Stormshield


Overview

The Stormshield Remediation Component syncs IP bans from CrowdSec with Stormshield appliances.

Installation

Using pip

pip install crowdsec-stormshield-bouncer

Using docker

docker pull crowdsecurity/stormshield-bouncer

See docker specific documentation here.

Setup

Run the following command to generate the base configuration file. This will generate a configuration file named cfg.yaml in the current directory.

crowdsec-stormshield-bouncer -g > cfg.yaml

Edit this file to configure the Remediation Component. Set the correct LAPI key and URL, and fill in the stormshield section with the appliance's details. The Remediation Component connects to the firewall over SSH and uses the Stormshield API to update the blacklist, so the firewall must allow both SSH and API access from the host (or container) running it.

See how to enable SSH access on the firewall here. Usually the username and password are the same as for the web interface. If the firewall account uses key-based authentication instead, set ssh_private_key_path rather than ssh_password.

You can generate a LAPI key using the following command on the machine with CrowdSec installed.

cscli bouncers add crowdsec-stormshield-bouncer

Please refer to configuration reference section for more details on the configuration options.

Running the Remediation Component

After configuring the Remediation Component, you can run it using the following command:

crowdsec-stormshield-bouncer -c cfg.yaml

How it Works

The Remediation Component polls the CrowdSec LAPI every update_frequency interval, fetches the list of IP bans and syncs them with the Stormshield appliance's blacklist.

CrowdSec can produce a very large number of banned IPs, so the Stormshield API alone is not enough: it only allows adding IPs to the blacklist one at a time, which is far too slow at that volume.

To overcome this limitation, the Remediation Component first connects to the firewall over SSH to:

  • Create two groups, Crowdsec and CrowdsecDeleteGroup.
  • Create objects for all newly banned IPs and for all expired bans.
  • Add all the newly banned IPs to the Crowdsec group and all the expired bans to the CrowdsecDeleteGroup. This is done by editing the /data/Main/ConfigFiles/objectgroup and /data/Main/ConfigFiles/object files directly.

Then the Remediation Component uses the Stormshield API to:

  • Add the Crowdsec group to the blacklist.
  • Remove the CrowdsecDeleteGroup from the blacklist.

Finally, the Remediation Component empties the CrowdsecDeleteGroup over SSH.

This process is repeated every update_frequency interval. Because the Remediation Component edits the appliance's configuration files directly over SSH, the SSH credentials in cfg.yaml amount to administrative access to the firewall: keep the file readable only by the account that runs the Remediation Component.
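To make one sync cycle concrete, here is an added Python example (not the Remediation Component's own code) that diffs a LAPI decision stream response against the IPs currently in the Crowdsec group, applies the include/exclude/origin filters from the configuration reference, and lists the SSH and API steps in the order described above. The names Filters, wanted, plan_sync, SyncPlan, cycle_operations and sample_stream are hypothetical; the {"new": [...], "deleted": [...]} payload shape is the CrowdSec LAPI decisions stream format; the decisions in sample_stream() are constructed test data using documentation address ranges.

```python
"""Added example, not the Remediation Component's own code: model one sync
cycle. Hypothetical names: Filters, wanted, plan_sync, SyncPlan,
cycle_operations, sample_stream. The stream payload shape follows the CrowdSec
LAPI decisions stream ({"new": [...], "deleted": [...]}); the sample decisions
are constructed test data."""
from dataclasses import dataclass, field


@dataclass
class Filters:
    """Mirror of the crowdsec.* filter options in cfg.yaml."""
    include_scenarios_containing: list = field(default_factory=list)
    exclude_scenarios_containing: list = field(default_factory=list)
    only_include_decisions_from: list = field(default_factory=list)


def wanted(decision: dict, f: Filters) -> bool:
    """True if this LAPI decision should become a firewall blacklist entry."""
    if decision.get("type") != "ban":
        return False                        # only bans map to the blacklist
    if decision.get("scope", "").lower() != "ip":
        return False                        # single IPs only in this model
    scenario = decision.get("scenario", "")
    inc = f.include_scenarios_containing
    if inc and not any(word in scenario for word in inc):
        return False                        # include list set, nothing matched
    if any(word in scenario for word in f.exclude_scenarios_containing):
        return False                        # an excluded word matched
    src = f.only_include_decisions_from
    if src and decision.get("origin") not in src:
        return False                        # origin not allowed
    return True


@dataclass
class SyncPlan:
    add_to_crowdsec_group: set     # new objects for the Crowdsec group
    move_to_delete_group: set      # expired objects for CrowdsecDeleteGroup
    state: set                     # IPs blacklisted once the cycle completes


def plan_sync(current: set, stream: dict, f: Filters) -> SyncPlan:
    """Diff a stream response against the IPs already in the Crowdsec group."""
    new_ips = {d["value"] for d in stream.get("new", []) if wanted(d, f)}
    # Deletions are not filtered: if we hold an IP and LAPI says its decision
    # ended, it must leave the blacklist whatever its scenario or origin was.
    gone_ips = {d["value"] for d in stream.get("deleted", [])}
    to_add = new_ips - current
    to_delete = (gone_ips & current) - new_ips   # re-banned this cycle: keep it
    return SyncPlan(to_add, to_delete, (current | to_add) - to_delete)


def cycle_operations(plan: SyncPlan) -> list:
    """The SSH and API steps of one cycle, in the order the page describes."""
    if not plan.add_to_crowdsec_group and not plan.move_to_delete_group:
        return []                           # nothing changed: touch nothing
    return [
        ("ssh", "write_objects_and_groups",
         {"Crowdsec": sorted(plan.add_to_crowdsec_group),
          "CrowdsecDeleteGroup": sorted(plan.move_to_delete_group)}),
        ("api", "blacklist_add_group", "Crowdsec"),
        ("api", "blacklist_remove_group", "CrowdsecDeleteGroup"),
        ("ssh", "empty_group", "CrowdsecDeleteGroup"),
    ]


SAMPLE_FILTERS = Filters(include_scenarios_containing=["ssh", "http"],
                         exclude_scenarios_containing=["test"],
                         only_include_decisions_from=["crowdsec", "cscli"])


def sample_stream() -> dict:
    """Constructed stream response (documentation-range addresses, not real bans)."""
    def ban(i, origin, value, scenario, kind="ban"):
        return {"id": i, "origin": origin, "type": kind, "scope": "Ip",
                "value": value, "duration": "4h", "scenario": scenario}
    return {
        "new": [
            ban(1, "crowdsec", "203.0.113.10", "crowdsecurity/ssh-bf"),          # kept
            ban(2, "CAPI", "198.51.100.7", "crowdsecurity/http-probing"),        # origin filtered
            ban(3, "crowdsec", "203.0.113.11", "crowdsecurity/smtp-bf"),         # no include word
            ban(4, "crowdsec", "203.0.113.12", "crowdsecurity/http-bf", "captcha"),  # not a ban
            ban(5, "cscli", "203.0.113.13", "crowdsecurity/ssh-bf_test"),        # excluded word
        ],
        "deleted": [ban(0, "crowdsec", "192.0.2.9", "crowdsecurity/ssh-bf")],
    }


if __name__ == "__main__":
    held = {"192.0.2.9", "192.0.2.10"}           # already in the Crowdsec group
    plan = plan_sync(held, sample_stream(), SAMPLE_FILTERS)
    for op in cycle_operations(plan):
        print(op)
    print("blacklisted after cycle:", sorted(plan.state))
```

The model keeps the two groups disjoint per cycle (an IP that expires and is re-banned in the same poll stays in the Crowdsec group instead of bouncing through CrowdsecDeleteGroup), and it skips the SSH and API round-trips entirely when nothing changed, which matters when update_frequency is short.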

Configuration Reference

crowdsec:
  lapi_key: <CROWDSEC_LAPI_KEY>
  lapi_url: "http://localhost:8080/"
  update_frequency: 30s
  include_scenarios_containing: []
  exclude_scenarios_containing: []
  only_include_decisions_from: []
  insecure_skip_verify: false
  key_path: "" # Used for TLS authentication with CrowdSec LAPI
  cert_path: "" # Used for TLS authentication with CrowdSec LAPI
  ca_cert_path: "" # Used for TLS authentication with CrowdSec LAPI

# Stormshield Config
stormshield:
  host: <STORMSHIELD_HOST>

  ssh_port: 22 # SSH port
  ssh_username: admin
  ssh_password: <STORMSHIELD_SSH_PASSWORD> # optional if using private key auth
  ssh_private_key_path: <SSH_PRIVATE_KEY_PATH> # optional if using password auth

  api_username: admin
  api_password: <STORMSHIELD_API_PASSWORD>
  api_port: 443
  api_ssl_verify_host: false

# Log Config
log_level: info
log_media: "stdout"
log_dir: "/var/log/"

crowdsec.lapi_url

The URL of the CrowdSec LAPI. It must be reachable from the Remediation Component.

crowdsec.lapi_key

It can be obtained by running the following on the machine the CrowdSec LAPI is deployed on:

sudo cscli -oraw bouncers add crowdsec-stormshield-bouncer # the -oraw flag can be dropped for human-friendly output

crowdsec.update_frequency

The Remediation Component polls the CrowdSec LAPI every update_frequency interval.

Value can be in seconds (eg 30s), minutes (eg 5m), hours (eg 1h), days (eg 1d), weeks (eg 1w), months (eg 1M) or years (eg 1y). The unit letter is case-sensitive: m is minutes and M is months.
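As an added example (not the project's code), the following Python parser converts the documented update_frequency format into seconds and rejects anything else. parse_update_frequency is a hypothetical name, and since the page does not define the length of a month or a year, 30 and 365 days are assumed here.

```python
"""Added example, not part of the bouncer: parse the update_frequency format
(<number><unit>, units s m h d w M y). parse_update_frequency is a
hypothetical name; month = 30 days and year = 365 days are assumptions."""
import re

_SECONDS_PER_UNIT = {
    "s": 1,
    "m": 60,
    "h": 3600,
    "d": 86_400,
    "w": 7 * 86_400,
    "M": 30 * 86_400,    # month: assumed 30 days (not defined by the page)
    "y": 365 * 86_400,   # year: assumed 365 days (not defined by the page)
}
# Case matters: "m" is minutes, "M" is months, so no re.IGNORECASE here.
_PATTERN = re.compile(r"(\d+)([smhdwMy])")


def parse_update_frequency(value: str) -> int:
    """Return the polling interval in seconds, or raise ValueError."""
    m = _PATTERN.fullmatch(value.strip())
    if m is None:
        raise ValueError(
            f"bad update_frequency {value!r}: expected e.g. 30s, 5m, 1h, 1d, 1w, 1M or 1y")
    n = int(m.group(1))
    if n == 0:
        raise ValueError("update_frequency must be positive")
    return n * _SECONDS_PER_UNIT[m.group(2)]


if __name__ == "__main__":
    for sample in ("30s", "5m", "1h", "1M"):
        print(sample, "->", parse_update_frequency(sample), "seconds")
```

A bare number such as 30 or a lowercase month such as 1m (which is one minute) are the two mistakes this catches; a value with no unit is rejected rather than silently treated as seconds.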

crowdsec.include_scenarios_containing

Ignore IPs banned for scenarios whose name contains none of the given words. Example value: ["ssh", "http"]

crowdsec.exclude_scenarios_containing

Ignore IPs banned for scenarios whose name contains any of the given words. Example value: ["ssh", "http"]

crowdsec.only_include_decisions_from

Only include IPs banned by decisions originating from the given sources. Example value: ["cscli", "crowdsec"]

crowdsec.insecure_skip_verify

Skip TLS certificate verification when connecting to the CrowdSec LAPI. Leave this false unless the LAPI certificate cannot be validated, since skipping verification lets anyone who can intercept the connection read the LAPI key.

crowdsec.key_path

Path to the private key file to use for TLS authentication with CrowdSec LAPI.

crowdsec.cert_path

Path to the certificate file to use for TLS authentication with CrowdSec LAPI.

crowdsec.ca_cert_path

Path to the CA certificate file used to validate the CrowdSec LAPI certificate when using TLS authentication.

stormshield.host

The IP address or hostname of the Stormshield firewall.

stormshield.ssh_port

The SSH port of the Stormshield firewall.

stormshield.ssh_username

The SSH username of the Stormshield firewall.

stormshield.ssh_password

The SSH password of the Stormshield firewall.

stormshield.ssh_private_key_path

The path to the SSH private key used to authenticate to the Stormshield firewall (alternative to ssh_password).

stormshield.api_username

The API username of the Stormshield firewall.

stormshield.api_password

The API password of the Stormshield firewall.

stormshield.api_port

The API port of the Stormshield firewall.

stormshield.api_ssl_verify_host

Verify the TLS certificate presented by the Stormshield API. The generated configuration sets this to false; set it to true in production (with a certificate the Remediation Component's host trusts) so the API credentials are not sent to a host impersonating the firewall.

log_level

The log level for the bouncer. Example value: "info"

Valid values: "debug", "info", "warning", "error"

log_media

The log mode for the bouncer.

Valid values: "stdout", "stderr", "file"

log_dir

The directory to store the logs in. This is only applicable when log_media is set to "file".