OPNsense
The OPNsense plugin
OPNsense, the widely known firewall and routing software, is based on FreeBSD. The standard packages that we provide for FreeBSD (agent+lapi and bouncer) can also run on OPNsense, but need more integration with the rest of the system (for example, to feed the firewall tables).
By installing the CrowdSec
plugin, available through the OPNsense repositories, you can:
- use the OPNsense server as LAPI for other agents and bouncers
- deploy an agent on OPNsense and scan its logs for attacks
- block attackers from your whole network with a single firewall bouncer
- list the hub plugins (parsers, scenarios..) and decisions on the OPNsense admin interface
Plugin installation
With OPNsense 22.1, if you are using a RAM filesystem for /var
(you can verify System > Settings > Miscellaneous > Disk/Memory Settings
) you need to disable it before proceeding, because the Security Engine
keeps a small persistent database in /var/db
. When the /var
directory is in RAM, the database is re-created from scratch at each reboot. The ram disk was changed to /var/log
for 22.7, which does not interfere with the database.
With OPNsense 22.1:
# pkg install os-crowdsec-devel
With OPNsense >= 22.7:
Download CrowdSec from the System > Firmware > Plugins
menu. It will deploy three packages:
os-crowdsec
, the plugin itselfcrowdsec
crowdsec-firewall-bouncer
On the Settings tab, select the first three checkboxes: IDS, LAPI and IPS. Click Apply.
Do not enable/start the agent and bouncer services with sysrc
or /etc/rc.conf
like you would on a standard freebsd system, because the plugin takes care of that (in a different way).
The parsers, scenarios and all objects from the CrowdSec Hub are periodically upgraded. The crowdsecurity/freebsd and crowdsecurity/opnsense collections are installed by default.
Testing the plugin
A quick way to test that everything is working correctly is to execute the following command. Your ssh session should freeze and you should be kicked out from the firewall. You will not be able to connect to it (from the same IP address) for two minutes. It might be a good idea to have a secondary IP from which you can connect, should anything go wrong.
[root@OPNsense ~]# cscli decisions add -t ban -d 2m -i <your_ip_address> # replace with your connecting IP address
This is a more secure way to test than attempting to brute-force yourself: the default ban period is 4 hours, and crowdsec reads the logs from the beginning, so it could ban you even if you failed ssh login 10 times in 30 seconds two hours before installing it.
You can find a list of all available flags with cscli decisions add --help
.
How do I find my connecting IP address to test?
We have provided some examples below to help you find your connecting IP address. Depending on your shell / environment, you may need to use a different command.
[root@OPNsense ~]# echo $SSH_CLIENT | awk '{print $1}'
[root@OPNsense ~]# w -h | awk '{print $3}' | sort -u
Remote LAPI setup (optional)
You may have a need to put the LAPI service on a different machine, possibly because you already have it, or opnsense is running on a slow machine or... well - your servers, your right to choose. But you'll have to manually tweak the configuration (thanks Jarno Rankinen).
Be aware: the list of machines and bouncers shown in the Overview tab will be incorrect. In the current version, the crowdsec instance on OPNsense has no way (and no permission) to retrieve the list of machines and bouncers from the LAPI if it resides on another server, so it displays the local (and outdated) information.
The following steps assume you already have set up a central LAPI server that is reachable by the OPNsense instance. You will also need SSH access with root permissions to both OPNsense and LAPI server.
-
On the LAPI server, edit
config.yaml
(/usr/local/etc/crowdsec/
on FreeBSD,/etc/crowdsec/
on Linux).If
api.server.listen_uri
is localhost, you need to change it to something reachable by OPNsense, for example192.168.122.214:8080
. Updatelocal_api_credentials.yaml
too, but with the http:// this time:http://192.168.122.214:8080
. Restart CrowdSec. -
In the Settings tab, unselect
Enable LAPI
and selectManual LAPI configuration
. Ignore the other two LAPI options (they are the url and port to use when listening, not where to connect). Click Apply. -
Register the opnsense machine to the LAPI server:
[root@OPNsense ~]# cscli lapi register -u http://192.168.122.214:8080
On the LAPI server, run
[root@lapi-server ~]# cscli machines list
---------------------------------------------------------------------------------------------------...
NAME IP ADDRESS LAST UPDATE STATUS ...
---------------------------------------------------------------------------------------------------...
be689d27c623aa393d1c8604eda5d1b47a62526b2e2e0201 192.168.122.214 2022-07-05T14:15:36Z ✔️ v1.3.4...
97f403614b44aa27d60c1ff8adb93d6fae8f9d9697e1a98c 192.168.122.246 2022-07-05T14:21:43Z 🚫 ...
---------------------------------------------------------------------------------------------------...
[root@lapi-server ~]# cscli machines validate 97f403614b44aa27d60c1ff8adb93d6fae8f9d9697e1a98c
INFO[05-07-2022 04:34:54 PM] machine 'edb8a102b4d54bdba9d5c70e5b4e766dqJvFTxnYsk8gyMsG' validated successfully -
Add the bouncer:
[root@lapi-server ~]# cscli bouncers add opnsense
Api key for 'opnsense':
a8605055a065fd06b86ecac84e9e9ae4
Please keep this key since you will not be able to retrieve it!You can use any other name instead of opnsense.
-
On the OPNsense machine, edit
/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
. Fill theapi_key
andapi_url
fields. Then restart both services, either withservice oscrowdsec restart
or by clickingApply
again in the Settings tab.
For more information on the topic:
-
How to set up a CrowdSec multi-server installation (tutorial on crowdsec.net or Linux Journal)
-
Improve The CrowdSec Multi-Server Installation With HTTPS Between Agents (Linux Journal)