gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c59f7cde0b
secubox-openwrt/PROJECT-STATUS-AND-INNOVATION.md
CyberMind-FR 2e772c1fa9 docs: Update project status for v1.0.0-beta release 
- PROJECT-STATUS-AND-INNOVATION.md: Complete rewrite with current status
  - Four-layer architecture documentation
  - Punk Exposure three-channel model
  - All implemented innovations (AI Gateway, MCP, DPI, etc.)
  - Bug bounty scope and attack surface
  - VM distribution details

- README.md: Added default VM credentials

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-15 19:05:07 +01:00

287 lines
9.1 KiB
Markdown
Raw Blame History

# SecuBox v1.0.0-beta — Project Status & Innovation
**Version:** 1.0.0-beta
**Status:** Beta Release — Pen Testing & Bug Bounty Ready
**Date:** 2026-03-15
**Publisher:** [CyberMind.fr](https://cybermind.fr)
---
## Executive Summary
SecuBox is a **production-ready** security and mesh networking platform for OpenWrt, featuring 86 LuCI modules, AI-powered threat analysis, and a unique three-channel service exposure model. The v1.0.0-beta release is ready for security testing and bug bounty programs.
### Key Achievements
| Metric | Value |
|--------|-------|
| **LuCI Modules** | 86 |
| **Total Packages** | 123+ |
| **RPCD Methods** | 400+ |
| **JavaScript Views** | 150+ |
| **Architectures** | x86-64, ARM64, MIPS, MediaTek |
### Release Artifacts
- **Source Code:** [github.com/CyberMind-FR/secubox-openwrt](https://github.com/CyberMind-FR/secubox-openwrt)
- **VM Appliance:** SecuBox-v1.0.0-beta.tar.gz (69 MB)
- **Documentation:** BETA-RELEASE.md, SECURITY.md
---
## Four-Layer Security Architecture
```
+============================================================+
| LAYER 4: MESH NETWORKING |
| MirrorNet / P2P Hub / Services Mirrors |
| +--------------------------------------------------------+ |
| | LAYER 3: AI GATEWAY | |
| | MCP Server / Threat Analyst / DNS Guard | |
| | +----------------------------------------------------+ | |
| | | LAYER 2: TACTICAL | | |
| | | CrowdSec / WAF / Scenarios | | |
| | | +------------------------------------------------+ | | |
| | | | LAYER 1: OPERATIONAL | | | |
| | | | fw4 / DPI / Bouncer / HAProxy | | | |
| | | +------------------------------------------------+ | | |
| | +----------------------------------------------------+ | |
| +--------------------------------------------------------+ |
+============================================================+
```
| Layer | Function | Time Scale | Components |
|-------|----------|------------|------------|
| **Layer 1** | Real-time blocking | ms → seconds | nftables/fw4, netifyd DPI, CrowdSec Bouncer |
| **Layer 2** | Pattern correlation | minutes → hours | CrowdSec Agent/LAPI, mitmproxy WAF, Scenarios |
| **Layer 3** | AI analysis | minutes → hours | MCP Server, Threat Analyst, DNS Guard |
| **Layer 4** | Mesh networking | continuous | P2P Hub, MirrorBox, Services Registry |
---
## Punk Exposure — Three-Channel Service Publishing
The **Peek / Poke / Emancipate** model enables decentralized service exposure:
```
┌─────────────────────────────────────────────────────────────┐
│ YOUR CONTENT/SERVICE │
└─────────────────────────────────────────────────────────────┘
┌──────────────────┼──────────────────┐
▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐
│ TOR │ │ DNS │ │ MESH │
│ .onion │ │ /SSL │ │ P2P │
└─────────┘ └─────────┘ └─────────┘
Anonymous Classical Tribal
Hidden Service HTTPS Gossip Network
```
| Channel | Use Case | Status |
|---------|----------|--------|
| **Tor** | Anonymous hidden services | ✅ Implemented |
| **DNS/SSL** | Classical HTTPS with auto-SSL | ✅ Implemented |
| **Mesh** | Tribal gossip network | ✅ Implemented |
### Emancipate CLI
```bash
# Full emancipation (Tor + DNS + Mesh)
secubox-exposure emancipate myblog 8080 blog.example.com --all
# Selective channels
secubox-exposure emancipate myapp 8080 myapp.secubox.in --dns --mesh
```
---
## Innovation Highlights
### 1. AI Gateway (Implemented)
**Data Classification & Routing:**
- **LOCAL_ONLY:** Sensitive data stays on device
- **SANITIZED:** PII scrubbed before EU cloud processing
- **CLOUD_DIRECT:** Generic queries to opted-in providers
**Provider Priority:** LocalAI → Mistral EU → Claude → OpenAI → Gemini
### 2. MCP Server (Implemented)
Model Context Protocol integration for Claude Desktop:
```json
{
"mcpServers": {
"secubox": {
"command": "ssh",
"args": ["root@192.168.255.1", "/usr/bin/secubox-mcp"]
}
}
}
```
**Available Tools:** `crowdsec.alerts`, `waf.logs`, `dns.queries`, `network.flows`, `ai.analyze_threats`, `ai.suggest_waf_rules`
### 3. Dual-Stream DPI (Implemented)
**Phase 1 — TAP Stream:** tc mirred passive monitoring
**Phase 2 — MITM Double Buffer:** Enhanced correlation
**Phase 3 — Correlation Engine:** Auto-ban for high-reputation IPs
**Phase 4 — LAN Passive Flow:** Zero-MITM LAN observation
### 4. Threat Analyst (Implemented)
Autonomous AI agent for:
- Real-time threat analysis
- CrowdSec scenario generation
- WAF rule suggestions
- CVE lookups and context enrichment
### 5. Configuration Vault (Implemented)
Git-based config versioning with:
- Auto-commit and auto-push
- 9 configuration modules
- Export/import clone tarballs
- Device provisioning workflows
### 6. Unified SMTP Relay (Implemented)
Centralized SMTP configuration:
- Modes: external (Gmail, SendGrid), local (auto-detect), direct
- Shared library: `send_mail()` function
- All SecuBox apps use unified relay
---
## Module Categories
### Core (6 modules)
- luci-app-secubox, luci-app-secubox-portal, luci-app-secubox-admin
- secubox-app-bonus, luci-app-system-hub, luci-theme-secubox
### Security (15 modules)
- CrowdSec, mitmproxy WAF, MAC Guardian, DNS Guard
- Threat Analyst, KSM Manager, Master Link
- Auth Guardian, Client Guardian, Exposure Manager
### Network (12 modules)
- HAProxy, WireGuard, Network Modes, DNS Provider
- Bandwidth Manager, Traffic Shaper, CDN Cache
### AI/LLM (4 modules)
- LocalAI, Ollama, AI Gateway, MCP Server
### Media (7 modules)
- Jellyfin, Lyrion, PhotoPrism, Zigbee2MQTT, Domoticz
### Content Platforms (6 modules)
- Gitea, MetaBlogizer, HexoJS, Streamlit, Jitsi
### P2P Mesh (4 modules)
- P2P Hub, Service Registry, Device Intel, Content Package
---
## Roadmap
| Version | Status | Focus |
|---------|--------|-------|
| v0.17 | ✅ Released | Core Mesh, 38 modules |
| v0.18 | ✅ Released | P2P Hub, AI Gateway, 86 modules |
| v0.19 | ✅ Released | Full P2P intelligence |
| **v1.0.0-beta** | **Current** | Pen testing, bug bounty, documentation |
| v1.1 | Planned | ANSSI certification, GA release |
### v1.1 Targets
1. **ANSSI CSPN Certification** — French security certification
2. **CRA Compliance** — EU Cyber Resilience Act readiness
3. **SBOM Pipeline** — Automated vulnerability scanning
4. **Enterprise Features** — Multi-tenant, SSO, audit logging
---
## Security Testing
The v1.0.0-beta release is specifically prepared for:
### Attack Surface
| Layer | Components | Risk Areas |
|-------|------------|------------|
| **Network Edge** | HAProxy, mitmproxy WAF | WAF bypass, header injection |
| **Applications** | LuCI, RPCD | Shell injection, XSS, CSRF |
| **Containers** | LXC services | Container escape, privilege escalation |
| **Mesh/P2P** | WireGuard, gossip | Key theft, peer impersonation |
### Bug Bounty Scope
| Severity | Category |
|----------|----------|
| **Critical** | RCE, Auth Bypass |
| **High** | Privilege Escalation, WAF Bypass |
| **Medium** | Information Disclosure |
| **Low** | DoS, XSS |
**Report:** security@cybermind.fr
---
## Distribution
### Virtual Appliance
| File | Format | Use |
|------|--------|-----|
| C3Box-SecuBox.ova | OVA | VMware, VirtualBox |
| C3Box-SecuBox.vdi | VDI | VirtualBox |
| C3Box-SecuBox.vmdk | VMDK | VMware |
| C3Box-SecuBox.qcow2 | QCOW2 | Proxmox/KVM |
**Default Login:** root / c3box
### Package Feed
```
src/gz secubox https://secubox.in/feed
```
---
## Technical Stack
| Component | Technology |
|-----------|------------|
| **OS** | OpenWrt 24.10.x / 25.12 |
| **Frontend** | LuCI JavaScript, KISS Theme |
| **Backend** | RPCD/ubus, Shell, Lua |
| **Security** | CrowdSec, mitmproxy, nftables |
| **Containers** | LXC (Alpine/Debian) |
| **AI** | LocalAI, Claude API, Mistral |
| **P2P** | WireGuard, Gossip Protocol |
---
## Contributors
- **Lead:** Gandalf — [CyberMind.fr](https://cybermind.fr)
- **AI Assistance:** Claude (Anthropic)
---
## Links
- **Website:** [secubox.maegia.tv](https://secubox.maegia.tv)
- **GitHub:** [github.com/CyberMind-FR/secubox-openwrt](https://github.com/CyberMind-FR/secubox-openwrt)
- **Security:** [BETA-RELEASE.md](BETA-RELEASE.md) | [SECURITY.md](SECURITY.md)
- **Issues:** [GitHub Issues](https://github.com/CyberMind-FR/secubox-openwrt/issues)
---
**Ex Tenebris, Lux Securitas**
© 2024-2026 CyberMind.fr — Apache-2.0 License
Reference in New Issue View Git Blame Copy Permalink