-
Notifications
You must be signed in to change notification settings - Fork 7
/
wwwsas.conf.example
256 lines (196 loc) · 11.2 KB
/
wwwsas.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
#!/bin/bash
# Name: wwwsas.conf.example - the default configuration file of the script bundle WWW Security Assistant.
# Summary: This file is sourced You should create your own configuration file by removing of the ".example" extension.
# When "wwwsas.conf" exists it will be sourced in "wwwsas.sh" and other scripts from the bundle.
# Home: https://github.com/metalevel-tech/wwwsas
# Author: Spas Z. Spasov <spas.z.spasov@gmail.com> (C) 2021
# --------------------------------
# First priority: Private settings
# --------------------------------
# The directory where the script bundle is located
# (the single quotes are importaint, because of the parsing made by SETUP)
WORK_DIR='/etc/wwwsas'
# Get server`s host-name, or set it: HOSTNAME="example.com"
HOSTNAME="$(hostname -f)"
# You can just enter <email@example.com>
EMAIL_FROM="Security Assistant <root@$HOSTNAME>"
# Multiple accounts separated by commas are allowed:
# EMAIL_TO="your@email.foo, your@email.bar, your@email.baz" - the emails sent to these boxes will be HTML formatted
# EMAIL_TO_PLAIN="root@localhost, foo@localhost" - the emails sent to these boxes will be plain text
# If none of these variables is set, script execution will be disconnected before the email section
EMAIL_TO="admin@$HOSTNAME"
EMAIL_TO_PLAIN="root@localhost"
# Time-units can be minutes, hours, days, or weeks; see `man at`; `sudo atq` lists pending jobs; `sudo at -c job_number` shows the job's content;
# BAN_TIME="5 minutes"
BAN_TIME="1 minute"
# Limit of tolerance of transgressions from certain IP
LIMIT="60"
# This value is used within the comunication between `modules/modsecurity-assistant.sh` or `modules/flood-detector.sh`, etc. and `wwwsas.sh`
# This solves an old issue and it is not longer needed - but why not :)
# Note you should use the same format: with dash/minus in the beginning and the end of the string
MY_DIVIDER="-DiViDeR-d1v1d3r-"
# Set verbose mode of the reports (within the emails) for the following features
# To unset this mode jist comment the variable's definitions
REPORT_MODE_MODSEC="verbose"
REPORT_MODE_ABIPDB="verbose"
REPORT_MODE_CRAWLER="verbose"
# ---------------------------------------------------------
# First priority: AbuseIPDB Integration and GeoLite2 Update
# ---------------------------------------------------------
# If you want to use the feature "AbuseIPDB Integration",
# you should register on "www.abuseipdb.com" and provide your API key here.
# The current version requires V2 API Key.
# Once the key is provided the integration will be enabled.
# The IPs will be reported, when the treshold $LIMIT (provided above) is reached.
AbuseIPDB_APIKEY=""
# If you want to ban IPs permanently based on the analyse of the statistic, provided by www.abuseipdb.com, set "$AbuseIPDB_BAN" to "YES"
# Note: For these IPs the $LIMIT will be ignored. This feature will increase the execution time of the action section of "wwwsas.sh"
AbuseIPDB_ANALYSE_IP_AND_BAN="YES"
# The LIMITs used by "modules/abuseipdb-push-pull.sh" when it is called in "analyse_ip" mode from "wwwsas.sh".
AbuseIPDB_totalReportsLimit="15"
AbuseIPDB_abuseConfidenceScoreLimit="15"
AbuseIPDB_CategoryCountLimit="5"
# Aggressive Mode for ModSecurity
# The script "modules/modsecurity-assistant.sh" will export the ModSecurity's disruptive "$RULE_ID" that is cause of the current thread.
# If that "$RULE_ID" belongs to the following array the "$IP" will be reported to AbuseIPDB, no matter (but regard to) the other logic.
# - RuleId "1150" is wwwsas REQUEST_URI words blacklist;
# - RuleId "1160" is wwwsas Deny requests without a host header;
# - RuleId "1170" is wwwsas Deny request that don't use GET, HEAD or POST;
# - RuleId "920350" is owasp Check that the host header is not an IP address.
# - RuleId "920300" is owasp Generates a notice if the Accept header is missing.
# - RuleId "949110" is owasp Anomaly Mode rule.
# - RuleId "959100" is owasp Anomaly Mode rule.
# Comment out the array to enable this feature.
#AbuseIPDB_MODSEC_AGGRESSIVE_MODE_RULES=("1150" "1160" "1170" "920350" "920300" "949110" "959100")
# Aggressive Mode for FloodDetector
# Comment out the variable to enable this feature.
#AbuseIPDB_FLOODT_AGGRESSIVE_MODE="YES"
# In order to download and further update the GeoLite2 data base, used by ModSecurity2,
# you need to provide a license key obtained at: https://www.maxmind.com/en/accounts/<USER ID>/geoip/downloads
MaxMindGeoLite2_LICENSE_KEY=""
# --------------------------------
# Second priority: Common settings
# --------------------------------
# Apavhe2
# The log directory mentioned in /etc/apache2/envvars
APACHE_LOG_DIR="/var/log/apache2"
# ModEvasive for Apache 2
# The log directory mentioned in /etc/apache2/mods-available/evasive.conf
MOD_EVASIVE_LOG_DIR="/var/log/apache2_mod_evasive"
MOD_EVASIVE_LOG_DIR_BAK="${MOD_EVASIVE_LOG_DIR}/bak"
# ModSecurity for Apache 2
# The log directory mentioned in /etc/apache2/mods-available/security2.conf or /etc/modsecurity/modsecurity.conf
MOD_SECURITY_LOG_DIR="/var/log/apache2_mod_security"
# modules/modsecurity-whitelist-rule-generator.sh
MOD_SECURITY_ISSUES_PAGE="/issues.php"
# ModSecurity home directory
MOD_SECURITY_DIR="/etc/modsecurity"
# Used by:
# > Setup (process)
# > modules/modsecurity-whitelist-rule-generator.sh
# The directory of the OWASP ModSec CRS installation, mentioned during the setup process
MOD_SECURITY_CRS_DIR="${MOD_SECURITY_DIR}/coreruleset"
# modules/modsecurity-whitelist-rule-generator.sh
MOD_SECURITY_AUDIT_LOG="${MOD_SECURITY_LOG_DIR}/modsec_audit.log"
MOD_SECURITY_WHITELIST_FILE="${MOD_SECURITY_CRS_DIR}/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
# modules/modsecurity-whitelist-rule-generator.sh
SECURITY_RULE_PARSE_METHOD="latest" # Use the latest rule id in the file $MOD_SECURITY_WHITELIST_FILE as base for the new rule id
#SECURITY_RULE_PARSE_METHOD="greatest" # Use the greatest rule id in the file $MOD_SECURITY_WHITELIST_FILE as base for the new rule id
# ModSecurity and ModEvasive whitelist configuration files
MOD_SECURITY_WWWSAS_CONF="${MOD_SECURITY_DIR}/wwwsas-rules.conf"
MOD_SECURITY_WWWSAS_WLST="${WORK_DIR}/confs/modsec.ip.white-list.conf"
MOD_EVASIVE_WWWSAS_CONF="/etc/apache2/mods-available/evasive.conf"
# Used by: > modules/flood-detector.sh
TCP_STATES=("SYN_RECV")
COMMON_CONNECTIONS_THRESHOLD="120"
SINGLE_CONNECTIONS_THRESHOLD="40"
# Used by: > modules/post-analyse.sh
POST_ANALYSE_LIMIT="50"
# Used by: > modules/geoip-update.sh
GEOLITE2_LEGACY_DIR="${MOD_SECURITY_DIR}/geolite2legacy"
GEOLITE2_DATA_DIR="${MOD_SECURITY_DIR}/geolite2data"
# --------------------------------
# Third priority: Script settings
# --------------------------------
# Set the list of the available Agents in tha Automatic mode
AGENTS=()
AGENT_MODSEC="ModSecurity"
AGENTS+=( "$AGENT_MODSEC" )
AGENT_FLOODT="FloodDetector"
AGENTS+=( "$AGENT_FLOODT" )
AGENT_MODEVS="ModEvasive"
AGENTS+=( "$AGENT_MODEVS" )
AGENT_GUARDI="Guardian"
AGENTS+=( "$AGENT_GUARDI" )
AGENT_A2ANLS="a2Analyst"
AGENTS+=( "$AGENT_A2ANLS" )
AGENT_PSTANL="PostAnalyse"
AGENTS+=( "$AGENT_PSTANL" )
AGENT_ADBIPP="AbuseIPDBPushPull"
AGENTS+=( "$AGENT_ADBIPP" )
AGENT_ISCRWL="IsCrawler"
AGENTS+=( "$AGENT_ISCRWL" )
# Common used strings within the (email) messages, usualy these are our custom shell commands located/linked under /usrl/local/bin
# Note the _FULL names are used in the next section.
WWW_SAS="wwwsas"
WWW_SAS_FULL="wwwsas"
WWW_SAS_EXEC="${WORK_DIR}/${WWW_SAS_FULL}.sh"
WWW_SAS_FLOOD_DETECTOR="wwwsas-flood-detector"
WWW_SAS_FLOOD_DETECTOR_FULL="flood-detector"
WWW_SAS_FLOOD_DETECTOR_EXEC="${WORK_DIR}/modules/${WWW_SAS_FLOOD_DETECTOR_FULL}.sh"
WWW_SAS_POST_ANALYSE="wwwsas-post-analyse"
WWW_SAS_POST_ANALYSE_FULL="post-analyse"
WWW_SAS_POST_ANALYSE_EXEC="${WORK_DIR}/modules/${WWW_SAS_POST_ANALYSE_FULL}.sh"
WWW_SAS_MOD_SECURITY_WLRG="wwwsas-modsec-whitelist-rg"
WWW_SAS_MOD_SECURITY_WLRG_FULL="modsecurity-whitelist-rule-generator"
WWW_SAS_MOD_SECURITY_WLRG_EXEC="${WORK_DIR}/modules/${WWW_SAS_MOD_SECURITY_WLRG_FULL}.sh"
WWW_SAS_ABUSEIPDB="wwwsas-abuseipdb"
WWW_SAS_ABUSEIPDB_FULL="abuseipdb-push-pull"
WWW_SAS_ABUSEIPDB_EXEC="${WORK_DIR}/modules/${WWW_SAS_ABUSEIPDB_FULL}.sh"
WWW_SAS_ISCRAWLER="wwwsas-is-crawler-ip"
WWW_SAS_ISCRAWLER_FULL="is-crawler-ip"
WWW_SAS_ISCRAWLER_EXEC="${WORK_DIR}/modules/${WWW_SAS_ISCRAWLER_FULL}.sh"
WWW_SAS_GEOIPUPDATE="wwwsas-geoip-update"
WWW_SAS_GEOIPUPDATE_FULL="geoip-update"
WWW_SAS_GEOIPUPDATE_EXEC="${WORK_DIR}/modules/${WWW_SAS_GEOIPUPDATE_FULL}.sh"
WWW_SAS_LOGROTATE="wwwsas-logrotate"
WWW_SAS_LOGROTATE_FULL="logrotate"
WWW_SAS_LOGROTATE_EXEC="${WORK_DIR}/modules/${WWW_SAS_LOGROTATE_FULL}.sh"
# Define a custom tmp directory "for files with short livecycle"
WWW_SAS_TMP="${WORK_DIR}/tmp"; [[ "$EUID" -eq 0 ]] && { mkdir -p "$WWW_SAS_TMP" && chown www-data "$WWW_SAS_TMP"; }
# Define a custom log directory "for files with long livecycle"
WWW_SAS_LOG="${WORK_DIR}/logs"; [[ "$EUID" -eq 0 ]] && { mkdir -p "$WWW_SAS_LOG" && chown www-data "$WWW_SAS_LOG"; }
# The file where will be kept the data about the IPs added to the WhiteList. In the white-list put at least your server's IP and localhost IP 127.0.0.1
WWW_SAS_WHITE_LIST="${WORK_DIR}/logs/white-list.log"
# The file where will be kept the data about the IPs added to the BanList
WWW_SAS_BAN_LIST="${WORK_DIR}/logs/black-list.log"
# The file where will be kept the data about the IPs removed from the BanList
WWW_SAS_BAN_CLEAR_LIST="${WORK_DIR}/logs/clear-list.log"
# The file where will be kept the data about the transgressions. Please be careful when manipulate this file manually
WWW_SAS_HISTORY="${WWW_SAS_LOG}/history.log"
# The execution log file used by the satellite scripts
WWW_SAS_EXEC_LOG="${WWW_SAS_TMP}/execution.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_EXEC_LOG" && chown www-data "$WWW_SAS_EXEC_LOG"; }
# Error log file used to log internal messages before send them by email
# USed by: > wwwsas.sh
WWW_SAS_ERROR_LOG="${WWW_SAS_TMP}/internal.msgs.error.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_ERROR_LOG" && chown www-data "$WWW_SAS_ERROR_LOG"; }
# This is a history of the Error logs
# Used by: > wwwsas-post-analyse.sh < > wwwsas.sh
WWW_SAS_ERROR_LOG_HISTORY="${WWW_SAS_TMP}/error.history.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_ERROR_LOG_HISTORY" && chown www-data "$WWW_SAS_ERROR_LOG_HISTORY"; }
# The IPTables chain that is used by the script
WWW_SAS_IPTBL_CHAIN="WWWSAS"
# Here is used additional setup for iptables save/restore on reboot,
# https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
WWW_SAS_IPTABLES_SAVE="${WORK_DIR}/firewall/iptables-save.sh"
WWW_SAS_IPTABLES_RESTORE="${WORK_DIR}/firewall/iptables-restore.sh"
WWW_SAS_IPSET_SAVE="${WORK_DIR}/firewall/ipset-save.sh"
WWW_SAS_IPSET_RESTORE="${WORK_DIR}/firewall/ipset-restore.sh"
# These files will be automatically deleted - see the bottom of the main script
EMAIL_BODY="${WWW_SAS_TMP}/${WWW_SAS_FULL}.mail.${RANDOM}"
EMAIL_BODY_PLAIN="${EMAIL_BODY}.plain"
# The style sheet of the HTML email
WWW_SAS_MAIL_STYLE_CSS="${WORK_DIR}/assets/email.css"
# Get the time coordinates of the event
TIME="$(date +%H:%M:%S)"
DATE="$(date +%Y-%m-%d)"
# Frequent used messages (same as the above)
USAGE="Usage: $WWW_SAS <IP> [ ModSecurity | ModEvasive 'notes' | Guardian | a2Analyst | FloodDetector 'notes' | PostAnalyse '#' ] or [ --DROP 'notes' | --CLEAR 'notes' | --ACCEPT 'notes' | --ACCEPT-CHAIN 'notes' | --ACCEPT-REMOVE ]"