@openwrt routers often run on tiny hardware with limited storage, which makes adding intrusion prevention such as @CrowdSec tricky.
I managed to set up only the lightweight firewall bouncer on #OpenWrt, and forward its logs via Syslog to the Security Engine in #Docker (server).
Result: community-powered IPS on tiny hardware. 🚀
Here’s how to set this up yourself: https://kroon.email/site/en/posts/openwrt-crowdsec/
Sounds like you’ve got the right idea.
It’s the bouncer that actually blocks the connections, so your edge router is a great place for it. If you’re sending the openwrt syslog to your security engine, too, you can also catch things like port scanning, which you wouldn’t be able to detect by only monitoring your server or application logs. Don’t forget to actually load your scenarios, though!
