« Linux : Crowdsec »: difference between versions

From www.yakakliker.org
=== Installation ===
<syntaxhighlight lang="bash">
curl -s https://install.crowdsec.net | sudo sh
apt install crowdsec
sudo apt install crowdsec-firewall-bouncer-iptables
</syntaxhighlight>
https://doc.crowdsec.net/u/getting_started/installation/linux/
=== Configuration with haproxy ===
<syntaxhighlight lang="bash">
sudo apt install crowdsec-haproxy-spoa-bouncer
</syntaxhighlight>
https://doc.crowdsec.net/u/bouncers/haproxy_spoa/
* Add a SPOE agent configuration to /etc/haproxy/crowdsec.cfg:
<syntaxhighlight lang="cfg">
[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http

    option      var-prefix      crowdsec
    option      set-on-error    error
    timeout     hello           100ms
    timeout     idle            30s
    timeout     processing      500ms
    use-backend crowdsec-spoa
    log         global

## This message is used to customise the remediation from crowdsec-ip based on the host header
## src-ip is included as fallback in case crowdsec-ip message didn't fire
spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) crowdsec_captcha_cookie=req.cook(crowdsec_captcha_cookie) id=unique-id host=hdr(Host) method=method path=path query=query version=req.ver headers=req.hdrs body=req.body url=url ssl=ssl_fc src-ip=src src-port=src_port
    event on-frontend-http-request

## This message should be the first to trigger in the chain
spoe-message crowdsec-ip
    args id=unique-id src-ip=src src-port=src_port
    event on-client-session
</syntaxhighlight>
If you installed the haproxy SPOE bouncer through the package, you will find this configuration file in <code>/usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples</code>.

This crowdsec SPOE agent configuration is then referenced from the main haproxy configuration file <code>/etc/haproxy/haproxy.cfg</code>; the referencing snippet may be added at the bottom of that file.
<syntaxhighlight lang="cfg">
[...]
frontend http-in
    bind *:80
    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
    http-request set-header X-Crowdsec-Remediation %[var(txn.crowdsec.remediation)]

    ## Handle 302 redirect for successful captcha validation (native HAProxy redirect)
    http-request redirect code 302 location %[var(txn.crowdsec.redirect)] if { var(txn.crowdsec.remediation) -m str "allow" } { var(txn.crowdsec.redirect) -m found }

    ## Call lua script only for ban and captcha remediations (performance optimization)
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "captcha" }
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }

    ## Handle captcha cookie management via HAProxy (new approach)
    ## Set captcha cookie when SPOA provides captcha_status (pending or valid)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_status) -m found } { var(txn.crowdsec.captcha_cookie) -m found }
    ## Clear captcha cookie when cookie exists but no captcha_status (Allow decision)
    http-after-response set-header Set-Cookie %[var(txn.crowdsec.captcha_cookie)] if { var(txn.crowdsec.captcha_cookie) -m found } !{ var(txn.crowdsec.captcha_status) -m found }

    use_backend <whatever>

backend crowdsec-spoa
    mode tcp
    server s1 127.0.0.1:9000
</syntaxhighlight>
In the <code>global</code> section of your <code>haproxy.cfg</code>, the lua path configuration is also mandatory:
<syntaxhighlight lang="cfg">
global
    [...]
    lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
    lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
</syntaxhighlight>
An example that includes this snippet can also be found in <code>/usr/share/doc/crowdsec-haproxy-spoa-bouncer/examples/haproxy.cfg</code>.
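The three fragments above (the SPOE agent file, the frontend/backend block and the <code>global</code> lua settings) have to agree with each other: the engine name in <code>filter spoe engine</code> must match the <code>[crowdsec]</code> scope, every message listed in <code>messages</code> needs a <code>spoe-message</code> block, <code>use-backend</code> must name a TCP backend that points at the SPOA, and <code>lua.crowdsec_handle</code> only works if <code>crowdsec.lua</code> and the two template variables are loaded in <code>global</code>. The following script is an added example, not code from this wiki page or from the CrowdSec project: it reads both files with simple line-based rules and reports such wiring mismatches, which <code>haproxy -c</code> alone does not catch. The two embedded configurations are constructed samples reduced from the fragments on the page; the backend named <code>app</code> is a placeholder standing in for <code>use_backend &lt;whatever&gt;</code>.

```python
"""Wiring checks for the HAProxy <-> CrowdSec SPOE configuration shown above.

Added example, not code from the wiki page or from the CrowdSec project.
It reads both files with simple line-based rules (HAProxy's own parser is
more permissive) and reports mismatches that `haproxy -c` does not flag.
"""
import re

# Constructed samples, reduced from the fragments shown on the page.
SPOE_CFG = """\
[crowdsec]
spoe-agent crowdsec-agent
    messages    crowdsec-ip crowdsec-http
    use-backend crowdsec-spoa
spoe-message crowdsec-http
    args remediation=var(txn.crowdsec.remediation) id=unique-id src-ip=src
    event on-frontend-http-request
spoe-message crowdsec-ip
    args id=unique-id src-ip=src src-port=src_port
    event on-client-session
"""

HAPROXY_CFG = """\
global
    lua-prepend-path /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/?.lua
    lua-load /usr/lib/crowdsec-haproxy-spoa-bouncer/lua/crowdsec.lua
    setenv CROWDSEC_BAN_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/ban.html
    setenv CROWDSEC_CAPTCHA_TEMPLATE_PATH /var/lib/crowdsec-haproxy-spoa-bouncer/html/captcha.html
frontend http-in
    bind *:80
    filter spoe engine crowdsec config /etc/haproxy/crowdsec.cfg
    http-request lua.crowdsec_handle if { var(txn.crowdsec.remediation) -m str "ban" }
    use_backend app
backend app
    server app1 127.0.0.1:8080
backend crowdsec-spoa
    mode tcp
    server s1 127.0.0.1:9000
"""


def parse_spoe(text):
    """Return (engines, agents, messages) from a crowdsec.cfg-style SPOE file."""
    engines, agents, messages, current = [], {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("["):                      # [engine] scope
            engines.append(line.strip("[] "))
            current = None
        elif not line[0].isspace():                   # spoe-agent / spoe-message header
            kind, name = line.split()[:2]
            current = (agents.setdefault(name, {"messages": [], "use-backend": None})
                       if kind == "spoe-agent" else
                       messages.setdefault(name, {"event": None}) if kind == "spoe-message" else None)
        elif current is not None:                     # indented directive of the current block
            key, *values = line.split()
            if key in ("messages", "use-backend", "event"):
                current[key] = values if key == "messages" else values[0]
    return engines, agents, messages


def parse_haproxy(text):
    """Return {section header: [directive lines]} for a haproxy.cfg."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = sections.setdefault(line, [])
        elif current is not None:
            current.append(line)
    return sections


def check_wiring(spoe_text, haproxy_text):
    """Return a list of findings; an empty list means the two files agree."""
    engines, agents, messages = parse_spoe(spoe_text)
    sections = parse_haproxy(haproxy_text)
    all_lines = [l for lines in sections.values() for l in lines]
    glob = sections.get("global", [])
    findings = []
    for engine in re.findall(r"filter spoe engine (\S+)", "\n".join(all_lines)):
        if engine not in engines:
            findings.append(f"unknown engine {engine}: no [{engine}] section in crowdsec.cfg")
    for name, agent in agents.items():
        findings += [f"spoe-agent {name}: missing spoe-message {m}"
                     for m in agent["messages"] if m not in messages]
        backend = sections.get(f"backend {agent['use-backend']}")
        if backend is None:
            findings.append(f"spoe-agent {name}: missing backend {agent['use-backend']}")
        elif "mode tcp" not in backend or not any(l.startswith("server ") for l in backend):
            findings.append(f"backend {agent['use-backend']}: needs 'mode tcp' and a server line")
    findings += [f"spoe-message {n}: missing event" for n, m in messages.items() if m["event"] is None]
    if any("lua.crowdsec_handle" in l for l in all_lines):    # the lua handler is referenced
        if not any(l.startswith("lua-load ") and l.endswith("crowdsec.lua") for l in glob):
            findings.append("global: missing lua-load of crowdsec.lua")
        findings += [f"global: missing setenv {v}"
                     for v in ("CROWDSEC_BAN_TEMPLATE_PATH", "CROWDSEC_CAPTCHA_TEMPLATE_PATH")
                     if not any(l.startswith(f"setenv {v} ") for l in glob)]
    return findings


if __name__ == "__main__":
    for finding in check_wiring(SPOE_CFG, HAPROXY_CFG) or ["OK: crowdsec.cfg and haproxy.cfg agree"]:
        print(finding)
```

To run it against a real host, replace the two constants with <code>open("/etc/haproxy/crowdsec.cfg").read()</code> and <code>open("/etc/haproxy/haproxy.cfg").read()</code>; the checks are conservative, so a clean result still needs <code>haproxy -c -f /etc/haproxy/haproxy.cfg</code> for full syntax validation.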
=== Links ===
https://www.it-connect.fr/comment-proteger-son-serveur-linux-des-attaques-avec-crowdsec/
https://doc.crowdsec.net/u/bouncers/haproxy_spoa/
[[Catégorie:IPS]]
[[Catégorie:Securite]]
[[Catégorie:Linux]]

Version of 22 December 2025 at 15:01