Stephane de Labrusse stephdl

## gist:1f8b6a48d5d3ba5db3b3582630153a2e

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                stephdl
                / gist:1f8b6a48d5d3ba5db3b3582630153a2e
            
            
              Last active
              September 14, 2022 13:22
            
              
                install crowdsec in ns8 as root
              
          
    Crowdsec protect your network with NethServer8 (NS8 == centos9 stream)

Crowdsec is a new project to protect against brute force Crowdsec's architecture allows distributed setups, as most components communicate via HTTP API.
When doing such, a few considerations must be kept in mind to understand the role of each component:
The agent is in charge of processing the logs, matching them against scenarios, and sending the resulting alerts to the local API (container)
The local API (LAPI from now on) receives the alerts and converts them into decisions based on your profile (container)
The bouncer(s) query the LAPI to receive the decisions to be applied (can be installed by .deb .rpm and openwrt package)

intro: https://docs.crowdsec.net/docs/intro

  
## gist:6bb48dd680622d27d3cadc108dd08341
cd /tmp
echo "[+] backing up db"
mariabackup --backup --target-dir=/tmp/backupSQL --user=backup --password=backup

ndays=7

MM=`date --date="$ndays days ago" +%b`
DD=`date --date="$ndays days ago" +%d`

echo "[+] listing files in ftp"

## gist:9bdb44a7d150b9658a262d69b2841003
Les tests sur le serveur soyoustart on été faits en mode rescue
mac du serveur : link/ether 02:00:00:4c:f1:72
addresse IP failover du serveur  inet 135.125.117.41/32
mac de mon laptop distant : link/ether c6:1b:b1:a0:42:b1
adresse LAN IP de mon laptop : inet 192.168.12.25/24
adresse IP publique de mon ldaptop : Pub 90.1.234.244

En mode rescue j'ai crée un bridge provisoire comme la documentation le demande a
https://docs.ovh.com/gb/en/dedicated/network-bridging/#troubleshooting_1

## gist:96f15ad7f50954dfc66b4dbc504ef820
J'ai suivi le debug de https://docs.ovh.com/fr/dedicated/network-bridging/#resolution-des-defauts

nous venons d'essayer pour la troisième fois de changer la mac address (une fois nous meme, une fois avec le support OVH)
voir https://gist.github.com/stephdl/41e2d2baa51425b604f33a8adeeabc03

╰─➤  ssh root@proxmox.kerdres.agency                                                                                                                                                                                                   255 ↵
root@proxmox.kerdres.agency's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the

## gist:41e2d2baa51425b604f33a8adeeabc03
J'ai suivi le debug de https://docs.ovh.com/fr/dedicated/network-bridging/#resolution-des-defauts


root@51.254.199.81's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

## gist:984fdf81a9dd177bb7c7723833930d22
╰─➤  diff beforeTlsFix afterTlsFix
0a1,2
> [root@ns7loc14 ~]# tlspolicy 20200510
> -bash: tlspolicy: command not found
10a13,22
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
> |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong

## gist:648de622e2b5d2c7aeb346f2bd56fc46
[root@ns7loc13 ~]# yum install netherver-squid http://packages.nethserver.org/nethserver/7.8.2003/autobuild/x86_64/Packages/nethserver-squidguard-2.0.0-1.2.pr34.g1d6b7e5.ns7.noarch.rpm -y
Loaded plugins: changelog, fastestmirror, nethserver_events
Determining fastest mirrors
epel/x86_64/metalink                                                                                          |  20 kB  00:00:00
 * ce-base: mirror.vorboss.net
 * ce-extras: mirror.vorboss.net
 * ce-sclo-rh: mirror.vorboss.net
 * ce-sclo-sclo: mirror.vorboss.net
 * ce-updates: mirror.vorboss.net
 * epel: mirrors.ircam.fr

## gist:6a560a0aada7c88b419c3311e57661b1
Aug 11 18:07:07 ns7dev12 esmith::event[9913]: Event: interface-update
Aug 11 18:07:07 ns7dev12 esmith::event[9913]: Action: /etc/e-smith/events/interface-update/S03nethserver-alerts-reset-wan SUCCESS [0.019361]
Aug 11 18:07:07 ns7dev12 systemd: Stopping LSB: Bring up/down networking...
Aug 11 18:07:07 ns7dev12 kernel: br0: port 1(eth0) entered disabled state
Aug 11 18:07:07 ns7dev12 kernel: br0: port 2(vb-nsdc) entered disabled state
Aug 11 18:07:08 ns7dev12 network: Shutting down interface br0:  [  OK  ]
Aug 11 18:07:08 ns7dev12 kernel: device eth0 left promiscuous mode
Aug 11 18:07:08 ns7dev12 kernel: br0: port 1(eth0) entered disabled state
Aug 11 18:07:08 ns7dev12 network: Shutting down interface eth0:  [  OK  ]
Aug 11 18:07:08 ns7dev12 network: Shutting down loopback interface:  [  OK  ]

## gist:a6ad9796f67ea76edc7aa82e8f50d2be
Aug 11 17:30:35 ns7dev5 esmith::event[1234]: Event: interface-update
Aug 11 17:30:35 ns7dev5 esmith::event[1234]: Action: /etc/e-smith/events/interface-update/S03nethserver-alerts-reset-wan SUCCESS [0.02319]
Aug 11 17:30:36 ns7dev5 systemd: Stopping LSB: Bring up/down networking...
Aug 11 17:30:36 ns7dev5 network: Shutting down interface eth0:  [  OK  ]
Aug 11 17:30:36 ns7dev5 network: Shutting down loopback interface:  [  OK  ]
Aug 11 17:30:36 ns7dev5 systemd: Stopped LSB: Bring up/down networking.
Aug 11 17:30:36 ns7dev5 esmith::event[1234]: Action: /etc/e-smith/events/interface-update/S04network-stop SUCCESS [0.372323]
Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/hosts
Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/resolv.conf
Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/modprobe.d/bonding.conf

## gist:11a7c903acef0ce25bd0498349fb3bad
Jun  8 22:37:40 ns7dev9 yum[3715]: Updated: containerd.io-1.2.13-3.2.el7.x86_64
Jun  8 22:37:52 ns7dev9 yum[3715]: Updated: 1:docker-ce-cli-19.03.11-3.el7.x86_64
Jun  8 22:38:19 ns7dev9 yum[3715]: Updated: 3:docker-ce-19.03.11-3.el7.x86_64
Jun  8 22:38:20 ns7dev9 systemd: Reloading.
Jun  8 22:38:20 ns7dev9 systemd: Stopping Docker Application Container Engine...
Jun  8 22:38:20 ns7dev9 dockerd: time="2020-06-08T22:38:20.407735031+02:00" level=info msg="Processing signal 'terminated'"
Jun  8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24.051258946+02:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Jun  8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24+02:00" level=error msg="<local> - - [08/Jun/2020 20:38:24] \"POST /NetworkDriver.RevokeExternalConnectivity HTTP/1.1\" 404 -" plugin=ebd8de2ee4638703297935115e98e31fe971b35c0094f75dd4caf097ed4e0cc6
Jun  8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24+02:00" level=error msg="<loca
	cd /tmp
	echo "[+] backing up db"
	mariabackup --backup --target-dir=/tmp/backupSQL --user=backup --password=backup

	ndays=7

	MM=`date --date="$ndays days ago" +%b`
	DD=`date --date="$ndays days ago" +%d`

	echo "[+] listing files in ftp"
	Les tests sur le serveur soyoustart on été faits en mode rescue
	mac du serveur : link/ether 02:00:00:4c:f1:72
	addresse IP failover du serveur inet 135.125.117.41/32
	mac de mon laptop distant : link/ether c6:1b:b1:a0:42:b1
	adresse LAN IP de mon laptop : inet 192.168.12.25/24
	adresse IP publique de mon ldaptop : Pub 90.1.234.244

	En mode rescue j'ai crée un bridge provisoire comme la documentation le demande a
	https://docs.ovh.com/gb/en/dedicated/network-bridging/#troubleshooting_1
	J'ai suivi le debug de https://docs.ovh.com/fr/dedicated/network-bridging/#resolution-des-defauts

	nous venons d'essayer pour la troisième fois de changer la mac address (une fois nous meme, une fois avec le support OVH)
	voir https://gist.github.com/stephdl/41e2d2baa51425b604f33a8adeeabc03

	╰─➤ ssh root@proxmox.kerdres.agency 255 ↵
	root@proxmox.kerdres.agency's password:

	The programs included with the Debian GNU/Linux system are free software;
	the exact distribution terms for each program are described in the
	J'ai suivi le debug de https://docs.ovh.com/fr/dedicated/network-bridging/#resolution-des-defauts



	root@51.254.199.81's password:

	The programs included with the Debian GNU/Linux system are free software;
	the exact distribution terms for each program are described in the
	individual files in /usr/share/doc/*/copyright.
	╰─➤ diff beforeTlsFix afterTlsFix
	0a1,2
	> [root@ns7loc14 ~]# tlspolicy 20200510
	> -bash: tlspolicy: command not found
	10a13,22
	> \| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
	> \| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
	> \| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
	> \| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
	> \| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
	[root@ns7loc13 ~]# yum install netherver-squid http://packages.nethserver.org/nethserver/7.8.2003/autobuild/x86_64/Packages/nethserver-squidguard-2.0.0-1.2.pr34.g1d6b7e5.ns7.noarch.rpm -y
	Loaded plugins: changelog, fastestmirror, nethserver_events
	Determining fastest mirrors
	epel/x86_64/metalink \| 20 kB 00:00:00
	* ce-base: mirror.vorboss.net
	* ce-extras: mirror.vorboss.net
	* ce-sclo-rh: mirror.vorboss.net
	* ce-sclo-sclo: mirror.vorboss.net
	* ce-updates: mirror.vorboss.net
	* epel: mirrors.ircam.fr
	Aug 11 18:07:07 ns7dev12 esmith::event[9913]: Event: interface-update
	Aug 11 18:07:07 ns7dev12 esmith::event[9913]: Action: /etc/e-smith/events/interface-update/S03nethserver-alerts-reset-wan SUCCESS [0.019361]
	Aug 11 18:07:07 ns7dev12 systemd: Stopping LSB: Bring up/down networking...
	Aug 11 18:07:07 ns7dev12 kernel: br0: port 1(eth0) entered disabled state
	Aug 11 18:07:07 ns7dev12 kernel: br0: port 2(vb-nsdc) entered disabled state
	Aug 11 18:07:08 ns7dev12 network: Shutting down interface br0: [ OK ]
	Aug 11 18:07:08 ns7dev12 kernel: device eth0 left promiscuous mode
	Aug 11 18:07:08 ns7dev12 kernel: br0: port 1(eth0) entered disabled state
	Aug 11 18:07:08 ns7dev12 network: Shutting down interface eth0: [ OK ]
	Aug 11 18:07:08 ns7dev12 network: Shutting down loopback interface: [ OK ]
	Aug 11 17:30:35 ns7dev5 esmith::event[1234]: Event: interface-update
	Aug 11 17:30:35 ns7dev5 esmith::event[1234]: Action: /etc/e-smith/events/interface-update/S03nethserver-alerts-reset-wan SUCCESS [0.02319]
	Aug 11 17:30:36 ns7dev5 systemd: Stopping LSB: Bring up/down networking...
	Aug 11 17:30:36 ns7dev5 network: Shutting down interface eth0: [ OK ]
	Aug 11 17:30:36 ns7dev5 network: Shutting down loopback interface: [ OK ]
	Aug 11 17:30:36 ns7dev5 systemd: Stopped LSB: Bring up/down networking.
	Aug 11 17:30:36 ns7dev5 esmith::event[1234]: Action: /etc/e-smith/events/interface-update/S04network-stop SUCCESS [0.372323]
	Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/hosts
	Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/resolv.conf
	Aug 11 17:30:36 ns7dev5 esmith::event[1234]: expanding /etc/modprobe.d/bonding.conf
	Jun 8 22:37:40 ns7dev9 yum[3715]: Updated: containerd.io-1.2.13-3.2.el7.x86_64
	Jun 8 22:37:52 ns7dev9 yum[3715]: Updated: 1:docker-ce-cli-19.03.11-3.el7.x86_64
	Jun 8 22:38:19 ns7dev9 yum[3715]: Updated: 3:docker-ce-19.03.11-3.el7.x86_64
	Jun 8 22:38:20 ns7dev9 systemd: Reloading.
	Jun 8 22:38:20 ns7dev9 systemd: Stopping Docker Application Container Engine...
	Jun 8 22:38:20 ns7dev9 dockerd: time="2020-06-08T22:38:20.407735031+02:00" level=info msg="Processing signal 'terminated'"
	Jun 8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24.051258946+02:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
	Jun 8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24+02:00" level=error msg="<local> - - [08/Jun/2020 20:38:24] \"POST /NetworkDriver.RevokeExternalConnectivity HTTP/1.1\" 404 -" plugin=ebd8de2ee4638703297935115e98e31fe971b35c0094f75dd4caf097ed4e0cc6
	Jun 8 22:38:24 ns7dev9 dockerd: time="2020-06-08T22:38:24+02:00" level=error msg="<loca