Hardening: Integrate CVE 2025-2026 defenses (React2Shell, MadeYouReset, SolarWinds, Fortinet)
This commit is contained in:
parent
7af7fa0ec7
commit
b0b9485b1a
@ -57,6 +57,11 @@ http {
|
|||
open_file_cache_min_uses 2;
|
||||
open_file_cache_errors on;
|
||||
|
||||
# --- HTTP/2 Hardening (CVE-2025-8671: MadeYouReset Mitigation) ---
|
||||
http2_max_concurrent_streams 64;
|
||||
http2_idle_timeout 3m;
|
||||
keepalive_requests 500;
|
||||
|
||||
# 2. Conexões & Timeouts
|
||||
reset_timedout_connection on;
|
||||
client_body_timeout 12s;
|
||||
|
|
|
|||
|
|
@ -77,25 +77,23 @@ map $request_uri $is_suspicious_uri {
|
|||
"~*/wp-content/uploads/.*\.php" 1; # Bloqueio de execução de PHP em uploads
|
||||
"~*(/wp-includes/|/wp-content/plugins/.*\.txt|/wp-content/themes/.*\.txt)" 1;
|
||||
|
||||
# CVE-Specific Exploits (2024-2025)
|
||||
# CVE-Specific Exploits (2024-2026)
|
||||
"~*/reallysimplessl/v1/two_fa/skip_onboarding" 1; # CVE-2024-10924 (Auth Bypass)
|
||||
"~*(/gutenkit/v1/install-active-plugin|/cleantalk-antispam/v1/perform)" 1; # CVE-2024-9234 / CVE-2024-10781
|
||||
"~*(/open-url|/open-stack-frame)" 1; # CVE-2025-11953 (Metro4Shell)
|
||||
"~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE)
|
||||
"~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE - Legacy)
|
||||
"~*/api/v2\.0/cmdb/system/admin" 1; # CVE-2025-64446 (FortiWeb Traversal)
|
||||
"~*\/ajax\/" 1; # CVE-2025-40551 (SolarWinds Evasion)
|
||||
"~*/SetupWizard\.aspx" 1; # CVE-2024-1709 (ScreenConnect Bypass)
|
||||
"~*cgi-bin/fwbcgi" 1; # Fortinet CGI signature
|
||||
"~*display=filestore.*&action=testconnection" 1; # CVE-2025-64328 (FreePBX)
|
||||
|
||||
# Server-Specific CVEs (Nginx/Apache/IIS)
|
||||
"~*/AdmissionReview" 1; # CVE-2025-1974 (Ingress-Nginx)
|
||||
"~*(/_vti_bin/|/MSOffice/|/WebDAV/)" 1; # IIS/WebDAV Probes
|
||||
"~*/Cityworks/.*(Common|Config)/" 1; # CVE-2025-0994 (Cityworks on IIS)
|
||||
"~*(\.php/.*AddType|RewriteRule.*\[E=)" 1; # CVE-2024-40725 (Apache Source Disclosure)
|
||||
|
||||
# Framework Debugging & Admin Endpoints (Fast-Fail)
|
||||
"~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs)" 1;
|
||||
"~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties)" 1;
|
||||
|
||||
# Webshells e Exploracao Ativa Conhecida
|
||||
"~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php)" 1;
|
||||
"~*\.php$" 1; # General PHP probing (e.g. CVE-2025-0108 PAN-OS)
|
||||
}
|
||||
|
||||
# --- Pathfinder Deep Inspect Payload Map ---
|
||||
|
|
@ -127,8 +125,9 @@ map $args $is_malicious_payload {
|
|||
# 5. Path Traversal & LFI
|
||||
"~*(\.\./|\.\.\\|/etc/passwd|/etc/shadow|boot\.ini|/windows/win\.ini)" 1;
|
||||
|
||||
# 6. PHP & Remote Execution / Binary Probes
|
||||
"~*(<\?php|base64_decode|system\(|shell_exec|proc_open)" 1;
|
||||
# 6. PHP & Remote Execution / Binary Probes / Command Injection (n8n/SolarWinds/FreePBX)
|
||||
"~*(<\?php|base64_decode|system\(|shell_exec|proc_open|exec\()" 1;
|
||||
"~*(child_process|spawn|eval\(|require\(|constructor|fs\.readFile|process\.env)" 1;
|
||||
"~*(\\x00|\\x03|\\xE0|\\x83|\\xF8)" 1; # Binary probes / Buffer overflow patterns
|
||||
}
|
||||
|
||||
|
|
@ -157,10 +156,26 @@ map $http_user_agent $is_protocol_violation {
|
|||
# 3. Geographic Risk (Requires GeoIP2 .mmdb files)
|
||||
map $geoip2_data_country_code $is_high_risk_country {
|
||||
default 0;
|
||||
"CN" 1; # China
|
||||
"RU" 1; # Russia
|
||||
"KP" 1; # North Korea
|
||||
"IR" 1; # Iran
|
||||
"CU" 1; # Cuba
|
||||
"SY" 1; # Syria
|
||||
}
|
||||
|
||||
# --- NOVO: Detecção de Cabeçalhos Suspeitos (CVE-2025-55182 / React2Shell) ---
|
||||
map $http_next_action $react_attack_1 {
|
||||
default 0;
|
||||
"~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
|
||||
"~*(child_process|exec|spawn|eval|require)" 1;
|
||||
}
|
||||
|
||||
map $http_rsc_action_id $react_attack_2 {
|
||||
default 0;
|
||||
"~*(`|\$|\(|\)|<|>|\{|}|;|\|)" 1;
|
||||
"~*(child_process|exec|spawn|eval|require)" 1;
|
||||
}
|
||||
|
||||
map $react_attack_1$react_attack_2 $is_suspicious_header {
|
||||
"00" 0;
|
||||
default 1;
|
||||
}
|
||||
|
||||
# --- Pathfinder Security Decision Engine (PSDE) ---
|
||||
|
|
@ -171,15 +186,16 @@ map $request_method $is_suspicious_method {
|
|||
~*(TRACE|TRACK|CONNECT|DEBUG) 1;
|
||||
}
|
||||
|
||||
# 2. Security Scoring System (7-Vector Combinatorial Matrix)
|
||||
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer]
|
||||
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer $security_score {
|
||||
"0000000" 0; # Saudável
|
||||
# 2. Security Scoring System (8-Vector Combinatorial Matrix)
|
||||
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer][Header]
|
||||
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer$is_suspicious_header $security_score {
|
||||
"00000000" 0; # Saudável
|
||||
|
||||
# --- BLOQUEIO CRÍTICO (Score 3) ---
|
||||
"~*...1..." 3; # Qualquer Payload
|
||||
"~*......1" 3; # Qualquer Referer Spam
|
||||
"~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo (Regex para detectar 3 ou mais '1's)
|
||||
"~*...1...." 3; # Qualquer Payload
|
||||
"~*......1." 3; # Qualquer Referer Spam
|
||||
"~*.......1" 3; # Qualquer Cabeçalho Malicioso (React2Shell/etc)
|
||||
"~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo
|
||||
"~*11[1-9]...." 3; # Bot + URI + Método
|
||||
"~*11...[1-9]." 3; # Bot + URI + Protocolo
|
||||
"~*1.1.1.." 3; # Bot + Método + Geo
|