox

This package integrates with:

  • luci-app-crowdsec-dashboard v0.5.0+
  • secubox-app-crowdsec-bouncer - Firewall bouncer
  • SecuBox Theme System
  • SecuBox Logging (secubox-log)

Dependencies

  • Go compiler (build-time)
  • SQLite3
  • OpenWrt base system

Changelog

v1.7.4-3 (2025-01)

  • Added automatic log acquisition configuration
  • Added UCI-based acquisition management
  • Added acquis.d directory with OpenWrt-specific templates
  • Improved Hub collection auto-installation
  • Added acquisition for syslog, SSH/Dropbear, firewall, HTTP
  • Enhanced defaults script with detection logic

v1.7.4-2 (2024-12)

  • Updated from v1.6.2 to v1.7.4
  • Added WAF/AppSec support
  • Improved syslog acquisition
  • Enhanced metrics export configuration
  • Fixed Prometheus cardinality issues

v1.6.2-1 (Previous)

  • Initial SecuBox integration
  • Basic OpenWrt compatibility patches

License

MIT License

Maintainer

CyberMind.fr - Gandalf gandalf@gk2.net