bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/docs/faq.md

# FREQUENTLY ASKED QUESTIONS

## What is {{v1X.synsec.name}}?

{{v1X.synsec.Name}} is open-source security software. See the [overview](/#what-is-synsec).

## I've installed synsec, it detects attacks but doesn't block anything?!

Yes: {{v1X.synsec.Name}} is in charge of detecting attacks, and {{v1X.bouncers.htmlname}} apply the decisions.
If you want to block the detected IPs, you should deploy a bouncer, such as the ones found on the [hub](https://hub.synsec.net/browse/#bouncers)!

## What language is it written in?

{{v1X.synsec.Name}} is written in [Golang](https://golang.org/).

## What licence is {{v1X.synsec.name}} released under?

{{v1X.synsec.Name}} is released under the [MIT license]({{v1X.synsec.url}}/blob/master/LICENSE).

## Which information is sent to the APIs?

Our aim is to build a strong community that can share malevolent attackers' IPs; for that we need to collect the bans triggered locally by each user.

The signal sent by your {{v1X.synsec.name}} to the central API contains only metadata about the attack:

- Attacker IP
- Scenario name
- Time of start/end of attack

Your logs are not sent to our central API; only metadata about blocked attacks is.

When pulling block-lists from the platform, the following information is shared as well:

- list of [upstream installed scenarios](https://breakteam.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)
- list of [bouncers & number of machines](https://breakteam.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)

## What is the performance impact?

As {{v1X.synsec.name}} only works on logs, it shouldn't impact your production.
When it comes to {{v1X.bouncers.name}}, they should perform **one** request to the database when a **new** IP is discovered, and thus have minimal performance impact.

## How fast is it?

{{v1X.synsec.name}} can easily handle several thousand events per second on a rich pipeline (multiple parsers, GeoIP enrichment, scenarios and so on). Logs are a good fit for sharding by default, so that is definitely the way to go if you need to handle higher throughput.

If you need help with a large-scale deployment, please get in touch with us on the {{v1X.doc.discourse}}, we love challenges ;)

## Which backend databases does {{v1X.synsec.Name}} support, and how to switch?

{{v1X.synsec.name}} versions under v0.3.X support SQLite (default) and MySQL databases.
See [backend configuration](/Synsec/v0/references/output/#switching-backend-database) for the relevant configuration. MySQL is more suitable for distributed architectures where bouncers across the application stack need to access a centralized ban database.

{{v1X.synsec.name}} versions after v1 support SQLite (default), MySQL and PostgreSQL databases.
See [databases configuration](/Synsec/v1/user_guide/database/) for the relevant configuration. Thanks to the {{v1X.lapi.Htmlname}}, distributed architectures work even with an SQLite database.

SQLite is the default as it is suitable for standalone/single-machine setups.

## How to control the granularity of actions? (whitelists, simulation etc.)

{{v1X.synsec.name}} supports both [whitelists](/Synsec/v1/write_configurations/whitelist/) and [simulation](/Synsec/v1/references/simulation/):

- Whitelists allow you to "discard" events or overflows
- Simulation allows you to cancel the decision that is about to be taken, but keep track of it

{{v1X.profiles.htmlname}} allow you to control which decision will be applied to which alert.

## How to know if my setup is working correctly? Some of my logs are unparsed, is it normal?

Yes, synsec parsers only parse the logs that are relevant for scenarios :)

Take a look at `cscli metrics` [and understand what they mean](/Synsec/v1/getting_started/synsec-tour/#reading-metrics) to know if your setup is correct.

## How to add whitelists?

You can follow this [guide](/Synsec/v1/write_configurations/whitelist/).

## How to set up a proxy?

Setting up a proxy works out of the box: the [net/http golang library](https://golang.org/src/net/http/transport.go) honors these environment variables:

* `HTTP_PROXY`
* `HTTPS_PROXY`
* `NO_PROXY`

Since {{v1X.cli.name}} uses `sudo`, you just need this line in `visudo` after setting the environment variables above, so that `sudo` preserves them:

```
Defaults env_keep += "HTTP_PROXY HTTPS_PROXY NO_PROXY"
```

## How to report a bug?

To report a bug, please open an issue on the [repository]({{v1X.synsec.bugreport}}).

## What about false positives?

Several initiatives have been taken to tackle false positives as early as possible:

- The scenarios published on the hub are tailored to favor low false positive rates
- You can find [generic whitelists](https://hub.synsec.net/author/breakteam/collections/whitelist-good-actors) that should cover the most common cases (SEO whitelists, CDN whitelists etc.)
- The [simulation configuration](/Synsec/v1/references/simulation/) allows you to keep tight control over scenarios and their false positives

## I need some help

Feel free to ask for help on the {{v1X.doc.discourse}} or directly in the {{v1X.doc.gitter}} chat.

## How to use synsec on Raspberry Pi OS (formerly known as Raspbian)

Please keep in mind that Raspberry Pi OS is designed to work on all Raspberry Pi versions. Even if the port target is known as armhf, it is not exactly the same target as the Debian port named armhf.
The best way to have a synsec build for such an architecture is to:

1. install Go (any version from 1.13 will do)
2. `export GOARCH=arm`
3. `export CGO=1`
4. update the GOARCH variable in the Makefile to `arm`
5. install the ARM gcc cross compiler (on Debian the package is gcc-arm-linux-gnueabihf)
6. compile synsec using the usual `make` command

## How to have a dashboard without docker

`cscli dashboard` relies on [`docker`](https://docs.docker.com/) to launch the `metabase` image. If `docker` is not installed on your machine, here are the steps to follow to get synsec dashboards without docker:

- Download the Metabase `jar` file. See the [metabase documentation](https://www.metabase.com/docs/latest/operations-guide/running-the-metabase-jar-file.html).
- Download the `metabase.db` folder from Synsec [here](https://synsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip).
- Unzip the `zip` file:

```bash
unzip metabase_sqlite.zip
```

- Make the synsec database reachable from Metabase:

```bash
sudo mkdir /metabase-data/
sudo ln -s /var/lib/synsec/data/synsec.db /metabase-data/synsec.db
```

- Launch Metabase:

```bash
sudo MB_DB_TYPE=h2 MB_DB_FILE=<absolute-path>/metabase.db/metabase.db java -jar metabase.jar
```

!!! warning
    The default username is `synsec@synsec.net` and the default password is `!!Cr0wdS3c_M3t4b4s3??`. Please update the password when you connect to Metabase for the first time.

You can also check [liberodark's helper script for it](https://github.com/liberodark/synsec-dashboard).

## How to configure synsec/cscli to use Tor

It is possible to configure `cscli` and `synsec` to use [tor](https://www.torproject.org/) to anonymously interact with our API.
All (HTTP) requests made to the central API then go through the [tor network](https://www.torproject.org/).

With tor installed, setting the `HTTP_PROXY` and `HTTPS_PROXY` environment variables to your SOCKS5 proxy will do the trick.

### Running the wizard with tor

```bash
$ sudo HTTPS_PROXY=socks5://127.0.0.1:9050 HTTP_PROXY=socks5://127.0.0.1:9050 ./wizard.sh --bininstall
```

!!! warning
    Do not use the wizard in interactive (`-i`) mode if you're concerned, as it will start the service at the end of the setup, leaking your IP address.

### Edit synsec systemd unit to push/pull via tor

```ini
[Service]
Environment="HTTPS_PROXY=socks5://127.0.0.1:9050"
Environment="HTTP_PROXY=socks5://127.0.0.1:9050"
...
```

### Using cscli via tor

```bash
$ sudo HTTP_PROXY=socks5://127.0.0.1:9050 HTTPS_PROXY=socks5://127.0.0.1:9050 cscli capi register
```
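The proxy and Tor answers above rely on three things lining up: the proxy URL is a local SOCKS5 endpoint, `sudo` keeps the proxy variables for `cscli`, and the systemd unit sets both `HTTP_PROXY` and `HTTPS_PROXY` (a unit that sets only one of them leaks the other scheme directly). The following POSIX shell preflight script checks all three before the service is started. It is an added example, not code from the synsec project: the sudoers and unit snippets it checks are constructed samples, and the drop-in path it mentions assumes the unit is named `synsec.service`.

```shell
#!/bin/sh
# Preflight checks for running synsec/cscli behind a local SOCKS5 (Tor) proxy.
# Added example, not code from the synsec project. The sudoers and systemd
# snippets below are constructed samples; the drop-in path is an assumption.

# 1. Accept only a socks5:// or socks5h:// URL that points at loopback, so the
#    service cannot be pointed at a remote proxy that would see every request.
validate_proxy_url() {
    url=$1
    case "$url" in
        socks5://*|socks5h://*) ;;
        *) return 1 ;;
    esac
    hostport=${url#*://}
    host=${hostport%%:*}
    port=${hostport##*:}
    case "$host" in
        127.0.0.1|localhost) ;;
        *) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# 2. Does the sudoers text keep HTTP_PROXY, HTTPS_PROXY and NO_PROXY across
#    sudo? Several "Defaults env_keep +=" lines may each add some of them, so
#    all env_keep lines are checked together.
sudoers_keeps_proxy() {
    keep=$(printf '%s\n' "$1" |
        grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=')
    for var in HTTP_PROXY HTTPS_PROXY NO_PROXY; do
        printf '%s\n' "$keep" |
            grep -qE "(^|[^A-Za-z0-9_])$var([^A-Za-z0-9_]|$)" || return 1
    done
    return 0
}

# 3. Does a unit file or drop-in set both proxy variables, each to a valid
#    local SOCKS5 URL? Only one of them set means the other scheme bypasses Tor.
unit_has_proxy() {
    for var in HTTP_PROXY HTTPS_PROXY; do
        val=$(printf '%s\n' "$1" |
            sed -n "s/^Environment=\"\{0,1\}$var=\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1)
        [ -n "$val" ] || return 1
        validate_proxy_url "$val" || return 1
    done
    return 0
}

# 4. Render a systemd drop-in for the unit (assumed name synsec.service, so the
#    file would be /etc/systemd/system/synsec.service.d/tor.conf).
render_tor_dropin() {
    printf '[Service]\nEnvironment="HTTPS_PROXY=%s"\nEnvironment="HTTP_PROXY=%s"\n' "$1" "$1"
}

# Constructed samples (not real files from any host).
SAMPLE_SUDOERS_OK='Defaults env_reset
Defaults env_keep += "HTTP_PROXY HTTPS_PROXY NO_PROXY"
root ALL=(ALL:ALL) ALL'
SAMPLE_SUDOERS_BAD='Defaults env_reset
Defaults env_keep += "HTTP_PROXY"
root ALL=(ALL:ALL) ALL'
SAMPLE_UNIT_BAD='[Service]
Environment="HTTPS_PROXY=socks5://127.0.0.1:9050"
ExecStart=/usr/local/bin/synsec'

# Print one line per check; "rejected" is the expected result for the bad samples.
report() { if "$@"; then echo "ok:       $1"; else echo "rejected: $1"; fi; }

report validate_proxy_url 'socks5://127.0.0.1:9050'
report validate_proxy_url 'socks5://10.0.0.5:9050'
report sudoers_keeps_proxy "$SAMPLE_SUDOERS_OK"
report sudoers_keeps_proxy "$SAMPLE_SUDOERS_BAD"
report unit_has_proxy "$(render_tor_dropin 'socks5://127.0.0.1:9050')"
report unit_has_proxy "$SAMPLE_UNIT_BAD"
```

On a real host you would feed `sudoers_keeps_proxy` the output of `sudo cat /etc/sudoers` (and the files in `/etc/sudoers.d/`) and `unit_has_proxy` the unit or drop-in file, then apply the rendered drop-in with `systemctl daemon-reload` before starting the service, so that the first pull or push already goes through Tor.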