Achieve security excellence without breaking the budget!

Download guide

CrowdSec arrives on OPNsense

The latest addition to CrowdSec was OPNsense, a FreeBSD distribution designed for security. OPNsense is easy to set up and offers a firewall and routing software to secure a network. It can be compared to pfSense from which it is derived. It is therefore widely used by companies.

This tutorial covers how to install the CrowdSec plugin on OPNsense. This is an English version of the article published on February 24th by Korben.

Still under development, this open-source port allows you to set up rules at the OPNsense firewall level, relying on CrowdSec’s shared blocking lists. Beyond the OPNsense interface, which will allow you to set up the firewall rules, you will also be able to exploit CrowdSec to the maximum of its capabilities by using the command line agent, and set up your specific bouncers, or manage the list of rules in place.

Image

OPNsense Rule List

In this tutorial, you will see how to enable SSH login on OPNsense because you need that to install CrowdSec (since it’s not yet available via official channels) and to manage it using cscli. Managing in this context means installing and updating collections, parsers, and other administrative tasks.

To install the CrowdSec plugin on OPNsense, you need to enable the SSH server on OPNsense. But first, we need to create an SSH key. To do this, open a local terminal on your machine and enter the following command:

ssh-keygen -t rsa

Answer the questions and you will have a set of public/private SSH keys. Now you have to send the public key to OPNsense to authorize the connection.

Display your key with the cat command:

cat id_rsa.pub

Then in OPNsense, go to System > Access > Users. Then edit the user you want to associate the key with. In that case, we added a user “korben” in the admin group. Don’t forget to configure a shell for it too (/bin/sh for example).

Then in the “Authorized keys” field, paste the public key:

Image

Next, we will enable SSH. To do this, go to the System > Settings > OPNsense Administration menu and under the “Secure Shell” section, check “Enable Secure Shell”.

Image

And that’s it. Now we can SSH access our OPNsense server using the SSH key:

ssh -i NOMCLEPRIVEE korben@192.168.xxx.xxx

Then, you have to download the CrowdSec plugin and unzip it. You will then have 3 files in .txz. You can then transfer them to OPNsense with the SCP command like this:

scp -i opnsense opnsense_22.1-freebsd_13-oscrowdsec_0.0.5/* korben@192.168.xxx.xxx:~/

To install the packages on OPNsense, you must be root.

su –

Then you have to do it in this order:

pkg add ./crowdsec-1.3.0.txz
pkg add ./crowdsec-firewall-bouncer-0.0.22_2.txz
pkg add ./os-crowdsec-0.0.5.txz

Image

The plugin will then be available in the OPNsense admin interface. It is up to you to activate the agent and the Firewall bouncer if you plan to use it.

Image

Once the last plug-in is downloaded and installed on OPNsense, you will only have to activate it through the OPNsense admin interface to link the 2 tools. Out-of-the-box protections include ssh and HTTP brute force attacks on the admin interface. Please read the technical documentation on this subject. And support is available through the GitHub issues or the #bsd channel on Discord.

A typical multi-server scenario where OPNsense acts as the fronted to multiple machines, each with its own CrowdSec agent, is covered by the article on how to set up a CrowdSec multi-server installation and referenced in the documentation.

Image

Editing a blocking rule using CrowdSec lists

Done! This is how you can use CrowdSec on your OPNsense machine. If you have any questions, feel free to jump to CrowdSec’s Discord server or GitHub for support.

You may also like

am i under attack
Product Updates

Am I Under Attack: Cut Through the Noise to Detect Sophisticated and Targeted Attacks with CrowdSec’s New feature

Am I Under Attack leverages advanced AI algorithms to detect anomalies in your logs indicating more sophisticated or targeted attacks.

new and advanced ip lookup search
Product Updates

Introducing the New and Advanced IP Lookup Search

In a previous article, we introduced the CTI Report, this time, we are taking it a step further and introducing new and advanced search options for our IP lookup.  You now have access to multiple search options to accurately and effectively explore the CrowdSec CTI.   Let’s take a look. IP lookup search These new search […]

Discover CrowdSec’s Free Third-Party Blocklists
Product Updates

Discover CrowdSec’s Free Third-Party Blocklists

In case you missed it, we recently announced the new Blocklists Catalog in the CrowdSec Console. In the catalog, you can find several blocklists centralized in one place, including third-party blocklists that are free to all users.  All users on the CrowdSec Console can subscribe their Security Engines to third-party blocklists to secure their systems […]