"Linux: Crowdsec": difference between revisions

From www.yakakliker.org
No edit summary
No edit summary
 
(3 intermediate revisions by the same user not shown)
Ligne 8 : Ligne 8 :
</syntaxhighlight>
</syntaxhighlight>


 
* https://doc.crowdsec.net/u/getting_started/installation/linux/
https://doc.crowdsec.net/u/getting_started/installation/linux/


=== Configuration avec haproxy ===
=== Configuration avec haproxy ===
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
sudo apt install crowdsec-haproxy-spoa-bouncer
sudo apt install crowdsec-haproxy-spoa-bouncer
</syntaxhighlight>https://doc.crowdsec.net/u/bouncers/haproxy_spoa/?_gl=1*2w3pya*_gcl_aw*R0NMLjE3NjY0MTAwNDUuQ2p3S0NBaUE5YVBLQmhCaEVpd0F5ejgySjZTZ1QwR3ZrdkROdjNtMXF2MXlKWG8yU0tFUXRVTTVxMDBmRC1ENHBNSmtNYmFoTmRwM0h4b0NyandRQXZEX0J3RQ..*_gcl_au*OTU2ODY0NzI4LjE3NjY0MTAwNTE.*_ga*MTI1NjEzNjYwNS4xNzY2NDEwMDQ1*_ga_7GZ46W5WLE*czE3NjY0MTAwNDQkbzEkZzEkdDE3NjY0MTE0NDkkajYwJGwwJGgw
</syntaxhighlight>
 
* https://doc.crowdsec.net/u/bouncers/haproxy_spoa/?_gl=1*2w3pya*_gcl_aw*R0NMLjE3NjY0MTAwNDUuQ2p3S0NBaUE5YVBLQmhCaEVpd0F5ejgySjZTZ1QwR3ZrdkROdjNtMXF2MXlKWG8yU0tFUXRVTTVxMDBmRC1ENHBNSmtNYmFoTmRwM0h4b0NyandRQXZEX0J3RQ..*_gcl_au*OTU2ODY0NzI4LjE3NjY0MTAwNTE.*_ga*MTI1NjEzNjYwNS4xNzY2NDEwMDQ1*_ga_7GZ46W5WLE*czE3NjY0MTAwNDQkbzEkZzEkdDE3NjY0MTE0NDkkajYwJGwwJGgw


* Add a SPOE agent configuration to /etc/haproxy/crowdsec.cfg:
Add a SPOE agent configuration to /etc/haproxy/crowdsec.cfg:<syntaxhighlight lang="cfg">
<syntaxhighlight lang="cfg">
[crowdsec]
[crowdsec]
spoe-agent crowdsec-agent
spoe-agent crowdsec-agent
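Review bot: the documentation link placed after the "sudo apt install crowdsec-haproxy-spoa-bouncer" block keeps its "?_gl=...*_ga*..." analytics query string, which plays no part in addressing the page. Link to https://doc.crowdsec.net/u/bouncers/haproxy_spoa/ and drop everything from the "?" onward.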
Ligne 77 : Ligne 77 :
     setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
     setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
</syntaxhighlight>An example that includes this snippet can also be found in <code>/usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples/haproxy.cfg</code>.
</syntaxhighlight>An example that includes this snippet can also be found in <code>/usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples/haproxy.cfg</code>.
=== Installation avec Opnsense ===
https://docs.crowdsec.net/docs/getting_started/install_crowdsec_opnsense/
https://blog.raspot.in/fr/blog/installation-et-configuration-de-crowdsec-sur-opnsense


=== Liens ===
=== Liens ===
https://www.it-connect.fr/comment-proteger-son-serveur-linux-des-attaques-avec-crowdsec/


https://doc.crowdsec.net/u/bouncers/haproxy_spoa/?_gl=1*2w3pya*_gcl_aw*R0NMLjE3NjY0MTAwNDUuQ2p3S0NBaUE5YVBLQmhCaEVpd0F5ejgySjZTZ1QwR3ZrdkROdjNtMXF2MXlKWG8yU0tFUXRVTTVxMDBmRC1ENHBNSmtNYmFoTmRwM0h4b0NyandRQXZEX0J3RQ..*_gcl_au*OTU2ODY0NzI4LjE3NjY0MTAwNTE.*_ga*MTI1NjEzNjYwNS4xNzY2NDEwMDQ1*_ga_7GZ46W5WLE*czE3NjY0MTAwNDQkbzEkZzEkdDE3NjY0MTE0NDkkajYwJGwwJGgw
* https://www.it-connect.fr/comment-proteger-son-serveur-linux-des-attaques-avec-crowdsec/
 
* https://doc.crowdsec.net/u/bouncers/haproxy_spoa/?_gl=1*2w3pya*_gcl_aw*R0NMLjE3NjY0MTAwNDUuQ2p3S0NBaUE5YVBLQmhCaEVpd0F5ejgySjZTZ1QwR3ZrdkROdjNtMXF2MXlKWG8yU0tFUXRVTTVxMDBmRC1ENHBNSmtNYmFoTmRwM0h4b0NyandRQXZEX0J3RQ..*_gcl_au*OTU2ODY0NzI4LjE3NjY0MTAwNTE.*_ga*MTI1NjEzNjYwNS4xNzY2NDEwMDQ1*_ga_7GZ46W5WLE*czE3NjY0MTAwNDQkbzEkZzEkdDE3NjY0MTE0NDkkajYwJGwwJGgw
 
* https://blog.stephane-robert.info/docs/securiser/reseaux/crowdsec/
 
[[Catégorie:IPS]]
[[Catégorie:IPS]]
[[Catégorie:Securite]]
[[Catégorie:Securite]]
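Review bot: under "=== Installation avec Opnsense ===" the two URLs are added as bare consecutive lines, while this same change turns the entries under "=== Liens ===" into "*" bullets. Give the Opnsense links the same "*" prefix so both link lists on the page are formatted the same way.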
Ligne 102 : Ligne 111 :
</script>
</script>
‎</html>
‎</html>
[[Catégorie:Crowdsec]]

Latest revision as of 22 December 2025 at 15:25

Installation

curl -s https://install.crowdsec.net | sudo sh

sudo apt install crowdsec

sudo apt install crowdsec-firewall-bouncer-iptables

Configuration with haproxy

sudo apt install crowdsec-haproxy-spoa-bouncer

Add a SPOE agent configuration to /etc/haproxy/crowdsec.cfg:

[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http

    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## This message is used to customise the remediation from crowdsec-ip based on the host header
## src-ip is included as fallback in case crowdsec-ip message didn't fire
spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) crowdsec_captcha_cookie=req.cook(crowdsec_captcha_cookie) id=unique-id host=hdr(Host) method=method path=path query=query version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc src-ip=src src-port=src_port
    event on-frontend-http-request

## This message should be the first to trigger in the chain
spoe-message crowdsec-ip
    args id=unique-id src-ip=src src-port=src_port
    event on-client-session

If you installed the haproxy SPOE bouncer from the package, you will find this configuration file in /usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples. This crowdsec SPOE agent configuration is then referenced in the main haproxy configuration file, /etc/haproxy/haproxy.cfg, and may be added at the bottom of that file.

[...]

frontend http-in
    bind *:80
    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)]
    
    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }
    
    ## Call lua script only for ban and captcha remediations (performance optimization)
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
    
    ## Handle captcha cookie management via HAProxy (new approach)
    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }
    
    use_backend <whatever>

backend crowdsec-spoa
    mode tcp
    server s1 127.0.0.1:9000

In the global section of your haproxy.cfg, lua path configuration is also mandatory:

global
    [...]
    lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
    lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html

An example that includes this snippet can also be found in /usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples/haproxy.cfg.
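The two files above refer to each other by name (engine, message names, backend, Lua handler), so a typo in one leaves the bouncer unwired. The check below is an added example, not part of the original page or of the CrowdSec package; the `lint` function and the abridged sample configurations are constructed for illustration.

```python
import re

# Constructed samples, abridged from the configuration shown on this page.
SPOE_CFG = """\
[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    use-backend crowdsec-spoa
spoe-message crowdsec-http
    event on-frontend-http-request
spoe-message crowdsec-ip
    event on-client-session
"""
HAPROXY_CFG = """\
global
    lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
frontend http-in
    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
backend crowdsec-spoa
    server s1 127.0.0.1:9000
"""

def _find(pattern, text):
    """All matches of a line-anchored pattern, ignoring comment lines."""
    text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)
    return re.findall(r"^[ \t]*" + pattern, text, flags=re.M)

def lint(spoe, haproxy, spoe_path="/etc/haproxy/crowdsec.cfg"):
    """Return a list of cross-reference problems between the two files."""
    problems = []
    engines = _find(r"\[([^\]\s]+)\]", spoe)
    listed = {m for line in _find(r"messages[ \t]+(.+)$", spoe) for m in line.split()}
    defined = set(_find(r"spoe-message[ \t]+(\S+)", spoe))
    for name in sorted(listed - defined):
        problems.append(f"message '{name}' listed by the agent but never defined")
    filters = _find(r"filter[ \t]+spoe[ \t]+engine[ \t]+(\S+)[ \t]+config[ \t]+(\S+)", haproxy)
    if not filters:
        problems.append("no 'filter spoe' line in haproxy.cfg")
    for engine, path in filters:
        if engine not in engines:
            problems.append(f"filter engine '{engine}' has no [{engine}] section")
        if path != spoe_path:
            problems.append(f"filter loads '{path}', expected '{spoe_path}'")
    backends = set(_find(r"backend[ \t]+(\S+)", haproxy))
    for target in _find(r"use-backend[ \t]+(\S+)", spoe):
        if target not in backends:
            problems.append(f"agent backend '{target}' missing from haproxy.cfg")
    if _find(r"http-request[ \t]+lua\.crowdsec_handle", haproxy) and \
            not _find(r"lua-load[ \t]+\S*crowdsec\.lua", haproxy):
        problems.append("lua.crowdsec_handle used but crowdsec.lua is not loaded")
    return problems
```

To run it against a live host, read /etc/haproxy/crowdsec.cfg and /etc/haproxy/haproxy.cfg into strings and pass them to `lint`; an empty list means the cross-references line up.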

Installation with Opnsense

https://docs.crowdsec.net/docs/getting_started/install_crowdsec_opnsense/

https://blog.raspot.in/fr/blog/installation-et-configuration-de-crowdsec-sur-opnsense

Links

