initial commit

2024-04-30 10:41:32 +02:00 · 2024-04-30 10:41:32 +02:00 · 6cd95904f4
commit 6cd95904f4
parent 304d5ec159
6 changed files with 179 additions and 0 deletions
--- a/apps/crowdsec/config.json
+++ b/apps/crowdsec/config.json
@ -0,0 +1,29 @@
+{
+  "$schema": "../schema.json",
+  "name": "Crowdsec",
+  "port": 8679,
+  "available": true,
+  "exposable": true,
+  "id": "crowdsec",
+  "tipi_version": 1,
+  "version": "latest",
+  "categories": [
+    "security",
+    "utilities"
+  ],
+  "description": "CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.",
+  "short_desc": "CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.",
+  "author": "crowdsecurity",
+  "source": "https://github.com/crowdsecurity/crowdsec",
+  "form_fields": [
+    {
+      "type": "password",
+      "label": "Bouncer API Key (Important: For initial start, use a random string and change it later as specified in the description!",
+      "required": true,
+      "env_variable": "CROWDSEC_BOUNCER_API_KEY"
+    }
+  ],
+  "supported_architectures": [
+    "amd64"
+  ]
+}
--- a/apps/crowdsec/data/crowdsec-dashboard/data/metabase.db
+++ b/apps/crowdsec/data/crowdsec-dashboard/data/metabase.db
--- a/apps/crowdsec/data/crowdsec/acquis.yaml
+++ b/apps/crowdsec/data/crowdsec/acquis.yaml
@ -0,0 +1,11 @@
+filenames:
+ - /var/log/auth.log
+ - /var/log/syslog
+labels:
+  type: syslog
+---
+filenames:
+  - /var/log/traefik/*.log
+labels:
+  type: traefik
+---
--- a/apps/crowdsec/docker-compose.yml
+++ b/apps/crowdsec/docker-compose.yml
@ -0,0 +1,83 @@
+version: "3.8"
+
+services:
+  crowdsec:
+    container_name: crowdsec
+    image: crowdsecurity/crowdsec:latest
+    restart: unless-stopped
+    depends_on:
+      - runtipi-reverse-proxy
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${APP_DATA_DIR}/data/crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - ${APP_DATA_DIR}/data/crowdsec/db:/var/lib/crowdsec/data
+      - /var/log/auth.log:/var/log/auth.log:ro
+      - /var/log/syslog.log:/var/log/syslog.log:ro
+      - /var/log/traefik:/var/log/traefik:ro
+      # other containers will output their log files too
+      # sudo mkdir /var/log/crowdsec
+      - /var/log/crowdsec:/var/log/crowdsec:ro
+    environment:
+      - COLLECTIONS="crowdsecurity/linux crowdsecurity/traefik crowdsecurity/http-cve crowdsecurity/whitelist-good-actors crowdsecurity/sshd"
+    networks:
+      - tipi_main_network
+
+  crowdsec-bouncer-traefik:
+    container_name: crowdsec-bouncer-traefik
+    image: fbonalair/traefik-crowdsec-bouncer:latest
+    restart: unless-stopped
+    depends_on:
+      - crowdsec
+    environment:
+      # the CROWDSEC_BOUNCER_API_KEY needs to be created of the crowdsec container with:
+      # `docker compose exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik`
+      - CROWDSEC_BOUNCER_API_KEY=${CROWDSEC_BOUNCER_API_KEY}
+      - CROWDSEC_AGENT_HOST=crowdsec:8080
+    networks:
+      - tipi_main_network
+
+  crowdsec-dashboard:
+    container_name: crowdsec-dashboard
+    #we're using a custom Dockerfile so that metabase pops with pre-configured dashboards
+    #build: ./crowdsec_config/dashboard
+    image: metabase/metabase
+    restart: unless-stopped
+    ports:
+      - ${APP_PORT}:3000
+    environment:
+      - MB_DB_FILE=/data/metabase.db
+      - MGID=${GID-1000}
+    depends_on:
+      - crowdsec
+    volumes:
+      - ${APP_DATA_DIR}/data/crowdsec-dashboard/data:/data
+      - ${APP_DATA_DIR}/data/crowdsec/db:/metabase-data
+    labels:
+      # Main
+      traefik.enable: true
+      traefik.http.middlewares.crowdsec-web-redirect.redirectscheme.scheme: https
+      traefik.http.services.crowdsec.loadbalancer.server.port: 3000
+      # Web
+      traefik.http.routers.crowdsec-insecure.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.crowdsec-insecure.entrypoints: web
+      traefik.http.routers.crowdsec-insecure.service: crowdsec
+      traefik.http.routers.crowdsec-insecure.middlewares: crowdsec-web-redirect
+      # Websecure
+      traefik.http.routers.crowdsec.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.crowdsec.entrypoints: websecure
+      traefik.http.routers.crowdsec.service: crowdsec
+      traefik.http.routers.crowdsec.tls.certresolver: myresolver
+      # Local domain
+      traefik.http.routers.crowdsec-local-insecure.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
+      traefik.http.routers.crowdsec-local-insecure.entrypoints: web
+      traefik.http.routers.crowdsec-local-insecure.service: crowdsec
+      traefik.http.routers.crowdsec-local-insecure.middlewares: crowdsec-web-redirect
+      # Local domain secure
+      traefik.http.routers.crowdsec-local.rule: Host(`crowdsec.${LOCAL_DOMAIN}`)
+      traefik.http.routers.crowdsec-local.entrypoints: websecure
+      traefik.http.routers.crowdsec-local.service: crowdsec
+      traefik.http.routers.crowdsec-local.tls: true
+
+networks:
+  backend_network:
--- a/apps/crowdsec/metadata/description.md
+++ b/apps/crowdsec/metadata/description.md
@ -0,0 +1,56 @@
+# Crowdsec
+
+CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI
+
+CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on fail2ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), it uses Grok patterns to parse logs and YAML scenarios to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM-based infrastructures (by decoupling detection and remediation). Once detected you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IP can be sent to CrowdSec for curation before being shared among all users to further improve everyone's security. See FAQ or read below for more.
+
+## App Links
+
+<https://www.crowdsec.net/>
+
+<https://github.com/crowdsecurity/crowdsec>
+
+<https://hub.docker.com/r/crowdsecurity/crowdsec>
+
+## Bouncer API Key
+
+The app stack contains the crowdsec service and a bouncer. The bouncer needs an API Key to connect to the service.
+Since the API Key needs to be generated after the initial start, you must provide a temporary dummy Bouncer API Key for the stack to run.
+
+After you started the app, head to a console and use `docker compose exec -t crowdsec cscli bouncers add crowdsec-bouncer-traefik` to get the Bouncer API Key. Use this Key in the settings of the app instead of dummy Bouncer API Key and restart the app.
+
+## Traefik Integration
+
+add the following files and / or settings:
+
+- tipi-compose.yml
+
+  ```yml
+  services:
+    runtipi-reverse-proxy:
+      volumes:
+        - /var/log/traefik/:/var/log/
+  ```
+
+- traefik.yml
+
+  ```yml
+  entryPoints:
+    websecure:
+      http:
+        middlewares:
+          - crowdsec-bouncer@file
+  ```
+
+- dynamic.yml
+
+  ```yml
+  http:
+    middlewares:
+      crowdsec-bouncer:
+        forwardauth:
+          address: http://crowdsec-bouncer-traefik:8080/api/v1/forwardAuth
+          trustForwardHeader: true
+  ```
+
+restart runtipi to apply the settings.
--- a/apps/crowdsec/metadata/logo.jpg
+++ b/apps/crowdsec/metadata/logo.jpg