From b542ac7d3c97bf4eb2a2e0e5d44cd174210e8945 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sat, 28 Feb 2026 18:06:12 +0100 Subject: [PATCH] feat: WAF auto-ban, cache busting, deployment docs, CVE Layer 7 docs Changes: - Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high) - Add whitelist for common safe IPs (localhost, router) - Add browser cache busting via version parameter in CSS loads - Document deployment scripts in secubox-tools/README.md - Create CVE Layer 7 architecture documentation WAF auto-ban now active with: - 3 threats within 5 minutes triggers ban - 4-hour ban duration - Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately Co-Authored-By: Claude Opus 4.5 --- DOCS/CVE-LAYER7.md | 305 ++++++++++++++++++ .../luci-static/resources/secubox/nav.js | 7 +- .../files/etc/config/mitmproxy | 7 +- secubox-tools/README.md | 133 ++++++++ 4 files changed, 448 insertions(+), 4 deletions(-) create mode 100644 DOCS/CVE-LAYER7.md diff --git a/DOCS/CVE-LAYER7.md b/DOCS/CVE-LAYER7.md new file mode 100644 index 00000000..3b3e091b --- /dev/null +++ b/DOCS/CVE-LAYER7.md @@ -0,0 +1,305 @@ +# SecuBox CVE Layer 7 Defense System + +**Version:** 1.0.0 +**Last Updated:** 2026-02-28 + +## Overview + +The CVE Layer 7 innovation combines three defense pillars for comprehensive web application security: + +1. **mitmproxy WAF** - Real-time threat pattern detection (70+ CVE patterns) +2. **CrowdSec Scenarios** - Intelligent ban decisions with adaptive thresholds +3. **CVE Triage Agent** - AI-powered vulnerability assessment and remediation + +## Architecture + +``` +┌─────────────────────────────────────────────────────────────────┐ +│ LAYER 7: Request Processing │ +│ ┌──────────────────────────────────────────────────────────┐ │ +│ │ HAProxy (port 8080) → mitmproxy (MITM inspection) │ │ +│ │ ↓ │ │ +│ │ secubox_analytics.py │ │ +│ │ (70+ CVE patterns, sub-100ms detection) │ │ +│ └──────────────────────────────────────────────────────────┘ │ +│ ↓ │ +│ [Decision Tree] │ +│ ┌────────────────┬─────────────┬──────────────┐ │ +│ ↓ ↓ ↓ ↓ │ +│ [Allow] [Log Threat] [Auto-Ban] [Alert] │ +└─────────────────────────────────────────────────────────────────┘ + ↓ +┌─────────────────────────────────────────────────────────────────┐ +│ THREAT LOG PIPELINE │ +│ ┌──────────────────────────────────────────────────────────┐ │ +│ │ Log Files: │ │ +│ │ • /var/log/secubox-access.log (all requests) │ │ +│ │ • /data/threats.log (CrowdSec parser input) │ │ +│ │ • /data/autoban-requests.log (ban decisions) │ │ +│ │ • /tmp/secubox-subdomain-metrics.json (analytics) │ │ +│ └──────────────────────────────────────────────────────────┘ │ +│ ↓ │ +│ [CrowdSec Engine] │ +│ 8 mitmproxy-specific scenarios │ +│ ┌─────────────────┬──────────────┬──────────┐ │ +│ ↓ ↓ ↓ ↓ │ +│ [CVE] [Scanner] [SSRF] [Shell] │ +│ 30m ban 10-30m ban 10m ban 60m ban │ +└─────────────────────────────────────────────────────────────────┘ + ↓ +┌─────────────────────────────────────────────────────────────────┐ +│ RESPONSE & REMEDIATION │ +│ ┌──────────────────────────────────────────────────────────┐ │ +│ │ CrowdSec Firewall Bouncer: │ │ +│ │ • IP-based blocks (iptables/nftables rules) │ │ +│ │ • Whitelist/blacklist integration │ │ +│ └──────────────────────────────────────────────────────────┘ │ +│ ↓ │ +│ ┌──────────────────────────────────────────────────────────┐ │ +│ │ CVE Triage Agent (optional): │ │ +│ │ • Correlates CVE patterns with NVD data │ │ +│ │ • LocalAI impact assessment │ │ +│ │ • Patch recommendations │ │ +│ └──────────────────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────────────────┘ +``` + +## Component 1: mitmproxy WAF Analytics + +### Location +- **Config:** `/etc/config/mitmproxy` +- **Analytics Addon:** `/srv/mitmproxy/addons/secubox_analytics.py` +- **WAF Rules:** `/srv/mitmproxy/waf-rules.json` + +### CVE Pattern Categories + +| Category | Patterns | Severity | Auto-Ban | +|----------|----------|----------|----------| +| **SQL Injection** | 18 | Critical | Yes | +| **Command Injection** | 16 | Critical | Yes | +| **XSS** | 17 | High | Threshold | +| **Path Traversal** | 14 | High | Threshold | +| **XXE** | 8 | Critical | Yes | +| **SSRF** | 14 | High | Threshold | +| **Log4Shell/JNDI** | 8 | Critical | Yes | +| **CVE 2021-2025** | 70+ | Critical | Immediate | +| **Router Botnet** | 20+ | Critical | Immediate | + +### Supported CVEs (2021-2025) + +**2024-2025:** +- CVE-2025-15467 (OpenSSL CMS stack overflow) +- CVE-2025-0282 (Ivanti Connect Secure) +- CVE-2024-3400 (PAN-OS GlobalProtect) +- CVE-2024-21887 (Ivanti Connect Secure) +- CVE-2024-1708/1709 (ScreenConnect) +- CVE-2024-27198 (TeamCity) +- CVE-2024-21762 (Fortinet FortiOS) + +**2023:** +- CVE-2023-34362 (MOVEit SQL injection) +- CVE-2023-22515 (Confluence privilege escalation) +- CVE-2023-46747 (F5 BIG-IP) +- CVE-2023-4966 (Citrix Bleed) + +**2021-2022:** +- CVE-2021-44228 (Log4Shell) +- CVE-2021-41773 (Apache path traversal) +- CVE-2022-22965 (Spring4Shell) +- CVE-2022-1388 (F5 BIG-IP) + +### Auto-Ban Configuration + +```uci +config autoban 'autoban' + option enabled '1' + option ban_duration '4h' + option min_severity 'high' + option sensitivity 'moderate' + option moderate_threshold '3' + option moderate_window '300' + option whitelist '127.0.0.1,192.168.255.1' +``` + +**Sensitivity Levels:** +- **Aggressive:** Immediate ban on first critical threat +- **Moderate:** Ban after 3 threats within 5 minutes (default) +- **Permissive:** Ban after 5 threats within 1 hour + +## Component 2: CrowdSec Scenarios + +### Location +- **Scenarios:** `/etc/crowdsec/scenarios/` +- **Parser:** `/etc/crowdsec/parsers/s01-parse/secubox-mitmproxy.yaml` +- **Acquisition:** `/etc/crowdsec/acquis.d/secubox-mitmproxy.yaml` + +### mitmproxy Threat Scenarios + +| Scenario | Type | Trigger | Ban Duration | +|----------|------|---------|--------------| +| `secubox/mitmproxy-attack` | Leaky | SQLi, XSS, CMDi, LFI, XXE | 15m | +| `secubox/mitmproxy-cve` | Trigger | CVE + critical severity | 30m | +| `secubox/mitmproxy-botscan` | Leaky | Vulnerability scanners | 30m | +| `secubox/mitmproxy-shell-hunter` | Trigger | Shell/backdoor hunting | 60m | +| `secubox/mitmproxy-config-hunter` | Leaky | Config file hunting | 30m | +| `secubox/mitmproxy-scanner` | Leaky | Admin/env scanning | 10m | +| `secubox/mitmproxy-ssrf` | Leaky | SSRF attempts | 10m | +| `secubox/mitmproxy-suspicious-ua` | Leaky | Suspicious User-Agent | 15m | + +### Log Format (JSON) + +```json +{ + "timestamp": "2026-02-28T12:00:00Z", + "source_ip": "1.2.3.4", + "host": "example.com", + "request": "GET /../../../etc/passwd HTTP/1.1", + "threat_type": "path_traversal", + "pattern": "../../../etc/passwd", + "severity": "critical", + "cve": "", + "category": "lfi", + "is_bot": true, + "bot_type": "vulnerability_scanner", + "bot_behavior": "config_hunting" +} +``` + +## Component 3: CVE Triage Agent + +### Location +- **Config:** `/etc/config/cve-triage` +- **CLI:** `/usr/bin/cve-triage` +- **Library:** `/usr/lib/cve-triage/` + +### Workflow + +1. **Collector** (`collector.sh`): + - Gathers installed packages (opkg, dpkg, apk) + - Scans LXC containers and Docker images + - Cross-references with NVD API + +2. **Analyzer** (`analyzer.sh`): + - CVSS-based severity scoring + - LocalAI impact assessment (optional) + - Attack vector analysis + +3. **Recommender** (`recommender.sh`): + - Patch recommendations + - Mitigation strategies + - Monitoring guidance + +4. **Applier** (`applier.sh`): + - Queue-based approval workflow + - Auto-apply option (configurable) + - Rollback capability + +### Configuration + +```uci +config cve-triage 'main' + option enabled '1' + option scan_interval '3600' + option min_severity 'medium' + option auto_apply_patches '0' + option localai_analysis '1' +``` + +## Integration Points + +### mitmproxy → CrowdSec + +1. mitmproxy writes JSON threat logs to `/data/threats.log` +2. CrowdSec `secubox-mitmproxy` parser extracts fields +3. 8 scenarios evaluate severity and decide ban duration +4. Firewall bouncer applies IP blocks + +### mitmproxy → CVE Triage + +1. CVE field from detection passed to triage agent +2. Triage correlates with NVD API +3. Generates remediation recommendations +4. Updates auto-ban sensitivity if needed + +### Auto-Ban Feedback Loop + +1. High-severity CVE attempts trigger immediate bans +2. Repeated attempts from same IP escalate ban duration +3. Whitelist/WireGuard endpoint protection prevents false positives +4. CrowdSec community blocklist integration + +## File Locations + +| Component | Path | Purpose | +|-----------|------|---------| +| WAF Config | `/etc/config/mitmproxy` | Auto-ban settings | +| WAF Rules | `/srv/mitmproxy/waf-rules.json` | Pattern definitions | +| Analytics | `/srv/mitmproxy/addons/secubox_analytics.py` | Detection engine | +| Threats Log | `/data/threats.log` | CrowdSec input | +| Access Log | `/var/log/secubox-access.log` | All requests | +| Auto-ban Log | `/data/autoban-requests.log` | Ban decisions | +| Scenarios | `/etc/crowdsec/scenarios/` | CrowdSec rules | +| CVE Triage | `/usr/lib/cve-triage/` | Agent library | + +## Metrics & Monitoring + +### Subdomain Metrics + +Real-time JSON export: `/tmp/secubox-subdomain-metrics.json` + +- Request counts per domain +- Threat type distribution +- Top 20 URIs per subdomain +- Country-based statistics + +### Rate Limiting + +```python +RATE_LIMITS = { + 'path_scan': {'window': 60, 'max': 20}, + 'auth_attempt': {'window': 60, 'max': 10}, + 'bot_request': {'window': 60, 'max': 30}, + 'normal': {'window': 60, 'max': 100}, +} +``` + +## Commands + +### View active threats +```bash +# Recent threats +tail -f /data/threats.log | jq + +# Auto-ban log +cat /data/autoban-requests.log + +# CrowdSec decisions +cscli decisions list +``` + +### Manual ban/unban +```bash +# Ban IP for 4 hours +cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Manual ban" + +# Remove ban +cscli decisions delete --ip 1.2.3.4 +``` + +### Check status +```bash +# mitmproxy WAF status +mitmproxyctl status + +# CrowdSec status +cscli metrics + +# CVE Triage status +cve-triage status +``` + +## See Also + +- [mitmproxy UCI Configuration](../package/secubox/secubox-app-mitmproxy/README.md) +- [CrowdSec Custom Scenarios](../package/secubox/secubox-app-crowdsec-custom/README.md) +- [CVE Triage Agent](../package/secubox/secubox-cve-triage/README.md) diff --git a/package/secubox/luci-app-secubox/htdocs/luci-static/resources/secubox/nav.js b/package/secubox/luci-app-secubox/htdocs/luci-static/resources/secubox/nav.js index b63794d5..071564b2 100644 --- a/package/secubox/luci-app-secubox/htdocs/luci-static/resources/secubox/nav.js +++ b/package/secubox/luci-app-secubox/htdocs/luci-static/resources/secubox/nav.js @@ -47,6 +47,10 @@ var mainTabs = [ var _themeInitialized = false; var _cssLoaded = false; +// Cache busting version - updated during build or can use timestamp +// Format: YYMMDD.HHMM or git short SHA +var _cacheBustVersion = '260228.1200'; + return baseclass.extend({ /** * Get main SecuBox tabs @@ -95,7 +99,8 @@ return baseclass.extend({ link.id = id; link.rel = 'stylesheet'; link.type = 'text/css'; - link.href = L.resource(file); + // Add cache busting version parameter + link.href = L.resource(file) + '?v=' + _cacheBustVersion; document.head.appendChild(link); }); diff --git a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy index 94478ce6..36500a88 100644 --- a/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy +++ b/package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy @@ -66,11 +66,11 @@ config wan_protection 'wan_protection' # Auto-ban configuration - automatically ban IPs via CrowdSec config autoban 'autoban' # Enable automatic banning of detected threats - option enabled '0' + option enabled '1' # Ban duration (e.g., 1h, 4h, 24h, 7d) option ban_duration '4h' # Minimum severity to trigger auto-ban: critical, high, medium - option min_severity 'critical' + option min_severity 'high' # Auto-ban on CVE exploit attempts option ban_cve_exploits '1' # Auto-ban SQL injection attempts @@ -88,7 +88,8 @@ config autoban 'autoban' # Auto-ban XMPP/Jabber attacks option ban_xmpp '1' # Whitelist IPs from auto-ban (comma-separated) - option whitelist '' + # Default: localhost, router IP, common admin IPs + option whitelist '127.0.0.1,192.168.255.1,192.168.1.1' # # Sensitivity level: aggressive, moderate, permissive # - aggressive: Ban immediately on first detection (critical threats only) diff --git a/secubox-tools/README.md b/secubox-tools/README.md index f65fd716..ea6cbd18 100644 --- a/secubox-tools/README.md +++ b/secubox-tools/README.md @@ -160,6 +160,139 @@ opkg install /tmp/luci-app-system-hub*.ipk /etc/init.d/rpcd restart ``` +### Image & Deployment Tools + +#### secubox-image.sh + +Build SecuBox firmware images via the OpenWrt ASU (Attended SysUpgrade) API. + +**Usage:** +```bash +# Build firmware image for device +./secubox-tools/secubox-image.sh build mochabin + +# Generate firmware-selector config +./secubox-tools/secubox-image.sh firmware-selector mochabin + +# Check build status +./secubox-tools/secubox-image.sh status + +# Download completed build +./secubox-tools/secubox-image.sh download +``` + +**Features:** +- Uses firmware-selector.openwrt.org backend (ASU API) +- Supports MOCHAbin, ESPRESSObin V7/Ultra, x86-64 +- Maximum rootfs partition (1024 MB) +- First-boot script auto-installs SecuBox packages +- Image resizing for full eMMC utilization + +**Output:** Firmware images in `build/images/` with SHA256 checksums + +#### secubox-sysupgrade.sh + +Upgrade a running SecuBox device in-place while preserving packages. + +**Usage:** +```bash +# Check current version and available upgrades +secubox-sysupgrade check + +# Build sysupgrade image (without flashing) +secubox-sysupgrade build + +# Build + download + flash (full upgrade) +secubox-sysupgrade upgrade + +# Show device info +secubox-sysupgrade status +``` + +**Features:** +- Auto-detects device, version, and installed packages +- Requests custom image with all packages preserved +- Preserves /etc/config, /etc/secubox, /srv/ across upgrades +- Uses /etc/board.json for device detection + +#### quick-deploy.sh + +Fast development deployment to router. + +**Usage:** +```bash +# Deploy IPK package +./secubox-tools/quick-deploy.sh --ipk /tmp/package.ipk + +# Deploy from source directory +./secubox-tools/quick-deploy.sh --src package/secubox/luci-app-example + +# Shortcut for LuCI apps +./secubox-tools/quick-deploy.sh --app system-hub + +# Deploy from git repo +./secubox-tools/quick-deploy.sh --git https://github.com/user/repo --branch develop + +# List available apps +./secubox-tools/quick-deploy.sh --list-apps +``` + +**Features:** +- Multiple source modes: IPK, APK, tar, git +- Automatic LuCI app detection +- Post-deploy verification and cache busting +- Backup and restore capability +- SSH multiplexing for faster transfers + +#### c3box-vm-builder.sh + +Build portable C3Box VM images for VMware/VirtualBox. + +**Usage:** +```bash +# Build x86-64 firmware +./secubox-tools/c3box-vm-builder.sh build + +# Convert to VM formats +./secubox-tools/c3box-vm-builder.sh convert + +# Full build + convert +./secubox-tools/c3box-vm-builder.sh full + +# Create distributable archive +./secubox-tools/c3box-vm-builder.sh package +``` + +**Output formats:** VMDK (VMware), OVA, VDI (VirtualBox), QCOW2 (KVM) + +#### secubox-clone-station.sh + +Orchestrate cloning of SecuBox devices via dual USB serial. + +**Usage:** +```bash +# Detect serial devices +./secubox-tools/secubox-clone-station.sh detect + +# Extract master config +./secubox-tools/secubox-clone-station.sh pull --master /dev/ttyUSB0 + +# Flash target device +./secubox-tools/secubox-clone-station.sh flash --target /dev/ttyUSB1 + +# Full clone workflow +./secubox-tools/secubox-clone-station.sh clone +``` + +**Features:** +- Extract config from master device +- Build clone image with ASU API +- Generate join token for mesh +- U-Boot automation via MOKATOOL +- TFTP-based flashing + +--- + ### Logging & Debug Utilities #### secubox-log.sh