- Add devstatus.js with modules list, roadmap, and changelog
- Reorder public pages: Crowdfunding (10), Bug Bounty (20), Dev Status (30)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The 403 error was caused by missing ACL file. Added
luci-app-secubox-portal.json with read permissions for
luci.secubox and luci.system-hub ubus methods.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move Debug Console from Client Guardian to System Hub
- Add Auto-Zoning Rules dedicated view in Client Guardian
- Add public pages for Bug Bounty and Crowdfunding (no ACL)
- Fix auth-logger to only detect real login attempts
- Add private IP whitelist for CrowdSec (RFC1918 ranges)
- Update navigation menus across all apps
- Bump secubox-auth-logger to v1.2.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v2.0.0: Multi-runtime support with auto-detection
- LXC preferred when available (150MB RAM vs 300MB for Docker)
- New lyrionctl commands: runtime, shell
- Alpine Linux rootfs creation for LXC
- UCI config: runtime option (auto/docker/lxc)
- Memory limit configuration via cgroups
- Updated plugin manifest with runtime info
Runtime selection:
option runtime 'auto' - Auto-detect (LXC preferred)
option runtime 'docker' - Force Docker
option runtime 'lxc' - Force LXC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add explicit 644 permissions for overview.js and dashboard.css
- Fixes HTTP 403 error when accessing the view
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sync command to synchronize packages from package/secubox to local-feed
- Add local-feed deletion to clean-all command
- Add missing packages to package/secubox:
- luci-app-secubox-crowdsec
- secubox-crowdsec-setup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v1.2.1: Remove timestamp generation (ucode time functions unavailable)
- Use simple format: secubox-auth[1]: authentication failure for...
- Update parser to use raw line parsing with custom label type
- Change acquisition from type:syslog to type:secubox-auth
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-auth-logger v1.2.0: Patch LuCI ucode dispatcher.uc to log
authentication failures server-side instead of relying on JS hooks
- crowdsec-firewall-bouncer: Add helper function for UCI list reading
and default to eth1, br-lan, br-wan interfaces to ensure WAN traffic
is checked against the blocklist
- Update postrm to properly restore dispatcher backup on uninstall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CGI hook to capture client IP during failed auth attempts
- Add JavaScript hook to intercept ubus session.login failures
- Add rpcd plugin for ubus-based auth logging
- Update CrowdSec parser for case-insensitive matching
- Inject JS hook into LuCI theme headers on install
This enables CrowdSec to detect and block brute-force attacks
on the LuCI web interface, which previously only logged
successful authentications.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Local Protection Mode banner when CAPI unavailable (LAPI still works)
- Save enrollment key to UCI config for future repairs
- Improve text contrast in wizard (better readability)
- Simplify LAPI repair function based on official OpenWrt approach
- Never delete CAPI credentials to avoid rate-limiting
- Add get_settings/save_settings RPC methods
- Bump version to 0.7.0-r27
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic restart after successful console enrollment
- Update wizard UI to inform user about validation on app.crowdsec.net
- Service must restart after enrollment is validated on CrowdSec Console
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service restarts during bouncer registration and service start can
cause XHR connections to abort. Treat these as success since the
operation likely completed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New wizard approach:
- Automatic health check on load (LAPI, CAPI, Bouncer, nftables, collections)
- Single configuration page with all options visible
- Only repairs what's broken
- No hub update without CAPI connection
- Single "Apply Configuration" button at the end
- Progress bar during apply
- Summary of what was done at completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC method was returning "Access denied" because it was missing
from the rpcd ACL configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Large package feed files exceed GitHub's 100MB limit.
These are build artifacts that should be generated locally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_public_ips method to secubox-core rpcd backend
- Fetch public IPs from multiple services with fallback
- Display in new "Public IP Addresses" panel on dashboard
- Auto-update IPs on poll refresh
- Bump luci-app-secubox to 0.7.1-r2
- Bump secubox-core to 0.10.0-r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Treat XHR abort as success when CrowdSec restarts after acquisition config
- Auto-advance to Step 5 after brief delay
- Bump to 0.7.0-r21
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- repair_lapi() now removes stale online_api_credentials.yaml and retries
- New repair_capi() function for dedicated CAPI repair
- console_enroll() handles CAPI credential cleanup before retry
- Added repairCapi API method in frontend
- Bump luci-app-crowdsec-dashboard to 0.7.0-r20
- Add openwrt-luci-bf.yaml scenario for LuCI brute force detection
- Add secubox-auth-acquis.yaml acquisition config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The serviceWarning variable was null when CrowdSec is running, and
LuCI's E() function rendered it as literal "null" text. Fixed by
using empty fragment when no warning needed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The refreshView() call was aborting the pending configureAcquisition
XHR request by triggering new API calls. Now only updates the button
state without a full view refresh.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec on OpenWrt doesn't support "source: command" acquisition.
Changed to file-based acquisition reading /var/log/messages.
Also configures busybox syslog to write to file automatically.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When SSH logging is enabled in the wizard, automatically:
- Set dropbear.@dropbear[0].verbose=1 to log auth failures
- Restart dropbear to apply changes
This ensures CrowdSec can detect SSH brute force attempts.
Without verbose mode, Dropbear doesn't log failed auth to syslog.
Also enable uhttpd syslog when HTTP logging is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse ndpid-apps.json array format [{name: "TLS.YouTube", ...}]
- Use jq contains() instead of test() regex (ONIGURUMA not available on OpenWrt)
- Filter streaming services: YouTube, Netflix, Spotify, AppleiTunes, etc.
- Aggregate streams by app name (combine TLS.YouTube + QUIC.YouTube)
- Estimate quality based on data volume (SD/HD/FHD)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SecuBox dark theme initialization to all views (dashboard, alerts,
clients, services, history)
- Fix flow count detection by using jsonfilter instead of jq (OpenWrt native)
- Prioritize /var/run/netifyd/status.json for ndpid-compat flow data
- Remove filtering expect{} from API.getActiveStreams() RPC declaration
- Update CLAUDE.md with jsonfilter usage guidelines for OpenWrt
The dashboard now correctly displays:
- Total Flows count from nDPId via ndpid-compat
- nDPId/Netifyd status indicators
- SecuBox dark theme with portal header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change 'config main' to 'config ndpid main' for proper section naming
- Change 'config compat' to 'config ndpid compat'
- Enable ndpid by default (enabled='1')
- Init scripts expect named sections, not typed sections
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Scan ALL nftables sets (CAPI, cscli, etc.) instead of just base set
- Display blocked IPs count by origin (Community vs Local)
- Show sample of blocked IPs with Unban button
- Add ipv4_capi_count, ipv4_cscli_count, ipv4_total_count to API response
- Support for 14,000+ community blocklist IPs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health_check API with LAPI/CAPI/Console status verification
- Add capi_metrics API for community blocklist statistics
- Add hub_available, install_hub_item, remove_hub_item APIs
- Add System Health panel to overview with visual status indicators
- Add CAPI Blocklist section showing community vs local decisions
- Add Installed Collections card with version display
- Fix settings.js syntax error (missing comma)
- Fix metrics.js null display in acquisition statistics
- Update ACL file with new RPC method permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt all luci-app-* and secubox-app-* packages for aarch64-cortex-a72
- Updated local-build.sh with FORCE=1 to bypass rsync prereq check
- Removed packages that failed SDK build (require full buildroot)
- Updated Packages index and apps-local.json manifest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Include all built .ipk packages in luci-app-secubox-bonus
- Generate Packages index and apps-local.json manifest
- Remove .gitignore to allow package tracking
- Enables offline package installation via SecuBox > Local Packages
Packages included:
- 27 luci-app-* packages
- 11 secubox-app-* packages
- luci-theme-secubox
- secubox-core
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /etc/opkg/customfeeds.conf with secubox feed pre-configured
- Install file via Makefile instead of postinst script
- Mark as conffile to preserve user modifications on upgrade
- Add .gitignore to exclude built .ipk files from git tracking
(packages are embedded at build time by embed_local_feed)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add embed_local_feed() to local-build.sh that copies built packages
into bonus app as /www/secubox-feed/ for offline installation
- Generate Packages index and apps-local.json manifest for opkg
- Add RPCD backend (luci.secubox-store) for package install/remove
- Add LuCI view for browsing and managing local packages
- Fix OPENWRT_ONLY_PACKAGES to allow secubox-app-* wrappers in SDK build
- Remove experimental python3-* packages (unfinished mitmproxy native plan)
- Set rootfs partition size to 16GB for larger overlay
- Bump luci-app-secubox-bonus to v0.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package: crowdsec-firewall-bouncer (v0.0.34)
- Based on official OpenWrt package from openwrt/packages
- Full nftables integration with IPv4/IPv6 support
- Timeout-based sets for automatic ban expiration
- Input and forward chain filtering
- Interface-based filtering
- procd service management with ujail support
- UCI configuration
Init script features:
- Creates nftables tables: crowdsec (IPv4), crowdsec6 (IPv6)
- Creates timeout-enabled sets for blocklists
- Generates YAML config from UCI settings
- Automatic cleanup on service stop
Updated secubox-app-crowdsec-bouncer to v0.0.32
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features:
- New RPCD method: acquisition_metrics for detailed stats
- Realtime metrics display with 10-second polling
- Visual stat cards: lines read, parsed, unparsed, buckets
- Parse rate progress bar with color coding
- Active acquisition sources badges
- Rate calculation (events/sec) between polls
- Live update indicator with timestamp
API changes:
- Added getAcquisitionMetrics() to API layer
- Added acquisition_metrics to ACL permissions
Bumped version to 0.7.0-17
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt uses logd by default which doesn't write to files.
CrowdSec file-based acquisition needs /var/log/messages to exist.
Changes:
- Init script: setup_syslog() configures log_file before each start
- Defaults script: setup_syslog_file() configures at install time
- openwrt-syslog.yaml: Remove non-existent /var/log/syslog reference
The init script sets:
uci set system.@system[0].log_file='/var/log/messages'
uci set system.@system[0].log_size='512'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Native OpenWrt package for zstandard compression library.
Can be used as alternative to pip installation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The zstandard package required by mitmproxy 8.1.1 doesn't have musllinux
wheels in older versions, causing pip to try compiling from source which
fails without gcc on the router.
Fix: Pre-install zstandard 0.23.0 which has musllinux aarch64 wheels
before installing mitmproxy.
Changes:
- Bump version to 2.1.0
- Revert to pip-based installation (native build requires full toolchain)
- Add zstandard 0.23.0 pre-install step in postinst
- Restore wrapper scripts for mitmproxy/mitmdump/mitmweb
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OpenWrt .config for mvebu/cortexa72 target
- Update .gitignore
- Update Claude settings
- Minor portal.js update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 9.x requires mitmproxy-wireguard (Rust).
Version 8.1.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy-rs which needs Rust compiler.
Version 9.0.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LuCI requires modules to use baseclass.extend() pattern.
Fixed "factory yields invalid constructor" error.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal Integration:
- Add mitmproxy to Security section with service status tracking
- Add vhost-manager to new Services section
- Add Services section to portal navigation header
- Update path detection for security/mitmproxy and services/vhosts
mitmproxy Changes:
- Move menu from admin/secubox/mitmproxy to admin/secubox/security/mitmproxy
- Update view navigation links to use new path structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 11.x requires Python 3.12 which is not available on OpenWrt.
Version 10.4.2 is the last stable release supporting Python 3.10+.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch to runtime pip installation instead of build-time
- Remove complex build dependencies (python3-package.mk)
- Add wrapper scripts for mitmproxy, mitmdump, mitmweb
- Postinst installs mitmproxy==11.1.3 via pip on device
- Supports all architectures with PKGARCH:=all
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update mitmproxy to v11.1.3
- Build from Python source (no prebuilt arm64 binaries)
- Add Python dependencies
- Add mitmproxy to local-build.sh and sync-openwrt-packages.sh
- Set PKGARCH:=all for Python package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages for full URL/cookie/header capture via MITM proxy:
secubox-app-mitmproxy:
- Downloads mitmproxy v11.1.2 binary for aarch64
- Transparent proxy mode with iptables integration
- mitmweb UI on port 8081
- Auto CA certificate generation
- mitmproxyctl CLI management tool
luci-app-mitmproxy:
- SecuBox themed dashboard with red color scheme
- Real-time request capture view
- Top hosts statistics
- CA certificate management
- Full UCI settings interface
- RPCD backend for ubus API
This enables full HTTP/HTTPS inspection including:
- Complete URLs (not just hostnames like nDPId)
- Cookies and headers
- Request/response bodies
- Flow recording for replay
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
