History

CyberMind-FR 1bbd345cee refactor(luci): Mass KissTheme UI rework across all LuCI apps Convert 90+ LuCI view files from legacy cbi-button-* classes to KissTheme kiss-btn-* classes for consistent dark theme styling. Pattern conversions applied: - cbi-button-positive → kiss-btn-green - cbi-button-negative/remove → kiss-btn-red - cbi-button-apply → kiss-btn-cyan - cbi-button-action → kiss-btn-blue - cbi-button (plain) → kiss-btn Also replaced hardcoded colors (#080, #c00, #888, etc.) with CSS variables (--kiss-green, --kiss-red, --kiss-muted, etc.) for proper dark theme compatibility. Apps updated include: ai-gateway, auth-guardian, bandwidth-manager, cloner, config-advisor, crowdsec-dashboard, dns-provider, exposure, glances, haproxy, hexojs, iot-guard, jellyfin, ksm-manager, mac-guardian, magicmirror2, master-link, meshname-dns, metablogizer, metabolizer, mqtt-bridge, netdata-dashboard, picobrew, routes-status, secubox-admin, secubox-mirror, secubox-p2p, secubox-security-threats, service-registry, simplex, streamlit, system-hub, tor-shield, traffic-shaper, vhost-manager, vortex-dns, vortex-firewall, webradio, wireguard-dashboard, zigbee2mqtt, zkp, and more. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>		2026-03-12 11:09:34 +01:00
..
htdocs/luci-static/resources	refactor(luci): Mass KissTheme UI rework across all LuCI apps	2026-03-12 11:09:34 +01:00
root	feat(security): Add ndpid to security dashboard, Streamlit/MetaBlogizer to apps	2026-02-17 15:29:54 +01:00
Makefile	fix(tor-shield,security-threats): Preset persistence and firewall stats	2026-01-30 19:46:26 +01:00
README.md	ok	2026-01-08 09:08:46 +01:00

README.md

SecuBox Security Threats Dashboard

Overview

A unified LuCI dashboard that integrates netifyd DPI security risks with CrowdSec threat intelligence for comprehensive network threat monitoring and automated blocking.

Features

Real-time Threat Detection: Monitors netifyd's 52 security risk types
CrowdSec Integration: Correlates with CrowdSec alerts and decisions
Risk Scoring: Calculates 0-100 risk scores based on multiple factors
Auto-blocking: Configurable rules for automatic threat blocking
Per-host Analysis: Track threats by IP address
Visual Dashboard: Stats, charts, and real-time threat table

Architecture

netifyd DPI Engine → RPCD Backend → ubus API → LuCI Dashboard
                          ↓
                    CrowdSec LAPI
                          ↓
                  nftables (blocking)

Dependencies

luci-base: LuCI framework
rpcd: Remote Procedure Call daemon
netifyd: Deep Packet Inspection engine
crowdsec: Threat intelligence and blocking
jq: JSON processing
jsonfilter: UCI-compatible JSON filtering

Installation

Build the package:

cd /path/to/openwrt
make package/secubox/luci-app-secubox-security-threats/compile

Install on router:

opkg install luci-app-secubox-security-threats_*.ipk

Restart services:

/etc/init.d/rpcd restart
/etc/init.d/uhttpd restart

Usage

Access Dashboard

Navigate to: Admin → SecuBox → Security → Threat Monitor → Dashboard

Configure Auto-block Rules

Edit /etc/config/secubox_security_threats:

config block_rule 'my_rule'
    option name 'Block Malware'
    option enabled '1'
    option threat_types 'malware'
    option duration '24h'
    option threshold '60'

Apply changes:

uci commit secubox_security_threats

Manual Blocking

Via dashboard:

Click "Block" button next to threat
Confirm action
IP will be blocked via CrowdSec

Via CLI:

ubus call luci.secubox-security-threats block_threat '{"ip":"192.168.1.100","duration":"4h","reason":"Test"}'

Whitelist Host

ubus call luci.secubox-security-threats whitelist_host '{"ip":"192.168.1.100","reason":"Admin workstation"}'

Risk Scoring Algorithm

Base Score (0-50): risk_count × 10 (capped)

Severity Weights:

Malware indicators (MALICIOUS_JA3, DGA): +20
Web attacks (SQL injection, XSS): +15
Network anomalies (RISKY_ASN, DNS tunneling): +10
Protocol threats (BitTorrent, Mining): +5

CrowdSec Correlation:

Active decision: +30

Severity Levels:

Critical: ≥80
High: 60-79
Medium: 40-59
Low: <40

Threat Categories

malware: Malicious JA3, DGA domains, suspicious entropy
web_attack: SQL injection, XSS, RCE attempts
anomaly: DNS tunneling, risky ASNs, unidirectional traffic
protocol: BitTorrent, mining, Tor, unauthorized protocols
tls_issue: Certificate problems, weak ciphers

Testing

Backend (ubus CLI)

# Test status
ubus call luci.secubox-security-threats status

# Get active threats
ubus call luci.secubox-security-threats get_active_threats

# Test blocking
ubus call luci.secubox-security-threats block_threat '{"ip":"192.168.1.100","duration":"4h","reason":"Test"}'

# Verify in CrowdSec
cscli decisions list

Frontend

Navigate to dashboard in LuCI
Verify stats cards display
Verify threats table populates
Test "Block" button
Check real-time polling (10s refresh)

Troubleshooting

No threats detected

Check if netifyd is running: ps | grep netifyd
Verify netifyd data: cat /var/run/netifyd/status.json
Enable netifyd risk detection in config

Auto-blocking not working

Check if auto-blocking is enabled: uci get secubox_security_threats.global.auto_block_enabled
Verify block rules are enabled: uci show secubox_security_threats
Check logs: logread | grep security-threats

CrowdSec integration issues

Check if CrowdSec is running: ps | grep crowdsec
Test cscli: cscli version
Verify permissions: ls -l /usr/bin/cscli

Files

Backend:

/usr/libexec/rpcd/luci.secubox-security-threats - RPCD backend (mode 755)
/etc/config/secubox_security_threats - UCI configuration

Frontend:

/www/luci-static/resources/secubox-security-threats/api.js - API wrapper
/www/luci-static/resources/view/secubox-security-threats/dashboard.js - Dashboard view

Configuration:

/usr/share/luci/menu.d/luci-app-secubox-security-threats.json - Menu
/usr/share/rpcd/acl.d/luci-app-secubox-security-threats.json - Permissions

Runtime:

/tmp/secubox-threats-history.json - Threat history (volatile)

License

Apache-2.0

Authors

CyberMind.fr - Gandalf

Version

1.0.0 (2026-01-07)

README.md Unescape Escape