wwwsas.conf.example

#!/bin/bash

# Name:    wwwsas.conf.example - the default configuration file of the script bundle WWW Security Assistant.
# Summary: This file is sourced You should create your own configuration file by removing of the ".example" extension.
#          When "wwwsas.conf" exists it will be sourced in "wwwsas.sh" and other scripts from the bundle.
# Home:    https://github.com/metalevel-tech/wwwsas
# Author:  Spas Z. Spasov <spas.z.spasov@gmail.com> (C) 2021


# --------------------------------
# First priority: Private settings
# --------------------------------

# The directory where the script bundle is located
# (the single quotes are importaint, because of the parsing made by SETUP)
WORK_DIR='/etc/wwwsas'

# Get server`s host-name, or set it: HOSTNAME="example.com"
HOSTNAME="$(hostname -f)"

# You can just enter <email@example.com>
EMAIL_FROM="Security Assistant <root@$HOSTNAME>"

# Multiple accounts separated by commas are allowed:
# EMAIL_TO="your@email.foo, your@email.bar, your@email.baz" - the emails sent to these boxes will be HTML formatted
# EMAIL_TO_PLAIN="root@localhost, foo@localhost" - the emails sent to these boxes will be plain text
# If none of these variables is set, script execution will be disconnected before the email section
EMAIL_TO="admin@$HOSTNAME"
EMAIL_TO_PLAIN="root@localhost"

# Time-units can be minutes, hours, days, or weeks; see `man at`; `sudo atq` lists pending jobs; `sudo at -c job_number` shows the job's content;
# BAN_TIME="5 minutes"
BAN_TIME="1 minute" 

# Limit of tolerance of transgressions from certain IP
LIMIT="60"

# This value is used within the comunication between `modules/modsecurity-assistant.sh` or `modules/flood-detector.sh`, etc.  and `wwwsas.sh`
# This solves an old issue and it is not longer needed - but why not :)
# Note you should use the same format: with dash/minus in the beginning and the end of the string
MY_DIVIDER="-DiViDeR-d1v1d3r-"

# Set verbose mode of the reports (within the emails) for the following features
# To unset this mode jist comment the variable's definitions
REPORT_MODE_MODSEC="verbose"
REPORT_MODE_ABIPDB="verbose"
REPORT_MODE_CRAWLER="verbose"


# ---------------------------------------------------------
# First priority: AbuseIPDB Integration and GeoLite2 Update
# ---------------------------------------------------------

# If you want to use the feature "AbuseIPDB Integration", 
# you should register on "www.abuseipdb.com" and provide your API key here. 
# The current version requires V2 API Key.
# Once the key is provided the integration will be enabled. 
# The IPs will be reported, when the treshold $LIMIT (provided above) is reached.
AbuseIPDB_APIKEY=""

# If you want to ban IPs permanently based on the analyse of the statistic, provided by www.abuseipdb.com, set "$AbuseIPDB_BAN" to "YES"
# Note: For these IPs the $LIMIT will be ignored. This feature will increase the execution time of the action section of "wwwsas.sh"
AbuseIPDB_ANALYSE_IP_AND_BAN="YES"

# The LIMITs used by "modules/abuseipdb-push-pull.sh" when it is called in "analyse_ip" mode from "wwwsas.sh".
AbuseIPDB_totalReportsLimit="15"
AbuseIPDB_abuseConfidenceScoreLimit="15"
AbuseIPDB_CategoryCountLimit="5"

# Aggressive Mode for ModSecurity
# The script "modules/modsecurity-assistant.sh" will export the ModSecurity's disruptive "$RULE_ID" that is cause of the current thread.
# If that "$RULE_ID" belongs to the following array the "$IP" will be reported to AbuseIPDB, no matter (but regard to) the other logic.
# - RuleId "1150" is wwwsas REQUEST_URI words blacklist;
# - RuleId "1160" is wwwsas Deny requests without a host header;
# - RuleId "1170" is wwwsas Deny request that don't use GET, HEAD or POST;
# - RuleId "920350" is owasp Check that the host header is not an IP address.
# - RuleId "920300" is owasp Generates a notice if the Accept header is missing.
# - RuleId "949110" is owasp Anomaly Mode rule.
# - RuleId "959100" is owasp Anomaly Mode rule.
# Comment out the array to enable this feature.
#AbuseIPDB_MODSEC_AGGRESSIVE_MODE_RULES=("1150" "1160" "1170" "920350" "920300" "949110" "959100")

# Aggressive Mode for FloodDetector
# Comment out the variable to enable this feature.
#AbuseIPDB_FLOODT_AGGRESSIVE_MODE="YES"

# In order to download and further update the GeoLite2 data base, used by ModSecurity2,
# you need to provide a license key obtained at: https://www.maxmind.com/en/accounts/<USER ID>/geoip/downloads
MaxMindGeoLite2_LICENSE_KEY=""


# --------------------------------
# Second priority: Common settings
# --------------------------------

# Apavhe2
# The log directory mentioned in /etc/apache2/envvars
APACHE_LOG_DIR="/var/log/apache2"

# ModEvasive for Apache 2
# The log directory mentioned in /etc/apache2/mods-available/evasive.conf
MOD_EVASIVE_LOG_DIR="/var/log/apache2_mod_evasive"
MOD_EVASIVE_LOG_DIR_BAK="${MOD_EVASIVE_LOG_DIR}/bak"

# ModSecurity for Apache 2
# The log directory mentioned in /etc/apache2/mods-available/security2.conf or /etc/modsecurity/modsecurity.conf
MOD_SECURITY_LOG_DIR="/var/log/apache2_mod_security"

# modules/modsecurity-whitelist-rule-generator.sh
MOD_SECURITY_ISSUES_PAGE="/issues.php"

# ModSecurity home directory
MOD_SECURITY_DIR="/etc/modsecurity"

# Used by:
# > Setup (process)
# > modules/modsecurity-whitelist-rule-generator.sh
# The directory of the OWASP ModSec CRS installation, mentioned during the setup process
MOD_SECURITY_CRS_DIR="${MOD_SECURITY_DIR}/coreruleset"

# modules/modsecurity-whitelist-rule-generator.sh
MOD_SECURITY_AUDIT_LOG="${MOD_SECURITY_LOG_DIR}/modsec_audit.log"
MOD_SECURITY_WHITELIST_FILE="${MOD_SECURITY_CRS_DIR}/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"

# modules/modsecurity-whitelist-rule-generator.sh
SECURITY_RULE_PARSE_METHOD="latest"	# Use the latest rule id in the file $MOD_SECURITY_WHITELIST_FILE as base for the new rule id
#SECURITY_RULE_PARSE_METHOD="greatest"	# Use the greatest rule id in the file $MOD_SECURITY_WHITELIST_FILE as base for the new rule id

# ModSecurity and ModEvasive whitelist configuration files
MOD_SECURITY_WWWSAS_CONF="${MOD_SECURITY_DIR}/wwwsas-rules.conf"
MOD_SECURITY_WWWSAS_WLST="${WORK_DIR}/confs/modsec.ip.white-list.conf"
MOD_EVASIVE_WWWSAS_CONF="/etc/apache2/mods-available/evasive.conf"

# Used by: > modules/flood-detector.sh
TCP_STATES=("SYN_RECV")
COMMON_CONNECTIONS_THRESHOLD="120"
SINGLE_CONNECTIONS_THRESHOLD="40"

# Used by: > modules/post-analyse.sh
POST_ANALYSE_LIMIT="50"

# Used by: > modules/geoip-update.sh
GEOLITE2_LEGACY_DIR="${MOD_SECURITY_DIR}/geolite2legacy"
GEOLITE2_DATA_DIR="${MOD_SECURITY_DIR}/geolite2data"


# --------------------------------
# Third priority: Script settings
# --------------------------------

# Set the list of the available Agents in tha Automatic mode
AGENTS=()

AGENT_MODSEC="ModSecurity"
AGENTS+=( "$AGENT_MODSEC" )
AGENT_FLOODT="FloodDetector"
AGENTS+=( "$AGENT_FLOODT" )
AGENT_MODEVS="ModEvasive"
AGENTS+=( "$AGENT_MODEVS" )
AGENT_GUARDI="Guardian"
AGENTS+=( "$AGENT_GUARDI" )
AGENT_A2ANLS="a2Analyst"
AGENTS+=( "$AGENT_A2ANLS" )
AGENT_PSTANL="PostAnalyse"
AGENTS+=( "$AGENT_PSTANL" )
AGENT_ADBIPP="AbuseIPDBPushPull"
AGENTS+=( "$AGENT_ADBIPP" )
AGENT_ISCRWL="IsCrawler"
AGENTS+=( "$AGENT_ISCRWL" )

# Common used strings within the (email) messages, usualy these are our custom shell commands located/linked under /usrl/local/bin
# Note the _FULL names are used in the next section.
WWW_SAS="wwwsas"
WWW_SAS_FULL="wwwsas"
WWW_SAS_EXEC="${WORK_DIR}/${WWW_SAS_FULL}.sh"

WWW_SAS_FLOOD_DETECTOR="wwwsas-flood-detector"
WWW_SAS_FLOOD_DETECTOR_FULL="flood-detector"
WWW_SAS_FLOOD_DETECTOR_EXEC="${WORK_DIR}/modules/${WWW_SAS_FLOOD_DETECTOR_FULL}.sh"

WWW_SAS_POST_ANALYSE="wwwsas-post-analyse"
WWW_SAS_POST_ANALYSE_FULL="post-analyse"
WWW_SAS_POST_ANALYSE_EXEC="${WORK_DIR}/modules/${WWW_SAS_POST_ANALYSE_FULL}.sh"

WWW_SAS_MOD_SECURITY_WLRG="wwwsas-modsec-whitelist-rg"
WWW_SAS_MOD_SECURITY_WLRG_FULL="modsecurity-whitelist-rule-generator"
WWW_SAS_MOD_SECURITY_WLRG_EXEC="${WORK_DIR}/modules/${WWW_SAS_MOD_SECURITY_WLRG_FULL}.sh"

WWW_SAS_ABUSEIPDB="wwwsas-abuseipdb"
WWW_SAS_ABUSEIPDB_FULL="abuseipdb-push-pull"
WWW_SAS_ABUSEIPDB_EXEC="${WORK_DIR}/modules/${WWW_SAS_ABUSEIPDB_FULL}.sh"

WWW_SAS_ISCRAWLER="wwwsas-is-crawler-ip"
WWW_SAS_ISCRAWLER_FULL="is-crawler-ip"
WWW_SAS_ISCRAWLER_EXEC="${WORK_DIR}/modules/${WWW_SAS_ISCRAWLER_FULL}.sh"

WWW_SAS_GEOIPUPDATE="wwwsas-geoip-update"
WWW_SAS_GEOIPUPDATE_FULL="geoip-update"
WWW_SAS_GEOIPUPDATE_EXEC="${WORK_DIR}/modules/${WWW_SAS_GEOIPUPDATE_FULL}.sh"

WWW_SAS_LOGROTATE="wwwsas-logrotate"
WWW_SAS_LOGROTATE_FULL="logrotate"
WWW_SAS_LOGROTATE_EXEC="${WORK_DIR}/modules/${WWW_SAS_LOGROTATE_FULL}.sh"

# Define a custom tmp directory "for files with short livecycle"
WWW_SAS_TMP="${WORK_DIR}/tmp"; [[ "$EUID" -eq 0 ]] && { mkdir -p "$WWW_SAS_TMP" && chown www-data "$WWW_SAS_TMP"; }

# Define a custom log directory "for files with long livecycle"
WWW_SAS_LOG="${WORK_DIR}/logs"; [[ "$EUID" -eq 0 ]] && { mkdir -p "$WWW_SAS_LOG" && chown www-data "$WWW_SAS_LOG"; }

# The file where will be kept the data about the IPs added to the WhiteList. In the white-list put at least your server's IP and localhost IP 127.0.0.1
WWW_SAS_WHITE_LIST="${WORK_DIR}/logs/white-list.log"

# The file where will be kept the data about the IPs added to the BanList
WWW_SAS_BAN_LIST="${WORK_DIR}/logs/black-list.log"

# The file where will be kept the data about the IPs removed from the BanList
WWW_SAS_BAN_CLEAR_LIST="${WORK_DIR}/logs/clear-list.log"

# The file where will be kept the data about the transgressions. Please be careful when manipulate this file manually
WWW_SAS_HISTORY="${WWW_SAS_LOG}/history.log"

# The execution log file used by the satellite scripts
WWW_SAS_EXEC_LOG="${WWW_SAS_TMP}/execution.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_EXEC_LOG" && chown www-data "$WWW_SAS_EXEC_LOG"; }

# Error log file used to log internal messages before send them by email
# USed by: > wwwsas.sh
WWW_SAS_ERROR_LOG="${WWW_SAS_TMP}/internal.msgs.error.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_ERROR_LOG" && chown www-data "$WWW_SAS_ERROR_LOG"; }

# This is a history of the Error logs
# Used by: > wwwsas-post-analyse.sh < > wwwsas.sh
WWW_SAS_ERROR_LOG_HISTORY="${WWW_SAS_TMP}/error.history.log"; [[ "$EUID" -eq 0 ]] && { touch "$WWW_SAS_ERROR_LOG_HISTORY" && chown www-data "$WWW_SAS_ERROR_LOG_HISTORY"; }

# The IPTables chain that is used by the script
WWW_SAS_IPTBL_CHAIN="WWWSAS"

# Here is used additional setup for iptables save/restore on reboot,
# https://www.cyberciti.biz/faq/iptables-read-and-block-ips-subnets-from-text-file/
WWW_SAS_IPTABLES_SAVE="${WORK_DIR}/firewall/iptables-save.sh"
WWW_SAS_IPTABLES_RESTORE="${WORK_DIR}/firewall/iptables-restore.sh"
WWW_SAS_IPSET_SAVE="${WORK_DIR}/firewall/ipset-save.sh"
WWW_SAS_IPSET_RESTORE="${WORK_DIR}/firewall/ipset-restore.sh"

# These files will be automatically deleted - see the bottom of the main script
EMAIL_BODY="${WWW_SAS_TMP}/${WWW_SAS_FULL}.mail.${RANDOM}"
EMAIL_BODY_PLAIN="${EMAIL_BODY}.plain"

# The style sheet of the HTML email
WWW_SAS_MAIL_STYLE_CSS="${WORK_DIR}/assets/email.css"

# Get the time coordinates of the event
TIME="$(date +%H:%M:%S)"
DATE="$(date +%Y-%m-%d)"

# Frequent used messages (same as the above)
USAGE="Usage: $WWW_SAS <IP> [ ModSecurity | ModEvasive 'notes' | Guardian | a2Analyst | FloodDetector 'notes' | PostAnalyse '#' ] or [ --DROP 'notes' | --CLEAR 'notes' | --ACCEPT 'notes' | --ACCEPT-CHAIN 'notes' | --ACCEPT-REMOVE ]"