InterceptoR Insider WAF (6th pillar):
- RPCD: get_insider_waf_status() tracking LAN client threats
- Dashboard: 🔒 Insider WAF card with threat stats
- CrowdSec scenarios for insider threats:
- C2 beacon, exfiltration, DNS tunneling, lateral movement
- Cryptominer, IoT botnet, suspicious TLDs, high volume
DDoS Protection Hardening:
- Config Advisor: 8 DDoS checks (SYN cookies, conntrack, RP filter,
ICMP rate, CrowdSec http-dos, HAProxy maxconn, mitmproxy WAF, Vortex)
- ANSSI rules: New "ddos" category with remediation steps
- Documentation: DOCS/DDOS-PROTECTION.md with full guide
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Makefile
# Copyright (C) 2024-2025 CyberMind.fr
# Licensed under Apache-2.0
include $(TOPDIR)/rules.mk

PKG_NAME:=secubox-app-crowdsec-custom
PKG_VERSION:=1.1.0
PKG_RELEASE:=1
# Architecture-independent: nothing is compiled (Build/Compile is empty below),
# the package only ships CrowdSec YAML files and a uci-defaults script
PKG_ARCH:=all
PKG_LICENSE:=Apache-2.0
PKG_MAINTAINER:=CyberMind <contact@cybermind.fr>

include $(INCLUDE_DIR)/package.mk
# Package metadata read by package.mk; field order is not significant
define Package/secubox-app-crowdsec-custom
  TITLE:=CrowdSec Custom Scenarios for SecuBox
  SECTION:=secubox
  CATEGORY:=SecuBox
  PROVIDES:=secubox-crowdsec-custom
  # The engine and the firewall bouncer are both restarted by postinst below
  DEPENDS:=+crowdsec +crowdsec-firewall-bouncer
  PKGARCH:=all
endef
# Long package description.  Every line between define/endef is emitted
# verbatim, so no comments inside the block.  The bullet list should track
# what the install section below actually ships; update both together.
define Package/secubox-app-crowdsec-custom/description
Custom CrowdSec configurations for SecuBox web interface protection.
Includes:
- HTTP authentication bruteforce detection
- Path scanning/enumeration detection
- LuCI/uhttpd auth failure monitoring
- Nginx reverse proxy monitoring (if used)
- HAProxy backend protection and auth monitoring
- Gitea web/SSH/API bruteforce detection
- Streamlit app flooding and auth protection
- Webapp generic auth bruteforce protection
- mitmproxy threat detection (SQLi, XSS, SSRF, CVE)
- Insider WAF: LAN threat detection (C2, exfiltration, lateral movement)
- Whitelist for trusted networks
endef
# Nothing to compile: the package only installs data files (see install below),
# so the build step is deliberately a no-op
define Build/Compile
endef
# Staging-dir install: $(1) is the package root.  Config files are installed
# read-only for the daemon (INSTALL_DATA); only the uci-defaults script needs
# to be executable (INSTALL_BIN).  The file list is explicit on purpose: a
# wildcard would silently ship anything dropped into ./files.
define Package/secubox-app-crowdsec-custom/install
	# Acquisition configs (which logs CrowdSec reads)
	$(INSTALL_DIR) $(1)/etc/crowdsec/acquis.d
	$(INSTALL_DATA) \
		./files/acquis.d/secubox-uhttpd.yaml \
		./files/acquis.d/secubox-nginx.yaml \
		./files/acquis.d/secubox-auth.yaml \
		./files/acquis.d/secubox-haproxy.yaml \
		./files/acquis.d/secubox-gitea.yaml \
		./files/acquis.d/secubox-streamlit.yaml \
		./files/acquis.d/secubox-webapp.yaml \
		$(1)/etc/crowdsec/acquis.d/

	# Custom parsers (parse stage, then enrich stage)
	$(INSTALL_DIR) $(1)/etc/crowdsec/parsers/s01-parse
	$(INSTALL_DATA) \
		./files/parsers/s01-parse/secubox-luci-auth.yaml \
		./files/parsers/s01-parse/secubox-haproxy.yaml \
		./files/parsers/s01-parse/secubox-gitea.yaml \
		./files/parsers/s01-parse/secubox-streamlit.yaml \
		./files/parsers/s01-parse/secubox-webapp.yaml \
		$(1)/etc/crowdsec/parsers/s01-parse/

	$(INSTALL_DIR) $(1)/etc/crowdsec/parsers/s02-enrich
	$(INSTALL_DATA) ./files/parsers/s02-enrich/secubox-whitelist.yaml $(1)/etc/crowdsec/parsers/s02-enrich/

	# Custom scenarios (detection rules built on the parsers above)
	$(INSTALL_DIR) $(1)/etc/crowdsec/scenarios
	$(INSTALL_DATA) \
		./files/scenarios/secubox-auth-bruteforce.yaml \
		./files/scenarios/secubox-http-bruteforce.yaml \
		./files/scenarios/secubox-haproxy-bruteforce.yaml \
		./files/scenarios/secubox-gitea-bruteforce.yaml \
		./files/scenarios/secubox-streamlit-bruteforce.yaml \
		./files/scenarios/secubox-webapp-bruteforce.yaml \
		./files/scenarios/secubox-insider-threats.yaml \
		$(1)/etc/crowdsec/scenarios/

	# UCI defaults for first boot setup (executable, hence INSTALL_BIN)
	$(INSTALL_DIR) $(1)/etc/uci-defaults
	$(INSTALL_BIN) ./files/99-secubox-app-crowdsec-custom $(1)/etc/uci-defaults/
endef
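define Package/secubox-app-crowdsec-custom/postinst
#!/bin/sh
# Post-install hook.  Skipped entirely when IPKG_INSTROOT is set (image
# build: no running daemon, no network).  On a live device it pulls the hub
# collections/parsers the custom scenarios build on, runs the uci-defaults
# script, then restarts CrowdSec and the bouncer so the installed files are
# loaded.  Hub installs stay best-effort so the package still installs on an
# offline box, but each failure is now reported on stderr and counted instead
# of being silently discarded behind "|| true" -- previously the closing
# "protection installed!" banner was printed even when nothing was fetched.
[ -n "$${IPKG_INSTROOT}" ] || {
	echo "Installing CrowdSec collections for SecuBox..."
	failed=0

	# Install standard collections.  These are fetched from the CrowdSec hub
	# at install time and are not pinned by this package; treat a warning
	# here as "detection coverage is incomplete", not as cosmetic.
	for c in crowdsecurity/linux crowdsecurity/sshd crowdsecurity/base-http-scenarios \
	         crowdsecurity/http-cve crowdsecurity/nginx crowdsecurity/http-dos crowdsecurity/haproxy; do
		cscli collections install "$$c" 2>/dev/null || {
			echo "warning: collection $$c not installed (hub unreachable?)" >&2
			failed=$$((failed + 1))
		}
	done

	# Install parsers
	for p in crowdsecurity/syslog-logs crowdsecurity/http-logs crowdsecurity/nginx-logs crowdsecurity/haproxy-logs; do
		cscli parsers install "$$p" 2>/dev/null || {
			echo "warning: parser $$p not installed (hub unreachable?)" >&2
			failed=$$((failed + 1))
		}
	done

	# Run uci-defaults now so an install on a running system gets the same
	# setup as a first boot, without waiting for a reboot
	/etc/uci-defaults/99-secubox-app-crowdsec-custom 2>/dev/null || true

	# Restart CrowdSec to load new configs
	/etc/init.d/crowdsec restart 2>/dev/null || true
	# Short grace period before bouncing the bouncer -- presumably so it
	# reconnects to an already-running daemon; TODO confirm the 2s is enough
	sleep 2

	# Restart bouncer (only present if the init script exists)
	if [ -f /etc/init.d/crowdsec-firewall-bouncer ]; then
		/etc/init.d/crowdsec-firewall-bouncer restart 2>/dev/null || true
	fi

	echo ""
	echo "SecuBox CrowdSec protection installed!"
	# Do not let the success banner hide missing hub content
	[ "$$failed" -eq 0 ] || echo "warning: $$failed hub item(s) could not be installed; re-run 'cscli collections install <name>' once the hub is reachable" >&2
	echo "Protected services: LuCI, uhttpd, nginx, HAProxy, Gitea, Streamlit, Webapp"
	echo ""
	echo "Useful commands:"
	echo " cscli metrics - View detection metrics"
	echo " cscli alerts list - View security alerts"
	echo " cscli decisions list - View active bans"
}
exit 0
endef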
define Package/secubox-app-crowdsec-custom/postrm
#!/bin/sh
# Post-removal hook: on a live system (IPKG_INSTROOT empty) bounce CrowdSec so
# the removed acquis/parser/scenario files are no longer loaded.  The restart
# is best-effort; removal must not fail because the daemon is down.
if [ -z "$${IPKG_INSTROOT}" ]; then
	/etc/init.d/crowdsec restart 2>/dev/null || true
	echo "SecuBox CrowdSec custom configs removed"
fi
exit 0
endef
# Generate the build and packaging rules from the Package/... definitions above
$(eval $(call BuildPackage,secubox-app-crowdsec-custom))