crowdsec init script
#!/bin/bash
##########
## Maintained by Laurence from CrowdSec
## Discord: https://discord.gg/crowdsec
## Website: https://www.crowdsec.net/
## Docs: https://docs.crowdsec.net/
##########
# Linode users can use the UI to change these variables
# DigitalOcean users: uncomment and change these variables
# ------------------------------------------------------------------------------
#VERSION="1.6.0" # CrowdSec version to install; check https://github.com/crowdsecurity/crowdsec/releases/latest
#COLLECTIONS="" # Additional collections you may want installed after auto detection
#CONSOLEKEY="" # Console enroll key; sign up at https://app.crowdsec.net/
#FIREWALL="nftables" # nftables or iptables
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------
# Script start
# You shouldn't need to scroll past here unless you want to know what it does
# ------------------------------------------------------------------------------
## These set the defaults and are the variables the script actually uses
# ------------------------------------------------------------------------------
# Resolve the operator-supplied settings (VERSION, COLLECTIONS, CONSOLEKEY,
# FIREWALL) into the names the rest of the script reads, applying defaults
# where a value is unset or empty.
CROWDSEC_VERSION="1.6.0"
if [ -n "$VERSION" ]; then
  CROWDSEC_VERSION="$VERSION"
fi
COLLECTIONS="${COLLECTIONS:-}"
CONSOLE_ENROLL="${CONSOLEKEY:-}"
if [ -z "$FIREWALL" ]; then
  FIREWALL="nftables"
fi
# ------------------------------------------------------------------------------
## You don't need to change these unless you want to change the defaults
## Database config (written into config.yaml.local by configure_database)
# How many items to keep in the database before flushing old ones
MAX_ITEMS="100000"
# How long to keep items in the database before flushing them
MAX_AGE="14d"
# ------------------------------------------------------------------------------ | |
# General helpers | |
# ------------------------------------------------------------------------------ | |
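# Identify the package family of the running distribution.
# Outputs: "deb" or "rpm" on stdout.
# Returns: exits with status 1 when neither marker file is present. Callers
#          use $(detect_distro), where that exit only ends the command
#          substitution, so they have to check its status themselves.
detect_distro() {
  if [ -f /etc/debian_version ]; then
    echo "deb"
  elif [ -f /etc/redhat-release ]; then
    echo "rpm"
  else
    # stderr, so the message is never captured and used as a distro name
    echo "Unsupported distribution." >&2
    exit 1
  fi
}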
# Print a horizontal rule that visually separates the install phases.
echo_separator() {
  printf '%s\n' "----------------------"
}
# ------------------------------------------------------------------------------ | |
# Install | |
# ------------------------------------------------------------------------------ | |
# uses curl or wget depending on what is available | |
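# Fetch a URL into an existing directory, with curl when present, else wget.
# Arguments: $1 - URL to fetch
#            $2 - destination directory (must already exist)
# Returns:   the status of the transfer, so callers can tell a failed
#            download from a successful one. Exits 1 on bad arguments, when
#            the directory cannot be entered, or when no tool is installed.
download() {
  local rc
  if [ -z "$1" ]; then
    echo "download() requires a URL as first argument" >&2
    exit 1
  fi
  if [ -z "$2" ]; then
    echo "download() requires a destination directory as second argument" >&2
    exit 1
  fi
  if [ ! -d "$2" ]; then
    echo "$2 is not a directory" >&2
    exit 1
  fi
  if command -v curl >/dev/null; then
    # A brace group, not ( ... ): the exit must stop the script instead of
    # letting curl write into whatever the current directory happens to be.
    cd "$2" || { echo "Could not cd to $2" >&2; exit 1; }
    # older versions of curl don't support --output-dir
    curl -sSL --fail --remote-name "$1"
    rc=$?
    cd - >/dev/null || exit 1
    # report curl's status, not the status of the directory change
    return "$rc"
  elif command -v wget >/dev/null; then
    wget -nv -P "$2" "$1"
  else
    echo "Neither curl nor wget is available, cannot download files." >&2
    exit 1
  fi
}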
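# Add the CrowdSec package repository and install the pinned CrowdSec version.
# Globals:  CROWDSEC_VERSION (read); distro, script_name, script_url (written)
# Returns:  status of the package install; exits 1 when the distribution is
#           unsupported or the repository setup script cannot be fetched/run.
install_crowdsec_from_repo() {
  local workdir repo_status
  # detect_distro exits inside the command substitution only, so test it here
  distro=$(detect_distro) || {
    echo "Cannot install CrowdSec: unsupported distribution." >&2
    exit 1
  }
  echo "Installing CrowdSec $CROWDSEC_VERSION for a ${distro}-based distribution."
  script_name="script.${distro}.sh"
  script_url="https://packagecloud.io/install/repositories/crowdsec/crowdsec/${script_name}"
  # A private mktemp directory replaces the fixed /tmp/<name> path, so no other
  # local user can pre-create or swap the file that is about to run as root.
  workdir=$(mktemp -d) || {
    echo "Could not create a temporary directory" >&2
    exit 1
  }
  if ! download "$script_url" "$workdir"; then
    echo "Could not download $script_url" >&2
    rm -rf -- "$workdir"
    exit 1
  fi
  echo "Installing the repository.."
  # NOTE(review): this script runs as root and is trusted on the strength of
  # the HTTPS connection alone; no checksum or signature is verified here.
  bash "$workdir/$script_name"
  repo_status=$?
  rm -rf -- "$workdir"
  if [ "$repo_status" -ne 0 ]; then
    echo "Repository setup script failed with status $repo_status" >&2
    exit 1
  fi
  if [ "$distro" = "deb" ]; then
    apt-get update
    apt-get install -y "crowdsec=$CROWDSEC_VERSION"
  elif [ "$distro" = "rpm" ]; then
    dnf install -y "crowdsec-$CROWDSEC_VERSION"
  fi
}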
# Make sure the firewall backend selected by FIREWALL is installed and enabled.
# Globals:  FIREWALL (read); distro (read - must already be set by the caller,
#           this function does not detect it itself)
# Does nothing when FIREWALL is neither "nftables" nor "iptables", or when the
# backend's command is already on PATH. Otherwise the other backend's package
# is removed before the selected one is installed.
detect_and_install_base_firewall() {
  local wanted unwanted probe
  case "$FIREWALL" in
    nftables)
      wanted="nftables"
      unwanted="iptables"
      probe="nft"
      ;;
    iptables)
      wanted="iptables"
      unwanted="nftables"
      probe="iptables"
      ;;
    *)
      return 0
      ;;
  esac

  # Already present: leave the existing installation untouched
  if command -v "$probe" >/dev/null; then
    return 0
  fi

  echo "$wanted not found, installing it"
  case "$distro" in
    deb)
      apt-get remove -y "$unwanted"
      apt-get install -y "$wanted"
      ;;
    rpm)
      dnf remove -y "$unwanted"
      dnf install -y "$wanted"
      ;;
  esac
  systemctl enable --now "${wanted}.service"
}
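# Install the CrowdSec firewall bouncer that matches the FIREWALL setting.
# Globals:  FIREWALL (read); distro (written, and read by
#           detect_and_install_base_firewall)
# Returns:  status of the last command run; exits 1 on an unsupported
#           distribution.
install_firewall_remediation() {
  # detect_distro exits inside the command substitution only; without this
  # check a failure would leave distro unusable and nothing would be installed.
  distro=$(detect_distro) || {
    echo "Cannot install firewall remediation: unsupported distribution." >&2
    exit 1
  }
  case "$FIREWALL" in
    nftables | iptables)
      echo "Installing $FIREWALL remediation"
      detect_and_install_base_firewall
      # The bouncer package name carries the backend as its suffix
      if [ "$distro" = "deb" ]; then
        apt-get install -y "crowdsec-firewall-bouncer-$FIREWALL"
      elif [ "$distro" = "rpm" ]; then
        dnf install -y "crowdsec-firewall-bouncer-$FIREWALL"
      fi
      ;;
    *)
      echo "No firewall remediation to install"
      ;;
  esac
}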
# Entry point of the install phase: print a separator, then install CrowdSec
# from the package repository.
# Returns: status of install_crowdsec_from_repo.
install_crowdsec() {
  echo_separator
  install_crowdsec_from_repo
  return "$?"
}
# ------------------------------------------------------------------------------ | |
# Configure | |
# ------------------------------------------------------------------------------ | |
# Write the local database overrides for CrowdSec.
# Globals:  MAX_ITEMS, MAX_AGE (read)
# Outputs:  replaces /etc/crowdsec/config.yaml.local with a db_config section
#           that enables WAL and sets the flush limits.
configure_database() {
  echo "updating config.yaml.local..."
  # Unquoted delimiter: $MAX_ITEMS and $MAX_AGE are expanded into the YAML
  cat <<EOT >"/etc/crowdsec/config.yaml.local"
db_config:
  use_wal: true
  flush:
    max_items: $MAX_ITEMS
    max_age: $MAX_AGE
EOT
}
# Enroll this instance in the CrowdSec console when an enroll key was given.
# Globals:  CONSOLE_ENROLL (read)
# Returns:  0 when no key is set, otherwise the status of cscli.
enroll_instance_to_app() {
  # No key supplied: enrolment is optional, so there is nothing to do
  [ -n "$CONSOLE_ENROLL" ] || return 0
  # The key is handed to cscli as a command-line argument
  cscli console enroll "$CONSOLE_ENROLL"
}
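# Install the additional collections listed in COLLECTIONS.
# Globals:  COLLECTIONS (read) - whitespace-separated collection names
# Returns:  0 when the list is empty, otherwise the status of cscli.
install_collections() {
  local -a names=()
  if [ -z "$COLLECTIONS" ]; then
    return 0
  fi
  # Each name has to reach cscli as its own argument; passing the quoted
  # string as a whole would turn several names into one unknown collection.
  # read splits on whitespace without applying glob expansion.
  IFS=$' \t\n' read -r -a names <<<"$COLLECTIONS"
  if [ "${#names[@]}" -eq 0 ]; then
    # only whitespace was supplied
    return 0
  fi
  cscli collections install --ignore "${names[@]}"
}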
# ------------------------------------------------------------------------------ | |
# Run | |
# ------------------------------------------------------------------------------ | |
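# Start the crowdsec service when it is not running yet.
# Returns: 0 when the service is already active, otherwise the status of
#          systemctl start.
start_crowdsec_service() {
  # The check is negated: starting is only useful when the unit is inactive
  if ! systemctl is-active --quiet crowdsec; then
    systemctl start crowdsec
  fi
}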
# Restart the crowdsec service, but only when it is currently active.
# Returns: 0 when the service is not active (nothing is done), otherwise the
#          status of systemctl restart.
restart_crowdsec_service() {
  # An inactive unit is left alone
  systemctl is-active --quiet crowdsec || return 0
  systemctl restart crowdsec
}
# ------------------------------------------------------------------------------ | |
# Run every phase in order. The service is restarted after the configuration
# steps, and the firewall bouncer is installed last. Each phase runs whatever
# the status of the one before it.
for step in \
  install_crowdsec \
  configure_database \
  enroll_instance_to_app \
  install_collections \
  restart_crowdsec_service \
  install_firewall_remediation; do
  "$step"
done
##########
# Linode UDF
# <UDF name="firewall" label="Firewall Remediation" oneOf="nftables,iptables" />
# <UDF name="version" label="Crowdsec Version" default="1.6.0" example="Please see latest version https://github.com/crowdsecurity/crowdsec/releases/latest"/>
# <UDF name="collections" label="Additional Collections" default="" example="Additional collections you wish to install"/>
# <UDF name="consolekey" label="Console Enrolment Key" default="" example="Enrolment key of the CrowdSec console"/>
##########