Stormshield

Overview
The Stormshield Remediation Component syncs IP bans from CrowdSec with Stormshield appliances.
Installation
Using pip
pip install crowdsec-stormshield-bouncer
Using docker
docker pull crowdsecurity/stormshield-bouncer
See docker specific documentation here.
Setup
Run the following command to generate the base configuration file. This will generate a configuration file named cfg.yaml in the current directory.
crowdsec-stormshield-bouncer -g > cfg.yaml
You need to edit this file to configure the Remediation Component. Make sure you provide the correct LAPI key and URL. The stormshield section should be updated with the correct values. The container uses SSH to connect to the firewall and the API to update the blacklist, so make sure the firewall is configured to allow SSH and API access from the machine running the container.
See how to enable SSH access on the firewall here. Usually the username and password are the same as for the web interface.
You can generate a LAPI key using the following command on the machine with CrowdSec installed.
cscli bouncers add crowdsec-stormshield-bouncer
Please refer to configuration reference section for more details on the configuration options.
Running the Remediation Component
After configuring the Remediation Component, you can run it using the following command:
crowdsec-stormshield-bouncer -c cfg.yaml
How it Works
The Remediation Component polls the CrowdSec LAPI every update_frequency interval.
It then fetches the list of IP bans and syncs them with the Stormshield appliance's blacklist.
Since CrowdSec provides a huge number of banned IPs, using the Stormshield API alone is not practical: the API only allows adding one IP at a time to the blacklist, which is extremely slow.
To overcome this limitation, the Remediation Component uses SSH to connect to the firewall appliance to:
- Create two groups: Crowdsec and CrowdsecDeleteGroup.
- Create objects for all the newly banned IPs and expired bans.
- Add all the banned IPs to the Crowdsec group and all the expired bans to the CrowdsecDeleteGroup. This is done by modifying the /data/Main/ConfigFiles/objectgroup and /data/Main/ConfigFiles/object files.
Then the Remediation Component uses the Stormshield API to:
- Add the Crowdsec group to the blacklist.
- Remove the CrowdsecDeleteGroup from the blacklist.
Finally, the Remediation Component empties the CrowdsecDeleteGroup over SSH.
This process is repeated every update_frequency interval.
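As an added illustration of the per-tick sync described above (example code, not the bouncer's own implementation), the following Python sketch applies the three crowdsec.* scenario/origin filters from the configuration reference and computes what goes into the Crowdsec group and the CrowdsecDeleteGroup. It assumes the LAPI /v1/decisions/stream response shape (lists under "new" and "deleted", each decision carrying value, type, scenario and origin) and a locally kept set of IPs already pushed to the firewall.

```python
from dataclasses import dataclass, field

@dataclass
class CrowdsecFilters:
    """The three filter options from the crowdsec: section of cfg.yaml."""
    include_scenarios_containing: list = field(default_factory=list)
    exclude_scenarios_containing: list = field(default_factory=list)
    only_include_decisions_from: list = field(default_factory=list)

def keep_decision(decision, cfg):
    """Return True if a LAPI decision survives the configured filters."""
    if decision.get("type") != "ban":          # only ban decisions go to the blacklist
        return False
    scenario = decision.get("scenario", "")
    inc = cfg.include_scenarios_containing
    if inc and not any(word in scenario for word in inc):
        return False
    if any(word in scenario for word in cfg.exclude_scenarios_containing):
        return False
    origins = cfg.only_include_decisions_from
    if origins and decision.get("origin") not in origins:
        return False
    return True

def plan_sync(pushed, stream, cfg):
    """One update_frequency tick. `pushed` is the set of IPs already on the firewall;
    it is updated in place. Returns (to_add, to_delete): IPs for the Crowdsec group
    and for the CrowdsecDeleteGroup respectively."""
    wanted = {d["value"] for d in (stream.get("new") or []) if keep_decision(d, cfg)}
    expired = {d["value"] for d in (stream.get("deleted") or [])}
    # Only remove what we actually pushed, and never an IP re-banned in the same tick.
    to_delete = (expired & pushed) - wanted
    to_add = wanted - pushed
    pushed -= to_delete
    pushed |= to_add
    return sorted(to_add), sorted(to_delete)

# Constructed sample: two IPs already on the firewall and one stream response.
SAMPLE_PUSHED = {"10.0.0.1", "10.0.0.2"}
SAMPLE_STREAM = {
    "new": [
        {"value": "10.0.0.3", "type": "ban", "scenario": "crowdsecurity/ssh-bf", "origin": "crowdsec"},
        {"value": "10.0.0.4", "type": "ban", "scenario": "crowdsecurity/http-probing", "origin": "crowdsec"},
        {"value": "10.0.0.5", "type": "ban", "scenario": "crowdsecurity/ssh-bf", "origin": "lists"},
        {"value": "10.0.0.6", "type": "captcha", "scenario": "crowdsecurity/http-bf", "origin": "crowdsec"},
        {"value": "10.0.0.2", "type": "ban", "scenario": "crowdsecurity/ssh-bf", "origin": "cscli"},
    ],
    "deleted": [{"value": "10.0.0.1"}, {"value": "10.0.0.9"}, {"value": "10.0.0.2"}],
}
SAMPLE_CFG = CrowdsecFilters(["ssh", "http"], ["probing"], ["crowdsec", "cscli"])

if __name__ == "__main__":
    print(plan_sync(set(SAMPLE_PUSHED), SAMPLE_STREAM, SAMPLE_CFG))
```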
Configuration Reference
crowdsec:
  lapi_key: <CROWDSEC_LAPI_KEY>
  lapi_url: "http://localhost:8080/"
  update_frequency: 30s
  include_scenarios_containing: []
  exclude_scenarios_containing: []
  only_include_decisions_from: []
  insecure_skip_verify: false
  key_path: "" # Used for TLS authentication with CrowdSec LAPI
  cert_path: "" # Used for TLS authentication with CrowdSec LAPI
  ca_cert_path: "" # Used for TLS authentication with CrowdSec LAPI
# Stormshield Config
stormshield:
  host: <STORMSHIELD_HOST>
  ssh_port: 22 # SSH port
  ssh_username: admin
  ssh_password: <STORMSHIELD_SSH_PASSWORD> # optional if using private key auth
  ssh_private_key_path: <SSH_PRIVATE_KEY_PATH> # optional if using password auth
  api_username: admin
  api_password: <STORMSHIELD_API_PASSWORD>
  api_port: 443
  api_ssl_verify_host: false
# Log Config
log_level: info
log_media: "stdout"
log_dir: "/var/log/"
crowdsec.lapi_url
The URL of the CrowdSec LAPI. It must be reachable from the bouncer.
crowdsec.lapi_key
It can be obtained by running the following on the machine the CrowdSec LAPI is deployed on.
sudo cscli -oraw bouncers add # the -oraw flag can be discarded for human-friendly output.
crowdsec.update_frequency
The bouncer polls the CrowdSec LAPI every update_frequency interval.
The value can be in seconds (e.g. 30s), minutes (e.g. 5m), hours (e.g. 1h), days (e.g. 1d), weeks (e.g. 1w), months (e.g. 1M) or years (e.g. 1y).
crowdsec.include_scenarios_containing
Ignore IPs banned for triggering scenarios that do not contain any of the provided words. Example value: ["ssh", "http"]
crowdsec.exclude_scenarios_containing
Ignore IPs banned for triggering scenarios that contain any of the provided words. Example value: ["ssh", "http"]
crowdsec.only_include_decisions_from
Only include IPs banned due to decisions originating from the provided sources. Example value: ["cscli", "crowdsec"]
crowdsec.insecure_skip_verify
Skip TLS verification when connecting to the CrowdSec LAPI.
crowdsec.key_path
Path to the private key file to use for TLS authentication with the CrowdSec LAPI.
crowdsec.cert_path
Path to the certificate file to use for TLS authentication with the CrowdSec LAPI.
crowdsec.ca_cert_path
Path to the CA certificate file to use for TLS authentication with the CrowdSec LAPI.
stormshield.host
The IP address or hostname of the Stormshield firewall.
stormshield.ssh_port
The SSH port of the Stormshield firewall.
stormshield.ssh_username
The SSH username for the Stormshield firewall.
stormshield.ssh_password
The SSH password for the Stormshield firewall.
stormshield.ssh_private_key_path
The path to the SSH private key used to authenticate to the Stormshield firewall.
stormshield.api_username
The API username for the Stormshield firewall.
stormshield.api_password
The API password for the Stormshield firewall.
stormshield.api_port
The API port of the Stormshield firewall.
stormshield.api_ssl_verify_host
Verify the SSL certificate of the Stormshield firewall.
log_level
The log level for the bouncer. Example value: "info"
Valid values: "debug", "info", "warning", "error"
log_mode
The log mode for the bouncer.
Valid values: "stdout", "stderr", "file"
log_dir
The directory to store the logs in. This is only applicable when log_mode is set to "file".