diff --git a/README.md b/README.md index cca688a..153c112 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ Whitelist Tailscale IPs: cat << EOF > /etc/crowdsec/parsers/s02-enrich/01-base23-tailscale.yaml \ && systemctl restart crowdsec; journalctl -xef -u crowdsec.service name: base23/tailscale ## Must be unqiue -description: "Whitelist Tailscale" +description: "Whitelist events from Tailscale Subnet" whitelist: reason: "Tailscale clients" cidr: @@ -96,6 +96,21 @@ whitelist: EOF ``` +Whitelist our current Public IPs: + +```shell +mkdir -p /etc/crowdsec/postoverflows/s01-whitelist/ \ + && cat << EOF > /etc/crowdsec/postoverflows/s01-whitelist/01-base23-public-ips.yaml \ + && crowdsec -t && systemctl restart crowdsec; systemctl status crowdsec.service +name: base23/public-ips ## Must be unqiue +description: "Whitelist events from base23 public IPs" +whitelist: + reason: "Base23 Public IPs" + expression: + - evt.Overflow.Alert.Source.IP in LookupHost("asterix.ddns.base23.de") +EOF +``` + Add Authentik integration: ```shell @@ -141,16 +156,18 @@ cd /root/apps \ 4. Use the generated SSH key and copy it to the Hetzner Storage box for backups: ```shell -STORAGE_BOX_DOMAIN=cloud.backup.base23.de \ -STORAGE_BOX_IPV4=$(dig +short "${STORAGE_BOX_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$') \ -STORAGE_BOX_IPV6=$(dig +short "${STORAGE_BOX_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$') \ - && cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 u291924-sub4@${STORAGE_BOX_DOMAIN} install-ssh-key \ - && ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_DOMAIN} > ./data/restic/ssh/known_hosts \ - && ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV4} >> ./data/restic/ssh/known_hosts \ - && ssh-keyscan -p 23 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV6} >> ./data/restic/ssh/known_hosts \ - && ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_DOMAIN} >> ./data/restic/ssh/known_hosts \ - && ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV4} >> ./data/restic/ssh/known_hosts \ - && ssh-keyscan -p 22 -t ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk ${STORAGE_BOX_IPV6} >> ./data/restic/ssh/known_hosts +TARGET_DOMAIN=cloud.backup.base23.de \ +TARGET_KEY_TYPES="ecdsa-sha2-nistp521,ed25519,ed25519-sk,rsa,dsa,ecdsa,ecdsa-sk" \ +TARGET_IPV4=$(dig +short "${TARGET_DOMAIN}" A | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$') \ +TARGET_IPV6=$(dig +short "${TARGET_DOMAIN}" AAAA | grep -E '^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$') \ + && cat ./data/restic/ssh/id_ed25519.pub | ssh -p23 u291924-sub4@${TARGET_DOMAIN} install-ssh-key \ + && ssh-keyscan -p 23 -t ${TARGET_KEY_TYPES} ${TARGET_DOMAIN} > ./data/restic/ssh/known_hosts \ + && ssh-keyscan -p 23 -t ${TARGET_KEY_TYPES} ${TARGET_IPV4} >> ./data/restic/ssh/known_hosts \ + && ssh-keyscan -p 23 -t ${TARGET_KEY_TYPES} ${TARGET_IPV6} >> ./data/restic/ssh/known_hosts \ + && ssh-keyscan -p 22 -t ${TARGET_KEY_TYPES} ${TARGET_DOMAIN} >> ./data/restic/ssh/known_hosts \ + && ssh-keyscan -p 22 -t ${TARGET_KEY_TYPES} ${TARGET_IPV4} >> ./data/restic/ssh/known_hosts \ + && ssh-keyscan -p 22 -t ${TARGET_KEY_TYPES} ${TARGET_IPV6} >> ./data/restic/ssh/known_hosts + ``` ### Fist run