CrowdSec • 10mo ago
Hackstronaut

Help with multi-server setup

Hi everyone,

Is anyone willing to guide me in the right direction with my multi-server setup? I seem to struggle with the correct configuration even though I did read the wiki 🙂

I have the following setup:
- OPNsense with the CrowdSec plugin. This does work, and port scans, for example, are blocked.
- Debian server with a Docker container which includes Nginx Proxy Manager and CrowdSec in one Docker Compose file. In the compose file I have the local API disabled and added the LAPI of OPNsense with the correct user and password. This does work, since cscli lapi status is successful and shows that it does connect to the LAPI of the OPNsense. Additionally, I have the collection crowdsecurity/nginx-proxy-manager installed and mapped the logs of nginx-proxy-manager to the crowdsec container.

What I want is to monitor the logs on the reverse proxy and block the connections on the OPNsense bouncer. I don't need advanced stuff like captchas or anything. cscli metrics on the reverse proxy shows acquisition, so the logs are parsed correctly, I think.

So... everything seems to look good, but it's just that nothing happens. I scanned my server from a different external IP address with Burp Proxy and some active scan, and I can see that the lines read in the log increase, but there are no alerts and no decisions except the one from port scans on the OPNsense. So I am not really sure where to troubleshoot. Thanks for your time.
5 Replies
CrowdSec
CrowdSec • 10mo ago
Important Information
This post has been marked as resolved. If this is a mistake please press the red button below or type /unresolve
© Created By WhyAydan for CrowdSec ❤️
Hackstronaut
Hackstronaut (OP) • 10mo ago
I can add some screenshots of the configuration. This is the Docker container with the mapped acquis.yaml file and the corresponding folder with the logs. Then there is a screenshot of the cscli metrics command. And then maybe the Docker Compose file:
```yaml
services:
  npm:
    image: "jc21/nginx-proxy-manager:latest"
    container_name: npm
    restart: unless-stopped
    ports:
      - "80:80"
      - "81:81"
      - "443:443"
    volumes:
      # NPM writes its proxy-host access logs under /data/logs,
      # i.e. ./data/logs on the host.
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

  crowdsec:
    image: crowdsecurity/crowdsec:latest
    container_name: crowdsec
    restart: always
    environment:
      COLLECTIONS: "crowdsecurity/nginx-proxy-manager"
      # Agent-only container: no local LAPI, register against the
      # OPNsense LAPI instead. Environment values are strings, so quote the boolean.
      DISABLE_LOCAL_API: "true"
      AGENT_USERNAME: "[REDACTED]"
      AGENT_PASSWORD: "[REDACTED]"
      LOCAL_API_URL: "[REDACTED]"
    depends_on:
      - npm
    volumes:
      # Same host directory NPM logs into, mounted read-only where acquis.yaml expects it.
      - ./data/logs:/root/data/logs:ro
      - crowdsec-db:/var/lib/crowdsec/data/
      - crowdsec-config:/etc/crowdsec/
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml

volumes:
  crowdsec-db:
  crowdsec-config:
```
iiamloz
iiamloz • 10mo ago
From the metrics, it seems to be working fine; most likely the testing is not aggressive enough to trigger a scenario. My recommendation is to run a security tool like nikto, as that will trigger a decision since it's pretty aggressive.
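To see why a tool like nikto trips a scenario while a light scan does not, it helps to look at what the proxy actually logs. The script below is an added example, not part of this thread or of CrowdSec's own parsers or scenarios: it constructs a handful of log lines in Nginx Proxy Manager's proxy-host `log_format` (one polite browser, one scanner hammering many non-existent paths), parses them with a regex for that format, and counts distinct 404 URIs per client IP. The threshold, hostnames and IPs are assumptions for illustration; the real scenario parameters live in the hub collection and are not reproduced here. The written file can be replayed through `cscli explain -f <file> -t <type>` to check the parser chain offline, where `<type>` must match the `labels.type` in your acquis.yaml.

```python
"""Constructed Nginx Proxy Manager access-log lines, parsed and summarised per
client IP. Added illustration only; not CrowdSec's parser or scenario logic,
and the threshold below is an assumption, not a hub value."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# NPM proxy-host log_format, as configured in its nginx templates:
# [$time_local] $upstream_cache_status $upstream_status $status - $request_method
# $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent]
# [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"
NPM_PROXY_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<cache>\S+) (?P<upstream_status>\S+) (?P<status>\d{3}) - '
    r'(?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) "(?P<uri>[^"]*)" '
    r'\[Client (?P<client>[^\]]+)\] \[Length (?P<length>\S+)\] \[Gzip (?P<gzip>\S+)\] '
    r'\[Sent-to (?P<sent_to>[^\]]+)\] "(?P<ua>[^"]*)" "(?P<referer>[^"]*)"$'
)


def format_line(ts, status, method, uri, client, ua):
    """Build one line in NPM proxy-host format. Host and upstream are made up."""
    return (f'[{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] - {status} {status} - {method} https '
            f'app.example.test "{uri}" [Client {client}] [Length 153] [Gzip -] '
            f'[Sent-to 10.0.0.2] "{ua}" "-"')


def constructed_log(n_probe_paths=40):
    """Constructed sample: a browser fetching two real pages, and a scanner
    requesting many distinct non-existent paths (what a nikto-style run looks like)."""
    t0 = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    browser = "203.0.113.10"    # RFC 5737 documentation addresses
    scanner = "198.51.100.77"
    lines = []
    for i, path in enumerate(["/", "/login"]):
        lines.append(format_line(t0 + timedelta(seconds=i), 200, "GET", path,
                                 browser, "Mozilla/5.0"))
    for i in range(n_probe_paths):
        lines.append(format_line(t0 + timedelta(seconds=i), 404, "GET", f"/probe-{i}.php",
                                 scanner, "Mozilla/5.00 (Nikto/2.1.6)"))
    return lines


def parse(line):
    """Return the named fields of one NPM proxy log line, or None if it does not match."""
    m = NPM_PROXY_RE.match(line)
    return m.groupdict() if m else None


def distinct_404_paths(lines):
    """Number of distinct URIs that returned 404, keyed by client IP."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is not None and ev["status"] == "404":
            seen[ev["client"]].add(ev["uri"])
    return {ip: len(paths) for ip, paths in seen.items()}


def noisy_clients(lines, threshold=10):
    """Client IPs whose distinct-404 count reaches the assumed threshold."""
    return sorted(ip for ip, n in distinct_404_paths(lines).items() if n >= threshold)


if __name__ == "__main__":
    sample = constructed_log()
    with open("npm-constructed.log", "w", encoding="utf-8") as fh:
        fh.write("\n".join(sample) + "\n")
    print("per-IP distinct 404s:", distinct_404_paths(sample))
    print("noisy clients:", noisy_clients(sample))
    print("replay offline: cscli explain -f npm-constructed.log -t nginx-proxy-manager")
```

Two pages returning 200 from the browser produce no probing signal at all, while the scanner's forty distinct 404s stand out immediately; a Burp active scan against a small attack surface can sit between those extremes. Replaying the file with `cscli explain` shows, per line, which parser matched and which scenario (if any) was fed, which is the quickest way to tell a parsing problem from a traffic volume problem.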
Hackstronaut
Hackstronaut (OP) • 10mo ago
Okay, I will try it again with nikto and let you know, thanks. Thanks, yes, it seems I did mess up with the testing; it works as it should 🙂
CrowdSec
CrowdSec • 10mo ago
Resolving "Help with multi-server setup". This has now been resolved. If you think this is a mistake, please run /unresolve