crowdsec integration

2020-11-06 16:56:16 +01:00 · 2020-11-06 16:56:16 +01:00 · 4a07eca696
parent e1274a6082
commit 4a07eca696
11 changed files with 148 additions and 5 deletions
--- a/8
+++ b/8
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec

-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
--- a/8
+++ b/8
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec

-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
--- a/8
+++ b/8
@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec

-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
--- a/8
+++ b/8
@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec

-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
--- a/8
+++ b/8
@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+    /tmp/install.sh && \
+    rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec

-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
    chmod +x /opt/entrypoint.sh /opt/scripts/* && \
    mkdir /opt/entrypoint.d && \
    rm -f /var/log/nginx/* && \
--- a/confs/crowdsec.conf
+++ b/confs/crowdsec.conf
@ -0,0 +1,9 @@
+init_by_lua_block {
+	local cs = require "crowdsec.CrowdSec"
+	local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+		error()
+	end
+	ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+}
--- a/confs/main-lua.conf
+++ b/confs/main-lua.conf
@ -8,6 +8,7 @@ local use_whitelist_reverse	= %USE_WHITELIST_REVERSE%
 local use_blacklist_ip		= %USE_BLACKLIST_IP%
 local use_blacklist_reverse	= %USE_BLACKLIST_REVERSE%
 local use_dnsbl			= %USE_DNSBL%
+local use_crowdsec		= %USE_CROWDSEC%
 local use_antibot_cookie	= %USE_ANTIBOT_COOKIE%
 local use_antibot_javascript	= %USE_ANTIBOT_JAVASCRIPT%
 local use_antibot_captcha	= %USE_ANTIBOT_CAPTCHA%
@ -81,6 +82,18 @@ if use_dnsbl and not dnsbl.cached() then
 	end
 end

+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+	local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+	if ok == nil then
+		ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+	end
+	if not ok then
+		ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+		ngx.exit(ngx.HTTP_FORBIDDEN)
+	end
+end
+
 -- cookie check
 if use_antibot_cookie then
 	if not cookie.is_set("uri") then
--- a/confs/nginx.conf
+++ b/confs/nginx.conf
@ -90,6 +90,9 @@ http {
 	%BLACKLIST_IP_CACHE%
 	%BLACKLIST_REVERSE_CACHE%
 	%DNSBL_CACHE%
+
+	# crowdsec init
+	%USE_CROWDSEC%
 	
 	# shared memory zone for limit_req
 	%LIMIT_REQ_ZONE%
--- a/crowdsec/acquis.yaml
+++ b/crowdsec/acquis.yaml
@ -0,0 +1,6 @@
+filenames:
+  - /var/log/access.log
+  - /var/log/error.log
+labels:
+  type: nginx
+---
--- a/crowdsec/install.sh
+++ b/crowdsec/install.sh
@ -0,0 +1,63 @@
+#!/bin/sh
+
+function git_secure_clone() {
+	repo="$1"
+	commit="$2"
+	folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
+	git clone "$repo"
+	cd "$folder"
+	git checkout "${commit}^{commit}"
+	if [ $? -ne 0 ] ; then
+		echo "[!] Commit hash $commit is absent from repository $repo !"
+		exit 1
+	fi
+	cd ..
+}
+
+NTASK=$(nproc)
+
+# install build dependencies
+apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
+
+# build and install crowdsec
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
+cd crowdsec
+make -j $NTASK build
+./wizard.sh --bininstall
+sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
+sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
+
+# install nginx collection
+cscli update
+cscli install collection crowdsecurity/nginx
+sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+
+# build and install luasql
+cd /tmp
+git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
+cd luasql
+make -j $NTASK sqlite3 mysql
+mkdir /usr/local/lib/lua/5.1/luasql
+cp src/*.so /usr/local/lib/lua/5.1/luasql
+
+# install lualogging
+cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+
+# install cs-lua-lib
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
+cd cs-lua-lib
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+rm /usr/local/lib/lua/crowdsec/lrucache.lua
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+
+# remove build dependencies
+apk del build
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -143,6 +143,7 @@ ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
+USE_CROWDSEC="${USE_CROWDSEC-no}"

 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@ -567,6 +568,19 @@ if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 	fi
 fi

+# CrowdSec setup
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
+	cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
+	cscli api register >> /etc/crowdsec/config/api.yaml
+	cscli api pull
+	echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
+else
+	replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
+	replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
+fi
+
 # edit access if needed
 if [ "$WRITE_ACCESS" = "yes" ] ; then
 	chown -R root:nginx /www
@ -604,6 +618,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 	fail2ban-server > /dev/null
 fi

+# start crowdsec
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+	crowdsec
+fi
+
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"