Version: v1.3.0

Install CrowdSec (FreeBSD)

Configuring the repositories

FreeBSD packages are available in the official repositories.

By default, the command pkg install should use the quarterly releases (January, April, July and October, updated with security fixes).

You can check /etc/pkg/FreeBSD.conf and change quarterly to latest if you feel comfortable upgrading your system.

Installing crowdsec

The CrowdSec package itself can be installed with:

$ sudo pkg install crowdsec

If the command installs the legacy v1.1.1, a couple more steps are required; please have a look at the related blog post.

You'll see a message that tells you how to activate the agent:

$ sudo sysrc crowdsec_enable="YES"
crowdsec_enable:  -> YES
$ sudo service crowdsec start
Fetching hub inventory
INFO[21-12-2021 03:13:35 PM] Wrote new 197364 bytes index to /usr/local/etc/crowdsec/hub/.index.json
[...]

The service registers itself with the Central API on crowdsec.net, updates the plugin registry and downloads the "crowdsecurity/freebsd" collection of plugins. This includes, for instance, a parser for sshd logs and a database to correlate IP addresses with geographical information.

As opposed to its Linux counterparts, the FreeBSD package does not automatically detect the software that is running on the machine; please refer to our documentation to add parsers, scenarios and more.

caution

Keep in mind that the crowdsec package is only in charge of the "detection", and won't block anything on its own. You need to deploy a bouncer to "apply" decisions.

If all this sounds confusing, it might be a good moment to take a tour of the software before continuing.

Installing the firewall bouncer

This is a package that receives decisions to ban IP addresses and whole address ranges, if they are the source of verified attacks.

To install and enable it:

$ sudo pkg install crowdsec-firewall-bouncer
[...]
$ sudo sysrc crowdsec_firewall_enable=YES
crowdsec_firewall_enable:  -> YES
$ sudo service crowdsec_firewall start
Registered: cs-firewall-bouncer-ZjpcXlUx

The firewall bouncer is now running. It applies rules via the Packet Filter.

Create the required tables by creating or appending this to /etc/pf.conf:

table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any

If Packet Filter is not enabled, you can do it now:

$ sudo sysrc pf_enable=YES
pf_enable: NO -> YES
$ sudo service pf start
Enabling pf.

Reload the rules with:

$ sudo pfctl -f /etc/pf.conf

You can check the configuration with:

$ sudo pfctl -sr
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
$ sudo service pf check
Checking pf rules.
$ sudo service pf status
Status: Enabled for 0 days 00:00:02           Debug: Urgent
[...]

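
The pf.conf additions above only take effect if both tables and both block rules are present and no earlier quick rule matches the same traffic first. The following static check is an added example, not part of the CrowdSec packages; the function name check_pf_conf, its return codes and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not CrowdSec project code): static check of a pf.conf for the
# two bouncer tables and block rules shown above. Return codes are this
# script's own convention: 0 ok, 1 something missing, 2 ordering warning.
check_pf_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 3; }
    rules=$(sed 's/#.*//' "$conf")          # drop comments, keep line numbers
    # Heuristic: first "pass quick" / "pass in quick" rule. pf stops at the
    # first matching quick rule, so one placed earlier can bypass the block.
    pass_ln=$(printf '%s\n' "$rules" |
        grep -En '^[[:space:]]*pass[[:space:]]+(in[[:space:]]+)?quick([[:space:]]|$)' |
        head -n 1 | cut -d: -f1)
    for t in crowdsec-blacklists crowdsec6-blacklists; do
        printf '%s\n' "$rules" |
            grep -Eq "^[[:space:]]*table[[:space:]]+<$t>[[:space:]]+persist" ||
            { echo "MISSING: table <$t> persist"; rc=1; }
        block_ln=$(printf '%s\n' "$rules" |
            grep -En "^[[:space:]]*block[[:space:]].*quick[[:space:]].*from[[:space:]]+<$t>" |
            head -n 1 | cut -d: -f1)
        if [ -z "$block_ln" ]; then
            echo "MISSING: block drop in quick from <$t> to any"; rc=1
        elif [ -n "$pass_ln" ] && [ "$pass_ln" -lt "$block_ln" ]; then
            echo "WARNING: 'pass quick' on line $pass_ln precedes <$t> block on line $block_ln"
            [ "$rc" -eq 0 ] && rc=2
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Constructed sample: a quick pass rule placed before the CrowdSec rules.
sample=$(mktemp)
cat > "$sample" <<'EOF'
table <crowdsec-blacklists> persist
table <crowdsec6-blacklists> persist
pass in quick proto tcp from any to any port 22   # constructed rule
block drop in quick from <crowdsec-blacklists> to any
block drop in quick from <crowdsec6-blacklists> to any
EOF
check_pf_conf "$sample" || echo "exit code: $?"
rm -f "$sample"
```

Point the function at /etc/pf.conf before reloading; `pfctl -nf /etc/pf.conf` additionally parses the file without loading it.
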
info

While we are suggesting the most common firewall bouncer, check our hub for more of them. Find a bouncer directly for your application (nginx, php, wordpress) or your providers (cloudflare, AWS/GCP/...).

Building from sources

Another option - and the only one if you have a Tier-2 or unsupported platform whose binaries are harder to find or seldom updated - is to build the packages yourself by using our FreeBSD ports.

If you are not familiar with how ports work, be aware that mixing ports and binary packages might break your system. Please read the FreeBSD documentation and decide for yourself if it's the best method for your case.

If you are already familiar with ports, running make install in /usr/ports/security/crowdsec and /usr/ports/security/crowdsec-firewall-bouncer will compile and install the packages and all their dependencies. Then configure them as you would normally do with pkg install.