authorMarco <marco@crowdsec.net>2022-12-15 07:26:23 +0000
committerFernando ApesteguĂ­a <fernape@FreeBSD.org>2022-12-16 06:33:50 +0000
commit4fde38145bf37ddba832f011a887c85faacead95 (patch)
treec353c479ca17a5e24de9e193bf407d4773d04d46
parent0826ff5de498b3a38f47f69c571bdbdbdf0abd6a (diff)
security/crowdsec-blocklist-mirror: New port: CrowdSec Blocklist Mirror
ChangeLog: https://github.com/crowdsecurity/cs-blocklist-mirror This bouncer exposes CrowdSec's active decisions via provided HTTP endpoints in pre-defined formats. It can be used by network appliances which support consumption of blocklists via HTTP. PR: 268105 Reported by: marco@crowdsec.net
-rw-r--r--security/Makefile1
-rw-r--r--security/crowdsec-blocklist-mirror/Makefile48
-rw-r--r--security/crowdsec-blocklist-mirror/distinfo3
-rw-r--r--security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in73
-rw-r--r--security/crowdsec-blocklist-mirror/files/pkg-deinstall.in9
-rw-r--r--security/crowdsec-blocklist-mirror/files/pkg-install.in10
-rw-r--r--security/crowdsec-blocklist-mirror/files/pkg-message.in31
-rw-r--r--security/crowdsec-blocklist-mirror/pkg-descr3
-rw-r--r--security/crowdsec-blocklist-mirror/pkg-plist4
9 files changed, 182 insertions, 0 deletions
diff --git a/security/Makefile b/security/Makefile
index b596c0ee9ce6..45dca716f0c4 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -103,6 +103,7 @@
SUBDIR += create-cert
SUBDIR += crlfuzz
SUBDIR += crowdsec
+ SUBDIR += crowdsec-blocklist-mirror
SUBDIR += crowdsec-firewall-bouncer
SUBDIR += cryptlib
SUBDIR += cryptopp
diff --git a/security/crowdsec-blocklist-mirror/Makefile b/security/crowdsec-blocklist-mirror/Makefile
new file mode 100644
index 000000000000..166be245fa53
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/Makefile
@@ -0,0 +1,48 @@
+PORTNAME= crowdsec-blocklist-mirror
+DISTVERSIONPREFIX= v
+DISTVERSION= 0.0.1
+CATEGORIES= security
+
+MAINTAINER= marco@crowdsec.net
+COMMENT= CrowdSec Blocklist Mirror
+WWW= https://github.com/crowdsecurity/cs-blocklist-mirror
+
+LICENSE= MIT
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+BUILD_DEPENDS= git:devel/git@lite
+
+USES= gmake go:1.19,no_targets
+
+USE_GITHUB= yes
+GH_ACCOUNT= crowdsecurity
+GH_PROJECT= cs-blocklist-mirror
+GH_TAGNAME= ${DISTVERSIONFULL}-freebsd
+_BUILD_TAG= 24a43080
+USE_RC_SUBR= crowdsec_mirror
+
+MAKE_ARGS= BUILD_VERSION="${DISTVERSIONFULL}" \
+ BUILD_TAG="${_BUILD_TAG}" \
+ BUILD_VENDOR_FLAGS="-mod=vendor -modcacherw"
+
+ETCDIR= ${PREFIX}/etc/crowdsec/bouncers
+
+SUB_FILES= pkg-deinstall pkg-install pkg-message
+
+do-install:
+ #
+ # Binaries
+ #
+
+ ${INSTALL_PROGRAM} ${WRKSRC}/crowdsec-blocklist-mirror \
+ ${STAGEDIR}${PREFIX}/bin/crowdsec-blocklist-mirror
+
+ #
+ # Configuration
+ #
+
+ @${MKDIR} ${STAGEDIR}${ETCDIR}
+ ${INSTALL_DATA} ${WRKSRC}/config/crowdsec-blocklist-mirror.yaml \
+ ${STAGEDIR}${ETCDIR}/crowdsec-blocklist-mirror.yaml.sample
+
+.include <bsd.port.mk>
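Review bot: `_BUILD_TAG= 24a43080` is a second, hand-maintained identifier next to `GH_TAGNAME`, and nothing in the Makefile says what it refers to or ties it to the fetched tag. It looks like the short hash of the tagged commit, which would then be stamped into the binary through `BUILD_TAG`. A comment such as `# short commit hash behind ${GH_TAGNAME}; update together with DISTVERSION` would keep the reported build identity from drifting on the next version bump. It may also be worth confirming that `git:devel/git@lite` is still needed at build time now that `BUILD_VERSION` and `BUILD_TAG` are passed explicitly in `MAKE_ARGS`.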
diff --git a/security/crowdsec-blocklist-mirror/distinfo b/security/crowdsec-blocklist-mirror/distinfo
new file mode 100644
index 000000000000..7b883760ab69
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1664462306
+SHA256 (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = a3e35eb6bba0a5b34a2fd50fb7223378c6ac268311d2ebe7fefd0381bc39e7d5
+SIZE (crowdsecurity-cs-blocklist-mirror-v0.0.1-v0.0.1-freebsd_GH0.tar.gz) = 2444802
diff --git a/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in b/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in
new file mode 100644
index 000000000000..ccfea9df38f2
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/files/crowdsec_mirror.in
@@ -0,0 +1,73 @@
+#!/bin/sh
+#
+# PROVIDE: crowdsec_mirror
+# REQUIRE: LOGIN DAEMON NETWORKING
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# crowdsec_mirror_enable (bool): Set it to YES to enable the blocklist mirror.
+# Default is "NO"
+# crowdsec_mirror_config (str): Set the config path.
+# Default is "%%ETCDIR%%/crowdsec-blocklist-mirror.yaml"
+# crowdsec_mirror_flags (str): extra flags to run bouncer.
+# Default is ""
+
+. /etc/rc.subr
+
+name=crowdsec_mirror
+desc="Crowdsec Blocklist Mirror"
+rcvar=crowdsec_mirror_enable
+
+load_rc_config $name
+
+: "${crowdsec_mirror_enable:=NO}"
+: "${crowdsec_mirror_config:=%%ETCDIR%%/crowdsec-blocklist-mirror.yaml}"
+: "${crowdsec_mirror_flags:=}"
+
+pidfile=/var/run/${name}.pid
+required_files="$crowdsec_mirror_config"
+command="%%PREFIX%%/bin/crowdsec-blocklist-mirror"
+start_cmd="${name}_start"
+start_precmd="${name}_precmd"
+
+crowdsec_mirror_precmd() {
+ CSCLI=%%PREFIX%%/bin/cscli
+ orig_line="lapi_key: \${API_KEY}"
+ # IF the bouncer is not configured
+ if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+ SUFFIX=$(jot -r -c 10 a z | rs -g0)
+ BOUNCER="cs-blocklist-mirror-${SUFFIX}"
+ # AND crowdsec is installed..
+ if command -v "$CSCLI" >/dev/null; then
+ # THEN, register it to the local API
+ API_KEY="$($CSCLI bouncers add "${BOUNCER}" -o raw)"
+ if [ -n "$API_KEY" ]; then
+ sed -i "" "s/${orig_line}/lapi_key: ${API_KEY} # ${BOUNCER}/" "${crowdsec_mirror_config}"
+ echo "Registered: ${BOUNCER}"
+ fi
+ fi
+ fi
+
+ orig_line="lapi_url: \${CROWDSEC_LAPI_URL}"
+ # IF the lapi endpoint is not configured
+ if grep -q "${orig_line}" "${crowdsec_mirror_config}"; then
+ # AND crowdsec is installed..
+ if command -v "$CSCLI" >/dev/null; then
+ # THEN, use the listen address
+ CROWDSEC_LAPI_ENDPOINT="$($CSCLI config show --key Config.API.Server.ListenURI)"
+ if [ -n "$CROWDSEC_LAPI_ENDPOINT" ]; then
+ sed -i "" "s#${orig_line}#lapi_url: http://${CROWDSEC_LAPI_ENDPOINT}#" "${crowdsec_mirror_config}"
+ echo "LAPI listen address set up."
+ fi
+ fi
+ fi
+}
+
+crowdsec_mirror_start() {
+ /usr/sbin/daemon -f -p ${pidfile} -t "${desc}" -- \
+ ${command} -c "${crowdsec_mirror_config}" ${crowdsec_mirror_flags}
+}
+
+run_rc_command "$1"
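Review bot: In `crowdsec_mirror_precmd` the key returned by `cscli bouncers add` is spliced unescaped into the replacement of `sed -i "" "s/${orig_line}/lapi_key: ${API_KEY} # ${BOUNCER}/"`, so a key containing `/`, `&` or `\` would make the substitution fail or write a corrupted `lapi_key` while the script still prints "Registered". Escape the value first, e.g. `esc_key=$(printf '%s\n' "$API_KEY" | sed 's/[\/&]/\\&/g')`, and substitute `${esc_key}`; note that any non-empty stdout is currently accepted as the key, so the exit status of `cscli` should be checked as well. Separately, `crowdsec_mirror_start` calls `daemon` without `-u`, so as far as this hunk shows the HTTP listener runs as root. If the binary needs nothing beyond reading its config, a dedicated user (with the 0600 config owned by it) would limit what a flaw in the listener can reach.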
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-deinstall.in b/security/crowdsec-blocklist-mirror/files/pkg-deinstall.in
new file mode 100644
index 000000000000..32c2e941c7e5
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/files/pkg-deinstall.in
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case $2 in
+ "DEINSTALL")
+ service crowdsec_mirror status 2>/dev/null && touch /var/run/crowdsec_mirror.running
+ service crowdsec_mirror stop 2>/dev/null || :
+ ;;
+esac
+
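Review bot: The marker `/var/run/crowdsec_mirror.running` is written on every DEINSTALL, but nothing in this script removes it, and it also cannot tell an upgrade from a plain removal. After a plain `pkg delete` the file presumably stays until something clears `/var/run`, and a later fresh install would then attempt `service crowdsec_mirror start` from its POST-INSTALL step. A comment above the `touch`, for example `# marker consumed by pkg-install to restart after an upgrade; stale after a plain removal`, would at least document the hand-off between the two scripts.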
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-install.in b/security/crowdsec-blocklist-mirror/files/pkg-install.in
new file mode 100644
index 000000000000..0dd870bdac41
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/files/pkg-install.in
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case $2 in
+ "POST-INSTALL")
+ if [ -e /var/run/crowdsec_mirror.running ]; then
+ service crowdsec_mirror start
+ rm -f /var/run/crowdsec_mirror.running
+ fi
+ ;;
+esac
diff --git a/security/crowdsec-blocklist-mirror/files/pkg-message.in b/security/crowdsec-blocklist-mirror/files/pkg-message.in
new file mode 100644
index 000000000000..569ba653f2b5
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/files/pkg-message.in
@@ -0,0 +1,31 @@
+[
+{ type: install
+ message: <<EOM
+
+crowdsec-blocklist-mirror is installed.
+
+If you are running crowdsec on this machine, the bouncer will register itself with
+the Local API when it's started the first time.
+
+If the LAPI is on another machine, you need to manually register the bouncer
+and fill lapi_key and lapi_url in %%ETCDIR%%/crowdsec-blocklist-mirror.yaml before
+starting the service.
+
+Please refer to the documentation at
+https://docs.crowdsec.net/docs/bouncers/blocklist-mirror/
+
+Then activate the bouncer via sysrc and run it:
+
+----------
+# sysrc crowdsec_mirror_enable="YES"
+crowdsec_mirror_enable: NO -> YES
+# service crowdsec_mirror start
+----------
+
+The blocklist is available by default at
+'http://127.0.0.1:41412/security/blocklist', check the configuration file to
+change address, endpoint or add some authentication.
+
+EOM
+}
+]
diff --git a/security/crowdsec-blocklist-mirror/pkg-descr b/security/crowdsec-blocklist-mirror/pkg-descr
new file mode 100644
index 000000000000..7eb46c5bf50e
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/pkg-descr
@@ -0,0 +1,3 @@
+CrowdSec Blocklist Mirror
+
+Publish CrowdSec decisions via HTTP, to be consumed by network appliances.
diff --git a/security/crowdsec-blocklist-mirror/pkg-plist b/security/crowdsec-blocklist-mirror/pkg-plist
new file mode 100644
index 000000000000..b9b5dc8a069b
--- /dev/null
+++ b/security/crowdsec-blocklist-mirror/pkg-plist
@@ -0,0 +1,4 @@
+@mode 0755
+bin/crowdsec-blocklist-mirror
+@mode 0600
+@sample %%ETCDIR%%/crowdsec-blocklist-mirror.yaml.sample