Setup on OpenWRT

crowdsec
1

First, I am a complete novice with this stuff so please bear that in mind when responding.

I have OpenWRT x86 installed on a mini pc and am curious to check out Crowdsec but have not found any sort of guide for setting things up on OpenWRT.

Ive installed the crowdsec, crowdsec-firewall-bouncer,and luci-app-crowdsec-firewall-bouncer packages via the Luci interface.

Anything else I need to do to get things up and running?

Thanks in advance

2

Have you ran through the post installation guide? Post Installation Steps | CrowdSec

3

I have run through the Post Installation and seem to be stuck.
I have completed the following;

Installed crowdsec, crowdsec-firewall-bouncer and luci-app-crowdsec-firewall-bouncer packages in OpenWRT
Created a Crowdsec account

I think the next step is to enroll an engine.
If I ssh into my Openwrt and run the sudo cscli console enroll $ENROLLMENT_KEY
I get the following

-ash: sudo: not found

Did I miss any steps?

4

There is no need to sudo in openwrt. You land in the sh shell when you login via root.

5

That was the issue. Thanks!!

6

Edit: I instaleled the Firewall bouncer in OpenWRT but do not know how to configure it. My Crowdsec console says no remediation components installed.

I know the next step is to install a bouncer.
I believe this is the page I need to follow

Im not sure if I am supposed to install the IPTables, NFTables or pf?

7

OK, I have the engine and bouncer up and running.
According to the Post Installation guide, the following command should tell me what log sources are already detected,

cscli metrics show acquisition

The only output I get is
ATA[2025-01-19T03:39:27Z] accepts 0 arg(s), received 2

Thanks for any tips

8

This indicates the engine version is old, can you run cscli version

9

Here you go:

2025/01/19 15:16:22 version: v1.6.0-openwrt-1.6.0-1
2025/01/19 15:16:22 Codename:
2025/01/19 15:16:22 BuildDate: 2024-12-28_16:14:29
2025/01/19 15:16:22 GoVersion: 1.21.13
2025/01/19 15:16:22 Platform: linux
2025/01/19 15:16:22 libre2: WebAssembly
2025/01/19 15:16:22 Constraint_parser: >= 1.0, <= 3.0
2025/01/19 15:16:22 Constraint_scenario: >= 1.0, <= 3.0
2025/01/19 15:16:22 Constraint_api: v1
2025/01/19 15:16:22 Constraint_acquis: >= 1.0, < 2.0

Also,

When I run, opkg install crowdsec, I get
Package crowdsec (1.6.0-1) installed in root is up to date.
But I get a message in the Console saying v1.6.4 available with a link !

10

Late reply, but sharing my experience for those who stumble upon this post in the future.

I have crowdsec up an running on my OpenWRT for a couple of months now, and it has been working great for me. But seeing OP emphasizing being a novice, I think I will start with some quick concepts that I have picked up since I started using crowdsec:

Two main components - the crowdsec engine and the crowdsec bouncer.

Crowdsec Engine - The component used to store blocklists from app.crowdsec.net, plus detection features to generate and store blocklists from intrusion attempts to your own services.

Crowdsec Bouncer - The component to actually block attempts to connect to your network based on blocklists stored in your engine.

For me, I ended up configuring only my bouncer on Openwrt. It works flawlessly and data gets fetched from my crowdsec engine running on my Synology NAS that runs a mail server.

So my Engine subscribes to four public blocklists from crowdsec, and it also generates 2 additional blocklists based on the log file from my mail server. These blocklists all go to my crowdsec bouncer running on my Openwrt gateway router to block malicious attempts to enter my network.

Simple as that (concept wise). As to how to set things up, it took me quite some time to configure and fine tune my engine, but bouncer setup on Openwrt was pretty straightforward.

When I run cscli metrics show acquisition on my engine, I get something like this:

╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Acquisition Metrics                                                                                             │
├───────────────────────┬────────────┬──────────────┬────────────────┬────────────────────────┬───────────────────┤
│ Source                │ Lines read │ Lines parsed │ Lines unparsed │ Lines poured to bucket │ Lines whitelisted │
├───────────────────────┼────────────┼──────────────┼────────────────┼────────────────────────┼───────────────────┤
│ file:/maillog/maillog │ 5.86k      │ 478          │ 5.38k          │ 7                      │ -                 │
╰───────────────────────┴────────────┴──────────────┴────────────────┴────────────────────────┴───────────────────╯