#!/bin/bash
##########################################################################################
# CROWDSEC INSTALLATION
##########################################################################################
# Debian 12 / Ubuntu 22.04+ LTS x86_64
# Carsten Rieger IT-Services (https://www.c-rieger.de)
#
# Must be run as root: it installs packages with apt-get, writes under
# /etc/crowdsec and appends to root's crontab. Expects a Nextcloud instance
# at /var/www/nextcloud (queried via occ for its data directory).
##########################################################################################
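#######################################
# Add the CrowdSec apt repository and install the agent plus the nftables
# firewall bouncer.
# Globals:   none
# Arguments: none
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   0 on success, 1 if the repository bootstrap could not be fetched
#            or failed to run
#######################################
install()
{
  # The fail2ban removal is intentionally left disabled; uncomment to retire
  # fail2ban before CrowdSec takes over.
  #echo ""
  #echo " » fail2ban wird entfernt // remove fail2ban"
  #echo ""
  #systemctl stop fail2ban.service
  #systemctl disable fail2ban.service
  #systemctl mask fail2ban.service
  #apt-get remove fail2ban --purge -y
  echo ""
  echo " » Crowdsec wird heruntergeladen+installiert // crowdsec will be downloaded+installed"
  echo ""
  # Bootstrap the packagecloud apt repository. The vendor script runs as root
  # and is not signature-checked (TLS is the only integrity guarantee), so
  # fetch it to a temp file first instead of 'curl | bash': '-f' refuses to
  # save an HTTP error body, and a truncated download is never handed to the
  # shell. The file can also be inspected here before it runs.
  local repo_script
  repo_script=$(mktemp) || { echo "Error: mktemp failed" >&2; return 1; }
  if ! curl -fsSL -o "$repo_script" https://packagecloud.io/install/repositories/crowdsec/crowdsec/script.deb.sh; then
    echo "Error: could not download the CrowdSec repository setup script" >&2
    rm -f -- "$repo_script"
    return 1
  fi
  # 'sudo' is a no-op when already root (the apt-get calls below assume root).
  if ! sudo bash "$repo_script"; then
    echo "Error: CrowdSec repository setup script failed" >&2
    rm -f -- "$repo_script"
    return 1
  fi
  rm -f -- "$repo_script"
  apt-get install crowdsec -y
  apt-get install crowdsec-firewall-bouncer-nftables -y
}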
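#######################################
# Configure CrowdSec for a Nextcloud host: install collections, register
# nextcloud.log as a log source, whitelist this host and the deb.sury.org
# mirrors, enable SQLite WAL, and schedule a nightly hub refresh.
# Globals:   SRCDIR (written: Nextcloud data directory),
#            IFACE (written: default-route interface),
#            IP (written: this host's first global IPv4, may be empty)
# Arguments: none
# Outputs:   progress messages on stdout, warnings/errors on stderr
# Returns:   exits 1 if the Nextcloud data directory cannot be determined
#######################################
configure()
{
  echo ""
  echo " » Crowdsec wird konfiguriert // crowdsec will be configured"
  echo ""
  # Ask Nextcloud for its data directory (nextcloud.log lives there). Use
  # 'cd &&' rather than 'cd ;' so a missing /var/www/nextcloud fails here
  # instead of running occ from whatever the current directory happens to be.
  # SRCDIR deliberately stays global: later parts of the script may use it.
  SRCDIR=$( cd /var/www/nextcloud && sudo -u www-data php occ config:system:get datadirectory ) || {
    echo "Error reading data directory. Is NextCloud running and configured?" >&2
    exit 1
  }
  if [[ -z "$SRCDIR" ]]; then
    echo "Error: Nextcloud reported an empty data directory." >&2
    exit 1
  fi

  systemctl enable --now crowdsec.service
  local collection
  for collection in nextcloud apache2 sshd; do
    cscli collections install "crowdsecurity/$collection"
  done
  systemctl restart crowdsec

  # Register nextcloud.log as an acquisition source. Guarded so re-running the
  # script does not append the same document twice; the path is quoted in the
  # YAML in case the data directory contains characters YAML treats specially.
  # NOTE(review): this relies on the existing acquis.yaml ending with a '---'
  # separator — confirm, otherwise the block below merges into the last entry.
  local acquis=/etc/crowdsec/acquis.yaml
  cp -- "$acquis" "$acquis.bak"
  if ! grep -qF -- "$SRCDIR/nextcloud.log" "$acquis"; then
    cat <<EOF >>"$acquis"
#Nextcloud by c-rieger.de
filenames:
  - "$SRCDIR/nextcloud.log"
labels:
  type: Nextcloud
---
EOF
  fi

  # Whitelist this host's own primary address and loopback so they are never
  # banned. Caveat: anything that shares that address (NAT'ed clients, a proxy
  # on the same host) would be exempt as well. IFACE/IP stay global.
  IFACE="$( ip r | grep "default via" | awk '{ print $5 }' | head -1 )"
  IP=""
  if [[ -n "$IFACE" ]]; then
    # '\.' — the original pattern's bare '.' matched any character.
    IP="$( ip a show dev "$IFACE" | grep global | grep -oP '\d{1,3}(\.\d{1,3}){3}' | head -1 )"
  fi
  if [[ -z "$IP" ]]; then
    echo "Warning: could not determine this host's IPv4 address; whitelisting loopback only." >&2
  fi
  # An empty entry under 'ip:' would make the parser fail to load, hence the
  # guard. Loopback is a range, so it goes under 'cidr:' rather than 'ip:'
  # (crowdsec reads 'ip:' entries as single addresses).
  # NOTE(review): the 'name' is the same as the hub's crowdsecurity/whitelists
  # item; if that parser is installed too, consider a distinct name.
  {
    cat <<'EOF'
name: crowdsecurity/whitelists
description: "Whitelist events from my personal ips"
whitelist:
  reason: "internal traffic from my personal ips"
EOF
    if [[ -n "$IP" ]]; then
      printf '  ip:\n    - "%s"\n' "$IP"
    fi
    printf '  cidr:\n    - "127.0.0.1/8"\n'
  } > /etc/crowdsec/parsers/s02-enrich/personal-whitelist.yaml

  # Keep the deb.sury.org PHP mirrors reachable even if the community
  # blocklist (CAPI) lists them. config.yaml.local is only rewritten when the
  # setting is absent, so a re-run does not clobber it; an existing file with
  # other overrides is replaced (as before) but now with a warning.
  local sury_ips=(169.150.247.37 169.150.247.38 169.150.247.39)
  {
    echo "ips:"
    printf '  - %s\n' "${sury_ips[@]}"
  } > /etc/crowdsec/capi_whitelists.yaml
  local cfg_local=/etc/crowdsec/config.yaml.local
  if ! grep -qs capi_whitelists_path "$cfg_local"; then
    [[ -e "$cfg_local" ]] && echo "Warning: replacing existing $cfg_local" >&2
    cat > "$cfg_local" <<'EOF'
api:
  server:
    capi_whitelists_path: "/etc/crowdsec/capi_whitelists.yaml"
EOF
  fi

  # Enable SQLite WAL mode for the local database (the setting commonly
  # recommended for sqlite backends). Inserted once, right after 'db_config:';
  # the explicit '\n  ' keeps the two-space indent independent of sed's 'a\'
  # whitespace handling. Assumes two-space indentation under db_config: —
  # TODO confirm against the packaged config.yaml.
  local cfg=/etc/crowdsec/config.yaml
  grep -q use_wal "$cfg" || sed -i '/^db_config:/s/$/\n  use_wal: true/' "$cfg"

  # Restart both services so the new acquisition, whitelists and DB setting
  # are picked up.
  systemctl restart crowdsec.service crowdsec-firewall-bouncer.service

  # Drop any ban already issued against the sury mirrors; the CAPI whitelist
  # only stops new ones from being applied.
  local ip
  for ip in "${sury_ips[@]}"; do
    cscli decisions delete --ip "$ip"
  done

  # Nightly hub refresh. Written straight into root's crontab spool (as the
  # original did; 'crontab -' would be the sanctioned route), guarded so
  # re-runs do not add duplicate lines. 'systemctl reload crowdsec' is added
  # because upgraded hub items only take effect after a reload (cscli itself
  # prints that reminder). The redirect silences only the last command; any
  # error output from the earlier ones reaches root via cron mail if an MTA
  # is configured.
  local cron_file=/var/spool/cron/crontabs/root
  if ! grep -qsF 'cscli hub update' "$cron_file"; then
    echo "0 2 * * * /usr/bin/cscli hub update && /usr/bin/cscli hub upgrade && /usr/bin/systemctl reload crowdsec > /dev/null 2>&1" >> "$cron_file"
  fi
}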