feat(BOUN-1003): Adds Crowdsec bouncer to BN

dfinity · Jan 15, 2024 · 0f707cd · 0f707cd
1 parent 6e3edfb
commit 0f707cd
Show file tree

Hide file tree

Showing 6 changed files with 147 additions and 9 deletions.
diff --git a/ic-os/boundary-guestos/rootfs/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml b/ic-os/boundary-guestos/rootfs/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
@@ -0,0 +1,26 @@
+mode: nftables
+
+update_frequency: 1s
+
+log_mode: stdout
+log_level: info
+
+api_url: {API_URL}
+api_key: {API_KEY}
+
+supported_decisions_types:
+- ban
+
+blacklists_ipv4: crowdsec
+blacklists_ipv6: crowdsec6
+
+nftables:
+  ipv4:
+    enabled: true
+    set-only: true
+    table: filter
+
+  ipv6:
+    enabled: true
+    set-only: true
+    table: filter
diff --git a/ic-os/boundary-guestos/rootfs/etc/nftables.conf b/ic-os/boundary-guestos/rootfs/etc/nftables.conf
@@ -64,7 +64,6 @@ define ipv6_socks_saddr_ips = {
 }
 
 table ip filter {
-
   set connection_limit_200 {
     type ipv4_addr
     size 256000
@@ -95,9 +94,16 @@ table ip filter {
     flags dynamic
   }
 
+  set crowdsec {
+    type ipv4_addr
+    size 262144
+    flags timeout
+  }
+
   chain input {
     type filter hook input priority filter; policy drop;
     iif "lo" accept
+    ip saddr @crowdsec tcp dport { http, https, $canary_proxy_port } drop
     icmp type $icmp_v4_types_accept accept
     ct state invalid drop
     ct state { established, related } accept
@@ -126,7 +132,6 @@ table ip filter {
 }
 
 table ip6 filter {
-
   set connection_limit_200 {
     type ipv6_addr
     size 256000
@@ -157,9 +162,16 @@ table ip6 filter {
     flags dynamic
   }
 
+  set crowdsec6 {
+    type ipv6_addr
+    size 262144
+    flags timeout
+  }
+
   chain input {
     type filter hook input priority filter; policy drop;
     iif "lo" accept
+    ip6 saddr @crowdsec6 tcp dport { http, https, $canary_proxy_port } drop
     icmpv6 type $icmp_v6_in_types_accept accept
     ct state invalid drop
     ct state { established, related } accept

diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/crowdsec-firewall-bouncer.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/crowdsec-firewall-bouncer.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Crowdsec nftables bouncer
+After=network-online.target
+Wants=network-online.target
+After=setup-crowdsec.service
+BindsTo=setup-crowdsec.service
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml
+ExecStartPre=/usr/bin/crowdsec-firewall-bouncer -c /etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml -t
+ExecStartPost=/bin/sleep 0.1
+Restart=always
+RestartSec=10
+LimitNOFILE=65536
+KillMode=mixed
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-crowdsec.service b/ic-os/boundary-guestos/rootfs/etc/systemd/system/setup-crowdsec.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Create configuration for Crowdsec
+DefaultDependencies=no
+After=bootstrap-ic-node.service
+Requires=bootstrap-ic-node.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+ExecStart=/opt/ic/bin/setup-crowdsec.sh
diff --git a/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-crowdsec.sh b/ic-os/boundary-guestos/rootfs/opt/ic/bin/setup-crowdsec.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -euox pipefail
+source '/opt/ic/bin/helpers.shlib'
+
+readonly BN_CONFIG="${BOOT_DIR}/bn_vars.conf"
+
+readonly RUN_DIR='/run/ic-node/etc/crowdsec'
+readonly CFG_RO="/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml"
+readonly CFG_RW="${RUN_DIR}/crowdsec-firewall-bouncer.yaml"
+
+# Read the config variables. The files must be of the form
+# "key=value" for each line with a specific set of keys permissible (see
+# code below).
+function read_variables() {
+    if [[ ! -d "${BOOT_DIR}" ]]; then
+        err "missing node configuration directory: ${BOOT_DIR}"
+        exit 1
+    fi
+
+    if [ ! -f "${BN_CONFIG}" ]; then
+        err "missing domain configuration: ${BN_CONFIG}"
+        exit 1
+    fi
+
+    # Read limited set of keys. Be extra-careful quoting values as it could
+    # otherwise lead to executing arbitrary shell code!
+    while IFS="=" read -r key value; do
+        case "${key}" in
+            "crowdsec_api_url") API_URL="${value}" ;;
+            "crowdsec_api_key") API_KEY="${value}" ;;
+        esac
+    done <"${BN_CONFIG}"
+}
+
+function generate_config() {
+    mkdir -p "${RUN_DIR}"
+    cp $CFG_RO $CFG_RW
+    sed -i "s|{API_URL}|${API_URL}|g" $CFG_RW
+    sed -i "s|{API_KEY}|${API_KEY}|g" $CFG_RW
+    mount --bind $CFG_RW $CFG_RO
+}
+
+function main() {
+    read_variables
+    generate_config
+}
+
+main "$@"
diff --git a/ic-os/boundary-guestos/scripts/build-deployment.sh b/ic-os/boundary-guestos/scripts/build-deployment.sh
@@ -55,7 +55,8 @@ Arguments:
        --logging-url                    specify an endpoint for our logging backend
        --logging-user                   specify a user for our logging backend
        --logging-password               specify a password for our logging backend
-       --logging-2xx-sample-rate        specify a sampling rate for logging 2XX requests (1 / N)
+       --crowdsec-api-url               speficy a Crowdsec API URL
+       --crowdsec-api-key               speficy a Crowdsec API key
   -x,  --debug                          enable verbose console output
 '
     exit 1
@@ -138,8 +139,11 @@ for argument in "${@}"; do
         --logging-password=*)
             LOGGING_PASSWORD="${argument#*=}"
             ;;
-        --logging-2xx-sample-rate=*)
-            LOGGING_2XX_SAMPLE_RATE="${argument#*=}"
+        --crowdsec-api-url=*)
+            CROWDSEC_API_URL="${argument#*=}"
+            ;;
+        --crowdsec-api-key=*)
+            CROWDSEC_API_KEY="${argument#*=}"
             ;;
         *)
             echo "Error: Argument \"${argument#}\" is not supported for $0"
@@ -603,13 +607,30 @@ function copy_logging_credentials() {
         local NODE_IDX="${NODE["node_idx"]}"
         local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
 
-        # Default values
-        LOGGING_2XX_SAMPLE_RATE=${LOGGING_2XX_SAMPLE_RATE:-1}
-
         echo "logging_url=${LOGGING_URL}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
         echo "logging_user=${LOGGING_USER}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
         echo "logging_password=${LOGGING_PASSWORD}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
-        echo "logging_2xx_sample_rate=${LOGGING_2XX_SAMPLE_RATE}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
+    done
+}
+
+function copy_crowdsec_credentials() {
+    if [[ -z "${CROWDSEC_API_URL:-}" || -z "${CROWDSEC_API_KEY:-}" ]]; then
+        err "Crowdsec credentials have not been provided, continuing without configuring crowdsec"
+        return
+    fi
+
+    for n in $NODES; do
+        declare -n NODE=$n
+        if [[ "${NODE["type"]}" != "boundary" ]]; then
+            continue
+        fi
+
+        local SUBNET_IDX="${NODE["subnet_idx"]}"
+        local NODE_IDX="${NODE["node_idx"]}"
+        local NODE_PREFIX="${DEPLOYMENT}.${SUBNET_IDX}.${NODE_IDX}"
+
+        echo "crowdsec_api_url=${CROWDSEC_API_URL}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
+        echo "crowdsec_api_key=${CROWDSEC_API_KEY}" >>"${CONFIG_DIR}/${NODE_PREFIX}/bn_vars.conf"
     done
 }
 
@@ -668,6 +689,7 @@ function main() {
     copy_pre_isolation_canisters
     copy_ip_hash_salt
     copy_logging_credentials
+    copy_crowdsec_credentials
     build_tarball
     build_removable_media
     remove_temporary_directories