I plan to set up CrowedSec for my home network. At the moment, I use fail2ban and I expect CrowdSec to be a step forward for more security and monitoring.
My setup consists of:
- OpenWrt router
- one pi with an nginx as reverse proxy for a few services hosted on another machine
- the services hosted in Podman pods, one of them is Nextcloud.
As I don’t like to add additional non Debian repositories to my machines, I plan to do:
- Set up CrowdSec local api and metabase with containers in a pod on my host
- Use the firewall-bouncer on the OpenWrt router (with local api=false, connecting to lapi pod)
- Add CrowdSec containers to the existing pods with parsers for the services running and pushing decisions to the
local api pod.
Is this a way to go?
Hey and thanks for your post
I don’t know anything about podman so there is a risk of me saying something wrong but apart from that it looks great. The biggest risk I can see is getting logs to your CrowdSec container. As I see it there’s no need to run more than one CrowdSec container. It would then both read logs, take decisions and feed the bouncer with blockings.
I don’t know how you plan to run metabase but I assume it’s in a dedicated container. If so you can probably use this article to set it up (I realize that it talk s about Metabase not running in a container but as I see it the point of the article is to discuss how to run metabase in another way than with the built-in function that downloads a docker container (which obviously won’t work for you).
I would advice you to join our Discors community as it is by far the most active community we have. The link is on top of every page here (unless you dismissed it - int that case the link is in a dedicated post).
I hope my advice makes good sense to you. If not, feel free to ask again.
Thank you very much for the answer.
I just tried to install the CrowdSec packages on my OpenWrt router (WRT3200ACM) and installation failed due to no space left on device. The installation downloaded a GeoIp database file which is just too big for the router.
So I will try to go forward with my approach as described above.
Podman uses containers grouped in pods with a single configuration file (like docker compose). In my setup I have different pods, one per service, with all neccessary containers. E.g. for Nextcloud it is a postgres, nginx, nextcloud-fpm and a second nextcloud-fpm for cron.
Each pod has a dedicated virtual disk, so I can move the pods between my machines (and have them easily backed up).
A CrowdSec on the host could access all the logs, but would need configuration changes whenever I move a pod.
Thus, the idea is to have a CrowdSec container in each pod, without lapi and only the collection needed for the pod’s service.
A dedicated lapi would be in another pod setup with the metabase container.
And the bouncer would be placed on the router.
That’s the idea. Using containers makes it unnessecary to install CrowdSec on the machine itself.
The CrodSec pod may be configured to access the logs on the services pods, but this wouldn’t work with pods on multiple machines so I believe, having the CrowdSec detection within each service pod makes more sense.
Thanks for the follow-up
On a different note that geo ip stuff is being changed: Idea/GeoIP: offline/update/share database · Issue #1196 · crowdsecurity/crowdsec · GitHub. It would be cool if you can comment and tell about your issue also.
I think your design sounds great. Please let us know how it goes - in many ways it’s an interesting setup.
Trying to set my Crowdsec up as described above:
I got my Podman pod running. Due to a few issues with access control on the mounted directory I had to switch to a MariaDB as Crowdsec database.
The pod currently consists of three containers: mariadb, crowdsec:crowdsec and metabase:metabase.
It has been a bit of puzzling but the pod is running.
Problems left: MariaDB has a few problems with some of the sql from metabase dashboard. I’ll have a look into that later.
I tried to install the bouncer and runned into problems installing it on my OpenWrt WRT 3200ACM. This is the link for details: crowdsec-firewall-bouncer: remove crowdsec package dependency · Issue #17406 · openwrt/packages · GitHub
Seems I have to wait until this is fixed.
I’ll go on with trying to get a parser into my Nextcloud-pod.
When/If I get my planned setup running satisfyingly, I’ll write a small list of what I’ve done in detail…
Thanks for the update. That would be great, thanks!