secubox-openwrt/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults
CyberMind-FR 252341e045 feat: Add complete CrowdSec integration for OpenWrt 24.10+
New packages:
- secubox-crowdsec-setup: Automated installation script with:
  - Prerequisites verification (RAM, flash, OpenWrt version)
  - syslog-ng4 configuration for log forwarding
  - CAPI registration and hub setup
  - nftables firewall bouncer configuration
  - Backup/rollback, repair, and uninstall modes

- luci-app-secubox-crowdsec: LuCI dashboard with:
  - Service status and statistics dashboard
  - Active decisions (bans) management
  - Security alerts viewer
  - Collections and bouncers management
  - UCI-based settings configuration

Enhanced existing packages:
- luci-app-crowdsec-dashboard: Added acquisition configuration wizard
- secubox-app-crowdsec: Improved defaults and configuration

Documentation:
- CROWDSEC-OPENWRT-24.md with architecture, installation, and troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 17:58:17 +01:00


#!/bin/sh
#
# CrowdSec UCI Defaults Script
# Configures CrowdSec on first install with automatic acquisition setup
#
# Fixed locations used by the functions below.
#   CONFIG     - CrowdSec main config.yaml; setup_paths rewrites data_dir/db_path in it
#   ACQUIS_DIR - drop-in directory that receives the generated acquisition YAML
#   UCI_CONFIG - the UCI file behind the "crowdsec.*" options (not referenced
#                directly in the visible part of this script)
CONFIG="/etc/crowdsec/config.yaml"
ACQUIS_DIR="/etc/crowdsec/acquis.d"
UCI_CONFIG="/etc/config/crowdsec"
# Load UCI functions
. /lib/functions.sh
# Get UCI values with defaults
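# Read one option from the "crowdsec" UCI config, falling back to a default.
#
# Arguments:
#   $1 - section name (e.g. "acquisition")
#   $2 - option name  (e.g. "syslog_path")
#   $3 - value to emit when the option is unset or empty
# Outputs:
#   the option value, or the default, followed by a newline on stdout
# Returns:
#   0 always; a missing option is not an error (uci -q keeps it quiet)
get_uci_value() {
    local section="$1"
    local option="$2"
    local default="$3"
    local value
    value=$(uci -q get "crowdsec.${section}.${option}")
    # printf, not echo: a value (or default) such as "-n" or "-e" would be
    # eaten as an echo option by the shell builtin and never reach the caller.
    printf '%s\n' "${value:-$default}"
}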
# Configure data paths
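# Escape a string for the replacement side of a sed "s,...,...," expression.
# The delimiter ',', the whole-match reference '&' and '\' are backslashed so
# that an operator-supplied path is written into config.yaml verbatim instead
# of breaking or re-interpreting the sed command.
#
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout
_sed_replacement_escape() {
    printf '%s\n' "$1" | sed -e 's/[\\&,]/\\&/g'
}

# Point CrowdSec's data_dir and db_path at the UCI-configured locations and
# make sure the data directory exists.
#
# Globals:
#   CONFIG (read) - config.yaml, rewritten in place
# Reads UCI:
#   crowdsec.crowdsec.data_dir (default /srv/crowdsec/data)
#   crowdsec.crowdsec.db_path  (default /srv/crowdsec/data/crowdsec.db)
# Returns:
#   0 on success, 1 if either sed rewrite of CONFIG fails
setup_paths() {
    local data_dir db_path data_dir_esc db_path_esc
    data_dir=$(get_uci_value "crowdsec" "data_dir" "/srv/crowdsec/data")
    db_path=$(get_uci_value "crowdsec" "db_path" "/srv/crowdsec/data/crowdsec.db")
    data_dir_esc=$(_sed_replacement_escape "$data_dir")
    db_path_esc=$(_sed_replacement_escape "$db_path")
    # Only the value after "data_dir:" / "db_path:" is replaced; the key and
    # any leading indentation are preserved through the \1 back-reference.
    sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1${data_dir_esc}," "$CONFIG" || return 1
    sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1${db_path_esc}," "$CONFIG" || return 1
    # NOTE(review): the directory will hold the local CrowdSec database; 0755
    # is kept from the original, but a tighter mode is worth considering if
    # unprivileged local users exist on the router.
    if [ ! -d "${data_dir}" ]; then
        mkdir -m 0755 -p -- "${data_dir}"
    fi
}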
# Create machine-id if not exists
# Create /etc/machine-id if it does not exist yet.
# The value is a kernel-generated random UUID with the dashes stripped,
# i.e. the conventional 32 hex characters. An existing file is left untouched.
setup_machine_id() {
    [ -f /etc/machine-id ] && return 0
    tr -d '-' < /proc/sys/kernel/random/uuid > /etc/machine-id
    echo "Created machine-id"
}
# Register local API machine
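# Register this host as a machine with the local API (LAPI) unless the
# credentials file already contains a login.
#
# Globals:
#   CONFIG (read) - passed to cscli as the config to use
# Side effects:
#   creates /etc/crowdsec/local_api_credentials.yaml via cscli and restricts
#   its permissions; prints a status line
# Returns:
#   0 if registered (now or previously), 1 if cscli failed
register_lapi() {
    local creds=/etc/crowdsec/local_api_credentials.yaml
    if grep -q "login:" "$creds" 2>/dev/null; then
        echo "Local API already registered"
        return 0
    fi
    echo "Registering local API machine..."
    if cscli -c "$CONFIG" machines add -a -f "$creds"; then
        # The file holds the machine's LAPI credentials: make sure it is not
        # world-readable regardless of the umask cscli ran under.
        chmod 0600 "$creds"
    else
        echo "WARNING: local API machine registration failed" >&2
        return 1
    fi
}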
# Register with Central API (CAPI) for threat intelligence sharing
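# Enroll with the Central API (CAPI) for threat-intelligence sharing, unless
# online_api_credentials.yaml already contains a login.
#
# Side effects:
#   on success cscli writes the credentials file; on failure a minimal stub
#   containing only the API URL is written so the engine does not trip over a
#   missing file. Either way the file is made owner-read/write only.
# Returns:
#   0 always (a failed registration degrades to local-only mode, not an error)
register_capi() {
    local creds=/etc/crowdsec/online_api_credentials.yaml
    if grep -q "login:" "$creds" 2>/dev/null; then
        echo "Central API already registered"
        return 0
    fi
    echo "Registering with Central API (CAPI)..."
    if cscli capi register 2>/dev/null; then
        echo "Successfully registered with Central API"
    else
        # Typically no outbound access to api.crowdsec.net at first boot.
        # Local detections keep working; the stub only prevents "file not
        # found" errors. Re-run "cscli capi register" later to enroll.
        echo "WARNING: CAPI registration failed - will run in local-only mode" >&2
        echo "url: https://api.crowdsec.net/" > "$creds"
    fi
    # Real credentials or stub: keep it out of reach of other local users.
    if [ -f "$creds" ]; then
        chmod 0600 "$creds"
    fi
}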
# Update hub index
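# Refresh the hub index when it is missing or older than the configured
# number of days.
#
# Reads UCI:
#   crowdsec.hub.update_interval - days between refreshes; "0" disables
#                                  (default 7)
# Side effects:
#   runs "cscli hub update" when a refresh is due; prints status lines
# Returns:
#   0 always
update_hub() {
    local update_interval index
    index=/etc/crowdsec/hub/.index.json
    update_interval=$(get_uci_value "hub" "update_interval" "7")
    if [ "$update_interval" = "0" ]; then
        echo "Hub auto-update disabled"
        return 0
    fi
    # The interval is spliced into a find(1) argument. A non-numeric value
    # made find fail (silently, errors are discarded below) and so quietly
    # disabled hub updates; fall back to the default instead and say so.
    case "$update_interval" in
        ''|*[!0-9]*)
            echo "WARNING: hub.update_interval '${update_interval}' is not a number, ignoring (using 7 days)" >&2
            update_interval=7
            ;;
    esac
    if [ ! -f "$index" ] || [ -n "$(find "$index" -mtime "+${update_interval}" 2>/dev/null)" ]; then
        echo "Updating hub index..."
        cscli hub update 2>/dev/null || echo "WARNING: hub index update failed" >&2
    fi
}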
# Install collections and parsers from Hub
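# Install the UCI-listed hub collections and parsers, then upgrade all hub
# items.
#
# Reads UCI:
#   crowdsec.hub.auto_install - anything but "1" skips this step (default 1)
#   crowdsec.hub.collections  - whitespace-separated list
#                               (default "crowdsecurity/linux crowdsecurity/iptables")
#   crowdsec.hub.parsers      - whitespace-separated list
#                               (default "crowdsecurity/syslog-logs crowdsecurity/whitelists")
# Side effects:
#   runs cscli for each item; a failed install no longer disappears silently
#   but is reported on stderr, and the remaining items are still processed
# Returns:
#   0 always
install_hub_items() {
    local auto_install collections parsers item
    auto_install=$(get_uci_value "hub" "auto_install" "1")
    if [ "$auto_install" != "1" ]; then
        echo "Hub auto-install disabled"
        return 0
    fi
    # Both lists are whitespace-separated UCI strings, so the unquoted
    # expansions in the for-loops are intentional: word splitting is the parser.
    collections=$(get_uci_value "hub" "collections" "crowdsecurity/linux crowdsecurity/iptables")
    for item in $collections; do
        echo "Installing collection: $item"
        cscli collections install "$item" 2>/dev/null \
            || echo "WARNING: failed to install collection '$item'" >&2
    done
    parsers=$(get_uci_value "hub" "parsers" "crowdsecurity/syslog-logs crowdsecurity/whitelists")
    for item in $parsers; do
        echo "Installing parser: $item"
        cscli parsers install "$item" 2>/dev/null \
            || echo "WARNING: failed to install parser '$item'" >&2
    done
    # Bring previously installed hub items up to date as well.
    cscli hub upgrade 2>/dev/null || echo "WARNING: hub upgrade failed" >&2
}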
# Generate dynamic acquisition configuration
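# Validate a log path taken from UCI before it is interpolated into YAML.
# It must be absolute and must not contain a newline, which would otherwise
# let a single option value smuggle extra keys into the generated document.
#
# Arguments: $1 - path
# Returns:   0 when acceptable, 1 otherwise
_valid_log_path() {
    local nl='
'
    case "$1" in
        *"$nl"*) return 1 ;;
        /*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write (or remove) the per-source acquisition files under ACQUIS_DIR from
# the UCI "acquisition" section.
#
# Globals:
#   ACQUIS_DIR (read) - created if missing
# Reads UCI (acquisition.*):
#   syslog_enabled   (1) -> openwrt-syslog.yaml   from syslog_path + /var/log/syslog
#   firewall_enabled (1) -> openwrt-firewall.yaml from kernel_log_path + /var/log/firewall.log,
#                           and installs crowdsecurity/iptables
#   ssh_enabled      (1) -> no file; only ensures crowdsecurity/linux is installed
#   http_enabled     (0) -> openwrt-http.yaml for nginx / uhttpd access logs,
#                           and installs crowdsecurity/nginx
#   syslog_path      (/var/log/messages), kernel_log_path (/var/log/kern.log)
# A disabled source has its generated file removed so a revert takes effect.
# Returns:
#   0 on success; 1 (nothing written) if a configured path fails validation
generate_acquisition_config() {
    local syslog_enabled firewall_enabled ssh_enabled http_enabled
    local syslog_path kernel_log_path p
    mkdir -p "$ACQUIS_DIR"
    syslog_enabled=$(get_uci_value "acquisition" "syslog_enabled" "1")
    firewall_enabled=$(get_uci_value "acquisition" "firewall_enabled" "1")
    ssh_enabled=$(get_uci_value "acquisition" "ssh_enabled" "1")
    http_enabled=$(get_uci_value "acquisition" "http_enabled" "0")
    syslog_path=$(get_uci_value "acquisition" "syslog_path" "/var/log/messages")
    kernel_log_path=$(get_uci_value "acquisition" "kernel_log_path" "/var/log/kern.log")
    # acquisition.auth_log_path exists in UCI but is not used here: SSH/auth
    # messages are expected to arrive through the syslog file above.
    for p in "$syslog_path" "$kernel_log_path"; do
        if ! _valid_log_path "$p"; then
            echo "ERROR: acquisition path '$p' must be an absolute, single-line path; acquisition config not generated" >&2
            return 1
        fi
    done

    # --- system syslog -----------------------------------------------------
    if [ "$syslog_enabled" = "1" ]; then
        echo "Configuring syslog acquisition..."
        cat > "$ACQUIS_DIR/openwrt-syslog.yaml" << EOF
# OpenWrt System Syslog Acquisition
# Auto-generated by crowdsec.defaults
# Monitors system logs for security events
filenames:
  - ${syslog_path}
  - /var/log/syslog
labels:
  type: syslog
EOF
    else
        rm -f "$ACQUIS_DIR/openwrt-syslog.yaml"
    fi

    # --- firewall (kernel) log ---------------------------------------------
    if [ "$firewall_enabled" = "1" ]; then
        echo "Configuring firewall log acquisition..."
        cat > "$ACQUIS_DIR/openwrt-firewall.yaml" << EOF
# OpenWrt Firewall Logs Acquisition
# Auto-generated by crowdsec.defaults
# Monitors iptables/nftables firewall logs for port scans
filenames:
  - ${kernel_log_path}
  - /var/log/firewall.log
labels:
  type: syslog
EOF
        cscli collections install crowdsecurity/iptables 2>/dev/null \
            || echo "WARNING: failed to install crowdsecurity/iptables" >&2
    else
        rm -f "$ACQUIS_DIR/openwrt-firewall.yaml"
    fi

    # --- SSH / auth ---------------------------------------------------------
    # Dropbear/sshd messages land in syslog on OpenWrt and are covered by the
    # syslog acquisition; only the linux collection (SSH scenarios) is needed.
    if [ "$ssh_enabled" = "1" ]; then
        echo "Configuring SSH/auth log acquisition..."
        cscli collections install crowdsecurity/linux 2>/dev/null \
            || echo "WARNING: failed to install crowdsecurity/linux" >&2
    fi

    # --- HTTP access logs (off by default) ---------------------------------
    if [ "$http_enabled" = "1" ]; then
        echo "Configuring HTTP log acquisition..."
        # nginx access logs are not syslog-formatted; labelling them "syslog"
        # (as before) meant the syslog parser rejected every line and no HTTP
        # scenario could fire. They get their own YAML document with the
        # "nginx" label. NOTE(review): uhttpd keeps the original "syslog"
        # label because no dedicated hub parser for it is known here --
        # confirm the actual format of that file before relying on it.
        cat > "$ACQUIS_DIR/openwrt-http.yaml" << EOF
# OpenWrt HTTP Server Logs Acquisition
# Auto-generated by crowdsec.defaults
filenames:
  - /var/log/nginx/access.log
labels:
  type: nginx
---
filenames:
  - /var/log/uhttpd/access.log
labels:
  type: syslog
EOF
        cscli collections install crowdsecurity/nginx 2>/dev/null \
            || echo "WARNING: failed to install crowdsecurity/nginx" >&2
    else
        rm -f "$ACQUIS_DIR/openwrt-http.yaml"
    fi
}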
# Configure syslog service acquisition (if CrowdSec acts as syslog server)
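# Generate the syslog-receiver acquisition (CrowdSec acting as a syslog
# server) when a non-default listen address or port is configured.
#
# Globals:
#   ACQUIS_DIR (read) - target directory for syslog-service.yaml
# Reads UCI (acquisition.*):
#   syslog_listen_addr (default 127.0.0.1)
#   syslog_listen_port (default 10514)
# With both values at their defaults no receiver is configured and a
# previously generated syslog-service.yaml is removed, so reverting the
# settings actually stops the listener.
# Returns:
#   0 on success or when nothing is to be configured; 1 on an invalid value
configure_syslog_service() {
    local listen_addr listen_port target
    listen_addr=$(get_uci_value "acquisition" "syslog_listen_addr" "127.0.0.1")
    listen_port=$(get_uci_value "acquisition" "syslog_listen_port" "10514")
    target="$ACQUIS_DIR/syslog-service.yaml"
    if [ "$listen_port" = "10514" ] && [ "$listen_addr" = "127.0.0.1" ]; then
        rm -f "$target"
        return 0
    fi
    # Both values are interpolated into YAML: refuse anything that is not a
    # plain port number or that carries whitespace (newlines would inject keys).
    case "$listen_port" in
        ''|*[!0-9]*)
            echo "ERROR: syslog_listen_port '${listen_port}' is not a number; syslog service not configured" >&2
            return 1 ;;
    esac
    if [ "$listen_port" -lt 1 ] || [ "$listen_port" -gt 65535 ]; then
        echo "ERROR: syslog_listen_port '${listen_port}' is out of range; syslog service not configured" >&2
        return 1
    fi
    case "$listen_addr" in
        ''|*[[:space:]]*)
            echo "ERROR: syslog_listen_addr '${listen_addr}' is invalid; syslog service not configured" >&2
            return 1 ;;
    esac
    # The generated listener has no authentication: any host that can reach
    # it can feed CrowdSec forged log lines and, through the scenarios, get
    # addresses of its choosing banned. Binding beyond loopback must be a
    # deliberate choice, with the port firewalled to the trusted log sources.
    case "$listen_addr" in
        127.*|::1|localhost) ;;
        *) echo "WARNING: syslog service will listen on ${listen_addr}:${listen_port} - restrict access to trusted log sources" >&2 ;;
    esac
    echo "Configuring syslog service acquisition..."
    cat > "$target" << EOF
# Syslog Service Acquisition
# Auto-generated by crowdsec.defaults
# CrowdSec acts as a syslog server to receive logs
source: syslog
listen_addr: ${listen_addr}
listen_port: ${listen_port}
labels:
  type: syslog
EOF
}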
# Detect and configure OpenWrt-specific log sources
# Report log-related components found on the router and align the CrowdSec
# syslog path with the system's configured log_file.
#
# Side effects:
#   - prints one line per detected component (syslog-ng, rsyslog, Dropbear,
#     firewall); these checks are informational only and configure nothing
#   - when system.@system[0].log_file is set, writes it to
#     crowdsec.acquisition.syslog_path and commits the crowdsec UCI config
# Returns:
#   0 always
detect_openwrt_logs() {
    local log_file marker
    echo "Detecting OpenWrt log sources..."
    # Presence checks for alternative syslog daemons: report, do not act.
    for marker in \
        "/etc/syslog-ng.conf:syslog-ng detected" \
        "/etc/rsyslog.conf:rsyslog detected"; do
        [ -f "${marker%%:*}" ] && echo "${marker#*:}"
    done
    log_file=$(uci -q get system.@system[0].log_file)
    if [ -n "$log_file" ]; then
        echo "OpenWrt log_file configured: $log_file"
        # Make the acquisition follow the file configured in system.log_file.
        # NOTE(review): "uci set" fails if the "acquisition" section is absent
        # from /etc/config/crowdsec; the packaged defaults are assumed to
        # create it.
        uci set crowdsec.acquisition.syslog_path="$log_file"
        uci commit crowdsec
    fi
    [ -f /etc/init.d/dropbear ] && echo "Dropbear SSH server detected"
    [ -f /etc/init.d/firewall ] && echo "OpenWrt firewall detected"
    return 0
}
# Main execution
# Entry point: run every setup step in a fixed order, then print the
# follow-up commands for the operator.
# Step results are not checked here; a step that fails prints its own
# message and the remaining steps still run.
main() {
    local rule="=========================================="
    local step
    printf '%s\n' "$rule" "CrowdSec Configuration - First Boot Setup" "$rule"
    for step in \
        setup_paths \
        setup_machine_id \
        register_lapi \
        register_capi \
        update_hub \
        install_hub_items \
        detect_openwrt_logs \
        generate_acquisition_config \
        configure_syslog_service; do
        "$step"
    done
    printf '%s\n' "$rule" "CrowdSec configuration complete!" "$rule" ""
    printf '%s\n' "Next steps:" \
        " 1. Enable and start CrowdSec: /etc/init.d/crowdsec enable && /etc/init.d/crowdsec start" \
        " 2. Check acquisition status: cscli metrics show acquisition" \
        " 3. View decisions: cscli decisions list" \
        ""
}
# Run main function
# Run main function
main
# Exit 0 unconditionally, presumably so the uci-defaults machinery treats the
# script as applied and does not re-run it. NOTE(review): this also masks any
# failure inside main -- rely on the printed WARNING/ERROR lines, not on the
# exit status, when checking a first-boot run.
exit 0