Quick how-to for firewall bouncer on Ubiquiti EdgeRouter

Hi!

I would like to share my recipe for running a CrowdSec
firewall bouncer on an EdgeOS router – it was tested on an ER-6P and it worked
quite well for the last 4 months on my company’s router.

I’m assuming the following:

  • you have admin access to a Linux VM or PC with Ubuntu or Arch
  • you have basic Linux CLI skills (can open terminal and run commands)
  • you are familiar with SSH and EdgeOS configuration
  • you are running a separate machine with CrowdSec’s LocalAPI
    (running full CrowdSec installation on router should be possible,
    but I didn’t test it)
  • your router is available at yourroutersaddress. Every time you see this word
    in the instructions replace it with your real router’s address
    (for ex. 192.168.1.1)

Things you should run on your PC are prefixed with pc, the ones to run on your router
with router, and the ones to run on the LocalAPI server with la.

Anyway, let’s get into business:

  1. You have to install Go toolchain and Git on your Linux PC or VM:

    Debian/Ubuntu:

    pc $ sudo apt install git golang-go

    Arch:

    pc $ sudo pacman -S go git

  2. Then, clone CrowdSec bouncer repository to folder on your PC:

    pc $ git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git

  3. Now you have to establish your router’s architecture.
    For modern Cavium-based routers (ER-4, ER-6P, ER-12, …) it’s mips64.
    For Mediatek-based ones (ER-X, ER-10X, …) it’s mips.
    In doubt, just SSH into your router and run

    router $ uname -a

    You’ll get something similar to:

    Linux yourroutersname 4.14.54-UBNT #1 SMP Tue May 11 13:23:28 UTC 2021 mips GNU/Linux

    Your architecture is the last word before GNU/Linux. In this case it’s mips.

  4. Build your CrowdSec bouncer’s binary

    pc $ export GOOS=linux
    pc $ # export GOARCH=<your router's architecture from step 3>, for example:
    pc $ export GOARCH=mips64
    pc $ make
    
  5. After a short while, the build process should finish and you’ll have a
    bouncer binary in your current folder named crowdsec-firewall-bouncer.

  6. Connect to your LocalAPI server and create a bouncer token:

    la $ cscli bouncers add yourroutersname

    You’ll get a response similar to:

    
    Api key for 'yourroutersname':
    
    aaaaaaaaaabbbbbbbbbbccccccccddff
    
    Please keep this key since you will not be able to retrieve it!
    

    Save the API key, it will be needed on next step.

  7. It’s time to SSH to your router and prepare your bouncers configuration.
    We’ll install everything in the /config folder as it’s the only location
    I know that survives firmware upgrades.

    pc $ ssh yourroutersaddress
    router $ sudo -i
    
    router # mkdir -p /config/user-data/crowdsec/bouncers
    
    router # cat >/config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml <<EOF
    mode: ipset
    pid_dir: /var/run/
    update_frequency: 10s
    daemonize: true
    log_mode: file
    log_dir: /var/log/
    log_level: info
    api_url: <your LocalApi's URL>
    api_key: <your LocalApi's bouncer key from step 6.>
    disable_ipv6: false
    deny_action: DROP
    deny_log: false
    EOF
    
    router # cat > /config/user-data/crowdsec-firewall-bouncer.service <<EOF
    [Unit]
    Description=The firewall bouncer for CrowdSec
    After=syslog.target network.target remote-fs.target nss-lookup.target crowdsec.service
    
    [Service]
    Type=notify
    ExecStartPre=-/sbin/ipset destroy crowdsec-blacklists
    ExecStartPre=-/sbin/ipset destroy crowdsec6-blacklists
    ExecStartPre=-/sbin/ipset create crowdsec-blacklists hash:net timeout 3600
    ExecStartPre=-/sbin/ipset create crowdsec6-blacklists hash:net family inet6 timeout 3600
    ExecStart=/config/user-data/crowdsec-firewall-bouncer -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
    ExecStartPost=/bin/sleep 0.1
    
    [Install]
    WantedBy=multi-user.target
    EOF
    
    router # ln -s /config/user-data/crowdsec-firewall-bouncer.service /etc/systemd/system
    
    
  8. Now we have to configure EdgeRouter’s firewall to use CrowdSec’s IPSets.
    Adapt to your configuration if needed.

    router # configure
    router # set firewall group address-group crowdsec-blacklists description "Blacklist managed by CrowdSec"
    router # set firewall name WAN_IN rule 35 action drop
    router # set firewall name WAN_IN rule 35 description "Drop Crowdsec list"
    router # set firewall name WAN_IN rule 35 protocol all
    router # set firewall name WAN_IN rule 35 source group address-group crowdsec-blacklists
    router # commit; save
    router # exit
    

    The address-groups created by EdgeOS are not the right type (for example they don’t have a timeout set),
    that’s why they are recreated in the bouncer’s systemd unit definition.

  9. Now we need to copy our bouncer’s binary from our PC to the EdgeRouter.
    From the git checkout directory on your local PC from step 2. run:

    pc $ scp crowdsec-firewall-bouncer yourroutersaddress:/config/user-data/crowdsec-firewall-bouncer

  10. Now the final step: On your router run

    router # systemctl restart crowdsec-firewall-bouncer

    and your router should start blocking malicious traffic in a few seconds.

    You can watch logs by running

    router # tail -f /var/log/crowdsec-firewall-bouncer.log

That’s it!

I tried to proofread this tutorial, but I’m sure there are at least some errors and omissions. Feel free
to post your corrections into this thread, I’ll try to update this guide accordingly.

Enjoy!

2 Likes
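
Since the guide leans on the two ipsets having the right type and a timeout (the reason the unit file recreates them), here is a small verification script for the router. It is an added example, not part of the original post or of the cs-firewall-bouncer project: it parses `ipset list -t` for each set, insists on `hash:net`, the expected address family and a `timeout` in the header, and counts how many `iptables-save` rules match on the IPv4 set, so you can see that the WAN_IN rule from step 8 really references it. The `SAMPLE_*` outputs are constructed for running it offline; the script name and the `live` argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post or the cs-firewall-bouncer project.
# Verifies, on the router, that the sets the unit file recreates are what the
# bouncer needs (hash:net, right address family, per-entry timeout) and that
# the EdgeOS firewall really matches on the IPv4 set. The SAMPLE_* strings are
# constructed for offline runs; on a router call `sh check-bouncer-sets.sh live`.

# Read `ipset list -t NAME` on stdin; 0 only if the set is hash:net, has the
# expected family and carries a timeout (so stale decisions expire on their own).
ipset_header_ok() {
  want_family=$1
  type=''; header=''
  while IFS= read -r line; do
    case "$line" in
      'Type: '*)   type=${line#"Type: "} ;;
      'Header: '*) header=${line#"Header: "} ;;
    esac
  done
  [ "$type" = hash:net ] || { echo "type is '$type', expected hash:net" >&2; return 1; }
  case " $header " in
    *" family $want_family "*) ;;
    *) echo "header '$header' is not family $want_family" >&2; return 1 ;;
  esac
  case " $header " in
    *' timeout '*) ;;
    *) echo "header '$header' has no timeout, entries would never expire" >&2; return 1 ;;
  esac
}

# Count `iptables-save` rules (stdin) that match against set $1.
rules_using_set() {
  grep -c -e "--match-set $1 " || true   # grep -c exits 1 on zero matches but still prints 0
}

# Constructed sample: a plain EdgeOS address-group, i.e. no timeout in the header.
SAMPLE_EDGEOS_GROUP='Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 448
References: 1
Number of entries: 0'

# Constructed sample: the same set after ExecStartPre recreated it with timeout 3600.
SAMPLE_RECREATED='Name: crowdsec-blacklists
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 448
References: 1
Number of entries: 12'

# Constructed sample: how iptables-save renders the WAN_IN rule from step 8.
SAMPLE_RULES='*filter
:WAN_IN - [0:0]
-A WAN_IN -m set --match-set crowdsec-blacklists src -m comment --comment "Drop Crowdsec list" -j DROP
-A WAN_IN -m state --state RELATED,ESTABLISHED -j RETURN
COMMIT'

# Live checks against the real ipset/iptables state (router side).
check_router() {
  ipset list -t crowdsec-blacklists  | ipset_header_ok inet  || return 1
  ipset list -t crowdsec6-blacklists | ipset_header_ok inet6 || return 1
  n=$(iptables-save | rules_using_set crowdsec-blacklists)
  [ "$n" -ge 1 ] || { echo "no iptables rule matches crowdsec-blacklists" >&2; return 1; }
  echo "ok: both sets carry a timeout, $n rule(s) use crowdsec-blacklists"
}

# Offline demonstration on the constructed samples.
demo() {
  if printf '%s\n' "$SAMPLE_EDGEOS_GROUP" | ipset_header_ok inet 2>/dev/null; then
    echo "EdgeOS group: passed (unexpected)"
  else
    echo "EdgeOS group: rejected as expected, no timeout in header"
  fi
  printf '%s\n' "$SAMPLE_RECREATED" | ipset_header_ok inet && echo "recreated set: ok"
  echo "rules matching crowdsec-blacklists: $(printf '%s\n' "$SAMPLE_RULES" | rules_using_set crowdsec-blacklists)"
}

case "${1:-demo}" in
  live) check_router ;;
  *)    demo ;;
esac
```

Run it on the router as `sh check-bouncer-sets.sh live` after step 10; with no argument it only exercises the constructed samples. If the IPv4 set comes back without a timeout after a later firewall `commit`, restart the bouncer unit so its ExecStartPre recreates the set.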

That’s great, thank you very much :slight_smile:

Is there any issues you faced or suggested improvements based on your experience ?

Thank you so much! Your guide (2nd half) was extremely helpful as I’m trying to do the same on OpenWrt and no instructions are available…

I did not manage to get it running yet (no log is created) so it’s difficult to debug… but I would have been really lost without this simple step-by-step guide…

I wonder why it’s so hard to find simple guides like this? Many seem to just address pieces or are oversimplified and miss critical steps…

Wow, nice to hear it was useful to someone :slight_smile: Regarding your problems with CrowdSec bouncer on OpenWRT:

  • mine is writing logs to /var/log/crowdsec-firewall-bouncer.log, check if you have anything there,

  • if there is no log file, check if the bouncer is really running, by running on your router:

    pgrep cs-firewall-bouncer
    

    if you don’t get a process ID, then it’s not running

  • in that case, run

    cs-firewall-bouncer -t -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
    

    It will check if you have any problems with your configuration.

Best of luck!

2 Likes

Thank you for the valuable information. Tried this on an EdgeRouter-X and I am seeing this error:

systemctl status crowdsec-firewall-bouncer.service

  • crowdsec-firewall-bouncer.service - The firewall bouncer for CrowdSec
    Loaded: loaded (/config/user-data/crowdsec-firewall-bouncer.service; linked; vendor preset: enabled)
    Active: failed (Result: exit-code) since Wed 2022-01-19 15:22:52 EST; 10min ago
    Process: 5109 ExecStart=/config/user-data/crowdsec-firewall-bouncer -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml (code=exited, status=203/EXEC)
    Process: 5104 ExecStartPre=/sbin/ipset create crowdsec6-blacklists hash:net timeout 3600 (code=exited, status=0/SUCCESS)
    Process: 5101 ExecStartPre=/sbin/ipset create crowdsec-blacklists hash:net timeout 3600 (code=exited, status=0/SUCCESS)
    Process: 5098 ExecStartPre=/sbin/ipset destroy crowdsec6-blacklists (code=exited, status=0/SUCCESS)
    Process: 5095 ExecStartPre=/sbin/ipset destroy crowdsec-blacklists (code=exited, status=0/SUCCESS)
    Main PID: 5109 (code=exited, status=203/EXEC)

I have compiled the binary using MIPS… any idea how I can get this corrected?

Hi! Please run

/config/user-data/crowdsec-firewall-bouncer -t -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml

and post results.

root@EdgeRouter~# /config/user-data/crowdsec-firewall-bouncer -t -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
-vbash: /config/user-data/crowdsec-firewall-bouncer: cannot execute binary file

also tried using the configure prompt
root@EdgeRouter# /config/user-data/crowdsec-firewall-bouncer -t -c /config/user-data/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
vbash: /config/user-data/crowdsec-firewall-bouncer: cannot execute binary file
[edit]

These are the commands I have run on the Linux box:
root@homeassistant:/tmp# git clone https://github.com/crowdsecurity/cs-firewall-bouncer.git
root@homeassistant:/tmp/cs-firewall-bouncer# export GOARCH=mips
root@homeassistant:/tmp/cs-firewall-bouncer# export GOOS=linux
root@homeassistant:/tmp/cs-firewall-bouncer# make
root@homeassistant:/tmp/cs-firewall-bouncer# scp crowdsec-firewall-bouncer root@10.0.0.1:/config/user-data/crowdsec-firewall-bouncer

Here is my router’s uname -a information:
root@EdgeRouter# uname -a
Linux EdgeRouter 4.14.54-UBNT #1 SMP Tue May 11 13:23:28 UTC 2021 mips GNU/Linux
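
A check worth running on the PC before the scp in step 9, added here as an example (it is not part of the guide or of the bouncer project): decode the ELF header of the freshly built binary and compare it with what the router can execute. "cannot execute binary file" and systemd's 203/EXEC are the kernel refusing an ELF whose class (32/64-bit), byte order or machine type it cannot load, so a wrong GOARCH shows up here without touching the router. One caveat the script deals with: `uname -m` prints `mips` for little-endian and big-endian kernels alike, and Go's `GOARCH=mips` is the big-endian variant (`mipsle` the little-endian one), so the router's byte order is read from a binary that already runs there (I assume `/bin/sh`, copied over with scp) rather than from uname. Accepting a 32-bit MIPS build on a 64-bit MIPS kernel of the same byte order is my assumption about the kernel's compat support; paths, script name and the fake headers used for the offline demo are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the cs-firewall-bouncer project.
# Compares the bouncer binary's ELF header with what the router can execute,
# before scp'ing it over. Class (32/64-bit), byte order and machine type must
# all match or the kernel refuses the file ("cannot execute binary file",
# systemd status 203/EXEC). `uname -m` says "mips" for both byte orders, so the
# router's byte order is read from a binary already on it (assumed: /bin/sh).
# Assumes POSIX sh with od(1); the fake-header writer exists only for offline demos.

# Print "class data machine" decoded from an ELF file's first 20 bytes:
# e_ident[EI_CLASS] at offset 4, e_ident[EI_DATA] at 5, e_machine at 18-19
# (stored in the file's own byte order). Fails if the file is not ELF.
elf_fields() {
  f=$1
  set -- $(od -An -t u1 -N 20 -v "$f")
  [ "$#" -eq 20 ] || return 1
  [ "$1" -eq 127 ] && [ "$2" -eq 69 ] && [ "$3" -eq 76 ] && [ "$4" -eq 70 ] || return 1   # \177ELF
  b18=${19}; b19=${20}
  if [ "$6" -eq 1 ]; then machine=$((b18 + b19 * 256)); else machine=$((b18 * 256 + b19)); fi
  echo "$5 $6 $machine"
}

# GOARCH name for a class/data/machine triple (EM_MIPS=8, EM_X86_64=62, EM_AARCH64=183).
goarch_of() {
  case "$3:$1:$2" in
    8:1:2)   echo mips ;;
    8:1:1)   echo mipsle ;;
    8:2:2)   echo mips64 ;;
    8:2:1)   echo mips64le ;;
    62:2:1)  echo amd64 ;;
    183:2:1) echo arm64 ;;
    *)       return 1 ;;
  esac
}

# GOARCH of a built binary, from its header.
elf_goarch() {
  fields=$(elf_fields "$1") || return 1
  goarch_of $fields
}

# GOARCH the router needs: word size from `uname -m` (mips or mips64, as in step 3),
# byte order from the EI_DATA byte (1 little, 2 big) of a binary that already runs there.
router_goarch() {
  case "$1:$2" in
    mips:2)    echo mips ;;      # 32-bit big-endian
    mips:1)    echo mipsle ;;    # 32-bit little-endian
    mips64:2)  echo mips64 ;;    # 64-bit big-endian (Cavium ER-4, ER-6P, ER-12 per step 3)
    mips64:1)  echo mips64le ;;
    x86_64:1)  echo amd64 ;;
    aarch64:1) echo arm64 ;;
    *)         return 1 ;;
  esac
}

# 0 if a binary built for GOARCH $1 runs on a router needing GOARCH $2: exact match, or
# (assumption: kernel built with 32-bit compat) a 32-bit MIPS build of the same byte order
# on a 64-bit MIPS kernel.
goarch_compatible() {
  [ "$1" = "$2" ] && return 0
  case "$1:$2" in
    mips:mips64|mipsle:mips64le) return 0 ;;
  esac
  return 1
}

# $1 = built binary, $2 = router's `uname -m` word, $3 = a binary copied from the router.
check_binary_for_router() {
  have=$(elf_goarch "$1") || { echo "$1: not an ELF binary I recognise" >&2; return 1; }
  ref_fields=$(elf_fields "$3") || { echo "$3: not an ELF binary I recognise" >&2; return 1; }
  ref_data=${ref_fields#* }; ref_data=${ref_data%% *}        # second field: EI_DATA
  want=$(router_goarch "$2" "$ref_data") || { echo "unknown router: uname $2, byte order $ref_data" >&2; return 1; }
  if goarch_compatible "$have" "$want"; then
    echo "ok: $1 is $have, router takes $want"
  else
    echo "MISMATCH: $1 is $have, router needs GOARCH=$want" >&2
    return 1
  fi
}

# Constructed sample: write a 20-byte ELF header (not a runnable binary) to $1 with
# class $2 (1=32-bit, 2=64-bit), data $3 (1=little, 2=big endian) and e_machine $4.
write_fake_elf_header() {
  m_lo=$(($4 % 256)); m_hi=$(($4 / 256))
  if [ "$3" -eq 1 ]; then b18=$m_lo; b19=$m_hi; else b18=$m_hi; b19=$m_lo; fi
  {
    printf '\177ELF'
    printf "\\$(printf '%03o' "$2")\\$(printf '%03o' "$3")"        # EI_CLASS, EI_DATA
    printf '\001\000\000\000\000\000\000\000\000\000\000\000'       # EI_VERSION, OSABI, pad, e_type
    printf "\\$(printf '%03o' "$b18")\\$(printf '%03o' "$b19")"    # e_machine
  } > "$1"
}

if [ "$#" -eq 3 ]; then
  check_binary_for_router "$1" "$2" "$3"
else
  # Offline demo with constructed headers: a GOARCH=mips build against a router whose
  # /bin/sh is little-endian 32-bit MIPS, then the rebuilt GOARCH=mipsle binary.
  binfile=${TMPDIR:-/tmp}/fake-bouncer.$$; refbin=${TMPDIR:-/tmp}/fake-router-sh.$$
  write_fake_elf_header "$binfile" 1 2 8
  write_fake_elf_header "$refbin" 1 1 8
  check_binary_for_router "$binfile" mips "$refbin" || :   # MISMATCH, needs GOARCH=mipsle
  write_fake_elf_header "$binfile" 1 1 8
  check_binary_for_router "$binfile" mips "$refbin"        # ok
  rm -f "$binfile" "$refbin"
fi
```

Usage on the PC: `scp yourroutersaddress:/bin/sh ./router-sh` and then `sh elfcheck.sh crowdsec-firewall-bouncer "$(ssh yourroutersaddress uname -m)" ./router-sh`. A header check cannot see the floating-point ABI, so if a MIPS build loads fine but dies with "Illegal instruction", rebuild with `GOMIPS=softfloat` set alongside GOARCH.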