Thought this was CrowdStrike for a good minute.
Happy to see this. In the interest of making the install as clean and simple as possible, I will watch for the package to arrive in the "Available" list, then take a look. I'm sure Tom will be covering this as well.
Thanks, but I would have liked to have seen where the CrowdSec rules end up. Are they like PFblocker, and is it a WAN rule with a large list of aliases? I also would have liked to have seen the options in the settings for it from the UI.
Great video Jay, one quick question, does CrowdSec work well with other apps on pfSense i.e. pfBlockerNG?
Since Netgate recommends uninstalling 3rd party plugins prior to updating pfSense, and the most recent pfSense update borked the crowdsec plugin for early users, I’m wondering if anyone has a link to the uninstall how-to? It also seems that the plugin must be uninstalled prior to updating it as well to prevent crashing pfSense.
CrowdS... (Vietnam flashbacks)
my first thought when I read that
Crowd anything is ughhh...
Honestly yeah, my heart stopped a little
I knew this video was coming, yet my brain still read "crowdS-" and I laughed nervously until reading it right on the third try
Thank you
Jay, you might want to blur your Netgate ID on your pfSense Plus install.
Can you explain exactly how it detects penetration or attacks on the network? On a Linux server it scans SSH or HTTP logs, but what does it scan on a firewall? Firewalls don't usually have open ports to the internet.
Anyone have issues with crowdsec detecting the remediation component (9:44)? I have confirmed the firewall bouncer is running with system ctl, but the remediation component is showing a 0. Love the content btw!!!
Jumped the gun, took about 20 minutes to update
I followed all the commands to the letter. When I try to run the cscli caps register command I get the error cscli: Command not found. Anyone know where I may have gone wrong?
Me too. Did you find the solution?
@SlimTom use sudo?
I'm running pfSense Plus 24.03 as the admin and have the same error. How did you resolve? Thanks
The solution was to run the commands from within the web console. Anything with cscli run from there and it will work.
@samgaw1 I'm good now. It may have been a timing issue. 🙂
The crowdstrike plugin comes with an all-zeroes payload
Is there any advantage to installing this if you're not hosting or making your network available to non-local devices?
For the Security Engine, not so much, since that component parses logs and takes actions. Even if you don't expose stuff, we can still detect port scanning, but since there's nothing open they won't be able to find anything anyway.
Suspected as much, will give it a try if I open things up. Thanks for the reply!
Question: basically, we need to reinstall the binaries on pfSense to update the version, correct?
Yes, currently you would need to run the `pkg add -f` command again, but only for the pfSense-pkg-crowdsec-.pkg, until we get added to the main packages on pfSense, which we hope is soon!
Thanks. But in my case, I get a cscli command not found error when registering the CAPI.
Same, cscli: Command not found. Running 2.7.2, not 24.03 as Jay.
WARN can't load CAPI credentials from '/usr/local/etc/crowdsec/online_api_credentials.yaml' (missing login field)
FATA the Central API (CAPI) must be configured with 'cscli capi register'
`# cscli capi register`
This solved the issue, and then I was able to `# cscli console enroll -e context`
I suspect this won't work very well if you're behind a NATed ISP modem. All the traffic would look like it's coming from the gateway.
Crowd...oh Sec. Close one.
Your "pfSense Plugin Documentation" link doesn't take me to the documentation.
Can you shed some light on how to update it?
We need to stop making our devices talk to I-don't-know-which people's servers over the internet! CrowdSec services look great and useful, but why can we not host the console ourselves on our own server and just be able to retrieve the databases of known vulnerabilities from their servers? Is there any live scan going on?
I agree with you completely, it should be local-first. This is the biggest takeaway from the CrowdStrike outage: everyone is praising Intune for storing the BitLocker keys etc., but they forget that the giant baskets of user/company information are what bad actors relentlessly attack... for that very reason. So CrowdSec should allow us local-first, even if they make telemetrics mandatory or whatever. All bad actors target centralized systems, and this strong-arm push to cloud makes no sense.
While personally I would prefer something local, in practice I can understand why they went with the centralized console after using CrowdSec for however long I've been using it on OPNsense. There are some dynamic aspects of how it works that maybe could be implemented in a local-only install, but in the end you would still need to be constantly connecting to their servers for updates anyway. If you want something local-only there are other options like Suricata, but you will need to have a much greater understanding of what you are doing to get that configured beyond the default rules.
The recent CrowdStrike thing taught me to throw all of my justifications for cloud and remote anything straight into the bin
The console is purely optional. If you don't want to use it and only want to use the "Plugins" page on pfSense, go ahead! The only downside is you can't get access to the additional blocklists. (For being a part of the network you get the CrowdSec community blocklist, which doesn't need a console account.)
Mainly watch you on The Homelab Show; not sure if it's the different background, or the hair, but you look a solid five years younger! Give either stylist a raise!
Hello, can anyone help me with pfSense? My web server is accessible from outside after port forwarding, but not accessible from the local network. Please help.
How many thought he was talking about CrowdStrike LOL ...
good timing lol
I pass on anything with "crowd" in its name.
FINALLY.. it's here.. I was thissss close to switching to opnsense.. just for this plugin. Was beginning to feel like a stepchild on pfsense.
It's funny because it is still unavailable.
I know, it's super frustrating. Behind the camera me and several other people are very frustrated with this. If it gets worse, there might be another video coming.
Why the F are there so many scam bots in early video comments? It's really annoying
It's a cat and mouse game between script kiddies and RUclips. Sorry about all of that
I don't know if I trust this.
Crowdsec >>> CrowdStrike ...
You have some strange bots in the comment section.
Given the capabilities of my audience, I'm surprised it doesn't happen more often. Annoying, I agree.
I am sorry. I don't believe you're excited like you said in 00:35 by the look on your facial expression.
Isn't CrowdSec expensive?
It's free
@LearnLinuxTV Interesting, I have to tell my I.T. dept about this. We are already using pfSense as one of the firewall layers.
@esra_erimez I think you're confusing CrowdStrike with CrowdSec.
I guess it is only relevant for business owners. I'm just a private user without servers or anything, just a regular linux user, private.