
Crowdsec in VyOS (Blocking only)
Open, Wishlist | Public | FEATURE REQUEST

Description

Crowdsec is an open-source distributed like IPS which consists of:

  • LAPI Server which holds the local blocked IPs and can get/send IPs from/to the Crowdsec Central API
  • Agent that can monitor logfiles for anomalies and send those IPs to the LAPI
  • Bouncers which can get the blocked IPs from the LAPI and take actions accordingly (Create nft rule, up HAProxy config, etc...)

My idea would be to use a bouncer only on VyOS. So in order to make this useful, one needs to run their own LAPI somewhere and connect VyOS to it.

Just like sshguard does, it can create its own IPv4/IPv6 table with the needed chains, and update that when needed. That way, all traffic is dynamically blocked by Crowdsec.

Configuring could be done like:

set service ips crowdsec disable
set service ips crowdsec update-frequency 10s
set service ips crowdsec api-url https://api.server.tld:8080/
set service ips crowdsec api-key xxxxx

And the config yaml:

mode: nftables
pid_dir: /var/run/
update_frequency: {% update-frequency %}
daemonize: true
log_mode: file
log_dir: /var/log/
log_level: info
log_compression: true
log_max_size: 100
log_max_backups: 3
log_max_age: 30
api_url: {% api-url %}
api_key: {% api-key %}
insecure_skip_verify: false
disable_ipv6: false
deny_action: DROP
deny_log: false
supported_decisions_types:
  - ban
deny_log_prefix: "crowdsec: "
blacklists_ipv4: crowdsec-blacklists
blacklists_ipv6: crowdsec6-blacklists

## nftables
nftables:
  ipv4:
    enabled: true
    set-only: false
    table: crowdsec
    chain: crowdsec-chain
  ipv6:
    enabled: true
    set-only: false
    table: crowdsec6
    chain: crowdsec6-chain

If this is a feature that is wanted I can have a stab at it to see how far I can get.

Details

Version
-
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)
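
Added example, not part of the original task and not VyOS or Crowdsec code: a sketch of how the proposed CLI values could be checked before they are written into the bouncer YAML, so that a crafted `api-key` cannot inject extra keys such as `deny_action`, and so that the file holding the key is not world-readable. The function names, the https-only rule and the accepted character sets are assumptions.

```python
import json
import os
import re
from urllib.parse import urlsplit

# Constructed sketch: dict keys mirror the CLI nodes proposed above
# (disable, update-frequency, api-url, api-key); function names are hypothetical.
FREQ_RE = re.compile(r"[1-9][0-9]*[smh]")         # e.g. 10s, 5m, 1h (assumed policy)
KEY_RE = re.compile(r"[A-Za-z0-9+/=_-]{1,128}")   # no whitespace or YAML syntax (assumed)


def verify(conf):
    """Return sanitized values, or None when the service is disabled."""
    if "disable" in conf:
        return None
    freq = conf.get("update-frequency", "10s")
    if not FREQ_RE.fullmatch(freq):
        raise ValueError("update-frequency must look like 10s, 5m or 1h")
    url = urlsplit(conf.get("api-url", ""))
    # The API key travels to a remote LAPI, so plain http is refused here.
    if url.scheme != "https" or not url.hostname:
        raise ValueError("api-url must be an https:// URL")
    key = conf.get("api-key", "")
    if not KEY_RE.fullmatch(key):
        raise ValueError("api-key is missing or contains unexpected characters")
    return {"update_frequency": freq, "api_url": url.geturl(), "api_key": key}


def render(values):
    """Emit the connection part of the bouncer YAML with quoted scalars."""
    lines = ["mode: nftables"]
    # json.dumps yields a double-quoted scalar that is also valid YAML.
    lines += [f"{k}: {json.dumps(v)}" for k, v in values.items()]
    lines += ["insecure_skip_verify: false", "deny_action: DROP"]
    return "\n".join(lines) + "\n"


def write_private(path, text):
    """Write the file readable by its owner only, since it holds the API key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # enforce the mode even if the file already existed
        fh.write(text)
```
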

Event Timeline

roedie triaged this task as Wishlist priority.
roedie edited a custom field.
Unknown Object (User) subscribed. Feb 16 2023, 8:21 PM

This would be a great feature to have on VyOS.

syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.
syncer moved this task from Need Triage to Backlog - Feature Requests on the VyOS Rolling board.