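# Copyright (C) 2024-2025 CyberMind.fr
# Licensed under Apache-2.0
#
# OpenWrt package for the SecuBox CrowdSec layer: installs the acquisition,
# parser and scenario files kept under ./files and, on a live system at
# install time (postinst), pulls the upstream hub items they rely on.
# There is nothing to compile; Build/Compile is intentionally empty.

include $(TOPDIR)/rules.mk

PKG_NAME:=secubox-app-crowdsec-custom
PKG_VERSION:=1.1.0
PKG_RELEASE:=1
# NOTE(review): the build system reads PKGARCH (set in the Package define
# below); PKG_ARCH is kept as-is but appears to be unused — confirm.
PKG_ARCH:=all
PKG_LICENSE:=Apache-2.0
PKG_MAINTAINER:=CyberMind

include $(INCLUDE_DIR)/package.mk

# Files shipped from ./files, grouped by the CrowdSec directory they land in.
# The lists are explicit on purpose (no $(wildcard)): a stray file dropped
# into ./files must never reach the target unnoticed.
CROWDSEC_ACQUIS := \
  secubox-uhttpd.yaml secubox-nginx.yaml secubox-auth.yaml \
  secubox-haproxy.yaml secubox-gitea.yaml secubox-streamlit.yaml \
  secubox-webapp.yaml
CROWDSEC_PARSERS_S01 := \
  secubox-luci-auth.yaml secubox-haproxy.yaml secubox-gitea.yaml \
  secubox-streamlit.yaml secubox-webapp.yaml
CROWDSEC_PARSERS_S02 := secubox-whitelist.yaml
CROWDSEC_SCENARIOS := \
  secubox-auth-bruteforce.yaml secubox-http-bruteforce.yaml \
  secubox-haproxy-bruteforce.yaml secubox-gitea-bruteforce.yaml \
  secubox-streamlit-bruteforce.yaml secubox-webapp-bruteforce.yaml \
  secubox-insider-threats.yaml

# $(call SecuBox/InstallData,<target dir>,<file list>,<source dir>)
# Creates the target directory and installs every listed file into it with
# INSTALL_DATA. The installs are chained with && so the first failure
# (typically a listed file that does not exist) aborts the install step
# instead of being silently skipped.
define SecuBox/InstallData
	$(INSTALL_DIR) $(1)
	$(foreach f,$(2),$(INSTALL_DATA) $(3)/$(f) $(1)/ &&) true
endef

define Package/secubox-app-crowdsec-custom
  SECTION:=secubox
  CATEGORY:=SecuBox
  TITLE:=CrowdSec Custom Scenarios for SecuBox
  DEPENDS:=+crowdsec +crowdsec-firewall-bouncer
  PKGARCH:=all
  PROVIDES:=secubox-crowdsec-custom
endef

# Description shown by opkg. NOTE(review): the mitmproxy and nginx lines
# describe coverage that this Makefile ships no scenario file for; presumably
# it comes from the hub collections postinst installs (http-cve,
# base-http-scenarios, nginx) — confirm, or trim the list.
define Package/secubox-app-crowdsec-custom/description
Custom CrowdSec configurations for SecuBox web interface protection.
Includes:
- HTTP authentication bruteforce detection
- Path scanning/enumeration detection
- LuCI/uhttpd auth failure monitoring
- Nginx reverse proxy monitoring (if used)
- HAProxy backend protection and auth monitoring
- Gitea web/SSH/API bruteforce detection
- Streamlit app flooding and auth protection
- Webapp generic auth bruteforce protection
- mitmproxy threat detection (SQLi, XSS, SSRF, CVE)
- Insider WAF: LAN threat detection (C2, exfiltration, lateral movement)
- Whitelist for trusted networks
endef

# Nothing to build: the package is configuration files only.
define Build/Compile
endef

# $(1) is the staging root the package is assembled in.
define Package/secubox-app-crowdsec-custom/install
	# Acquisition configs (which logs CrowdSec reads)
	$(call SecuBox/InstallData,$(1)/etc/crowdsec/acquis.d,$(CROWDSEC_ACQUIS),./files/acquis.d)
	# Custom parsers: s01-parse turns log lines into events, s02-enrich
	# holds the trusted-network whitelist
	$(call SecuBox/InstallData,$(1)/etc/crowdsec/parsers/s01-parse,$(CROWDSEC_PARSERS_S01),./files/parsers/s01-parse)
	$(call SecuBox/InstallData,$(1)/etc/crowdsec/parsers/s02-enrich,$(CROWDSEC_PARSERS_S02),./files/parsers/s02-enrich)
	# Custom scenarios (detection rules)
	$(call SecuBox/InstallData,$(1)/etc/crowdsec/scenarios,$(CROWDSEC_SCENARIOS),./files/scenarios)
	# UCI defaults for first boot setup; must be executable, hence INSTALL_BIN
	$(INSTALL_DIR) $(1)/etc/uci-defaults
	$(INSTALL_BIN) ./files/99-secubox-app-crowdsec-custom $(1)/etc/uci-defaults/
endef

define Package/secubox-app-crowdsec-custom/postinst
#!/bin/sh
# Skipped when IPKG_INSTROOT is set (package staged into an image rootfs):
# cscli and the init scripts can only be used on a live system.
[ -n "$${IPKG_INSTROOT}" ] || {
	echo "Installing CrowdSec collections for SecuBox..."

	# Hub items are fetched by cscli, so this part is best effort: an
	# unreachable hub must not fail the package install, but the operator
	# should learn which protections are missing instead of having the
	# failure hidden behind 2>/dev/null.
	hub_install() {
		cscli "$$1" install "$$2" 2>/dev/null || echo "WARNING: CrowdSec $$1 '$$2' not installed; run 'cscli $$1 install $$2' once the hub is reachable" >&2
	}

	# Upstream collections the SecuBox acquisitions and scenarios build on
	for item in crowdsecurity/linux crowdsecurity/sshd crowdsecurity/base-http-scenarios crowdsecurity/http-cve crowdsecurity/nginx crowdsecurity/http-dos crowdsecurity/haproxy; do
		hub_install collections "$$item"
	done

	# Upstream parsers feeding those collections
	for item in crowdsecurity/syslog-logs crowdsecurity/http-logs crowdsecurity/nginx-logs crowdsecurity/haproxy-logs; do
		hub_install parsers "$$item"
	done

	# First-boot UCI setup. NOTE(review): OpenWrt's default_postinst also
	# runs the /etc/uci-defaults scripts a package ships (and removes them
	# afterwards), so on a live system this script may run twice — it has
	# to be idempotent; confirm against /lib/functions.sh.
	/etc/uci-defaults/99-secubox-app-crowdsec-custom 2>/dev/null || true

	# Restart CrowdSec so the new acquis/parsers/scenarios are loaded
	/etc/init.d/crowdsec restart 2>/dev/null || true
	# Short pause before touching the bouncer — presumably to let the local
	# API come back first; confirm the bouncer does not retry on its own
	sleep 2

	# Restart the bouncer as well
	if [ -f /etc/init.d/crowdsec-firewall-bouncer ]; then
		/etc/init.d/crowdsec-firewall-bouncer restart 2>/dev/null || true
	fi

	echo ""
	echo "SecuBox CrowdSec protection installed!"
	echo "Protected services: LuCI, uhttpd, nginx, HAProxy, Gitea, Streamlit, Webapp"
	echo ""
	echo "Useful commands:"
	echo "  cscli metrics          - View detection metrics"
	echo "  cscli alerts list      - View security alerts"
	echo "  cscli decisions list   - View active bans"
}
exit 0
endef

define Package/secubox-app-crowdsec-custom/postrm
#!/bin/sh
# Only the SecuBox files are removed by the package manager; the hub
# collections and parsers pulled in by postinst are left in place.
[ -n "$${IPKG_INSTROOT}" ] || {
	# Restart CrowdSec so the removed configs are unloaded
	/etc/init.d/crowdsec restart 2>/dev/null || true
	echo "SecuBox CrowdSec custom configs removed"
}
exit 0
endef

$(eval $(call BuildPackage,secubox-app-crowdsec-custom))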