add network traffic monitoring and adversary detection

- CrowdSec: add syslog listener for pfSense firewall logs (NodePort 30514), add postfix/dovecot log acquisition, install pf/postfix/dovecot/sshd collections - Monitoring: add DNS anomaly CronJob (queries Technitium every 15m, DGA detection, pushes metrics to Pushgateway) - Grafana: add "Network Traffic & Adversary Detection" dashboard (GoFlow2 flows, CrowdSec decisions, DNS anomaly metrics) pfSense changes applied live: syslog forwarding to 10.0.20.202:30514, Snort suppress rules for http_inspect false positives, IPS connectivity policy enabled
2026-03-23 03:06:56 +02:00 · 2026-03-23 03:06:56 +02:00 · 55246c8b5d
commit 55246c8b5d
parent 877cd15b45
4 changed files with 450 additions and 1 deletions
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@ -112,6 +112,31 @@ resource "helm_release" "crowdsec" {
  wait_for_jobs = true
 }

+# NodePort service for pfSense syslog → CrowdSec agent
+# pfSense sends firewall logs to 10.0.20.202:30514 (any k8s node IP works)
+resource "kubernetes_service" "crowdsec_syslog" {
+  metadata {
+    name      = "crowdsec-syslog"
+    namespace = kubernetes_namespace.crowdsec.metadata[0].name
+    labels = {
+      app = "crowdsec-syslog"
+    }
+  }
+  spec {
+    type = "NodePort"
+    selector = {
+      "k8s-app" = "crowdsec"
+      type      = "agent"
+    }
+    port {
+      name        = "syslog-udp"
+      port        = 514
+      target_port = 514
+      node_port   = 30514
+      protocol    = "UDP"
+    }
+  }
+}

 # Deployment for my custom dashboard that helps me unblock myself when I blocklist myself
 resource "kubernetes_deployment" "crowdsec-web" {
--- a/stacks/crowdsec/modules/crowdsec/values.yaml
+++ b/stacks/crowdsec/modules/crowdsec/values.yaml
@ -17,6 +17,19 @@ agent:
      podName: traefik-*
      # as in crowdsec configuration, we need to specify the program name so the parser will match and parse logs
      program: traefik
+    # pfSense firewall logs via syslog
+    - source: syslog
+      listen_addr: "0.0.0.0"
+      listen_port: 514
+      labels:
+        type: pf
+    # Mailserver logs for SMTP/IMAP brute-force detection
+    - namespace: mailserver
+      podName: mailserver-*
+      program: postfix
+    - namespace: mailserver
+      podName: mailserver-*
+      program: dovecot
  # Those are ENV variables
  env:
    # As it's a test, we don't want to share signals with CrowdSec so disable the Online API.
@ -24,10 +37,18 @@ agent:
    #   value: "true"
    # As we are running Traefik, we want to install the Traefik collection
    - name: COLLECTIONS
-      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve"
+      value: "crowdsecurity/traefik crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/pf crowdsecurity/postfix crowdsecurity/dovecot crowdsecurity/sshd"
    - name: SCENARIOS
      value: ""
      # value: "crowdsecurity/http-crawl-aggressive"
+  # Expose syslog port for pfSense log ingestion
+  additionalPorts:
+    - name: syslog-udp
+      containerPort: 514
+      protocol: UDP
+    - name: syslog-tcp
+      containerPort: 514
+      protocol: TCP
  # Mount custom scenarios into /etc/crowdsec/scenarios
  extraVolumeMounts:
    - name: custom-scenarios