Installing crowdsec on a Raspberry Pi

raspberrypi crowdsec

How to install crowdsec on your Raspberry Pi

Installing the crowdsec repository. The script will refresh the package lists (apt update)

❯ curl -s https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh | sudo bash

Detected operating system as debian/bookworm.
Checking for curl...
Detected curl...
Checking for gpg...
Detected gpg...
Detected apt version as 2.6.1
Running apt-get update... done.
Installing debian-archive-keyring which is needed for installing 
apt-transport-https on many Debian systems.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/crowdsec_crowdsec.list...done.
Importing packagecloud gpg key... Packagecloud gpg key imported to /etc/apt/keyrings/crowdsec_crowdsec-archive-keyring.gpg
done.
Running apt-get update... done.

The repository is setup! You can now install packages.

Installing the crowdsec agent

❯ sudo apt install crowdsec

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libboost-program-options1.74.0 libcamera-apps-lite libcamera0 libexif12 libgstreamer-plugins-base1.0-0 libgstreamer1.0-0 liborc-0.4-0 libprotobuf32 libtiff5 libunwind8 libwebp6
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  crowdsec
0 upgraded, 1 newly installed, 0 to remove and 36 not upgraded.
Need to get 40.3 MB of archives.
After this operation, 173 MB of additional disk space will be used.
Get:1 https://packagecloud.io/crowdsec/crowdsec/debian bookworm/main arm64 crowdsec arm64 1.6.2 [40.3 MB]
Fetched 40.3 MB in 3s (12.9 MB/s)    
Preconfiguring packages ...
Selecting previously unselected package crowdsec.
(Reading database ... 77118 files and directories currently installed.)
Preparing to unpack .../crowdsec_1.6.2_arm64.deb ...
You can always run the configuration again interactively by using '/usr/share/crowdsec/wizard.sh -c'
Unpacking crowdsec (1.6.2) ...
Setting up crowdsec (1.6.2) ...
Creating /etc/crowdsec/acquis.yaml
INFO[2024-06-01 09:07:01] crowdsec_wizard: using journald for 'nginx'
INFO[2024-06-01 09:07:02] crowdsec_wizard: service 'ssh': /var/log/auth.log
INFO[2024-06-01 09:07:02] crowdsec_wizard: service 'linux': /var/log/syslog
Machine '4c9bb5c43ec446038a3a879f0234e480J1EWbkWqzbLdfWJx' successfully added to the local API.
API credentials written to '/etc/crowdsec/local_api_credentials.yaml'.
Updating hub
INFO Wrote index to /etc/crowdsec/hub/.index.json 
INFO[2024-06-01 09:07:06] crowdsec_wizard: Installing collection 'crowdsecurity/linux'
updated /var/lib/crowdsec/data/GeoLite2-City.mmdb
updated /var/lib/crowdsec/data/GeoLite2-ASN.mmdb
installed crowdsecurity/linux
INFO[2024-06-01 09:07:10] crowdsec_wizard: Installing collection 'crowdsecurity/nginx'
updated /var/lib/crowdsec/data/bad_user_agents.regex.txt
updated /var/lib/crowdsec/data/http_path_traversal.txt
updated /var/lib/crowdsec/data/sensitive_data.txt
updated /var/lib/crowdsec/data/sqli_probe_patterns.txt
updated /var/lib/crowdsec/data/xss_probe_patterns.txt
updated /var/lib/crowdsec/data/backdoors.txt
updated /var/lib/crowdsec/data/admin_interfaces.txt
updated /var/lib/crowdsec/data/trendy_cves.txt
updated /var/lib/crowdsec/data/thinkphp_cve_2018-20062.txt
updated /var/lib/crowdsec/data/log4j2_cve_2021_44228.txt
updated /var/lib/crowdsec/data/jira_cve_2021-26086.txt
installed crowdsecurity/nginx
installed crowdsecurity/whitelists
Created symlink /etc/systemd/system/multi-user.target.wants/crowdsec.service → /lib/systemd/system/crowdsec.service.
Get started with CrowdSec:
 * Detailed guides are available in our documentation: https://docs.crowdsec.net
 * Configuration items created by the community can be found at the Hub: https://hub.crowdsec.net
 * Gain insights into your use of CrowdSec with the help of the console https://app.crowdsec.net
You can always run the configuration again interactively by using '/usr/share/crowdsec/wizard.sh -c'

Installing the iptables bouncer

❯ sudo apt install crowdsec-firewall-bouncer-iptables

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libboost-program-options1.74.0 libcamera-apps-lite libcamera0 libexif12 libgstreamer-plugins-base1.0-0 libgstreamer1.0-0 liborc-0.4-0 libprotobuf32 libtiff5 libunwind8 libwebp6
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  ipset libipset13
The following NEW packages will be installed:
  crowdsec-firewall-bouncer-iptables ipset libipset13
0 upgraded, 3 newly installed, 0 to remove and 36 not upgraded.
Need to get 3,251 kB of archives.
After this operation, 12.5 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://deb.debian.org/debian bookworm/main arm64 libipset13 arm64 7.17-1 [65.8 kB]
Get:2 http://deb.debian.org/debian bookworm/main arm64 ipset arm64 7.17-1 [45.7 kB]                          
Get:3 https://packagecloud.io/crowdsec/crowdsec/debian bookworm/main arm64 crowdsec-firewall-bouncer-iptables arm64 0.0.28 [3,139 kB]
Fetched 3,251 kB in 1s (2,836 kB/s)                       
Selecting previously unselected package libipset13:arm64.
(Reading database ... 77176 files and directories currently installed.)
Preparing to unpack .../libipset13_7.17-1_arm64.deb ...
Unpacking libipset13:arm64 (7.17-1) ...
Selecting previously unselected package ipset.
Preparing to unpack .../ipset_7.17-1_arm64.deb ...
Unpacking ipset (7.17-1) ...
Selecting previously unselected package crowdsec-firewall-bouncer-iptables.
Preparing to unpack .../crowdsec-firewall-bouncer-iptables_0.0.28_arm64.deb ...
Unpacking crowdsec-firewall-bouncer-iptables (0.0.28) ...
Setting up libipset13:arm64 (7.17-1) ...
Setting up ipset (7.17-1) ...
Setting up crowdsec-firewall-bouncer-iptables (0.0.28) ...
cscli/crowdsec is present, generating API key
API Key successfully created
Created symlink /etc/systemd/system/multi-user.target.wants/crowdsec-firewall-bouncer.service → /etc/systemd/system/crowdsec-firewall-bouncer.service.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+rpt2+deb12u4) ...

We can now list the bouncers

❯ sudo cscli bouncers list

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name                            IP Address  Valid  Last API pull         Type                       Version                                                             Auth Type
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cs-firewall-bouncer-1717226177  127.0.0.1   ✔      2024-06-01T07:18:02Z  crowdsec-firewall-bouncer  v0.0.28-debian-pragmatic-af6e7e25822c2b1a02168b99ebbf8458bc6728e5  api-key
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Enrolling your CrowdSec Security Engine is as easy as:

❯ sudo cscli console enroll clwvsezkr0003jp082ncrlswu

You will then need to accept the connection in the console.

Installing shell completion

❯ cscli completion bash | sudo tee /etc/bash_completion.d/cscli

Installing an additional scenario for the iptables bouncer, then reloading crowdsec so it is picked up

❯ sudo cscli scenarios list
❯ sudo cscli scenarios install crowdsecurity/iptables-scan-multi_ports
❯ sudo systemctl reload crowdsec

❯ sudo cscli scenarios list

SCENARIOS
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name 📦 Status Version Local Path
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/apache_log4j2_cve-2021-44228 ✔ enabled 0.6 /etc/crowdsec/scenarios/apache_log4j2_cve-2021-44228.yaml
crowdsecurity/CVE-2017-9841 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2017-9841.yaml
crowdsecurity/CVE-2019-18935 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2019-18935.yaml
crowdsecurity/CVE-2022-26134 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-26134.yaml
crowdsecurity/CVE-2022-35914 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-35914.yaml
crowdsecurity/CVE-2022-37042 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-37042.yaml
crowdsecurity/CVE-2022-40684 ✔ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-40684.yaml
crowdsecurity/CVE-2022-41082 ✔ enabled 0.4 /etc/crowdsec/scenarios/CVE-2022-41082.yaml
crowdsecurity/CVE-2022-41697 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-41697.yaml
crowdsecurity/CVE-2022-42889 ✔ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-42889.yaml
crowdsecurity/CVE-2022-44877 ✔ enabled 0.3 /etc/crowdsec/scenarios/CVE-2022-44877.yaml
crowdsecurity/CVE-2022-46169 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2022-46169.yaml
crowdsecurity/CVE-2023-22515 ✔ enabled 0.1 /etc/crowdsec/scenarios/CVE-2023-22515.yaml
crowdsecurity/CVE-2023-22518 ✔ enabled 0.2 /etc/crowdsec/scenarios/CVE-2023-22518.yaml
crowdsecurity/CVE-2023-49103 ✔ enabled 0.3 /etc/crowdsec/scenarios/CVE-2023-49103.yaml
crowdsecurity/f5-big-ip-cve-2020-5902 ✔ enabled 0.2 /etc/crowdsec/scenarios/f5-big-ip-cve-2020-5902.yaml
crowdsecurity/fortinet-cve-2018-13379 ✔ enabled 0.3 /etc/crowdsec/scenarios/fortinet-cve-2018-13379.yaml
crowdsecurity/grafana-cve-2021-43798 ✔ enabled 0.2 /etc/crowdsec/scenarios/grafana-cve-2021-43798.yaml
crowdsecurity/http-admin-interface-probing ✔ enabled 0.4 /etc/crowdsec/scenarios/http-admin-interface-probing.yaml
crowdsecurity/http-backdoors-attempts ✔ enabled 0.6 /etc/crowdsec/scenarios/http-backdoors-attempts.yaml
crowdsecurity/http-bad-user-agent ✔ enabled 1.2 /etc/crowdsec/scenarios/http-bad-user-agent.yaml
crowdsecurity/http-crawl-non_statics ✔ enabled 0.7 /etc/crowdsec/scenarios/http-crawl-non_statics.yaml
crowdsecurity/http-cve-2021-41773 ✔ enabled 0.2 /etc/crowdsec/scenarios/http-cve-2021-41773.yaml
crowdsecurity/http-cve-2021-42013 ✔ enabled 0.2 /etc/crowdsec/scenarios/http-cve-2021-42013.yaml
crowdsecurity/http-cve-probing ✔ enabled 0.2 /etc/crowdsec/scenarios/http-cve-probing.yaml
crowdsecurity/http-generic-bf ✔ enabled 0.6 /etc/crowdsec/scenarios/http-generic-bf.yaml
crowdsecurity/http-open-proxy ✔ enabled 0.5 /etc/crowdsec/scenarios/http-open-proxy.yaml
crowdsecurity/http-path-traversal-probing ✔ enabled 0.4 /etc/crowdsec/scenarios/http-path-traversal-probing.yaml
crowdsecurity/http-probing ✔ enabled 0.4 /etc/crowdsec/scenarios/http-probing.yaml
crowdsecurity/http-sensitive-files ✔ enabled 0.4 /etc/crowdsec/scenarios/http-sensitive-files.yaml
crowdsecurity/http-sqli-probing ✔ enabled 0.4 /etc/crowdsec/scenarios/http-sqli-probing.yaml
crowdsecurity/http-wordpress-scan ✔ enabled 0.2 /etc/crowdsec/scenarios/http-wordpress-scan.yaml
crowdsecurity/http-xss-probing ✔ enabled 0.4 /etc/crowdsec/scenarios/http-xss-probing.yaml
crowdsecurity/iptables-scan-multi_ports ✔ enabled 0.2 /etc/crowdsec/scenarios/iptables-scan-multi_ports.yaml
crowdsecurity/jira_cve-2021-26086 ✔ enabled 0.3 /etc/crowdsec/scenarios/jira_cve-2021-26086.yaml
crowdsecurity/netgear_rce ✔ enabled 0.3 /etc/crowdsec/scenarios/netgear_rce.yaml
crowdsecurity/nginx-req-limit-exceeded ✔ enabled 0.3 /etc/crowdsec/scenarios/nginx-req-limit-exceeded.yaml
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 ✔ enabled 0.3 /etc/crowdsec/scenarios/pulse-secure-sslvpn-cve-2019-11510.yaml
crowdsecurity/spring4shell_cve-2022-22965 ✔ enabled 0.3 /etc/crowdsec/scenarios/spring4shell_cve-2022-22965.yaml
crowdsecurity/ssh-bf ✔ enabled 0.3 /etc/crowdsec/scenarios/ssh-bf.yaml
crowdsecurity/ssh-slow-bf ✔ enabled 0.4 /etc/crowdsec/scenarios/ssh-slow-bf.yaml
crowdsecurity/thinkphp-cve-2018-20062 ✔ enabled 0.6 /etc/crowdsec/scenarios/thinkphp-cve-2018-20062.yaml
crowdsecurity/vmware-cve-2022-22954 ✔ enabled 0.3 /etc/crowdsec/scenarios/vmware-cve-2022-22954.yaml
crowdsecurity/vmware-vcenter-vmsa-2021-0027 ✔ enabled 0.2 /etc/crowdsec/scenarios/vmware-vcenter-vmsa-2021-0027.yaml
ltsich/http-w00tw00t ✔ enabled 0.2 /etc/crowdsec/scenarios/http-w00tw00t.yaml
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
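To make concrete what the scenario installed above actually looks for, here is an added example (my own code, not from the original post or from the CrowdSec project): a small Python re-implementation of the idea behind crowdsecurity/iptables-scan-multi_ports, run over constructed netfilter LOG lines of the kind that land in /var/log/syslog or kern.log. It keeps one bucket per source address, counts distinct destination ports inside a sliding window, and raises an alert when the count reaches a threshold. The 30 s window, the 5-port threshold, the sliding-window simplification of CrowdSec's leaky bucket, and the abridged log line format are all assumptions of this example, not the hub scenario's real configuration. The defender's caveat it illustrates: the scenario can only see what netfilter writes to the kernel log, so packets must hit an iptables LOG rule and that log file must be listed in acquis.yaml, otherwise the scenario stays enabled but silent.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative thresholds: ASSUMPTIONS for this example, not the values configured
# in the hub scenario crowdsecurity/iptables-scan-multi_ports.
WINDOW = timedelta(seconds=30)
DISTINCT_PORTS = 5

# The fields we need from a netfilter LOG line as written to syslog/kern.log:
# syslog timestamp, source address and destination port.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*\bSRC=(?P<src>[\d.]+)\b"
    r".*\bDPT=(?P<dpt>\d+)\b"
)


def kernel_log_line(ts, src, spt, dpt):
    """Build a CONSTRUCTED netfilter LOG line (abridged; real lines carry more fields)."""
    return (f"{ts} raspberrypi kernel: [ 812.101234] IN=eth0 OUT= "
            f"MAC=dc:a6:32:00:00:01:00:11:22:33:44:55:08:00 SRC={src} DST=192.0.2.10 "
            f"PROTO=TCP SPT={spt} DPT={dpt} SYN")


# Constructed sample: one fast scanner (203.0.113.7), one host reconnecting to SSH
# (198.51.100.4), one slow source touching five ports 40 s apart (192.0.2.99),
# plus an sshd line that is not a netfilter LOG hit and must be ignored.
SAMPLE_LOG_LINES = [
    kernel_log_line("Jun  1 09:10:01", "203.0.113.7", 40001, 21),
    kernel_log_line("Jun  1 09:10:02", "203.0.113.7", 40002, 22),
    kernel_log_line("Jun  1 09:10:02", "198.51.100.4", 51000, 22),
    kernel_log_line("Jun  1 09:10:03", "203.0.113.7", 40003, 23),
    "Jun  1 09:10:04 raspberrypi sshd[1234]: Accepted publickey for pi from 198.51.100.4 port 51000 ssh2",
    kernel_log_line("Jun  1 09:10:05", "203.0.113.7", 40004, 80),
    kernel_log_line("Jun  1 09:10:06", "198.51.100.4", 51001, 22),
    kernel_log_line("Jun  1 09:10:07", "203.0.113.7", 40005, 443),
    kernel_log_line("Jun  1 09:10:08", "198.51.100.4", 51002, 22),
    kernel_log_line("Jun  1 09:10:10", "192.0.2.99", 33001, 22),
    kernel_log_line("Jun  1 09:10:50", "192.0.2.99", 33002, 23),
    kernel_log_line("Jun  1 09:11:30", "192.0.2.99", 33003, 25),
    kernel_log_line("Jun  1 09:12:10", "192.0.2.99", 33004, 80),
    kernel_log_line("Jun  1 09:12:50", "192.0.2.99", 33005, 443),
]


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Syslog timestamps carry no year; that is fine for relative comparisons here.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("dpt"))


def detect_port_scans(lines, window=WINDOW, distinct_ports=DISTINCT_PORTS):
    """
    Sliding-window stand-in for the scenario's leaky bucket: one bucket per source
    IP, counting DISTINCT destination ports. The first time a source reaches
    `distinct_ports` different ports inside `window`, it is reported.
    Returns {src_ip: sorted ports seen in the triggering window}.
    """
    buckets = defaultdict(deque)  # src -> deque of (timestamp, port), oldest first
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a LOG line (e.g. sshd), the scenario never sees it
        ts, src, port = parsed
        q = buckets[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:  # "leak": forget events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= distinct_ports and src not in alerts:
            alerts[src] = sorted(ports)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG_LINES).items():
        print(f"port scan from {src}: {len(ports)} distinct ports {ports}")
```

Run as a script it reports only 203.0.113.7: the host repeatedly hitting port 22 never accumulates distinct ports, and the slow source is forgotten by the window before it reaches the threshold, which is exactly the trade-off a leaky-bucket scenario makes between false positives and slow scans.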

❯ sudo cscli collections list

COLLECTIONS
─────────────────────────────────────────────────────────────────────────────────────────────────────────────
 Name 📦 Status Version Local Path
─────────────────────────────────────────────────────────────────────────────────────────────────────────────
crowdsecurity/base-http-scenarios ✔ enabled 1.0 /etc/crowdsec/collections/base-http-scenarios.yaml
crowdsecurity/http-cve ✔ enabled 2.6 /etc/crowdsec/collections/http-cve.yaml
crowdsecurity/linux ✔ enabled 0.2 /etc/crowdsec/collections/linux.yaml
crowdsecurity/nginx ✔ enabled 0.2 /etc/crowdsec/collections/nginx.yaml
crowdsecurity/sshd ✔ enabled 0.3 /etc/crowdsec/collections/sshd.yaml
─────────────────────────────────────────────────────────────────────────────────────────────────────────────