Auto-detects DNS server (BIND vs dnsmasq) and generates appropriate
blocklist format:
- BIND: Response Policy Zone (RPZ) with NXDOMAIN responses
- dnsmasq: addn-hosts sinkhole file (existing)
Tested with 46,067 blocked domains on BIND named server.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The handler was looking for dns-guard.detector_${det}.enabled but
UCI config uses dns-guard.${det}.enabled (without detector_ prefix).
This caused all detectors to show as Disabled in the dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace defunct malwaredomains feed with ThreatFox (abuse.ch)
- Add is_valid_domain() function to validate domain format
- Optimize intel_merge() with batch SQL transactions
- Previous: 765 domains with invalid entries (HTML parsing artifacts)
- Now: 46,056 valid domains from 3 feeds (URLhaus, OpenPhish, ThreatFox)
Performance: Batch import completes in seconds vs minutes for 45K+ domains.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
KISS-style dashboard for Vortex DNS Firewall with:
- Status cards: Active state, Blocked Domains, Total Blocks, x47 Impact
- Quick actions: Update Feeds, Block Domain, Search Domain
- Threat intelligence feeds table with domain counts and update times
- Top blocked domains table with threat badges
- Threat distribution visualization
- Live polling (10s) for real-time stats updates
- Dark mode support
Menu: Services > Vortex DNS Firewall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Phase 1 implementation of Vortex DNS Firewall - SecuBox's first line
of defense blocking threats at DNS level BEFORE any connection is
established.
Features:
- Threat intel aggregator (URLhaus, OpenPhish, Malware Domains)
- SQLite-based blocklist database with domain deduplication
- dnsmasq integration via sinkhole hosts file
- x47 vitality multiplier concept (each DNS block prevents ~47 connections)
- RPCD handler for LuCI integration with 8 methods
- CLI tool: vortex-firewall intel/stats/start/stop
Tested with 765 blocked domains across 3 threat feeds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support building images for: mochabin, espressobin-v7, espressobin-ultra, x86-64
- New CLI: secubox-cloner build --device espressobin-v7
- New CLI: secubox-cloner devices (list supported devices)
- RPCD: list_devices method, build_image accepts device_type param
- LuCI: Device selection dropdown in build modal
- LuCI: Device column in images table with badges
- Each device type has its own TFTP image file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Dashboard with status cards: device, TFTP, tokens, clones
- Quick actions: Build Image, Start/Stop TFTP, Token generation
- Clone images table with size and TFTP-ready status
- Token management with auto-approve option
- U-Boot flash commands display when TFTP is running
- RPCD handler with 10 methods for full cloner management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Pipe | while runs in subshell, json_add calls don't affect parent
- Use temp files to avoid subshell: write data to file, then read
- Fixed https_visitors, top_endpoints, recent_visitors arrays
- All arrays now properly populated with visitor data
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace --no-api + jsonfilter with jq length for counting
- jsonfilter cannot properly count JSON arrays
- --no-api flag returns empty results
- Applied fix to both get_overview() and stats functions
- Active Bans now shows correct count (was showing 0)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add poll.add() for continuous 3-second updates
- Use data-attributes for efficient DOM targeting
- Add CSS pulse animation on value changes
- Add live indicator with timestamp
- Implement updateValue, updateBar, updateList methods
- No page rebuilds - direct element text updates
- KISS and fast real-time metrics
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_active_sessions RPCD method to dashboard module
- Display session counts: Tor circuits, HTTPS, Streamlit, Mitmproxy, SSH
- Add ACTIVE SESSIONS panel with yellow/gold theme
- Add RECENT VISITORS panel showing visitor IPs and countries
- Add TOP ENDPOINTS panel showing accessed paths
- Add ACL permissions for get_active_sessions
- Auto-refresh with other metrics every 10 seconds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove --no-api flag which returned empty results
- Use jq length instead of jsonfilter for counting arrays
- Add grep fallback when jq is not available
- Count all decisions, alerts, and bouncers correctly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add callGetVisitStats RPC from security-threats API
- Add WEB TRAFFIC section with total requests, bots/humans counts
- Display country flags and visit counts for top 8 countries
- Add TOP HOSTS section showing top 5 visited hosts
- Green color theme for traffic sections
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_visit_stats RPCD method parsing mitmproxy threats.log
- Returns total requests, by_country, by_host, by_type, by_severity,
bots_vs_humans breakdown, and top_urls (all top 10)
- Add callGetVisitStats RPC declaration to api.js
- Add renderVisitStats function to dashboard with traffic analytics grid
- Shows traffic breakdown by country, host, and URL patterns
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed default visibility from public to private for new Gitea
repositories created by metablogizerctl and streamlitctl.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
MetaBlogizer uses per-site uhttpd instances, not LXC containers.
The watchdog was incorrectly treating it as an LXC service and
constantly trying to restart a non-existent container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic Gitea push after upload_finalize in Streamlit RPCD
- Add automatic Gitea push after upload_finalize in MetaBlogizer RPCD
- Fix MetaBlogizer to use site name instead of UCI section ID for push
- Fix metablogizerctl to read Gitea config from dedicated gitea section
Uploaded files via LuCI are now automatically synced to Gitea repos.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit:
- App create/deploy now auto-pushes to Gitea when enabled
- Add 'gitea init-all' command to initialize repos for all existing apps
- Scans all app directories and creates Gitea repos
MetaBlogizer:
- Site create now auto-pushes to Gitea when token configured
- Add 'gitea init-all' command to initialize repos for all existing sites
- Iterates over UCI site configs and syncs to Gitea
Usage:
# Configure Gitea once
uci set streamlit.gitea.enabled=1
uci set streamlit.gitea.url='http://192.168.255.1:3000'
uci set streamlit.gitea.user='admin'
uci set streamlit.gitea.token='<token>'
uci commit streamlit
# Initialize all existing apps/sites
streamlitctl gitea init-all
metablogizerctl gitea init-all
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit/MetaBlogizer:
- Add 'gitea push <name>' command to both streamlitctl and metablogizerctl
- Auto-creates Gitea repo via API if it doesn't exist
- Initializes git, commits all files, and pushes to Gitea
- Stores repo reference in UCI for future syncs
Tor Shield:
- Add 'wan_input_allow' option for server preset
- Server mode now properly allows WAN inbound (ports 80, 443, 8443)
- Uses nftables rules to integrate with OpenWrt firewall4
- Outbound traffic still routed through Tor (kill_switch)
- Cleanup nftables rules on stop/disable
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace failing awk-based JSON parsing with jsonfilter per-alert extraction.
Alerts now correctly populate in CrowdSec dashboard.
Changes:
- Use jsonfilter to extract created_at, scenario, source_ip per alert
- Loop through up to 8 alerts with index-based access
- Remove Python dependency (not available on OpenWrt)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Backend uses timestamp/source_ip but JS was looking for time/ip.
Fixed field mappings:
- timestamp -> time display
- source_ip -> ip display
- request -> details fallback
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alerts data was loaded but not displayed. Added new section showing:
- Time, IP, country, type, severity, details
- Limited to 25 most recent alerts
- Clear alerts button
- Proper severity colors and icons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HAProxy multi-domain SSL certificate matching issue
- Document crt-list solution for SNI issues
- Minor updates to settings and streamlit readme
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add TRUSTED_PATH_PREFIXES for LuCI, ubus, and CGI paths
- Fix moderate mode to always require threshold (3 attempts in 5 min)
instead of immediate ban on critical threats
- Add WireGuard endpoint whitelist support to prevent VPN peer bans
- New script: mitmproxy-sync-wg-endpoints extracts peer IPs from UCI
- Bump version to v2.4
Prevents accidental bans from legitimate external LuCI login attempts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Shows all CrowdSec bans with:
- IP address, reason, source (WAF/CrowdSec), country, expiration
- Summary counts: total, WAF autobans, CrowdSec detections
- Unban button for each entry with confirmation dialog
- Empty state when no bans active
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New methods for threats monitor dashboard:
- bans: Get CrowdSec decisions with counts by source
Returns total, mitmproxy_autoban, crowdsec counts + full bans array
- unban: Remove ban by IP address
Updates ACL to include new methods for LuCI access.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New haproxyctl path commands:
- path list: Show all path ACLs with patterns and backends
- path sync <prefix> <host>: Auto-generate ACLs from all backends
Extracts short name from backend (metablog_X -> X, streamlit_Y -> Y)
Skips existing ACLs, only adds new ones
- path add: Manually add single path ACL
- path remove: Remove specific path ACL
- path clear: Remove all ACLs matching prefix
This enables dynamic route updates when backends change.
Example: haproxyctl path sync /gk2 secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Path-based ACLs are now sorted by pattern length (longest first) before
being emitted to haproxy.cfg. This ensures specific paths like /gk2/evolution
match before general paths like /gk2.
Two-phase approach:
- _collect_path_acl() stores ACL data with pattern length prefix
- _emit_sorted_path_acls() sorts by length descending and emits rules
Enables apex domain path routing: secubox.in/gk2/** instead of *.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add _add_path_acl() function to process UCI 'acl' sections
- Support path_beg, path_end, path, path_reg, path_dir match types
- Path ACLs are processed before vhost ACLs (higher priority)
- Fix http_request list handling to avoid duplicate output
- Enables gk2.secubox.in/evolution routing to streamlit_evolution
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support suffix matching for wildcard domains (*.domain.tld)
- Add match_type option: exact, suffix, regex
- Enable subdomain-to-path mapping for mesh publishing
- Prepare infrastructure for distributed Vortex DNS nodes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Display per-subdomain request/threat counts
- Show protocol distribution (HTTP/HTTPS)
- Show top URIs and countries per domain
- Sort by request count, limit to top 25
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Track requests, threats, protocols per subdomain
- Record HTTP methods, status codes, top URIs, countries
- New RPCD method: subdomain_metrics
- Metrics auto-saved to /tmp/secubox-subdomain-metrics.json
- Add wan_setup/wan_clear to ACL write permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add vhost for presse.cybermood.eu
- Add backend cybermood_presse on port 4001
- Add ACME certificate entry
- Add ACL routing rules
- Fix backends to use LAN IP (192.168.255.1) instead of localhost
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add vhost entries for cybermood.eu and www.cybermood.eu
- Add backend configuration (cybermood_web on port 4000)
- Add ACME certificate entries for SSL
- Add ACL routing rules in template
- Switch to crt-list for multi-certificate SNI support
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed fetch_file() TTL from 300s to 60s
- All tabs now refresh every minute like Devel tab
- Updated footer to reflect unified refresh interval
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New "🚀 Devel" tab with live GitHub commit activity (1-min cache)
- Metrics: Commits Today, This Week, Contributors, Stars
- Commit type distribution (feat/fix/docs/refactor/chore)
- Recent commits list with hash, message, author, relative time
- Repository stats: forks, watchers, open issues
- Cyberpunk-themed commit cards with color-coding
- Pulsing live indicator animation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The HAProxy LXC container was missing lxc.mount.auto = proc:mixed sys:ro
which caused lxc-attach to fail with "mount -t proc proc /proc" error.
This prevented the LED watchdog from checking HAProxy status via
lxc-attach -n haproxy -- pgrep haproxy, triggering false SPUNK alerts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-landing script to generate landing pages from HAProxy vhosts
- Integrate landing command into secubox CLI
- Add boot hook to regenerate landing pages on startup
- Fix HAProxy multi-cert SNI using crt-list instead of directory mode
- Fix backend IPs from 127.0.0.1 to 192.168.255.1 for LXC compatibility
- Auto-convert localhost IPs in RPCD handler and CLI tools
Landing page features:
- Groups all services by zone with stats header
- Shows SSL certificate status per domain
- Categorizes by type: Streamlit, Blog, Admin, Media, Dev, etc.
- Regenerates at boot (30s after startup)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SecuBox Fabricator - Universal Constructor for SecuBox Components:
- Main dashboard with live stats from UCI and JSON cache
- Collectors page: manage stats scripts, view/run collectors, JSON cache
- Apps page: Streamlit instance management with test/restart/deploy
- Blogs page: MetaBlogizer site management from UCI config
- Services page: HAProxy vhosts/backends, Peek/Poke/Emancipate
- Widgets page: dashboard widget designer with live stats preview
All pages now use actual live data from UCI configs and /tmp/secubox/*.json
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add DNS resolution test to heartbeat status
- Include BIND, CrowdSec, HAProxy, mitmproxy service checks
- Add security metrics (crowdsec_bans, dns_response)
- Improve health score calculation with all services
Router changes (not in repo):
- Enabled BIND recursion with forwarders (9.9.9.9, 1.1.1.1)
- Added BIND query/security logging
- Added CrowdSec acquisition for BIND logs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
