gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ae26317815
secubox-openwrt/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-dropbear.yaml
CyberMind-FR 675b2d164e feat: Portal service detection, nDPId compat layer, CrowdSec/Netifyd packages 
Portal (luci-app-secubox-portal):
- Fix service status showing 0/9 by checking if init scripts exist
- Only count installed services in status display
- Use pgrep fallback when init script status fails

nDPId Dashboard (luci-app-ndpid):
- Add default /etc/config/ndpid configuration
- Add /etc/init.d/ndpid-compat init script
- Enable compat service in postinst for app detection
- Fix Makefile to install init script and config

CrowdSec Dashboard:
- Add CLAUDE.md with OpenWrt-specific guidelines (pgrep without -x)
- CSS fixes for hiding LuCI left menu in all views
- LAPI repair improvements with retry logic

New Packages:
- secubox-app-crowdsec: OpenWrt-native CrowdSec package
- secubox-app-netifyd: Netifyd DPI integration
- luci-app-secubox: Core SecuBox hub
- luci-theme-secubox: Custom theme

Removed:
- luci-app-secubox-crowdsec (replaced by crowdsec-dashboard)
- secubox-crowdsec-setup (functionality moved to dashboard)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 13:51:40 +01:00

30 lines
1.2 KiB
YAML
Raw Blame History

# OpenWrt Dropbear SSH Acquisition
# This configuration monitors SSH authentication logs from Dropbear
#
# Dropbear logs are typically sent to syslog and can be found in:
# - /var/log/messages (if syslog is configured to write to file)
# - Via logread command (OpenWrt default)
#
# Required collections:
# cscli collections install crowdsecurity/linux
# cscli parsers install crowdsecurity/syslog-logs
#
# The crowdsecurity/linux collection includes SSH brute-force detection
# scenarios that work with Dropbear authentication logs.
#
# Example Dropbear log entries that will be parsed:
# dropbear[1234]: Bad password attempt for 'root' from 192.168.1.100:54321
# dropbear[1234]: Login attempt for nonexistent user 'admin' from 192.168.1.100:54321
# dropbear[1234]: Pubkey auth succeeded for 'root' with ssh-ed25519 key
# dropbear[1234]: Exit (root) from <192.168.1.100:54321>: Disconnect received
#
# Note: Since Dropbear logs go to syslog, the openwrt-syslog.yaml
# acquisition config will capture these logs. This file serves as
# documentation for Dropbear-specific detection.
# If using a dedicated auth log file:
# filenames:
# - /var/log/auth.log
# labels:
# type: syslog
Reference in New Issue View Git Blame Copy Permalink