bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/docs/faq.md

bitbucket.org/Aishee/synsec@v0.0.0-20210414005726-236fc01a153d/docs/faq.md (about)

     1  # FREQUENTLY ASKED QUESTIONS
     2  
     3  ## What is {{v1X.synsec.name}} ?
     4  
     5  {{v1X.synsec.Name}} is a security open-source software. See the [overview](/#what-is-synsec).
     6  
     7  ## I've installed synsec, it detects attacks but doesn't block anything ?!
     8  
     9  Yes, {{v1X.synsec.Name}} is in charge of detecting attacks, and {{v1X.bouncers.htmlname}} are applying decisions.
    10  If you want to block the detected IPs, you should deploy a bouncer, such as the ones found on the [hub](https://hub.synsec.net/browse/#bouncers) !
    11  
    12  
    13  ## What language is it written in ?
    14  
    15  {{v1X.synsec.Name}} is written in [Golang](https://golang.org/).
    16  
    17  ## What licence is {{v1X.synsec.name}} released under ?
    18  
    19  {{v1X.synsec.Name}} is under [MIT license]({{v1X.synsec.url}}/blob/master/LICENSE).
    20  
    21  ## Which information is sent to the APIs ?
    22  
    23  Our aim is to build a strong community that can share malevolent attackers IPs, for that we need to collect the bans triggered locally by each user.
    24  
    25  The signal sent by your {{v1X.synsec.name}} to the central API only contains only meta-data about the attack :
    26  
    27   - Attacker IP
    28   - Scenario name
    29   - Time of start/end of attack
    30  
    31  Your logs are not sent to our central API, only meta-data about blocked attacks will be.
    32  
    33  
    34  When pulling block-lists from the platform, the following information is shared as well :
    35  
    36   - list of [upstream installed scenarios](https://breakteam.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)
    37   - list of [bouncers & number of machines](https://breakteam.github.io/api_doc/index.html?urls.primaryName=CAPI#/watchers/post_metrics)
    38  
    39  ## What is the performance impact ?
    40  
    41  As {{v1X.synsec.name}} only works on logs, it shouldn't impact your production.
    42  When it comes to {{v1X.bouncers.name}}, it should perform **one** request to the database when a **new** IP is discovered thus have minimal performance impact.
    43  
    44  ## How fast is it ?
    45  
    46  {{v1X.synsec.name}} can easily handle several thousands of events per second on a rich pipeline (multiple parsers, geoip enrichment, scenarios and so on). Logs are a good fit for sharding by default, so it is definitely the way to go if you need to handle higher throughput.
    47  
    48  If you need help for large scale deployment, please get in touch with us on the {{v1X.doc.discourse}}, we love challenges ;)
    49  
    50  ## What backend database does {{v1X.synsec.Name}} supports and how to switch ?
    51  
    52  {{v1X.synsec.name}} versions (under v0.3.X) supports SQLite (default) and MySQL databases.
    53  See [backend configuration](/Synsec/v0/references/output/#switching-backend-database) for relevant configuration. MySQL here is more suitable for distributed architectures where bouncers across the applicative stack need to access a centralized ban database.
    54  
    55  {{v1X.synsec.name}} versions (after v1) supports SQLite (default), MySQL and PostgreSQL databases.
    56  See [databases configuration](/Synsec/v1/user_guide/database/) for relevant configuration. Thanks to the {{v1X.lapi.Htmlname}}, distributed architectures are resolved even with sqlite database.
    57  
    58  SQLite by default as it's suitable for standalone/single-machine setups.
    59  
    60  ## How to control granularity of actions ? (whitelists, simulation etc.)
    61  
    62  {{v1X.synsec.name}} support both [whitelists](/Synsec/v1/write_configurations/whitelist/) and [simulation](/Synsec/v1/references/simulation/) :
    63  
    64   - Whitelists allows you to "discard" events or overflows
    65   - Simulation allows you to simply cancel the decision that is going to be taken, but keep track of it
    66  
    67   {{v1X.profiles.htmlname}} allows you to control which decision will be applied to which alert.
    68  
    69  ## How to know if my setup is working correctly ? Some of my logs are unparsed, is it normal ?
    70  
    71  Yes, synsec parsers only parse the logs that are relevant for scenarios :)
    72  
    73  Take a look at `cscli metrics` [and understand what do they mean](/Synsec/v1/getting_started/synsec-tour/#reading-metrics) to know if your setup is correct.
    74  
    75  
    76  ## How to add whitelists ?
    77  
    78  You can follow this [guide](/Synsec/v1/write_configurations/whitelist/)
    79  
    80  ## How to set up proxy ?
    81  
    82  Setting up a proxy works out of the box, the [net/http golang library](https://golang.org/src/net/http/transport.go) can handle those environment variables:
    83  
    84  * `HTTP_PROXY`
    85  * `HTTPS_PROXY`
    86  * `NO_PROXY`
    87  
    88  Since {{v1X.cli.name}} uses `sudo`, you just this line in `visudo` after setting up the previous environment variables:
    89  
    90  ```
    91  Defaults env_keep += "HTTP_PROXY HTTPS_PROXY NO_PROXY"
    92  ```
    93  
    94  ## How to report a bug ?
    95  
    96  To report a bug, please open an issue on the [repository]({{v1X.synsec.bugreport}}).
    97  
    98  ## What about false positives ?
    99  
   100  Several initiatives have been taken to tackle the false positives approach as early as possible :
   101  
   102   - The scenarios published on the hub are tailored to favor low false positive rates
   103   - You can find [generic whitelists](https://hub.synsec.net/author/breakteam/collections/whitelist-good-actors) that should allow to cover most common cases (SEO whitelists, CDN whitelists etc.)
   104   - The [simulation configuration](/Synsec/v1/references/simulation/) allows you to keep a tight control over scenario and their false positives
   105  
   106  
   107  ## I need some help
   108  
   109  Feel free to ask for some help to the {{v1X.doc.discourse}} or directly in the {{v1X.doc.gitter}} chat.
   110  
   111  ## How to use synsec on raspberry pi OS (formerly known as rasbian) 
   112  
   113  Please keep in mind that raspberry pi OS is designed to work on all
   114  raspberry pi versions. Even if the port target is known as armhf, it's
   115  not exactly the same target as the debian named armhf port.
   116  
   117  The best way to have a synsec version for such an architecture is to
   118  do:
   119  
   120  1. install golang (all versions from 1.13 will do)
   121  2. `export GOARCH=arm`
   122  3. `export CGO=1`
   123  4. Update the GOARCH variable in the Makefile to `arm`
   124  5. install the arm gcc cross compilator (On debian the package is gcc-arm-linux-gnueabihf)
   125  6. Compile synsec using the usual `make` command
   126  
   127  
   128  ## How to have a dashboard without docker
   129  
   130  `cscli dashboard` rely on [`docker`](https://docs.docker.com/) to launch the `metabase` image. If `docker` is not installed on your machine, here are the step to follow to get synsec dashboards without docker:
   131  
   132  - Download Metabase `jar` file. See [metabase documentation](https://www.metabase.com/docs/latest/operations-guide/running-the-metabase-jar-file.html).
   133  - Download the `metabase.db` folder from Synsec [here](https://synsec-statics-assets.s3-eu-west-1.amazonaws.com/metabase_sqlite.zip).
   134  - Unzip the `zip` file: 
   135  
   136  ```bash
   137  unzip metabase_sqlite.zip
   138  ```
   139  
   140  - Make synsec database reachable from metabase :
   141  
   142  ```bash
   143  sudo mkdir /metabase-data/
   144  sudo ln -s /var/lib/synsec/data/synsec.db /metabase-data/synsec.db
   145  ```
   146  
   147  - Launch Metabase: 
   148  
   149  ```bash
   150  sudo MB_DB_TYPE=h2 MB_DB_FILE=<absolute-path>/metabase.db/metabase.db java -jar metabase.jar
   151  ```
   152  
   153  !!! warning
   154          The default username is `synsec@synsec.net` and the default password is `!!Cr0wdS3c_M3t4b4s3??`. Please update the password when you will connect to metabase for the first time
   155  
   156  You can as well check [liberodark's helper script for it](https://github.com/liberodark/synsec-dashboard).
   157  
   158  ## How to configure synsec/cscli to use Tor
   159  
   160  
   161  It is possible to configure `cscli` and `synsec` to use [tor](https://www.torproject.org/) to anonymously interact with our API.
   162  All (http) requests made to the central API to go through the [tor network](https://www.torproject.org/).
   163  
   164  
   165  With tor installed, setting `HTTP_PROXY` and `HTTPS_PROXY` environment variables to your socks5 proxy will do the trick.
   166  
   167  
   168  ### Running the wizard with tor
   169  
   170  ```bash
   171  $ sudo HTTPS_PROXY=socks5://127.0.0.1:9050 HTTP_PROXY=socks5://127.0.0.1:9050  ./wizard.sh --bininstall
   172  ```
   173  
   174  !!! warning
   175          Do not use the wizard in interactive (`-i`) mode if you're concerned, as it will start the service at the end of the setup, leaking your IP address.
   176  
   177  
   178  ### Edit synsec systemd unit to push/pull via tor
   179  
   180  ```bash
   181  [Service]
   182  Environment="HTTPS_PROXY=socks5://127.0.0.1:9050"
   183  Environment="HTTP_PROXY=socks5://127.0.0.1:9050"
   184  ...
   185  ```
   186  ### Using cscli via tor
   187  
   188  ```bash
   189  $ sudo HTTP_PROXY=socks5://127.0.0.1:9050 HTTPS_PROXY=socks5://127.0.0.1:9050 cscli capi register
   190  ```
   191  
   192  
   193  
   194  
   195  <!-- 
   196  
   197  ## What are common use-cases ?
   198  
   199  **TBD**
   200  
   201  ## What about false positives ?
   202  
   203  **TBD**
   204  
   205  ## How to test if it works ?
   206  
   207  **TBD**
   208  
   209  ## Who are you ?
   210  
   211  **TBD**
   212  
   213  -->