v3.1

Meet Web application firewall!
2018-08-17 17:55:17 +06:00 · 2018-08-17 17:55:17 +06:00 · da77663484
parent f272ec4ca2
commit da77663484
9 changed files with 183 additions and 27 deletions
--- a/app/options.py
+++ b/app/options.py
@ -102,10 +102,20 @@ if form.getvalue('action_hap') is not None and serv is not None:
 		print("HAproxy was %s" % action)
 	else:
 		print("Bad config, check please")
-		
+	
 if form.getvalue('action_waf') is not None and serv is not None:
 	serv = form.getvalue('serv')
 	action = form.getvalue('action_waf')
 	commands = [ "sudo systemctl %s waf" % action ]
 	funct.ssh_command(serv, commands)		
 if act == "overview":
 	ovw.get_overview()
-
+	
 if act == "overviewwaf":
 	ovw.get_overviewWaf()
 if act == "overviewServers":
 	ovw.get_overviewServers()
@ -161,6 +171,7 @@ if serv is not None and act == "stats":
 if serv is not None and form.getvalue('rows') is not None:
 	rows = form.getvalue('rows')
 	waf = form.getvalue('waf')
 	grep = form.getvalue('grep')
 	hour = form.getvalue('hour')
 	minut = form.getvalue('minut')
@ -179,11 +190,15 @@ if serv is not None and form.getvalue('rows') is not None:
 	if syslog_server_enable is None or syslog_server_enable == "0":
 		local_path_logs = sql.get_setting('local_path_logs')
 		syslog_server = serv	
-		commands = [ "sudo cat %s| awk '$3>\"%s:00\" && $3<\"%s:00\"' |tail -%s  %s %s" % (local_path_logs, date, date1, rows, grep_act, grep) ]	
+		commands = [ "sudo cat %s| awk '$3>\"%s:00\" && $3<\"%s:00\"' |tail -%s  %s %s" % (local_path_logs, date, date1, rows, grep_act, grep) ]		
 	else:
 		commands = [ "sudo cat /var/log/%s/syslog.log | sed '/ %s:00/,/ %s:00/! d' |tail -%s  %s %s" % (serv, date, date1, rows, grep_act, grep) ]
 		syslog_server = sql.get_setting('syslog_server')
-
+	
 	if waf == "1":
 		local_path_logs = '/var/log/modsec_audit.log'
 		commands = [ "sudo cat %s |tail -%s  %s %s" % (local_path_logs, rows, grep_act, grep) ]	
 	funct.ssh_command(syslog_server, commands, show_log="1")
 if serv is not None and form.getvalue('rows1') is not None:
--- a/app/ovw.py
+++ b/app/ovw.py
@ -28,14 +28,35 @@ def get_overview():
 	template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value))
 	print(template)	
 def get_overviewWaf():
 	import http.cookies
 	from jinja2 import Environment, FileSystemLoader
 	env = Environment(loader=FileSystemLoader('templates/ajax'))
 	template = env.get_template('overivewWaf.html')
 	cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE"))
 	user_id = cookie.get('uuid')
 	haproxy_dir  = sql.get_setting('haproxy_dir')
 	haproxy_sock_port = sql.get_setting('haproxy_sock_port')
 	listhap = sql.get_dick_permit()
 	commands = [ "ps ax |grep waf/bin/modsecurity |grep -v grep |wc -l" ]
 	commands1 = [ "cat %s/waf/modsecurity.conf  |grep SecRuleEngine |grep -v '#' |awk '{print $2}'" % haproxy_dir ]	
 	servers = []
 	for server in listhap:
 		server_status = ()
 		server_status = (server[1],server[2], funct.ssh_command(server[2], commands), funct.ssh_command(server[2], commands1))
 		servers.append(server_status)
 	template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value))
 	print(template)	
 def get_overviewServers():
 	import http.cookies
 	from jinja2 import Environment, FileSystemLoader
 	env = Environment(loader=FileSystemLoader('templates/ajax'))
 	template = env.get_template('overviewServers.html')
 	cookie = http.cookies.SimpleCookie(os.environ.get("HTTP_COOKIE"))
 	user_id = cookie.get('uuid')
 	haproxy_sock_port = sql.get_setting('haproxy_sock_port')
 	listhap = sql.get_dick_permit()
@ -58,7 +79,7 @@ def get_overviewServers():
 		server_status = (server[1],server[2], out1, funct.ssh_command(server[2], commands),funct.show_backends(server[2], ret=1))
 		servers.append(server_status)
-	template = template.render(service_status = servers, role = sql.get_user_role_by_uuid(user_id.value))
+	template = template.render(service_status = servers)
 	print(template)	
 def get_map(serv):
--- a/app/scripts/waf.sh
+++ b/app/scripts/waf.sh
@ -28,11 +28,14 @@ fi
 if [ -f $HAPROXY_PATH/waf/modsecurity.conf  ];then
 	echo -e 'error: Haproxy WAF already installed. You can edit config<a href="/app/config.py" title="Edit HAProxy config">here</a> <br /><br />'
 	exit 1
-fi
+fiif hash apt-get 2>/dev/null; then
-wget -O /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm http://rpmfind.net/linux/centos/7.5.1804/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm
+	sudo apt-get install yajl-dev libevent-dev httpd-dev libxml2-dev gcc curl-dev -y
-wget -O /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm
+else
-wget -O /tmp/modsecurity-2.9.2.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
+	wget -O /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm http://rpmfind.net/linux/centos/7.5.1804/os/x86_64/Packages/yajl-devel-2.0.4-4.el7.x86_64.rpm
-sudo yum install /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm  httpd-devel libxml2-devel gcc curl-devel -y
+	wget -O /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm http://mirror.centos.org/centos/7/os/x86_64/Packages/libevent-devel-2.0.21-4.el7.x86_64.rpm
 	wget -O /tmp/modsecurity-2.9.2.tar.gz https://www.modsecurity.org/tarball/2.9.2/modsecurity-2.9.2.tar.gz
 	sudo yum install /tmp/libevent-devel-2.0.21-4.el7.x86_64.rpm /tmp/yajl-devel-2.0.4-4.el7.x86_64.rpm  httpd-devel libxml2-devel gcc curl-devel -y
 if
 if [ $? -eq 1 ]; then
 	echo -e "Can't download waf application. Check Internet connection"
@ -119,6 +122,8 @@ sudo tar xf /tmp/owasp.tar.gz
 sudo mv /tmp/owasp-modsecurity-crs-2.2.9/modsecurity_crs_10_setup.conf.example  $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf 
 sudo mv /tmp/owasp-modsecurity-crs-2.2.9/*rules/* $HAPROXY_PATH/waf/rules/
 sudo sed -i 's/#SecAction/SecAction/' $HAPROXY_PATH/waf/rules/modsecurity_crs_10_setup.conf 
 sudo sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' $HAPROXY_PATH/waf/modsecurity.conf
 sudo sed -i 's/SecAuditLogParts ABIJDEFHZ/SecAuditLogParts ABIJDEH/' $HAPROXY_PATH/waf/modsecurity.conf
 sudo rm -f /tmp/owasp.tar.gz
 sudo bash -c cat << EOF > /etc/systemd/system/multi-user.target.wants/waf.service 
@ -144,7 +149,7 @@ if $programname startswith 'waf' then /var/log/waf.log
 & stop
 EOF
-sudo bash -c cat << EOF > $HAPROXY_PATH/spoe-modsecurity.conf
+sudo bash -c cat << EOF > $HAPROXY_PATH/waf.conf
 [modsecurity]
 spoe-agent modsecurity-agent
   messages check-request
@ -152,7 +157,7 @@ spoe-agent modsecurity-agent
   timeout hello      100ms
   timeout idle       30s
   timeout processing 15ms
-   use-backend spoe-modsecurity
+   use-backend waf
 spoe-message check-request
   args unique-id method path query req.ver req.hdrs_bin req.body_size req.body
@ -163,7 +168,7 @@ if sudo grep -q "backend spoe-modsecurity" $HAPROXY_PATH/haproxy.cfg; then
 else
 	sudo bash -c cat << EOF >> $HAPROXY_PATH/haproxy.cfg
-backend spoe-modsecurity
+backend waf
    mode tcp
    timeout connect 5s
    timeout server  3m
--- a/app/templates/ajax/overivewWaf.html
+++ b/app/templates/ajax/overivewWaf.html
@ -0,0 +1,35 @@
 {% for service in service_status %}
 	<tr class="{{ loop.cycle('odd', 'even') }}">
 		<td class="padding10 first-collumn">
 			<a href="#{{ service.0 }}" title="Go to {{ service.0 }} status" style="color: #000">{{ service.0 }}</a>
 		</td>
 		<td  class="second-collumn">
 		{% if service.2|int() >= 1 %}
 			<span class="serverUp"> UP</span> running {{service.2 }} processes
 		{% else %}
 			<span class="serverDown"> DOWN</span> running {{service.2 }} processes
 		{% endif %}
 		</td>
 		<td>
 		{% if role <= 1 %}
 			<a id="{{ service.1 }}" class="start-waf" title="Start WAF service">
 				<img src=/image/pic/start.png alt="start" class="icon">
 			</a>
 			<a id="{{ service.1 }}" class="stop-waf" title="Stop WAF service">
 				<img src=/image/pic/stop.png alt="start" class="icon">
 			</a>
 			<a id="{{ service.1 }}" class="restart-waf" title="Restart WAF service">
 				<img src=/image/pic/update.png alt="restart" class="icon">
 			</a>
 		{% endif %}
 		</td>
 		<td>
 			{% if service.3 %}
 				{{ service.3 }}
 			{%else %}
 				WAF not installed
 			{% endif %}
 		</td>
 		<td></td>
 	</tr>
 {% endfor %}
--- a/app/templates/logs.html
+++ b/app/templates/logs.html
@ -10,6 +10,7 @@
 				Server
 			{% endif %}
 		</td>
 		<td style="width: 5%;">WAF logs</td>
 		<td style="width: 10%;">Number rows</td>
 		<td class="padding10" style="width: 10%;">Ex for grep</td>
 		<td style="width: 10%;">
@ -44,6 +45,9 @@
 					{% endif %}
 				</select>
 		</td>
 		<td>
 			<label for="waf"></label><input type="checkbox" id="waf"> 
 		</td>
 		<td class="padding10" style="width: 10%;">
 			<input type="number" name="rows" id="rows" value="{{ rows }}" class="form-control" required>
 		</td> 
--- a/app/templates/ovw.html
+++ b/app/templates/ovw.html
@ -97,10 +97,7 @@
 		<td class="padding10 second-collumn">
 			HAproxy status
 		</td>
-		<td class="padding10">
+		<td class="padding10  third-collumn">
 			WAF status
 		</td>
 		<td class="padding10 second-collumn">
 			Action
 		</td>
 		<td class="padding10">
@ -112,6 +109,25 @@
 	</tr>
 <tbody id="ajaxstatus"></tbody>
 <table class="overview">
 	<tr class="overviewHead">
 		<td class="padding10 first-collumn">
 			Server
 		</td class="padding10 second-collumn">
 		<td class="padding10 second-collumn">
 			WAF status
 		</td>
 		<td class="padding10  third-collumn">
 			Action
 		</td>
 		<td class="padding10">
 			WAF mode
 		</td  class="padding10">
 		<td>
 			<a onclick="showOverviewWaf()" title="Refresh" style="float: right; margin-right: 25px;"><img  src="/image/pic/update.png" alt="restart" class="icon"></a>
 		</td>
 	</tr>
 <tbody id="ajaxwafstatus"></tbody>	
 </table>
 <table class="overview" >
 	<tr class="overviewHead">
--- a/image/haproxy-wi-overview.jpeg
+++ b/image/haproxy-wi-overview.jpeg
--- a/inc/overview.js
+++ b/inc/overview.js
@ -14,7 +14,29 @@ function ajaxActionServers(action, id) {
 					if( data ==  'Bad config, check please ' ) {
 						alert(data);
 					} else {
-						setTimeout(showOverview, 2000)
+						setTimeout(showOverview, 2000)					
 					}
 				},
 				error: function(){
 					alert(w.data_error);
 				}					
 			} );
 	}
 function ajaxActionWafServers(action, id) {
 		var bad_ans = 'Bad config, check please';
 		$.ajax( {
 				url: "options.py",
 				data: {
 					action_waf: action,
 					serv: id,
 					token: $('#token').val()
 				},
 				success: function( data ) {
 					data = data.replace(/\s+/g,' ');
 					if( data ==  'Bad config, check please ' ) {
 						alert(data);
 					} else {
 						setTimeout(showOverviewWaf, 2000)						
 					}
 				},
 				error: function(){
@ -22,19 +44,30 @@ function ajaxActionServers(action, id) {
 				}					
 			} );
 	}
 $( function() {
 	$('.start').click(function() {
 		var id = $(this).attr('id');
-		confirmAjaxAction("start", id);
+		confirmAjaxAction("start", "hap", id);
 	});
 	$('.stop').click(function() {
 		var id = $(this).attr('id');
-		confirmAjaxAction("stop", id);
+		confirmAjaxAction("stop", "hap", id);
 	});
 	$('.restart').click(function() {
 		var id = $(this).attr('id');
-		confirmAjaxAction("restart", id);
+		confirmAjaxAction("restart", "hap", id);
 	});
 	$('.start-waf').click(function() {
 		var id = $(this).attr('id');
 		confirmAjaxAction("start", "waf", id);
 	});
 	$('.stop-waf').click(function() {
 		var id = $(this).attr('id');
 		confirmAjaxAction("stop", "waf", id);
 	});
 	$('.restart-waf').click(function() {
 		var id = $(this).attr('id');
 		confirmAjaxAction("restart", "waf", id);
 	});
 	$( "#show-all-users" ).click( function() {
 		if($( "#show-all-users" ).text() == "Show all") {
@ -49,7 +82,7 @@ $( function() {
 	});
 	$('#secIntervals').css('display', 'none');
 });
-function confirmAjaxAction(action, id) {
+function confirmAjaxAction(action, service, id) {
 	$( "#dialog-confirm" ).dialog({
 		resizable: false,
 		height: "auto",
@ -58,8 +91,12 @@ function confirmAjaxAction(action, id) {
 		title: "Are you sure you want "+ action + " " + id + "?",
 		buttons: {
 			"Sure": function() {
-				$( this ).dialog( "close" );	
+				$( this ).dialog( "close" );
-				ajaxActionServers(action, id);
+				if(service == "hap") {
 					ajaxActionServers(action, id);
 				} else if (service == "waf") {
 					ajaxActionWafServers(action, id)
 				}
 			},
 			Cancel: function() {
 				$( this ).dialog( "close" );
--- a/inc/script.js
+++ b/inc/script.js
@ -140,6 +140,7 @@ $( document ).ajaxComplete(function( event, request, settings ) {
 function showOverview() {
 	showOverviewServers();
 	showOverviewWaf()
 	$.ajax( {
 		url: "options.py",
 		data: {
@ -150,6 +151,23 @@ function showOverview() {
 		success: function( data ) {
 			$("#ajaxstatus").empty();
 			$("#ajaxstatus").html(data);
 			$.getScript('/inc/overview.js');
 		}					
 	} );
 }
 function showOverviewWaf() {
 	showOverviewServers();
 	$.ajax( {
 		url: "options.py",
 		data: {
 			act: "overviewwaf",
 			token: $('#token').val()
 		},
 		type: "GET",
 		success: function( data ) {
 			$("#ajaxwafstatus").empty();
 			$("#ajaxwafstatus").html(data);
 			$.getScript('/inc/overview.js');
 		}					
 	} );
 }
@ -185,11 +203,16 @@ function showStats() {
 }
 function showLog() {
 	var waf = 0;
 	if ($('#waf').is(':checked')) {
 		waf = '1';
 	}
 	$.ajax( {
 		url: "options.py",
 		data: {
 			rows: $('#rows').val(),
 			serv: $("#serv").val(),
 			waf: waf,
 			grep: $("#grep").val(),
 			hour: $('#time_range_out_hour').val(),
 			minut: $('#time_range_out_minut').val(),