The majority of modern IT infrastructures already includes some form of the security appliance. Our users requested some way to integrate CrowdSec at the appliance level, within their pre-existing ecosystem. In this article, we’ll show you how to make it happen, using the new crowdsec-blocklist-mirror component.
Overview
Leveraging the firewall’s ability to pull IP blocklists from external HTTP URLs, we’ll deploy a crowdsec-blocklist-mirror in the network and configure the appliance to pull IP lists from it.
For this example we are going to use FortiGate, but the steps are similar for other vendors.
Deploying Blocklist Mirror
For this, you’ll need a machine that is accessible from the appliance. You can deploy the blocklist mirror in multiple ways, either by installing from a Linux package manager or deploying with docker. This machine should also be able to access the CrowdSec Local API. The Local API can either be installed on the same machine or can be deployed elsewhere.
For this tutorial we’ll assume that CrowdSec Local API is already installed and listening at port 8080. The OS being used here is ubuntu.
Install Blocklist Mirror
Make sure you have set up the CrowdSec repository. See this to learn how. Then run:
sudo apt install crowdsec-blocklist-mirror
Or if you’re using a RPM-based Linux distribution, run
sudo yum install crowdsec-blocklist-mirror
Configure Blocklist Mirror
After this, we will check and eventually modify the config file located at /etc/crowdsec/bouncers/crowdsec-blocklist-mirror.yaml
Make sure that the lapi_url parameter is correct. If your Local API is deployed on some other machine, please change the lapi_url to the appropriate address and set the lapi_key to a key generated by running the command sudo cscli bouncers add blocklistMirror on the LAPI machine.
By default the blocklist mirror server listens at 127.0.0.1:41412, let’s change this to 0.0.0.0:80 to make this simpler. We can do this by setting listen_uri parameter to 0.0.0.0:80
To load a new configuration use this command:
sudo systemctl restart crowdsec-blocklist-mirror
You can now see the blocklist being served at http://127.0.0.1/security/blocklist.
You can do things like setting authentication, multiple endpoints, TLS etc by tweaking the configuration. Learn more here.
Configure firewall appliance to pull blocklist
This tutorial assumes you are using a FortiGate firewall. Please note that for other vendors steps may vary.
Configuring external blocklist
Open the FortiGate dashboard and navigate to Security Fabric -> External Connectors and click on Create New button.
Scroll down and select Threat Feed -> IP Address and create a connector
Make sure that the appliance can access the URL. This URL should be the one where the blocklist we deployed earlier is serving the IP-list. Finally, click OK.
After a while you can see that this threat feed will be filled. These are from blocklist mirror.
Create a firewall policy referencing the blocklist
You can now create a firewall policy/policy which will deny access to your infrastructure if the incoming IP is present in blocklist. To do this you can navigate to Policy & Objects and click on the Create New button.
Specify the fields as required, and you need to reference the blocklist by selecting it in the Source dropdown
All you have to do next is save the policy and enable it by clicking OK.
Great job!
To sum up
In this way we leveraged CrowdSec in a firewall appliance by using blocklist mirror bouncer. You can further configure the blocklist mirror with authentication, TLS and other security goodies. If you have a question or a suggestion feel free to reach out to us on Discord.