Detect and Block Port Scanning on pfSense with CrowdSec

Many of our users are running a firewall in front of the services they protect. Most commonly, they utilize multiple servers, each with an installation of the CrowdSec Security Engine, Log Processor, or both.

CrowdSec supports a number of firewall types like OpenWRT and OPNSense. But, up until now, we have been missing the integration with pfSense.

‍

In the example architecture above, the only machine that would not have a CrowdSec component is the one running the pfSense firewall. This means attacks against the exposed services on the firewall itself would not be detected by CrowdSec (you would have to rely on other solutions) and the blocklists would not be enforced by the other machines in the network that are not already running a Remediation Component.

Introducing the new CrowdSec package for pfSense

Today, we are proud to introduce the new CrowdSec package for pfSense which provides access to:

• A centralized Firewall Remediation Component that applies the blocklists to the whole network at once
• A Log Processor to detect attacks to the pfSense services — port scan, HAProxy, etc. (optional)
• A Security Engine in the pfSense machine itself (optional)

Before we dig in and explore this new integration let’s go over a few requirements. 

In this article, we assume you are installing all three, which is also an easy way to try out CrowdSec for the first time. If the volume of the logs grows over time or you need a particular configuration, you can always move the optional components to a separate machine.

Note: At the time of writing, the package has been submitted to the fpSense developers for review but is not yet available through the official repository. When it is, it will be possible to install it with a couple of clicks. For now, we will show you how to perform a manual installation and update this article over time.

Installing the packages

Open an SSH connection to the firewall. If you don't want to enable SSH, you can enter shell commands in Diagnostics / Command Prompt.

One by one, copy and paste the following five long lines:

IGNORE_OSVERSION=yes pkg add https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1/abseil-20230125.3.pkg

IGNORE_OSVERSION=yes pkg add https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1/re2-20230901.pkg

IGNORE_OSVERSION=yes pkg add https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1/crowdsec-1.5.5.pkg

IGNORE_OSVERSION=yes pkg add https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1/crowdsec-firewall-bouncer-0.0.28_1.pkg

IGNORE_OSVERSION=yes pkg add https://github.com/crowdsecurity/pfSense-pkg-crowdsec/releases/download/v0.1/pfSense-pkg-crowdsec-0.1.pkg

Don't run anything else than pkg add, just verify that you see Extracting... done each time, and that there are no obvious errors.

This should be the output of your last command:

If you wonder why IGNORE_OSVERSION is required, it's because the package is installed in a slightly newer (or older) FreeBSD release than the machine it was built on, but it's still compatible.

It is possible that a pfSense update removes the unofficial packages. In this case, you just need to run the installation again and CrowdSec will keep running with the same settings.

Configuration

Following the steps outlined above, you should see three new menus.

• Services / CrowdSec
• Status / CrowdSec 
• Diagnostics / CrowdSec Metrics

To activate the new package, navigate to the Services / CrowdSec menu.

Services / CrowdSec

Here you can enable or disable the three components. As mentioned before, for the sake of this tutorial, I’ll enable all three.

For the new LAPI host and LAPI port that are available, leave the default values.

Note: For more advanced use cases with a multi-machine setup, you should keep in mind that a LAPI is used to share information between machines (attacks, decisions). If you have other instances of CrowdSec running and want to connect them, you'll have to decide at some point where to run your LAPI service to make sure all machines work together.

• To use the LAPI on pfSense, change the LAPI host to the LAN address of the pfSense machine and configure the Log Processors to use it.
• To use the LAPI on a different server, disable the Local API and configure the Remote LAPI section with the appropriate credentials.

You can switch from local to remote LAPI at any time and the CrowdSec configuration will be updated automatically.

Leave Remote LAPI disabled, at least for now.

In the next section, you can leave the defaults for Log level and Metrics. There is no option to disable the metrics here, but they are exposed only on 127.0.0.1. 

Note: When reporting a reproducible issue with CrowdSec or the Remediation Component, please change the log level to Debug. You will find all the logs in /var/log/crowdsec/.

The last section defines the rules that pfSense will apply to the blocklists. Leave the default values here as well.

Click Save at the end of the page and you'll see a confirmation that settings are saved.

Now check the status of the running services. You can use the menu or the icon bar at the top of the settings page.

Status / CrowdSec 

Here you can see at a glance:

• The status of the services (click on Running services to stop/restart them)
• The Log Processors (machines) and Remediation Components (bouncers)
• The collections, parsers, and postoverflows installed from the Hub. The Hub is updated automatically once per day.
• The alerts and decisions taken upon direct threats on your services — these tables won't show data coming from the community blocklist. To see them, connect via SSH and run `cscli alerts list -a` and `cscli decisions list -a`.

If you are familiar with CrowdSec you have noticed that these tables correspond to the cscli [machines|bouncers...] list commands. They are provided to quickly check the configuration and events, but to install new objects you'll have to use cscli in a shell.

In the Collections tab, you can see that firewallservices/pf is enabled by default. This means CrowdSec is detecting port scan attempts to the WAN interface.

To test it, run this command against the WAN address:

# nmap -sS -sV [WAN_IP]

After a few seconds, you can see on the Alerts and Decisions tables that CrowdSec has detected your simulated attack and proceeded to ban the offending IP address. You can delete it from the decisions if you want to un-ban it.

The last menu that was added by CrowdSec allows you to see in real time the parsed logs and other information to ensure your custom configuration is working properly.

Diagnostics / CrowdSec Metrics

See the activity around filter.log? That’s where your port scan was detected.

If you add new collections for the software that is running in the firewall machine, make sure you have the appropriate acquisition file too.

For example, to parse the HAProxy logs, create the following file in /usr/local/etc/crowdsec/acquis.d/haproxy.yml:

filenames:
  - /var/log/haproxy.log
force_inotify: true
poll_without_inotify: true
labels:
  type: syslog
  

Conclusion

We hope this short tutorial sparked your interest!

If you want to get the most out of the CrowdSec ecosystem, make sure to enroll your firewall in the CrowdSec Console.

• Create an account at https://app.crowdsec.net/signup or log in if you already have one.
• Get an enrollment key at https://app.crowdsec.net/security-engines by clicking Add Security Engine.
• On the pfSense machine, run cscli console enroll <ENROLL-KEY>.
• Validate the operation in the CrowdSec Console.

All the existing documentation for the Linux version of CrowdSec applies to FreeBSD as well. Be aware that the configuration is in /usr/local/etc/crowdsec, and there is no systemctl command to apply the changes but you can restart the services through the pfSense interface.

See the main documentation at Getting Started / Security Engine / pfSense on our website.