gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: WAF auto-ban, cache busting, deployment docs, CVE Layer 7 docs

Browse Source 
Changes:
- Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high)
- Add whitelist for common safe IPs (localhost, router)
- Add browser cache busting via version parameter in CSS loads
- Document deployment scripts in secubox-tools/README.md
- Create CVE Layer 7 architecture documentation

WAF auto-ban now active with:
- 3 threats within 5 minutes triggers ban
- 4-hour ban duration
- Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-02-28 18:06:12 +01:00
parent 18987a96dc
commit b542ac7d3c
4 changed files with 448 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

305
DOCS/CVE-LAYER7.md Normal file
View File

@ -0,0 +1,305 @@
# SecuBox CVE Layer 7 Defense System
**Version:** 1.0.0
**Last Updated:** 2026-02-28
## Overview
The CVE Layer 7 innovation combines three defense pillars for comprehensive web application security:
1. **mitmproxy WAF** - Real-time threat pattern detection (70+ CVE patterns)
2. **CrowdSec Scenarios** - Intelligent ban decisions with adaptive thresholds
3. **CVE Triage Agent** - AI-powered vulnerability assessment and remediation
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ LAYER 7: Request Processing │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ HAProxy (port 8080) → mitmproxy (MITM inspection) │ │
│ │ ↓ │ │
│ │ secubox_analytics.py │ │
│ │ (70+ CVE patterns, sub-100ms detection) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [Decision Tree] │
│ ┌────────────────┬─────────────┬──────────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [Allow] [Log Threat] [Auto-Ban] [Alert] │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ THREAT LOG PIPELINE │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Log Files: │ │
│ │ • /var/log/secubox-access.log (all requests) │ │
│ │ • /data/threats.log (CrowdSec parser input) │ │
│ │ • /data/autoban-requests.log (ban decisions) │ │
│ │ • /tmp/secubox-subdomain-metrics.json (analytics) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [CrowdSec Engine] │
│ 8 mitmproxy-specific scenarios │
│ ┌─────────────────┬──────────────┬──────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [CVE] [Scanner] [SSRF] [Shell] │
│ 30m ban 10-30m ban 10m ban 60m ban │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ RESPONSE & REMEDIATION │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CrowdSec Firewall Bouncer: │ │
│ │ • IP-based blocks (iptables/nftables rules) │ │
│ │ • Whitelist/blacklist integration │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CVE Triage Agent (optional): │ │
│ │ • Correlates CVE patterns with NVD data │ │
│ │ • LocalAI impact assessment │ │
│ │ • Patch recommendations │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
## Component 1: mitmproxy WAF Analytics
### Location
- **Config:** `/etc/config/mitmproxy`
- **Analytics Addon:** `/srv/mitmproxy/addons/secubox_analytics.py`
- **WAF Rules:** `/srv/mitmproxy/waf-rules.json`
### CVE Pattern Categories
| Category | Patterns | Severity | Auto-Ban |
|----------|----------|----------|----------|
| **SQL Injection** | 18 | Critical | Yes |
| **Command Injection** | 16 | Critical | Yes |
| **XSS** | 17 | High | Threshold |
| **Path Traversal** | 14 | High | Threshold |
| **XXE** | 8 | Critical | Yes |
| **SSRF** | 14 | High | Threshold |
| **Log4Shell/JNDI** | 8 | Critical | Yes |
| **CVE 2021-2025** | 70+ | Critical | Immediate |
| **Router Botnet** | 20+ | Critical | Immediate |
### Supported CVEs (2021-2025)
**2024-2025:**
- CVE-2025-15467 (OpenSSL CMS stack overflow)
- CVE-2025-0282 (Ivanti Connect Secure)
- CVE-2024-3400 (PAN-OS GlobalProtect)
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2024-1708/1709 (ScreenConnect)
- CVE-2024-27198 (TeamCity)
- CVE-2024-21762 (Fortinet FortiOS)
**2023:**
- CVE-2023-34362 (MOVEit SQL injection)
- CVE-2023-22515 (Confluence privilege escalation)
- CVE-2023-46747 (F5 BIG-IP)
- CVE-2023-4966 (Citrix Bleed)
**2021-2022:**
- CVE-2021-44228 (Log4Shell)
- CVE-2021-41773 (Apache path traversal)
- CVE-2022-22965 (Spring4Shell)
- CVE-2022-1388 (F5 BIG-IP)
### Auto-Ban Configuration
```uci
config autoban 'autoban'
option enabled '1'
option ban_duration '4h'
option min_severity 'high'
option sensitivity 'moderate'
option moderate_threshold '3'
option moderate_window '300'
option whitelist '127.0.0.1,192.168.255.1'
```
**Sensitivity Levels:**
- **Aggressive:** Immediate ban on first critical threat
- **Moderate:** Ban after 3 threats within 5 minutes (default)
- **Permissive:** Ban after 5 threats within 1 hour
## Component 2: CrowdSec Scenarios
### Location
- **Scenarios:** `/etc/crowdsec/scenarios/`
- **Parser:** `/etc/crowdsec/parsers/s01-parse/secubox-mitmproxy.yaml`
- **Acquisition:** `/etc/crowdsec/acquis.d/secubox-mitmproxy.yaml`
### mitmproxy Threat Scenarios
| Scenario | Type | Trigger | Ban Duration |
|----------|------|---------|--------------|
| `secubox/mitmproxy-attack` | Leaky | SQLi, XSS, CMDi, LFI, XXE | 15m |
| `secubox/mitmproxy-cve` | Trigger | CVE + critical severity | 30m |
| `secubox/mitmproxy-botscan` | Leaky | Vulnerability scanners | 30m |
| `secubox/mitmproxy-shell-hunter` | Trigger | Shell/backdoor hunting | 60m |
| `secubox/mitmproxy-config-hunter` | Leaky | Config file hunting | 30m |
| `secubox/mitmproxy-scanner` | Leaky | Admin/env scanning | 10m |
| `secubox/mitmproxy-ssrf` | Leaky | SSRF attempts | 10m |
| `secubox/mitmproxy-suspicious-ua` | Leaky | Suspicious User-Agent | 15m |
### Log Format (JSON)
```json
{
"timestamp": "2026-02-28T12:00:00Z",
"source_ip": "1.2.3.4",
"host": "example.com",
"request": "GET /../../../etc/passwd HTTP/1.1",
"threat_type": "path_traversal",
"pattern": "../../../etc/passwd",
"severity": "critical",
"cve": "",
"category": "lfi",
"is_bot": true,
"bot_type": "vulnerability_scanner",
"bot_behavior": "config_hunting"
}
```
## Component 3: CVE Triage Agent
### Location
- **Config:** `/etc/config/cve-triage`
- **CLI:** `/usr/bin/cve-triage`
- **Library:** `/usr/lib/cve-triage/`
### Workflow
1. **Collector** (`collector.sh`):
- Gathers installed packages (opkg, dpkg, apk)
- Scans LXC containers and Docker images
- Cross-references with NVD API
2. **Analyzer** (`analyzer.sh`):
- CVSS-based severity scoring
- LocalAI impact assessment (optional)
- Attack vector analysis
3. **Recommender** (`recommender.sh`):
- Patch recommendations
- Mitigation strategies
- Monitoring guidance
4. **Applier** (`applier.sh`):
- Queue-based approval workflow
- Auto-apply option (configurable)
- Rollback capability
### Configuration
```uci
config cve-triage 'main'
option enabled '1'
option scan_interval '3600'
option min_severity 'medium'
option auto_apply_patches '0'
option localai_analysis '1'
```
## Integration Points
### mitmproxy → CrowdSec
1. mitmproxy writes JSON threat logs to `/data/threats.log`
2. CrowdSec `secubox-mitmproxy` parser extracts fields
3. 8 scenarios evaluate severity and decide ban duration
4. Firewall bouncer applies IP blocks
### mitmproxy → CVE Triage
1. CVE field from detection passed to triage agent
2. Triage correlates with NVD API
3. Generates remediation recommendations
4. Updates auto-ban sensitivity if needed
### Auto-Ban Feedback Loop
1. High-severity CVE attempts trigger immediate bans
2. Repeated attempts from same IP escalate ban duration
3. Whitelist/WireGuard endpoint protection prevents false positives
4. CrowdSec community blocklist integration
## File Locations
| Component | Path | Purpose |
|-----------|------|---------|
| WAF Config | `/etc/config/mitmproxy` | Auto-ban settings |
| WAF Rules | `/srv/mitmproxy/waf-rules.json` | Pattern definitions |
| Analytics | `/srv/mitmproxy/addons/secubox_analytics.py` | Detection engine |
| Threats Log | `/data/threats.log` | CrowdSec input |
| Access Log | `/var/log/secubox-access.log` | All requests |
| Auto-ban Log | `/data/autoban-requests.log` | Ban decisions |
| Scenarios | `/etc/crowdsec/scenarios/` | CrowdSec rules |
| CVE Triage | `/usr/lib/cve-triage/` | Agent library |
## Metrics & Monitoring
### Subdomain Metrics
Real-time JSON export: `/tmp/secubox-subdomain-metrics.json`
- Request counts per domain
- Threat type distribution
- Top 20 URIs per subdomain
- Country-based statistics
### Rate Limiting
```python
RATE_LIMITS = {
'path_scan': {'window': 60, 'max': 20},
'auth_attempt': {'window': 60, 'max': 10},
'bot_request': {'window': 60, 'max': 30},
'normal': {'window': 60, 'max': 100},
}
```
## Commands
### View active threats
```bash
# Recent threats
tail -f /data/threats.log | jq
# Auto-ban log
cat /data/autoban-requests.log
# CrowdSec decisions
cscli decisions list
```
### Manual ban/unban
```bash
# Ban IP for 4 hours
cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Manual ban"
# Remove ban
cscli decisions delete --ip 1.2.3.4
```
### Check status
```bash
# mitmproxy WAF status
mitmproxyctl status
# CrowdSec status
cscli metrics
# CVE Triage status
cve-triage status
```
## See Also
- [mitmproxy UCI Configuration](../package/secubox/secubox-app-mitmproxy/README.md)
- [CrowdSec Custom Scenarios](../package/secubox/secubox-app-crowdsec-custom/README.md)
- [CVE Triage Agent](../package/secubox/secubox-cve-triage/README.md)

7
package/secubox/luci-app-secubox/htdocs/luci-static/resources/secubox/nav.js
View File

@ -47,6 +47,10 @@ var mainTabs = [
var _themeInitialized = false; var _themeInitialized = false;
var _cssLoaded = false; var _cssLoaded = false;
// Cache busting version - updated during build or can use timestamp
// Format: YYMMDD.HHMM or git short SHA
var _cacheBustVersion = '260228.1200';
return baseclass.extend({ return baseclass.extend({
/** /**
* Get main SecuBox tabs * Get main SecuBox tabs
@ -95,7 +99,8 @@ return baseclass.extend({
link.id = id; link.id = id;
link.rel = 'stylesheet'; link.rel = 'stylesheet';
link.type = 'text/css'; link.type = 'text/css';
link.href = L.resource(file); // Add cache busting version parameter
link.href = L.resource(file) + '?v=' + _cacheBustVersion;
document.head.appendChild(link); document.head.appendChild(link);
}); });

7
package/secubox/secubox-app-mitmproxy/files/etc/config/mitmproxy
View File

@ -66,11 +66,11 @@ config wan_protection 'wan_protection'
# Auto-ban configuration - automatically ban IPs via CrowdSec # Auto-ban configuration - automatically ban IPs via CrowdSec
config autoban 'autoban' config autoban 'autoban'
# Enable automatic banning of detected threats # Enable automatic banning of detected threats
option enabled '0' option enabled '1'
# Ban duration (e.g., 1h, 4h, 24h, 7d) # Ban duration (e.g., 1h, 4h, 24h, 7d)
option ban_duration '4h' option ban_duration '4h'
# Minimum severity to trigger auto-ban: critical, high, medium # Minimum severity to trigger auto-ban: critical, high, medium
option min_severity 'critical' option min_severity 'high'
# Auto-ban on CVE exploit attempts # Auto-ban on CVE exploit attempts
option ban_cve_exploits '1' option ban_cve_exploits '1'
# Auto-ban SQL injection attempts # Auto-ban SQL injection attempts
@ -88,7 +88,8 @@ config autoban 'autoban'
# Auto-ban XMPP/Jabber attacks # Auto-ban XMPP/Jabber attacks
option ban_xmpp '1' option ban_xmpp '1'
# Whitelist IPs from auto-ban (comma-separated) # Whitelist IPs from auto-ban (comma-separated)
option whitelist '' # Default: localhost, router IP, common admin IPs
option whitelist '127.0.0.1,192.168.255.1,192.168.1.1'
# #
# Sensitivity level: aggressive, moderate, permissive # Sensitivity level: aggressive, moderate, permissive
# - aggressive: Ban immediately on first detection (critical threats only) # - aggressive: Ban immediately on first detection (critical threats only)

133
secubox-tools/README.md
View File

@ -160,6 +160,139 @@ opkg install /tmp/luci-app-system-hub*.ipk
/etc/init.d/rpcd restart /etc/init.d/rpcd restart
``` ```
### Image & Deployment Tools
#### secubox-image.sh
Build SecuBox firmware images via the OpenWrt ASU (Attended SysUpgrade) API.
**Usage:**
```bash
# Build firmware image for device
./secubox-tools/secubox-image.sh build mochabin
# Generate firmware-selector config
./secubox-tools/secubox-image.sh firmware-selector mochabin
# Check build status
./secubox-tools/secubox-image.sh status <build-hash>
# Download completed build
./secubox-tools/secubox-image.sh download <build-hash>
```
**Features:**
- Uses firmware-selector.openwrt.org backend (ASU API)
- Supports MOCHAbin, ESPRESSObin V7/Ultra, x86-64
- Maximum rootfs partition (1024 MB)
- First-boot script auto-installs SecuBox packages
- Image resizing for full eMMC utilization
**Output:** Firmware images in `build/images/` with SHA256 checksums
#### secubox-sysupgrade.sh
Upgrade a running SecuBox device in-place while preserving packages.
**Usage:**
```bash
# Check current version and available upgrades
secubox-sysupgrade check
# Build sysupgrade image (without flashing)
secubox-sysupgrade build
# Build + download + flash (full upgrade)
secubox-sysupgrade upgrade
# Show device info
secubox-sysupgrade status
```
**Features:**
- Auto-detects device, version, and installed packages
- Requests custom image with all packages preserved
- Preserves /etc/config, /etc/secubox, /srv/ across upgrades
- Uses /etc/board.json for device detection
#### quick-deploy.sh
Fast development deployment to router.
**Usage:**
```bash
# Deploy IPK package
./secubox-tools/quick-deploy.sh --ipk /tmp/package.ipk
# Deploy from source directory
./secubox-tools/quick-deploy.sh --src package/secubox/luci-app-example
# Shortcut for LuCI apps
./secubox-tools/quick-deploy.sh --app system-hub
# Deploy from git repo
./secubox-tools/quick-deploy.sh --git https://github.com/user/repo --branch develop
# List available apps
./secubox-tools/quick-deploy.sh --list-apps
```
**Features:**
- Multiple source modes: IPK, APK, tar, git
- Automatic LuCI app detection
- Post-deploy verification and cache busting
- Backup and restore capability
- SSH multiplexing for faster transfers
#### c3box-vm-builder.sh
Build portable C3Box VM images for VMware/VirtualBox.
**Usage:**
```bash
# Build x86-64 firmware
./secubox-tools/c3box-vm-builder.sh build
# Convert to VM formats
./secubox-tools/c3box-vm-builder.sh convert
# Full build + convert
./secubox-tools/c3box-vm-builder.sh full
# Create distributable archive
./secubox-tools/c3box-vm-builder.sh package
```
**Output formats:** VMDK (VMware), OVA, VDI (VirtualBox), QCOW2 (KVM)
#### secubox-clone-station.sh
Orchestrate cloning of SecuBox devices via dual USB serial.
**Usage:**
```bash
# Detect serial devices
./secubox-tools/secubox-clone-station.sh detect
# Extract master config
./secubox-tools/secubox-clone-station.sh pull --master /dev/ttyUSB0
# Flash target device
./secubox-tools/secubox-clone-station.sh flash --target /dev/ttyUSB1
# Full clone workflow
./secubox-tools/secubox-clone-station.sh clone
```
**Features:**
- Extract config from master device
- Build clone image with ASU API
- Generate join token for mesh
- U-Boot automation via MOKATOOL
- TFTP-based flashing
---
### Logging & Debug Utilities ### Logging & Debug Utilities
#### secubox-log.sh #### secubox-log.sh