-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathcrowdsec.yml
277 lines (235 loc) · 10 KB
/
crowdsec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
---
- hosts: homelab
vars:
application: crowdsec
crowdsec_bouncer_key:
traefik: !vault |
$ANSIBLE_VAULT;1.1;AES256
39356134633137633537623839353762316637643265323765313833616132336237376639623639
3463363031643738363666366332306638656261353963300a396166303933633961323037323738
63643835396433303731316639666339623362313032636262626433336263363531643630316435
3263396138633362620a373664386131393531303232336230636235373762333737393437363832
66396337666131353861396665323337393762323062373462396166373861663636
docker_network: "{{ networks.pub }}"
handlers:
- name: Restart
community.docker.docker_container:
name: "{{ application }}"
restart: true
comparisons:
'*': ignore
tasks:
- name: Create config folder
ansible.builtin.file:
path: "{{ config_directory }}"
state: directory
owner: "{{ common_user }}"
group: "{{ common_group }}"
mode: "0771"
- name: Create config.yaml.local
ansible.builtin.copy:
content: |
common:
log_level: info
config_paths:
notification_dir: /etc/crowdsec/notifications.local/
api:
server:
log_level: warn
dest: "{{ config_directory }}/config.yaml.local"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create acquis.yaml
ansible.builtin.copy:
content: |
---
filenames:
- /var/log/traefik/access.log
- /var/log/traefik/traefik.log
labels:
type: traefik
dest: "{{ config_directory }}/acquis.yaml"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create email.yaml
ansible.builtin.copy:
content: |
type: email
name: email
log_level: info
{% raw %}
format: |
{{ range . -}}
{{ $alert := . -}}
{{ range .Decisions -}}
<p><a href=https://www.shodan.io/host/{{ .Value}}>{{ .Value}}</a> will get <b>{{ .Type}}</b> for next <b>{{ .Duration}}</b> for triggering <b>{{ .Scenario}}</b>.</p>
{{ end -}}
<ul>
{{ range .Events -}}
{{ range .Meta }}{{ if eq .Key "traefik_router_name"}}<li>{{ .Value}}: {{ end }}{{ end }}{{ range .Meta }}{{ if eq .Key "http_path" }}{{ .Value }}{{ end }}{{ end }}</li>
{{ end -}}
</ul>
{{ end -}}
{% endraw %}
smtp_host: {{ common_email_server }}
smtp_username: {{ common_email_username }}
smtp_password: {{ common_email_password }}
smtp_port: {{ common_email_port }}
sender_email: {{ common_email_username }}
receiver_emails:
- {{ application }}{{ common_email_to }}
encryption_type: starttls
auth_type: login
email_subject: CrowdSec Notification
timeout: 20s
dest: "{{ config_directory }}/email.yaml"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create slack.yaml
ansible.builtin.copy:
content: |
type: slack
name: slack
log_level: info
{% raw %}
format: |
{{ range . -}}
{{ $alert := . -}}
{{ range .Decisions -}}
<https://www.shodan.io/host/{{ .Value }}|{{ .Value }}> will get {{ .Type }} for next {{ .Duration }} for triggering {{ .Scenario }} on machine '{{ $alert.MachineID }}'.
{{ end -}}
{{ range .Events -}}
{{ range .Meta }}{{ if eq .Key "traefik_router_name" }}- {{ .Value }}: {{ end }}{{ end }}{{ range .Meta }}{{ if eq .Key "http_path" }}{{ .Value }}{{ end }}{{ end }}
{{ end -}}
{{ end -}}
{% endraw %}
webhook: ${SLACK_WEBHOOK}
dest: "{{ config_directory }}/slack.yaml"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create profiles.yaml.local
ansible.builtin.copy:
content: |
name: default_ip_remediation
debug: false
filters:
- Alert.Remediation == true && Alert.GetScope() == "Ip"
decisions:
- type: ban
duration: 8766h
notifications:
- email
- slack
on_success: break
on_failure: break
dest: "{{ config_directory }}/profiles.yaml.local"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create my-whitelists.yaml
ansible.builtin.copy:
content: |
name: crowdsecurity/my-whitelists
description: "Custom Whitelist"
whitelist:
reason: "my custom whitelists"
expression:
-
evt.Meta.http_status == '403' && evt.Parsed.traefik_router_name startsWith 'mattermost' && (evt.Meta.http_path contains '/api/v4/')
-
evt.Meta.http_status == '403' && evt.Parsed.traefik_router_name startsWith 'home-assistant' && (evt.Meta.http_path contains '/api/calendars/' || evt.Meta.http_path contains '/api/camera_proxy_stream/' || evt.Meta.http_path contains '/api/webhook/' || evt.Meta.http_path contains '/auth/token')
-
evt.Meta.http_status == '403' && evt.Parsed.traefik_router_name startsWith 'qbittorrent' && (evt.Meta.http_path contains '/favicon.ico' || evt.Meta.http_path contains '/api/v2/')
-
evt.Parsed.traefik_router_name startsWith 'actualbudget' && (evt.Meta.http_path contains '/data/migrations/' || evt.Meta.http_path == '/sync/sync')
-
evt.Parsed.traefik_router_name startsWith 'immich-server' && (evt.Meta.http_path startsWith '/api')
dest: "{{ config_directory }}/my-whitelists.yaml"
owner: "{{ common_root_id }}"
group: "{{ common_root_group }}"
mode: "0644"
notify: Restart
- name: Create container
ansible.builtin.include_role:
name: docker_container
vars:
image: crowdsecurity/crowdsec:v1.6.4
env:
# General
TZ: "{{ common_timezone }}"
# Hub management
COLLECTIONS: |-
{{
[
"crowdsecurity/traefik",
] | join(' ')
}}
# LAPI
USE_WAL: "true"
CUSTOM_HOSTNAME: "{{ application }}.{{ docker_network.name }}"
# Custom
SLACK_WEBHOOK: !vault |
$ANSIBLE_VAULT;1.1;AES256
35623830653133626136616530353934336561656531663234613765613535353137623430383934
3933643432643534643564393733666132356537373036320a613064353433346138623533643237
31663931356365646339653162306331646263636462623430626532353365303734326631613138
6334613339396161380a353232643735313862386539636366393364646134383532383835643032
35366562373565626133366663613363306434316535613935356162613633653036333839666339
37383863323935643938373162396261383833373361393165353531393239613464353335386264
63376361383564393136613864313166356661653935386464336361356565333465383035653234
35323465303734613034
# Console
# ENROLL_KEY: !vault |
# $ANSIBLE_VAULT;1.1;AES256
# 33623339333264363037303661616536353936393965613033633732336638633137336631643762
# 3466653162323565616466303930393839346336313661330a323066303238393338626539363937
# 37333838396433303836626138383132363961343831613466343034613364356434346530336439
# 6433303533643431390a636562643163313663623238646534366635373231663961303635663363
# 35313436613133643531333431326133353133343139656563666362336464643738
ENROLL_INSTANCE_NAME: "{{ application }}.{{ docker_network.name }}"
ENROLL_TAGS: "homelab"
# Bouncers
BOUNCER_KEY_traefik: "{{ crowdsec_bouncer_key.traefik }}"
volumes:
- "{{ config_directory }}/acquis.yaml:/etc/crowdsec/acquis.yaml"
- "{{ config_directory }}/config.yaml.local:/etc/crowdsec/config.yaml.local"
- "{{ config_directory }}/profiles.yaml.local:/etc/crowdsec/profiles.yaml.local"
- "{{ config_directory }}/email.yaml:/etc/crowdsec/notifications.local/email.yaml"
- "{{ config_directory }}/slack.yaml:/etc/crowdsec/notifications.local/slack.yaml"
- "{{ config_directory }}/config:/etc/crowdsec"
- "{{ config_directory }}/data:/var/lib/crowdsec/data"
- "{{ config_directory }}/my-whitelists.yaml:/etc/crowdsec/parsers/s02-enrich/my-whitelists.yaml"
- "{{ common_directory }}/traefik/logs:/var/log/traefik:ro"
labels:
'{
"chadburn.enabled": "true",
"chadburn.job-exec.{{ application }}-hub.user": "0",
"chadburn.job-exec.{{ application }}-hub.schedule": "@every 1h",
"chadburn.job-exec.{{ application }}-hub.command": "sh -c \"cscli hub update && cscli hub upgrade\"",
"chadburn.job-exec.{{ application }}-hub.tty": "false",
"chadburn.job-exec.{{ application }}-hub.no-overlap": "true"
}'
metrics:
- port: 6060
- name: Create traefik bouncer container
ansible.builtin.include_role:
name: docker_container
vars:
name: "{{ application }}-traefik-bouncer"
image: fbonalair/traefik-crowdsec-bouncer:0.5.0
ipv4_address: "{{ docker_network.prefix }}.250"
env:
CROWDSEC_AGENT_HOST: "{{ application }}.{{ docker_network.name }}:8080"
PORT: "8080"
CROWDSEC_BOUNCER_API_KEY: "{{ crowdsec_bouncer_key.traefik }}"
GIN_MODE: "release"
CROWDSEC_BOUNCER_LOG_LEVEL: "2"