Stormshield
Overview
The Stormshield Remediation Component syncs IP bans from CrowdSec with Stormshield appliances.
Installation
Using pip
pip install crowdsec-stormshield-bouncer
Using docker
docker pull crowdsecurity/stormshield-bouncer
See the Docker-specific documentation here.
Setup
Run the following command to generate the base configuration file. This will generate a configuration file named cfg.yaml in the current directory.
crowdsec-stormshield-bouncer -g > cfg.yaml
You need to edit this file to configure the Remediation Component. Make sure you provide the correct LAPI key and URL, and update the stormshield section with the correct values. The container uses SSH to connect to the firewall and the Stormshield API to update the blacklist, so make sure the firewall is configured to allow SSH and API access from the machine running the container.
See how to enable SSH access on the firewall here. Usually the username and password are the same as for the web interface.
You can generate a LAPI key using the following command on the machine with CrowdSec installed.
cscli bouncers add crowdsec-stormshield-bouncer
Please refer to the Configuration Reference section for more details on the configuration options.
Running the Remediation Component
After configuring the Remediation Component, you can run it using the following command:
crowdsec-stormshield-bouncer -c cfg.yaml
How it Works
The Remediation Component polls the CrowdSec LAPI every update_frequency interval.
It then fetches the list of IP bans and syncs them with the Stormshield appliance's blacklist.
Since CrowdSec provides a huge number of banned IPs, using the Stormshield API alone is not feasible: the API only allows adding one IP at a time directly to the blacklist, which is extremely slow.
To overcome this limitation, the Remediation Component uses SSH to connect to the firewall appliance and:
- Create two groups: Crowdsec and CrowdsecDeleteGroup
- Create objects for all the newly banned IPs and expired bans.
- Add all the banned IPs to the Crowdsec group and all the expired bans to the CrowdsecDeleteGroup. This is done by modifying the /data/Main/ConfigFiles/objectgroup and /data/Main/ConfigFiles/object files.
The Remediation Component then uses the Stormshield API to:
- Add the Crowdsec group to the blacklist.
- Remove the CrowdsecDeleteGroup from the blacklist.
Finally, the Remediation Component empties the CrowdsecDeleteGroup over SSH.
This process is repeated every update_frequency interval.
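The cycle described above, modelled as an added Python example (not the project's own code). The group names and the SSH-then-API ordering follow the description; the decision stream shape is the LAPI stream endpoint's {"new": [...], "deleted": [...]} with a "value" per decision; the Stormshield object/objectgroup file syntax is deliberately not modelled, so each SSH or API action is emitted as a step tuple instead of executed, and the IPs are constructed sample data.

```python
"""One sync cycle of the Remediation Component as a pure planning function.

Added example, not the project's own code. It shows why the two groups
exist: all additions and expiries are batched into config-file edits over
SSH, and the API is then called once per group rather than once per IP."""

GROUP_BAN = "Crowdsec"              # group holding every currently banned IP
GROUP_DELETE = "CrowdsecDeleteGroup"  # staging group for bans that expired


def plan_cycle(banned, stream):
    """Return (steps, banned_after) for one update_frequency tick.

    `banned` is the set of IPs believed to be in the Crowdsec group already;
    callers thread the returned set into the next cycle."""
    new_ips = {d["value"] for d in stream.get("new") or []}
    gone_ips = {d["value"] for d in stream.get("deleted") or []}

    to_add = new_ips - banned
    # Only IPs we actually hold can expire. An IP that is re-banned in the
    # same batch stays banned ("new" wins over "deleted"; model assumption).
    to_expire = (gone_ips & banned) - new_ips

    steps = []
    if to_add or to_expire:
        # SSH: bulk edit of /data/Main/ConfigFiles/object for both sets
        steps.append(("ssh", "create_objects", sorted(to_add | to_expire)))
    if to_add:
        # SSH: bulk edit of /data/Main/ConfigFiles/objectgroup
        steps.append(("ssh", "add_to_group", GROUP_BAN, sorted(to_add)))
    if to_expire:
        steps.append(("ssh", "add_to_group", GROUP_DELETE, sorted(to_expire)))
    if to_add:
        # API: one call blacklists the whole group, not one call per IP
        steps.append(("api", "blacklist_add_group", GROUP_BAN))
    if to_expire:
        steps.append(("api", "blacklist_remove_group", GROUP_DELETE))
        # SSH: empty the staging group so the next cycle starts clean
        steps.append(("ssh", "empty_group", GROUP_DELETE))

    # The model drops expired IPs from the tracked set once they have been
    # staged in the delete group.
    return steps, (banned | to_add) - to_expire


# Constructed sample streams: two consecutive polls of the LAPI
POLL_1 = {
    "new": [{"value": "198.51.100.7", "scenario": "crowdsecurity/ssh-bf"},
            {"value": "203.0.113.9", "scenario": "crowdsecurity/http-probing"}],
    "deleted": [],
}
POLL_2 = {
    "new": [{"value": "198.51.100.7", "scenario": "crowdsecurity/ssh-bf"}],  # re-banned
    "deleted": [{"value": "198.51.100.7", "scenario": "crowdsecurity/ssh-bf"},  # old ban expired
                {"value": "203.0.113.9", "scenario": "crowdsecurity/http-probing"},
                {"value": "192.0.2.5", "scenario": "crowdsecurity/ssh-bf"}],  # never held
}


def demo():
    """Run the two sample polls and return (steps1, steps2, final banned set)."""
    banned = set()
    steps1, banned = plan_cycle(banned, POLL_1)
    steps2, banned = plan_cycle(banned, POLL_2)
    return steps1, steps2, banned


if __name__ == "__main__":
    for cycle, steps in enumerate(demo()[:2], start=1):
        print(f"cycle {cycle}:")
        for step in steps:
            print("  ", step)
```

The second poll shows the edge cases worth checking in a real deployment: an IP that is both deleted and re-added in one batch must not be un-blacklisted, and a deletion for an IP the firewall never held must not produce a dangling object.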
Configuration Reference
crowdsec:
  lapi_key: <CROWDSEC_LAPI_KEY>
  lapi_url: "http://localhost:8080/"
  update_frequency: 30s
  include_scenarios_containing: []
  exclude_scenarios_containing: []
  only_include_decisions_from: []
  insecure_skip_verify: false
  key_path: "" # Used for TLS authentication with CrowdSec LAPI
  cert_path: "" # Used for TLS authentication with CrowdSec LAPI
  ca_cert_path: "" # Used for TLS authentication with CrowdSec LAPI

# Stormshield Config
stormshield:
  host: <STORMSHIELD_HOST>
  ssh_port: 22 # SSH port
  ssh_username: admin
  ssh_password: <STORMSHIELD_SSH_PASSWORD> # optional if using private key auth
  ssh_private_key_path: <SSH_PRIVATE_KEY_PATH> # optional if using password auth
  api_username: admin
  api_password: <STORMSHIELD_API_PASSWORD>
  api_port: 443
  api_ssl_verify_host: false

# Log Config
log_level: info
log_media: "stdout"
log_dir: "/var/log/"
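A pre-flight check for a generated cfg.yaml, added here as an example and not part of the project. The key names are the ones from the configuration above; the checks themselves (template placeholders left in place, no SSH credential configured, TLS verification disabled on either side, a config file readable by other users) and the month and year lengths used when parsing update_frequency are this example's own assumptions. `cfg` is the dict that yaml.safe_load() returns for the file; a constructed one is embedded so the script runs offline.

```python
"""Pre-flight checks for cfg.yaml before starting the Remediation Component.

Added example, not part of the project. The file holds the LAPI key and the
firewall's SSH and API passwords, so the checks focus on what is most often
left wrong after `crowdsec-stormshield-bouncer -g`."""

import re
import stat

# A value left exactly as the template ships it, e.g. <CROWDSEC_LAPI_KEY>
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")

# update_frequency units; the month and year lengths are assumptions
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800,
                "M": 30 * 86400, "y": 365 * 86400}


def parse_interval(text):
    """Turn '30s', '5m', '1h', '1d', '1w', '1M' or '1y' into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwMy])", text.strip())
    if not m:
        raise ValueError(f"bad update_frequency: {text!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def find_placeholders(section, prefix=""):
    """Dotted names of keys whose value is still a <PLACEHOLDER>."""
    found = []
    for key, value in section.items():
        name = prefix + str(key)
        if isinstance(value, dict):
            found.extend(find_placeholders(value, name + "."))
        elif isinstance(value, str) and PLACEHOLDER.match(value):
            found.append(name)
    return found


def world_readable(mode):
    """True if the file mode lets group or others read the secrets inside."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def check_config(cfg, file_mode=None):
    """Return a list of problems; an empty list means the config looks usable.

    `file_mode` is os.stat(path).st_mode of cfg.yaml when available."""
    problems = [f"{n}: placeholder not replaced" for n in find_placeholders(cfg)]
    cs = cfg.get("crowdsec", {})
    ss = cfg.get("stormshield", {})
    try:
        parse_interval(str(cs.get("update_frequency", "")))
    except ValueError as err:
        problems.append(str(err))
    if not (ss.get("ssh_password") or ss.get("ssh_private_key_path")):
        problems.append("stormshield: ssh_password or ssh_private_key_path is required")
    if cs.get("insecure_skip_verify"):
        problems.append("crowdsec.insecure_skip_verify: LAPI certificate is not checked")
    if not ss.get("api_ssl_verify_host"):
        problems.append("stormshield.api_ssl_verify_host: firewall certificate is not checked")
    if file_mode is not None and world_readable(file_mode):
        problems.append("cfg.yaml is readable by other users but holds the LAPI key and firewall passwords")
    return problems


# Constructed sample: a generated template where only the LAPI key was filled in
SAMPLE_CFG = {
    "crowdsec": {"lapi_key": "0123456789abcdef", "lapi_url": "http://localhost:8080/",
                 "update_frequency": "30s", "insecure_skip_verify": False},
    "stormshield": {"host": "<STORMSHIELD_HOST>", "ssh_port": 22, "ssh_username": "admin",
                    "ssh_password": "<STORMSHIELD_SSH_PASSWORD>",
                    "ssh_private_key_path": "<SSH_PRIVATE_KEY_PATH>",
                    "api_username": "admin", "api_password": "<STORMSHIELD_API_PASSWORD>",
                    "api_port": 443, "api_ssl_verify_host": False},
    "log_level": "info",
}

if __name__ == "__main__":
    for problem in check_config(SAMPLE_CFG, file_mode=0o644):
        print("-", problem)
```

Run it against the real file with `check_config(yaml.safe_load(open("cfg.yaml")), os.stat("cfg.yaml").st_mode)`; a config that passes uses a replaced value for every placeholder, one SSH credential, verified TLS on both sides and a mode such as 0600.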
crowdsec.lapi_url
The URL of the CrowdSec LAPI. It must be reachable from the bouncer.
crowdsec.lapi_key
It can be obtained by running the following on the machine the CrowdSec LAPI is deployed on.
sudo cscli -oraw bouncers add crowdsec-stormshield-bouncer # the -oraw flag can be discarded for human-friendly output.
crowdsec.update_frequency
The bouncer will poll CrowdSec every update_frequency interval.
Value can be in seconds (e.g. 30s), minutes (e.g. 5m), hours (e.g. 1h), days (e.g. 1d), weeks (e.g. 1w), months (e.g. 1M) or years (e.g. 1y).
crowdsec.include_scenarios_containing
Ignore IPs banned for triggering scenarios that do not contain any of the provided words. Example value: ["ssh", "http"]
crowdsec.exclude_scenarios_containing
Ignore IPs banned for triggering scenarios containing any of the provided words. Example value: ["ssh", "http"]
crowdsec.only_include_decisions_from
Only include IPs banned due to decisions originating from the provided sources. Example value: ["cscli", "crowdsec"]
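The three filter options above, applied to a constructed decision list as an added example (the project's own implementation may differ in detail). The decision fields used ("value", "scenario", "origin") are the ones the LAPI returns; the config keys are the ones documented above, and an empty or missing list means the filter is not applied.

```python
"""Decision filtering for include_scenarios_containing,
exclude_scenarios_containing and only_include_decisions_from.

Added example, not the project's own code. Substring matching on the
scenario name is assumed, which is why a word like "ssh" also matches
"crowdsecurity/ssh-slow-bf"."""


def filter_decisions(decisions, crowdsec_cfg):
    """Keep the decisions that pass all configured filters, in input order."""
    include = crowdsec_cfg.get("include_scenarios_containing") or []
    exclude = crowdsec_cfg.get("exclude_scenarios_containing") or []
    origins = crowdsec_cfg.get("only_include_decisions_from") or []

    kept = []
    for decision in decisions:
        scenario = decision.get("scenario", "")
        # include: the scenario must contain at least one of the words
        if include and not any(word in scenario for word in include):
            continue
        # exclude: the scenario must contain none of the words
        if exclude and any(word in scenario for word in exclude):
            continue
        # origins: the decision must come from one of the listed sources
        if origins and decision.get("origin") not in origins:
            continue
        kept.append(decision)
    return kept


def banned_ips(decisions, crowdsec_cfg):
    """The IPs that would be pushed to the firewall under this config."""
    return [d["value"] for d in filter_decisions(decisions, crowdsec_cfg)]


# Constructed sample decisions, shaped like the LAPI's decision objects
SAMPLE_DECISIONS = [
    {"value": "198.51.100.7", "scenario": "crowdsecurity/ssh-bf", "origin": "crowdsec"},
    {"value": "203.0.113.9", "scenario": "crowdsecurity/http-probing", "origin": "CAPI"},
    {"value": "192.0.2.5", "scenario": "manual 'ban' from 'localhost'", "origin": "cscli"},
    {"value": "203.0.113.44", "scenario": "crowdsecurity/ssh-slow-bf", "origin": "crowdsec"},
]

if __name__ == "__main__":
    for cfg in ({},
                {"include_scenarios_containing": ["ssh"]},
                {"exclude_scenarios_containing": ["ssh"]},
                {"only_include_decisions_from": ["cscli", "crowdsec"]}):
        print(cfg, "->", banned_ips(SAMPLE_DECISIONS, cfg))
```

Note that only_include_decisions_from set to ["cscli", "crowdsec"] drops everything the CAPI community blocklist contributes, which is usually the bulk of the bans; check the origins present in `cscli decisions list` before narrowing it.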
crowdsec.insecure_skip_verify
Skip TLS verification when connecting to the CrowdSec LAPI.
crowdsec.key_path
Path to the private key file to use for TLS authentication with the CrowdSec LAPI.
crowdsec.cert_path
Path to the certificate file to use for TLS authentication with the CrowdSec LAPI.
crowdsec.ca_cert_path
Path to the CA certificate file to use for TLS authentication with the CrowdSec LAPI.
stormshield.host
The IP address or hostname of the Stormshield firewall.
stormshield.ssh_port
The SSH port of the Stormshield firewall.
stormshield.ssh_username
The SSH username for the Stormshield firewall.
stormshield.ssh_password
The SSH password for the Stormshield firewall.
stormshield.ssh_private_key_path
The path to the SSH private key used to authenticate to the Stormshield firewall.
stormshield.api_username
The API username for the Stormshield firewall.
stormshield.api_password
The API password for the Stormshield firewall.
stormshield.api_port
The API port of the Stormshield firewall.
stormshield.api_ssl_verify_host
Verify the SSL certificate of the Stormshield firewall.
log_level
The log level for the bouncer. Example value: "info"
Valid values: "debug", "info", "warning", "error"
log_mode
The log mode for the bouncer.
Valid values: "stdout", "stderr", "file"
log_dir
The directory to store the logs in. This is only applicable when log_mode is set to "file".