crowdsec integration
This commit is contained in:
parent
e1274a6082
commit
4a07eca696
|
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
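Review bot: The new `RUN apk --no-cache add ... go jq mariadb-connector-c` line leaves the Go toolchain in the final image, even though install.sh (added in this commit) installs `go` only as a virtual `build` dependency to compile crowdsec and then removes it with `apk del build`. Nothing visible in this diff runs `go` after the build, so the runtime image presumably only needs the compiled crowdsec binaries, and carrying a compiler in a hardening-oriented image widens its surface and size for no benefit. Unless something outside this diff needs it at container start, drop `go` from that line, `RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd jq mariadb-connector-c && \`, and confirm whether `jq` is used at runtime either. The same hunk is repeated in the four following Dockerfile sections and would need the same change.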
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY crowdsec/install.sh /tmp/install.sh
|
||||
RUN chmod +x /tmp/install.sh && \
|
||||
/tmp/install.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY entrypoint.sh /opt/entrypoint.sh
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
COPY fail2ban/ /opt/fail2ban
|
||||
COPY logs/ /opt/logs
|
||||
COPY lua/ /opt/lua
|
||||
COPY crowdsec/ /opt/crowdsec
|
||||
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
|
||||
RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
|
||||
chmod +x /opt/entrypoint.sh /opt/scripts/* && \
|
||||
mkdir /opt/entrypoint.d && \
|
||||
rm -f /var/log/nginx/* && \
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
init_by_lua_block {
|
||||
local cs = require "crowdsec.CrowdSec"
|
||||
local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
|
||||
if ok == nil then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
error()
|
||||
end
|
||||
ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
|
||||
}
|
|
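Review bot: The success message in this `init_by_lua_block` is logged at error level, `ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")`, so any alerting keyed on ERR entries in the nginx error log fires on every normal start; `ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")` keeps it visible without the false alarm. In the failure branch, `error()` with no argument aborts worker startup with a nil error value, so the reason already written to the log is not attached to the abort itself; `error("[Crowdsec] init failed: " .. tostring(err))` carries it. The `"[Crowdsec] " .. err` concatenation presumably relies on `cs.init` always returning a string as its second value when the first is nil, which is worth confirming against the library, since a nil `err` would turn the logging line itself into a Lua error.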
@ -8,6 +8,7 @@ local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
|
|||
local use_blacklist_ip = %USE_BLACKLIST_IP%
|
||||
local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
|
||||
local use_dnsbl = %USE_DNSBL%
|
||||
local use_crowdsec = %USE_CROWDSEC%
|
||||
local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
|
||||
local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
|
||||
local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
|
||||
|
@ -81,6 +82,18 @@ if use_dnsbl and not dnsbl.cached() then
|
|||
end
|
||||
end
|
||||
|
||||
-- check if IP is in CrowdSec DB
|
||||
if use_crowdsec then
|
||||
local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
|
||||
if ok == nil then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] " .. err)
|
||||
end
|
||||
if not ok then
|
||||
ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
end
|
||||
|
||||
-- cookie check
|
||||
if use_antibot_cookie then
|
||||
if not cookie.is_set("uri") then
|
||||
|
|
|
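Review bot: In the second hunk, a nil result from `allowIp` (a lookup or backend error) is logged and then falls straight into `if not ok then`, so every CrowdSec error denies the client with a 403; this is fail-closed, which is a reasonable policy for a blocklist but is not stated anywhere, and a reader could mistake it for an oversight. If it is intended, add `-- a lookup error is treated as a deny (fail closed)` above the `if not ok then` line; if the intent is to fail open on errors, the `ok == nil` branch needs to leave the block after logging instead of continuing. The denial itself is logged at `ngx.ERR`, which is unusual for a routine policy decision; `ngx.WARN` would separate expected denials from genuine errors in the error log. The surrounding access-phase script continues before and after this hunk.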
@ -90,6 +90,9 @@ http {
|
|||
%BLACKLIST_IP_CACHE%
|
||||
%BLACKLIST_REVERSE_CACHE%
|
||||
%DNSBL_CACHE%
|
||||
|
||||
# crowdsec init
|
||||
%USE_CROWDSEC%
|
||||
|
||||
# shared memory zone for limit_req
|
||||
%LIMIT_REQ_ZONE%
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
filenames:
|
||||
- /var/log/access.log
|
||||
- /var/log/error.log
|
||||
labels:
|
||||
type: nginx
|
||||
---
|
|
@ -0,0 +1,63 @@
|
|||
#!/bin/sh
|
||||
|
||||
function git_secure_clone() {
|
||||
repo="$1"
|
||||
commit="$2"
|
||||
folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
|
||||
git clone "$repo"
|
||||
cd "$folder"
|
||||
git checkout "${commit}^{commit}"
|
||||
if [ $? -ne 0 ] ; then
|
||||
echo "[!] Commit hash $commit is absent from repository $repo !"
|
||||
exit 1
|
||||
fi
|
||||
cd ..
|
||||
}
|
||||
|
||||
NTASK=$(nproc)
|
||||
|
||||
# install build dependencies
|
||||
apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
|
||||
|
||||
# build and install crowdsec
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
|
||||
cd crowdsec
|
||||
make -j $NTASK build
|
||||
./wizard.sh --bininstall
|
||||
sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
|
||||
sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
|
||||
|
||||
# install nginx collection
|
||||
cscli update
|
||||
cscli install collection crowdsecurity/nginx
|
||||
sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
|
||||
|
||||
# build and install luasql
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
|
||||
cd luasql
|
||||
make -j $NTASK sqlite3 mysql
|
||||
mkdir /usr/local/lib/lua/5.1/luasql
|
||||
cp src/*.so /usr/local/lib/lua/5.1/luasql
|
||||
|
||||
# install lualogging
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
|
||||
cd lualogging
|
||||
cp -r src/* /usr/local/lib/lua
|
||||
|
||||
# install cs-lua-lib
|
||||
cd /tmp
|
||||
git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
|
||||
cd cs-lua-lib
|
||||
mkdir /usr/local/lib/lua/crowdsec
|
||||
cp lib/*.lua /usr/local/lib/lua/crowdsec
|
||||
cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
|
||||
rm /usr/local/lib/lua/crowdsec/lrucache.lua
|
||||
sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
|
||||
|
||||
# remove build dependencies
|
||||
apk del build
|
|
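Review bot: The script has no `set -e`, so outside `git_secure_clone` a failing step (the `make -j $NTASK build`, `./wizard.sh --bininstall`, `cscli install collection`, or any of the `mkdir`/`cp` calls) does not fail the image build, and a broken crowdsec or luasql build only surfaces when the container starts. Add `set -e` after the shebang, and since that makes the `$?` check unreachable, turn the pinned checkout into `git checkout "${commit}^{commit}" || { echo "[!] Commit hash $commit is absent from repository $repo !"; exit 1; }`. Independently of that, `cd "$folder"` should be `cd "$folder" || exit 1`, because if the clone fails or the `sed` folder derivation does not match, the checkout and the later `cd ..` run in /tmp instead of the repository. The `function` keyword is not POSIX sh; `git_secure_clone() {` is the portable form for the `#!/bin/sh` shebang.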
@ -143,6 +143,7 @@ ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
|
|||
USE_ANTIBOT="${USE_ANTIBOT-no}"
|
||||
ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
|
||||
ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
|
||||
USE_CROWDSEC="${USE_CROWDSEC-no}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
@ -567,6 +568,19 @@ if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
|||
fi
|
||||
fi
|
||||
|
||||
# CrowdSec setup
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
|
||||
cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
|
||||
cscli api register >> /etc/crowdsec/config/api.yaml
|
||||
cscli api pull
|
||||
echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
else
|
||||
replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
|
||||
replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
|
||||
fi
|
||||
|
||||
# edit access if needed
|
||||
if [ "$WRITE_ACCESS" = "yes" ] ; then
|
||||
chown -R root:nginx /www
|
||||
|
@ -604,6 +618,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
|||
fail2ban-server > /dev/null
|
||||
fi
|
||||
|
||||
# start crowdsec
|
||||
if [ "$USE_CROWDSEC" = "yes" ] ; then
|
||||
crowdsec
|
||||
fi
|
||||
|
||||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
|
|
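Review bot: The CrowdSec setup in the second hunk is not idempotent: `cscli api register >> /etc/crowdsec/config/api.yaml` and the `echo ... >> /etc/crontabs/root` line run on every container start, so each restart presumably registers a new machine with the central API and appends a second `machine_id`/`password` pair (the keys install.sh strips at build time) while the old ones remain, and adds a duplicate cron entry. Guard both with a presence check, `grep -q '^machine_id:' /etc/crowdsec/config/api.yaml || cscli api register >> /etc/crowdsec/config/api.yaml` and `grep -q 'cscli api pull' /etc/crontabs/root || echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root`. In the third hunk, `crowdsec` is started with no daemon flag or `&`, unlike `fail2ban-server` which detaches by itself; worth confirming it does not block the rest of the entrypoint. The enclosing script continues after each of these hunks.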