Hardening: Integrate CVE 2025-2026 defenses (React2Shell, MadeYouReset, SolarWinds, Fortinet)
This commit is contained in:
parent
7af7fa0ec7
commit
b0b9485b1a
@ -57,6 +57,11 @@ http {
|
||||||
open_file_cache_min_uses 2;
|
open_file_cache_min_uses 2;
|
||||||
open_file_cache_errors on;
|
open_file_cache_errors on;
|
||||||
|
|
||||||
|
# --- HTTP/2 Hardening (CVE-2025-8671: MadeYouReset Mitigation) ---
|
||||||
|
http2_max_concurrent_streams 64;
|
||||||
|
http2_idle_timeout 3m;
|
||||||
|
keepalive_requests 500;
|
||||||
|
|
||||||
# 2. Conexões & Timeouts
|
# 2. Conexões & Timeouts
|
||||||
reset_timedout_connection on;
|
reset_timedout_connection on;
|
||||||
client_body_timeout 12s;
|
client_body_timeout 12s;
|
||||||
|
|
|
||||||
|
|
@ -77,25 +77,23 @@ map $request_uri $is_suspicious_uri {
|
||||||
"~*/wp-content/uploads/.*\.php" 1; # Bloqueio de execução de PHP em uploads
|
"~*/wp-content/uploads/.*\.php" 1; # Bloqueio de execução de PHP em uploads
|
||||||
"~*(/wp-includes/|/wp-content/plugins/.*\.txt|/wp-content/themes/.*\.txt)" 1;
|
"~*(/wp-includes/|/wp-content/plugins/.*\.txt|/wp-content/themes/.*\.txt)" 1;
|
||||||
|
|
||||||
# CVE-Specific Exploits (2024-2025)
|
# CVE-Specific Exploits (2024-2026)
|
||||||
"~*/reallysimplessl/v1/two_fa/skip_onboarding" 1; # CVE-2024-10924 (Auth Bypass)
|
"~*/reallysimplessl/v1/two_fa/skip_onboarding" 1; # CVE-2024-10924 (Auth Bypass)
|
||||||
"~*(/gutenkit/v1/install-active-plugin|/cleantalk-antispam/v1/perform)" 1; # CVE-2024-9234 / CVE-2024-10781
|
"~*(/gutenkit/v1/install-active-plugin|/cleantalk-antispam/v1/perform)" 1; # CVE-2024-9234 / CVE-2024-10781
|
||||||
"~*(/open-url|/open-stack-frame)" 1; # CVE-2025-11953 (Metro4Shell)
|
"~*(/open-url|/open-stack-frame)" 1; # CVE-2025-11953 (Metro4Shell)
|
||||||
"~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE)
|
"~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE - Legacy)
|
||||||
|
"~*/api/v2\.0/cmdb/system/admin" 1; # CVE-2025-64446 (FortiWeb Traversal)
|
||||||
|
"~*\/ajax\/" 1; # CVE-2025-40551 (SolarWinds Evasion)
|
||||||
"~*/SetupWizard\.aspx" 1; # CVE-2024-1709 (ScreenConnect Bypass)
|
"~*/SetupWizard\.aspx" 1; # CVE-2024-1709 (ScreenConnect Bypass)
|
||||||
|
"~*cgi-bin/fwbcgi" 1; # Fortinet CGI signature
|
||||||
|
"~*display=filestore.*&action=testconnection" 1; # CVE-2025-64328 (FreePBX)
|
||||||
|
|
||||||
# Server-Specific CVEs (Nginx/Apache/IIS)
|
# Server-Specific CVEs (Nginx/Apache/IIS)
|
||||||
"~*/AdmissionReview" 1; # CVE-2025-1974 (Ingress-Nginx)
|
"~*/AdmissionReview" 1; # CVE-2025-1974 (Ingress-Nginx)
|
||||||
"~*(/_vti_bin/|/MSOffice/|/WebDAV/)" 1; # IIS/WebDAV Probes
|
"~*(/_vti_bin/|/MSOffice/|/WebDAV/)" 1; # IIS/WebDAV Probes
|
||||||
"~*/Cityworks/.*(Common|Config)/" 1; # CVE-2025-0994 (Cityworks on IIS)
|
"~*/Cityworks/.*(Common|Config)/" 1; # CVE-2025-0994 (Cityworks on IIS)
|
||||||
"~*(\.php/.*AddType|RewriteRule.*\[E=)" 1; # CVE-2024-40725 (Apache Source Disclosure)
|
"~*(\.php/.*AddType|RewriteRule.*\[E=)" 1; # CVE-2024-40725 (Apache Source Disclosure)
|
||||||
|
"~*\.php$" 1; # General PHP probing (e.g. CVE-2025-0108 PAN-OS)
|
||||||
# Framework Debugging & Admin Endpoints (Fast-Fail)
|
|
||||||
"~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs)" 1;
|
|
||||||
"~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties)" 1;
|
|
||||||
|
|
||||||
# Webshells e Exploracao Ativa Conhecida
|
|
||||||
"~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php)" 1;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# --- Pathfinder Deep Inspect Payload Map ---
|
# --- Pathfinder Deep Inspect Payload Map ---
|
||||||
|
|
@ -127,8 +125,9 @@ map $args $is_malicious_payload {
|
||||||
# 5. Path Traversal & LFI
|
# 5. Path Traversal & LFI
|
||||||
"~*(\.\./|\.\.\\|/etc/passwd|/etc/shadow|boot\.ini|/windows/win\.ini)" 1;
|
"~*(\.\./|\.\.\\|/etc/passwd|/etc/shadow|boot\.ini|/windows/win\.ini)" 1;
|
||||||
|
|
||||||
# 6. PHP & Remote Execution / Binary Probes
|
# 6. PHP & Remote Execution / Binary Probes / Command Injection (n8n/SolarWinds/FreePBX)
|
||||||
"~*(<\?php|base64_decode|system\(|shell_exec|proc_open)" 1;
|
"~*(<\?php|base64_decode|system\(|shell_exec|proc_open|exec\()" 1;
|
||||||
|
"~*(child_process|spawn|eval\(|require\(|constructor|fs\.readFile|process\.env)" 1;
|
||||||
"~*(\\x00|\\x03|\\xE0|\\x83|\\xF8)" 1; # Binary probes / Buffer overflow patterns
|
"~*(\\x00|\\x03|\\xE0|\\x83|\\xF8)" 1; # Binary probes / Buffer overflow patterns
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -157,10 +156,26 @@ map $http_user_agent $is_protocol_violation {
|
||||||
# 3. Geographic Risk (Requires GeoIP2 .mmdb files)
|
# 3. Geographic Risk (Requires GeoIP2 .mmdb files)
|
||||||
map $geoip2_data_country_code $is_high_risk_country {
|
map $geoip2_data_country_code $is_high_risk_country {
|
||||||
default 0;
|
default 0;
|
||||||
"CN" 1; # China
|
"CU" 1; # Cuba
|
||||||
"RU" 1; # Russia
|
"SY" 1; # Syria
|
||||||
"KP" 1; # North Korea
|
}
|
||||||
"IR" 1; # Iran
|
|
||||||
|
# --- NOVO: Detecção de Cabeçalhos Suspeitos (CVE-2025-55182 / React2Shell) ---
|
||||||
|
map $http_next_action $react_attack_1 {
|
||||||
|
default 0;
|
||||||
|
"~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
|
||||||
|
"~*(child_process|exec|spawn|eval|require)" 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $http_rsc_action_id $react_attack_2 {
|
||||||
|
default 0;
|
||||||
|
"~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
|
||||||
|
"~*(child_process|exec|spawn|eval|require)" 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
map $react_attack_1$react_attack_2 $is_suspicious_header {
|
||||||
|
"00" 0;
|
||||||
|
default 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
# --- Pathfinder Security Decision Engine (PSDE) ---
|
# --- Pathfinder Security Decision Engine (PSDE) ---
|
||||||
|
|
@ -171,15 +186,16 @@ map $request_method $is_suspicious_method {
|
||||||
~*(TRACE|TRACK|CONNECT|DEBUG) 1;
|
~*(TRACE|TRACK|CONNECT|DEBUG) 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
# 2. Security Scoring System (7-Vector Combinatorial Matrix)
|
# 2. Security Scoring System (8-Vector Combinatorial Matrix)
|
||||||
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer]
|
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer][Header]
|
||||||
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer $security_score {
|
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer$is_suspicious_header $security_score {
|
||||||
"0000000" 0; # Saudável
|
"00000000" 0; # Saudável
|
||||||
|
|
||||||
# --- BLOQUEIO CRÍTICO (Score 3) ---
|
# --- BLOQUEIO CRÍTICO (Score 3) ---
|
||||||
"~*...1..." 3; # Qualquer Payload
|
"~*...1...." 3; # Qualquer Payload
|
||||||
"~*......1" 3; # Qualquer Referer Spam
|
"~*......1." 3; # Qualquer Referer Spam
|
||||||
"~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo (Regex para detectar 3 ou mais '1's)
|
"~*.......1" 3; # Qualquer Cabeçalho Malicioso (React2Shell/etc)
|
||||||
|
"~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo
|
||||||
"~*11[1-9]...." 3; # Bot + URI + Método
|
"~*11[1-9]...." 3; # Bot + URI + Método
|
||||||
"~*11...[1-9]." 3; # Bot + URI + Protocolo
|
"~*11...[1-9]." 3; # Bot + URI + Protocolo
|
||||||
"~*1.1.1.." 3; # Bot + Método + Geo
|
"~*1.1.1.." 3; # Bot + Método + Geo
|
||||||
|
|
|
||||||
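Review bot: The "three or more vectors" row in the scoring map, `"~*[1-9]{3,}" 3;`, only fires when the set vectors are adjacent in the key, so a combination such as `10100100` (bot + method + protocol) is caught neither by it nor by the explicit pairs visible in this hunk; a pattern that counts ones regardless of position, `"~*(1.*){3}" 3; # 3 ou mais vetores, adjacentes ou não`, matches what the comment promises. nginx map regexes are unanchored, so the trailing `....` in `"~*11[1-9]...."` adds nothing and the positional comments on these rows are only approximately true. The remainder of the scoring table continues outside the hunk, so a lower-score row there may already cover such combinations. Separately, in the URI map the new `"~*\.php$" 1;` entry marks every query-less request to a PHP endpoint (a WordPress login or admin-ajax POST, for example) as a suspicious URI, which inflates the score of ordinary traffic; the webshell and framework-debug rows it appears to replace named specific paths and could be kept alongside a narrower pattern.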