diff --git a/ansible/roles/common/tasks/services/set_crowdsec.yaml b/ansible/roles/common/tasks/services/set_crowdsec.yaml
index 04e6720..8e078f8 100644
--- a/ansible/roles/common/tasks/services/set_crowdsec.yaml
+++ b/ansible/roles/common/tasks/services/set_crowdsec.yaml
@@ -36,10 +36,15 @@
 ansible.builtin.set_fact:
 acquisd_list:
 fw:
- collection: "crowdsecurity/suricata"
+ collection:
+ - "crowdsecurity/suricata"
+ parser: []
 config: "suricata.yaml"
 auth:
- collection: "crowdsecurity/caddy"
+ collection:
+ - "crowdsecurity/caddy"
+ parser:
+ - "crowdsecurity/nextcloud-whitelist"
 config: "caddy.yaml"
 
 - name: Deploy crowdsec-update service files
@@ -181,7 +186,8 @@
 block:
 - name: Install crowdsec collection
 ansible.builtin.command:
- cmd: "cscli collections install {{ acquisd_list[node['name']]['collection'] }}"
+ cmd: "cscli collections install {{ item }}"
+ loop: "{{ acquisd_list[node['name']]['collection'] }}"
 become: true
 changed_when: "'overwrite' not in is_collection_installed.stderr"
 failed_when:
@@ -189,6 +195,17 @@
 - "'already installed' not in is_collection_installed.stderr"
 register: "is_collection_installed"
 
+ - name: Install crowdsec parser
+ ansible.builtin.command:
+ cmd: "cscli parsers install {{ item }}"
+ loop: "{{ acquisd_list[node['name']]['parser'] }}"
+ become: true
+ changed_when: "'overwrite' not in is_parser_installed.stderr"
+ failed_when:
+ - is_parser_installed.rc != 0
+ - "'already installed' not in is_parser_installed.stderr"
+ register: "is_parser_installed"
+
 - name: Create crowdsec acquis.d directory
 ansible.builtin.file:
 path: "/etc/crowdsec/acquis.d"
diff --git a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2 b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
index 38d72d5..fed75d1 100644
--- a/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
+++ b/config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2
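Review bot: `collection` changes from a scalar to a one-element list for both `fw` and `auth`, so any reader of `acquisd_list[...]['collection']` other than the `loop` introduced in the second hunk would now receive a list where it previously got a string; I cannot see the rest of the role from here, so a grep for other references is worth doing. `parser: []` on `fw` is the right shape for the later loop, which skips a task whose loop is empty, rather than a bare `parser:` that would yield `null`. Because `crowdsecurity/nextcloud-whitelist` stands in for the three hand-written nextcloud expressions this commit deletes from `whitelists.yaml.j2`, I would confirm with `cscli parsers inspect crowdsecurity/nextcloud-whitelist` that its rules cover the `/apps/viewer/js/`, `/dist/` and `/remote.php/dav/files/` cases before relying on it, and a comment such as `# hub parser replacing the local nextcloud whitelist expressions` next to the entry would tell the next reader why it lives here.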
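Review bot: With `loop` added, `is_collection_installed` is registered as a dict whose `results` list holds one command result per item; `is_collection_installed.stderr` and `.rc` stay valid only inside this task's own `changed_when`/`failed_when`, where Ansible exposes the current item's result, so any later task that reads the registered variable directly would need `results | map(attribute='stderr')` or similar. I cannot see such a reader in this hunk, so this is a point to verify rather than a confirmed break; the same applies to `is_parser_installed` in the third hunk. The task continues past the hunk (the `failed_when` list and `register` follow). Since the task now iterates, `- name: Install crowdsec collections` would read more accurately in play output.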
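Review bot: The new parser task is a near-verbatim copy of the collection task differing only in `parsers`/`collections` and the registered name, which means the idempotence heuristics (`'overwrite'` and `'already installed'` substrings of stderr) are now maintained in two places; if cscli's wording ever changes both tasks start reporting `changed` or failing together, and a pre-check on `cscli parsers list -o json` would be a more stable signal than message text. Within the hunk, `- is_parser_installed.rc != 0` is unquoted while its sibling condition is quoted; if the collection task's `rc` line (outside this hunk) is quoted, `- "is_parser_installed.rc != 0"` keeps the two tasks consistent. Mirroring the first task's naming, `- name: Install crowdsec parsers` matches the loop.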
@@ -18,9 +18,4 @@ whitelist:
 - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
 # opencloud chunk request false positive
 - "evt.Meta.target_fqdn == '{{ services['opencloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/js/chunks/'"
- # nextcloud chunk request false positive (crowdsecurity/http-crawl-non_statics)
- - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/apps/viewer/js/'"
- - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/dist/'"
- # nextcloud upload directory request 404 error false positive (crowdsecurity/http-probing)
- - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_path contains '/remote.php/dav/files/'"
 {% endif %}
diff --git a/docs/issues/crowdsec/260502_nextcloud.md b/docs/issues/crowdsec/260502_nextcloud.md
index 79e826b..2c610c9 100644
--- a/docs/issues/crowdsec/260502_nextcloud.md
+++ b/docs/issues/crowdsec/260502_nextcloud.md
@@ -14,18 +14,18 @@
 - fw ban users' IP address.
 
 ## Reason
-- Nextcloud uses chunks for actions, and uploading and downloading
- - chunks on '/apps/viewer/js', '/dist/'
- - `crowdsecurity/http-crawl-non_statics`
-- Nextcloud keeps checking directory which is uploading
- - upload directory '/remote.php/dav/files/'
- - `crowdsecurity/http-probing`
+- Nextcloud has a lot of workflows which can be caught from crowdsec
 
 ## Timeline
 - 2026-05-02: Release nextcloud
 - 2026-05-02: Find the false positive case, and add whitelist
+- 2026-05-03: Install crowdsecurity/nextcloud-whitelist parser
+- 2026-05-03: Make previous expressions annotation
 
 ## Solution
+- Install crowdsecurity/nextcloud-whitelist on auth node
+
+### Deprecated solution
 - Access to fw
 - Check the ban list with `sudo cscli alerts list`
 - Read the ban case with `sudo cscli alerts inspect $NUMBER`