CyberMind-FR
b542ac7d3c
Changes: - Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high) - Add whitelist for common safe IPs (localhost, router) - Add browser cache busting via version parameter in CSS loads - Document deployment scripts in secubox-tools/README.md - Create CVE Layer 7 architecture documentation WAF auto-ban now active with: - 3 threats within 5 minutes triggers ban - 4-hour ban duration - Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
207 lines
6.2 KiB
Plaintext
207 lines
6.2 KiB
Plaintext
config mitmproxy 'main'
|
|
option enabled '0'
|
|
option runtime 'lxc'
|
|
# Legacy single-instance settings (deprecated, use instances below)
|
|
option proxy_port '8888'
|
|
option web_port '8081'
|
|
option web_host '0.0.0.0'
|
|
option data_path '/srv/mitmproxy'
|
|
option memory_limit '256M'
|
|
option mode 'regular'
|
|
option ssl_insecure '0'
|
|
option anticache '0'
|
|
option anticomp '0'
|
|
option flow_detail '1'
|
|
|
|
# OUT Instance - LAN to Internet (transparent/forward proxy)
|
|
config instance 'out'
|
|
option enabled '1'
|
|
option description 'LAN->Internet Proxy'
|
|
option container_name 'mitmproxy-out'
|
|
option proxy_port '8888'
|
|
option web_port '8089'
|
|
option web_host '0.0.0.0'
|
|
option data_path '/srv/mitmproxy-out'
|
|
option memory_limit '256M'
|
|
option mode 'transparent'
|
|
option ssl_insecure '0'
|
|
option anticache '0'
|
|
option anticomp '0'
|
|
|
|
# IN Instance - WAN to Services (WAF/reverse proxy)
|
|
config instance 'in'
|
|
option enabled '1'
|
|
option description 'WAF/Reverse Proxy'
|
|
option container_name 'mitmproxy-in'
|
|
option proxy_port '8889'
|
|
option web_port '8090'
|
|
option web_host '0.0.0.0'
|
|
option data_path '/srv/mitmproxy-in'
|
|
option memory_limit '256M'
|
|
option mode 'upstream'
|
|
option ssl_insecure '0'
|
|
option anticache '0'
|
|
option anticomp '0'
|
|
# HAProxy sends traffic here
|
|
option haproxy_backend '1'
|
|
|
|
# WAN Protection Mode - protect services exposed to internet
|
|
# Acts as WAF/reverse proxy for incoming WAN traffic
|
|
config wan_protection 'wan_protection'
|
|
# Enable WAN protection mode (acts as WAF for incoming traffic)
|
|
option enabled '0'
|
|
# WAN interface name (incoming traffic interface)
|
|
option wan_interface 'wan'
|
|
# Ports to intercept on WAN (HTTP)
|
|
option wan_http_port '80'
|
|
# Ports to intercept on WAN (HTTPS)
|
|
option wan_https_port '443'
|
|
# Feed detected threats to CrowdSec for automatic blocking
|
|
option crowdsec_feed '1'
|
|
# Block requests from known bot scanners immediately
|
|
option block_bots '0'
|
|
# Rate limiting: max requests per IP per minute (0=disabled)
|
|
option rate_limit '0'
|
|
|
|
# Auto-ban configuration - automatically ban IPs via CrowdSec
|
|
config autoban 'autoban'
|
|
# Enable automatic banning of detected threats
|
|
option enabled '1'
|
|
# Ban duration (e.g., 1h, 4h, 24h, 7d)
|
|
option ban_duration '4h'
|
|
# Minimum severity to trigger auto-ban: critical, high, medium
|
|
option min_severity 'high'
|
|
# Auto-ban on CVE exploit attempts
|
|
option ban_cve_exploits '1'
|
|
# Auto-ban SQL injection attempts
|
|
option ban_sqli '1'
|
|
# Auto-ban command injection attempts
|
|
option ban_cmdi '1'
|
|
# Auto-ban path traversal attempts
|
|
option ban_traversal '1'
|
|
# Auto-ban known vulnerability scanners
|
|
option ban_scanners '1'
|
|
# Auto-ban on rate limit exceeded
|
|
option ban_rate_limit '0'
|
|
# Auto-ban VoIP/SIP attacks
|
|
option ban_voip '1'
|
|
# Auto-ban XMPP/Jabber attacks
|
|
option ban_xmpp '1'
|
|
# Whitelist IPs from auto-ban (comma-separated)
|
|
# Default: localhost, router IP, common admin IPs
|
|
option whitelist '127.0.0.1,192.168.255.1,192.168.1.1'
|
|
#
|
|
# Sensitivity level: aggressive, moderate, permissive
|
|
# - aggressive: Ban immediately on first detection (critical threats only)
|
|
# - moderate: Ban after repeated attempts within minutes (default)
|
|
# - permissive: Ban after persistent attempts over longer period
|
|
option sensitivity 'moderate'
|
|
#
|
|
# Aggressive level: Immediate ban on first critical threat
|
|
# (CVE exploits, SQL injection, command injection always trigger immediately)
|
|
#
|
|
# Moderate level thresholds
|
|
# Ban after N attempts within the time window
|
|
option moderate_threshold '3'
|
|
option moderate_window '300'
|
|
#
|
|
# Permissive level thresholds
|
|
# Ban after N attempts within the time window
|
|
option permissive_threshold '5'
|
|
option permissive_window '3600'
|
|
|
|
# LAN Transparent mode settings (outbound traffic interception)
|
|
config transparent 'transparent'
|
|
option enabled '0'
|
|
# Interface to intercept traffic from (e.g., br-lan)
|
|
option interface 'br-lan'
|
|
# Redirect HTTP traffic (port 80)
|
|
option redirect_http '1'
|
|
# Redirect HTTPS traffic (port 443)
|
|
option redirect_https '1'
|
|
# Custom HTTP port (default 80)
|
|
option http_port '80'
|
|
# Custom HTTPS port (default 443)
|
|
option https_port '443'
|
|
|
|
# DPI Mirror Mode - feed traffic to network inspection engines
|
|
config dpi_mirror 'dpi_mirror'
|
|
option enabled '0'
|
|
# Interface for DPI mirroring (netifyd/ndpid listens on this)
|
|
option dpi_interface 'br-lan'
|
|
# Enable DPI for WAN traffic (incoming)
|
|
option mirror_wan '0'
|
|
# Enable DPI for LAN traffic (outgoing)
|
|
option mirror_lan '0'
|
|
|
|
# Whitelist/bypass - IPs and domains that bypass the proxy
|
|
config whitelist 'whitelist'
|
|
option enabled '1'
|
|
# Bypass local networks by default
|
|
list bypass_ip '10.0.0.0/8'
|
|
list bypass_ip '172.16.0.0/12'
|
|
list bypass_ip '192.168.0.0/16'
|
|
list bypass_ip '127.0.0.0/8'
|
|
# Bypass sensitive domains (banking, medical, etc.)
|
|
list bypass_domain 'banking'
|
|
list bypass_domain 'paypal.com'
|
|
list bypass_domain 'stripe.com'
|
|
# Add custom bypasses here
|
|
# list bypass_ip 'x.x.x.x'
|
|
# list bypass_domain 'example.com'
|
|
|
|
# HAProxy backend inspection mode
|
|
config haproxy_router 'haproxy_router'
|
|
option enabled '0'
|
|
# Port HAProxy sends traffic to
|
|
option listen_port '8889'
|
|
# Enable threat detection on HAProxy traffic
|
|
option threat_detection '1'
|
|
# Routes file (auto-generated from HAProxy UCI)
|
|
option routes_file '/srv/mitmproxy/haproxy-routes.json'
|
|
|
|
# CDN/MediaFlow filtering addon
|
|
config filtering 'filtering'
|
|
option enabled '0'
|
|
# Log all requests to JSON file
|
|
option log_requests '1'
|
|
# Filter CDN traffic (e.g., cloudflare, akamai, fastly)
|
|
option filter_cdn '0'
|
|
# Filter streaming media
|
|
option filter_media '0'
|
|
# Block ads and trackers
|
|
option block_ads '0'
|
|
# Custom filter script path
|
|
option addon_script '/data/addons/secubox_analytics.py'
|
|
|
|
# Capture settings
|
|
config capture 'capture'
|
|
option save_flows '0'
|
|
option capture_request_headers '1'
|
|
option capture_response_headers '1'
|
|
option capture_request_body '0'
|
|
option capture_response_body '0'
|
|
|
|
# WAF Rules - enable/disable categories
|
|
config waf_rules 'waf_rules'
|
|
option enabled '1'
|
|
# Core attack patterns
|
|
option sqli '1'
|
|
option xss '1'
|
|
option lfi '1'
|
|
option rce '1'
|
|
# CVE exploits
|
|
option cve_2024 '1'
|
|
# Scanner detection
|
|
option scanners '1'
|
|
# Application-specific
|
|
option webmail '1'
|
|
option api_abuse '1'
|
|
# VoIP/XMPP protection
|
|
option voip '1'
|
|
option xmpp '1'
|
|
option cve_voip '1'
|
|
option cve_xmpp '1'
|
|
# Router/IoT botnet protection (CVE-2025-14528, Mirai variants)
|
|
option router_botnet '1'
|