I have been running crowdsec on my OpenWRT firewall for a bit now, I am just curious as to what others think about it?

Thank you @irmadlad the webui you suggested is showing the logs a lot better than my vibe coded HA plug ins (both my ssh honey pot and my plug in showed nothing) looking over the logs shows so much activity that is happening.

    • lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      58 minutes ago

      Yes, and also by trying common subdomains under the main domain (like jellyfin., home. etc.) (They also scan the entire IPv4 address space, all TCP ports, over and over, but that’s a different discussion.)

      If you’re using DDNS you have to also be careful where you put the A and AAAA records. Some people put them on the main domain and then do a wildcard CNAME pointing to it for all the subdomains, or individual subdomain CNAMEs. But since the main domain is known from TLS cert logs it’s trivial for bots to also check to see if there’s A/AAAA records on it.

      It’s better to put the A/AAAA on a dedicated subdomain, obfuscate the name beyond trivial guesses (eg. maybe don’t use ip.), and make an individual CNAME for each services that points to the IP subdomain, and obfuscate those service subdomains similarly.

      For those who aren’t familiar with DNS, the information in it is publicly available to anybody who can name a [sub]domain and record type explicitly, but they refuse to do “list all the records for all the subdomains of this domain”. So bots are limited to asking for the most commonly used record types on the main domain but can’t get to records on subdomain names unless they can name the subdomain. (For completion, asking for a list of all records is possible, but nowadays due to abuse that function is restricted on all the public servers to just the known IPs of their fellow redundant servers.)

      A similar limitation applies to reverse proxies, bots can’t get to a service behind it unless they can correctly name the FQDN that the proxy uses for that service. (But please note that a reverse proxy works independently of DNS. If the proxy has foo.example.com defined to reach a service, it will work even if that domain isn’t in DNS or doesn’t exist.)

      Even after taking these measures you have to keep in mind that this is not security, it’s obscurity. It cuts down on bot scans which is great but don’t assume it means nobody knows your service domains. Your ISP probably knows them, there are DNS servers out there that know them, your mobile carrier can see them, and if you ever connect to WiFi when away from home the owners of those WiFi can see them (think hotels, airports, coffee shops etc.) It’s not out of the question for a coffee shop WiFi to have been compromised and to collect URLs and attempt attacks against them. Use VPN or a SSH tunnel to connect to services whenever possible, rather than exposing them publicly, and if you must expose them publicly then use mTLS or at the very least a custom header key.

    • RxBrad@infosec.pub
      link
      fedilink
      English
      arrow-up
      11
      ·
      8 hours ago

      That was my experience also. Within minutes of spinning up any new subdomain with a dedicated A DNS record, I had bots that scraped it from https://crt.sh/ knocking on the door.

      With wildcard subdomains and relatively obscure URLs, it’s pretty quiet.