DietPi-Software | CrowdSec

[klausagnoletti]

Creating a software request

Formal software information

• Software title | CrowdSec
• Short description | CrowdSec is free and open souce, crowd sourced threat intelligence. In it's essense it's a moderne, more advanced version of Fail2Ban - but so much more.
• Official URL (if available) | https://crowdsec.net/
• GitHub URL (if available) | https://github.com/crowdsecurity/crowdsec
• (Official) install documentation | https://doc.crowdsec.net/docs/getting_started/install_crowdsec (rpi installation is at the bottom)

Are there similar/alternative software titles available with DietPi-Software?

• Fail2Ban

What makes your requested software better than the above solutions, if available?

(Disclaimer: I am head of community at CrowdSec and an avid user myself. I wouldn't work there if I didn't think the software was great. Just as I think DietPi is damn cool btw)

• First of all, CrowdSec is open source and free crowd sourced threat intelligence. This means that all installations of CrowdSec agent by default sends (anonymized) intelligence that it has collected by parsing logs to a collective database. This colletive database of bad ip is shared with all other CrowdSec installs.
• Secondly, while CrowdSec was originally meant as a modern version of Fail2Ban and it makes sense to compare with f2b when trying to explain what CrowdSec is, it actually doesn't do CrowdSec any justice since it's way more advanced (and undergoing a lot of improvements really fast). First of all it's modular. Everyone can contribute datasources to get more data into CrowdSec (right now data from files, cloudtrail, syslogd, journald is supported). Once data is in CrowdSec everything's an object which is assessed via very flexible scenarios. This means that on top of all the usual stuff f2b can do, CrowdSec can be used to fight DDoS on L7 by determining what normal usage of a website is (via scenarios). So whenever CrowdSec determines non-normal usage (via e.g. leaky bucket algoritm) it will block traffic via 'bouncers'. There's bouncers for nginx, wordpress, php in general, cloudflare, pf, iptables, nftables and more. And blocking doesn't nescessarily mean a hard block; On L7 blockings users can be forced through a CAPTCHA by country, ASN or ip. In this way no real users are denied access.
• Thirdly, there's support for notification via various plugins to Splunk, Slack and a general HTTP plugin that can be used to send notifications to Elastic, Teams, Telegram and many others. CrowdSec is written in Go so plugins can also be contributed.
• Fourthly, there's a few posibilites for observability via prometheus and a fancy web console (hosted by CrowdSec but free to use).
• As if that wasn't enough I recently did a talk at ShellCon that goes throught the architecture and talks more about the current and future possibilities: http://www.youtube.com/watch?v=vZgl00UcATw&t=138m26s

How can DietPi make the installation easier or compatible, than following the install instructions or do APT installation, if available?

• There are no precompiled binaries available for the various arm platform. CrowdSec compiles fine, so no problem on that side. Official installation instructions tells you how to compile the software yourself. That sucks.

Can you provide the installation steps that you would suggest DietPi-Software to do?

1. Basically what the installation on Debian does; installs agent, bouncer, auto detects services that can be protected out of the box and enables that.
2. Detects whether f2b is already installed and makes sure there's no conflicts.

Are you willing to help maintaining the software installation, e.g. in case of needed setup changes due to updates etc.? This is not needed, but could speed up our decision to implement it, as man power is always a topic 😉.

I am not a developer, so sadly no. But I would not rule out that we would pay someone to do the initial work and maintaining. For instance via financially supporting DietPi. Shoot me a mail at klaus@crowdsec.net so we can discuss the possibilities.

Vote for this software on FeatHub: https://feathub.com/MichaIng/DietPi/

I really wanted to do this but I wasn't able to login: "We're sorry, but something went wrong.".

[MichaIng]

Many thanks for your suggestion.

So in a way it combines an online database for IPs which try to e.g. brute-force a service (like StopForumSpam for spammers) with a firewall like Fail2Ban, right? Sounds like a reasonable approach, so I can contribute e.g. with logs about bots who try to access common Wordpress or other login/RPC interfaces to a database so that others can block requests from those bots in the first place.

I really wanted to do this but I wasn't able to login: "We're sorry, but something went wrong.".

Basically FeatHub is dead. Their HTTPS certificate expired a while ago. While one can ignore it with browsers, it breaks authentication against GitHub. We're not yet sure how to proceed with requests voting, probably going with "thumbs up" here on the GitHub issues is the easiest solution, so to not rely on any 3rd party provider. Hence, if anyone else wants to have this, please vote for it here by giving the OP a thumbs up.

[klausagnoletti]

Hey and thanks

What you're describing is definately a part of what we're trying to achieve. It's turning into a db of ips performing all sorts of attacks as well as a companion toolbox to mitigate all sorts of attacks.

Would you be interested in CrowdSec 'sponsoring' a port and maintainance of it? Would that be possible to speed up the process?

Another thing to consider could be that we (or actually anyone else) could update our documentation so that installing on DietPi would be in the official documentation being by far the easiest way to get CrowdSec on any of the devices supported by DietPi. I am sure it would generate attention towards DietPi as the general usage of CrowdSec just keep on rises. Hopefully it could affect DietPi as well.

Thanks for the update on Feathub. That's a bummer.

[MichaIng]

Actually it is pretty easy to install since Debian (and Raspbian) ships packages since Bullseye: https://packages.debian.org/bullseye/crowdsec

Those are not up-to-date, so I prefer to go with CrowdSec's own APT repository: https://packagecloud.io/install/repositories/crowdsec/crowdsec/config_file.list?os=debian&dist=bullseye&source=script

Tested and realised that the official repo is x86_64/arm64 only, so on ARMs (matching what you already said) we'd need to go with Debian's older packages or ship own ones. But wow, you even provide a Bookworm suite already 👍.
Same for the pre-compiled binaries (x86_64): https://github.com/crowdsecurity/crowdsec/releases

What I struggled to find is actual build instructions. All links about "build it from source" point to install instructions based on pre-compiled (x86_64) binaries/packages but not to actual source build instructions 😄:

• https://github.com/crowdsecurity/crowdsec#from-source
• https://github.com/crowdsecurity/crowdsec#arrow_down-install-it-

Finally I found it here: https://doc.crowdsec.net/docs/getting_started/install_crowdsec#running-crowdsec-on-raspberry-pi-osraspbian
But also those are not precisely to build CrowdSec "on" Raspberry Pi, but "for" Raspberry Pi, overriding the autodetected architecture and installing the cross-compiler explicitly 😉. I mean yeah, it is written in Go and it has a Makefile, but I'm still always looking into official build instructions, to avoid unnecessary trail&error loops, finding all necessary development headers etc 😉. I'll try to compile it the next days and contribute it to your readme and/or docs, when succeeding 🙂.

Next is then to see whether there are further setup steps, e.g. integration with other software titles, we may want to apply on DietPi. With Fail2Ban we currently only enable it OOTB for OpenSSH resp. Dropbear, but generally enabling it for other installed software titles with web interface and/or API would be quite nice. I'll also have a look what it does OOTB.

---

EDIT: Correction, the official APT repo ships ARMv8/arm64 packages as well:

2021-10-20 19:36:36 root@Building-ARMv8-Bullseye:~# apt show crowdsec
Package: crowdsec
Version: 1.2.0-1
Maintainer: Crowdsec Team <debian@crowdsec.net>
Installed-Size: 74.3 MB
Download-Size: 17.9 MB
APT-Sources: https://packagecloud.io/crowdsec/crowdsec/debian bullseye/main arm64 Packages
Description: Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviours. It also automatically benefits from our global community-wide IP reputation database

[klausagnoletti]

Hi again

The crowdsec package in bullseye is just the agent (which doesn't block anything). Also it's rather old and probably won't work with many bouncers anyway. Bouncers block traffic so without them it's not really much fun. So I wouldn't recommend anyone not using CrowdSec's own builds :)

Thanks for your building comments. If you run in to issues let me know and I can set you up with a developer who can help you out.

Thanks for looking into it. Highly appreciated :-)

[MichaIng]

The crowdsec package in bullseye is just the agent (which doesn't block anything)

Ah okay, good to know. Probably we can provide an armv6hf package which matches the one provided at packagecloud.io and is then compatible with ARMv6 and ARMv7 systems.

[klausagnoletti]

Sounds great! Let me know if there's anything I can do to help.

[klausagnoletti]

I don't want to sound like an impatient ass here but do you have any idea about the time horizon for this? Also, can we contribute part of a developer for this? Would that make sense?

[MichaIng]

Let me move this to discussions, which we use now as new voting system, since FeatHub is broken.