joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: joao.goncalves:93d0324426d1949287fdbdfd5519e21d4685adb2
Branches Tags
joao.goncalves:main
joao.goncalves:producao
joao.goncalves:antes-do-docker
..
compare: joao.goncalves:f81ac3aa731d0cd9e9ed394896b9ad01829cf1dd
Branches Tags
joao.goncalves:producao
joao.goncalves:antes-do-docker
joao.goncalves:main

No commits in common. "93d0324426d1949287fdbdfd5519e21d4685adb2" and "f81ac3aa731d0cd9e9ed394896b9ad01829cf1dd" have entirely different histories.
93d0324426 ... f81ac3aa73

6 changed files with 35 additions and 224 deletions
Show Stats Expand all files Collapse all files

35
README.md
View File

@ -73,31 +73,17 @@ O Pathfinder Proxy utiliza o **ModSecurity v3** compilado sob medida para o Ngin
- **Versão ModSec**: 3.0.14.
- **Regras**: OWASP Core Rule Set (CRS) v4.
- **Plugins**: Utiliza plugins oficiais do CRS para **Nextcloud** e **WordPress**, garantindo zero falsos positivos nessas plataformas.
- **CVE Hardening**: Regras específicas para vulnerabilidades críticas de 2024-2025:
- **WordPress**: Auth Bypass (Really Simple Security) e Plugin Installs maliciosos.
- **React/Metro**: Proteção contra RCE (React2Shell/Metro4Shell).
- **Servidores**: Mitigação de exploits em Nginx (IngressNightmare), Apache (Source Disclosure) e IIS.
- **Infra**: Bloqueio de exfiltração em PostgreSQL e bypass em FortiWeb/ScreenConnect.
- **Tuning**: Arquivo `modsec/app_specific_modsec_tuning.conf` centraliza exceções para UniFi, vCenter, Exchange, Zabbix e Veeam.
---
## 🧠 Motor de Segurança PSDE "Elite" (7-Vector Matrix)
## 🧠 Motor de Segurança PSDE (Pathfinder Security Engine)
Diferente de firewalls comuns, o Pathfinder utiliza uma **Matriz de Pontuação Combinatória** no `security_maps.conf` que analisa 7 vetores simultâneos:
1. **🛡️ Bot:** Bloqueio de 600+ user-agents maliciosos.
2. **🌐 URI:** Acesso a arquivos sensíveis e assinaturas de CVEs recentes.
3. **⚙️ Method:** Métodos HTTP perigosos (TRACE, DEBUG) em rotas críticas.
4. **🔥 Payload:** Inspeção profunda de `$args` (SQLi, XSS, RCE, Log4j).
5. **🌍 Geo:** Risco por país (CN, RU, KP, IR) via **GeoIP2**.
6. **🚦 Protocol:** Violações como User-Agents vazios ou falsificados.
7. **🔗 Referer:** 400+ domínios de spam e phishing bloqueados instantaneamente.
### 📈 Lógica de Decisão
- **Nivel 3 (ATAQUE_CRITICO)**: Payloads maliciosos, Referer Spam ou qualquer combinação de 3+ vetores.
- **Nivel 2 (RISCO_ALTO)**: Combinação de 2 vetores de risco (ex: Bot + Geo-Risco).
- **Nivel 1 (SUSPEITO)**: Detecção de sinais individuais.
Diferente de firewalls comuns, o Pathfinder usa o `security_maps.conf` para calcular um **Security Score** em tempo real baseado em:
- **Bad Bots:** Crawlers maliciosos e ferramentas de scan.
- **Suspicious URIs:** Tentativas de acesso a `.env`, `wp-admin`, `.git`, etc.
- **Methods:** Bloqueio de métodos HTTP incomuns em rotas sensíveis.
- **Risk Level:** Traduz o score em níveis (Limpo, Suspeito, Crítico) para os logs JSON.
---
@ -162,11 +148,8 @@ sudo nginx -t
sudo systemctl reload nginx
```
### Auditoria e Diagnósticos
O Pathfinder agora reporta a **razão exata** do bloqueio nos logs JSON:
`tail -f /var/log/nginx/access_json.log | jq -r '"[\(.risk_category)] -> \(.risk_reason) | \(.request)"'`
- **`risk_category`**: TAG curta para máquinas (LIMPO, SUSPEITO, RISCO_ALTO, ATAQUE_CRITICO).
- **`risk_reason`**: Motivo humano detalhado (ex: "COMBINACAO: Bot conhecido em local sensivel").
### Auditoria em Tempo Real
Para visualizar ataques bloqueados e o PSDE Scoring em formato amigável:
`tail -f /var/log/nginx/access_json.log | jq` (necessários logs JSON ativos e `jq` instalado).
---

11
nginx/nginx.conf
View File

@ -28,19 +28,10 @@ events {
}
http {
# modsecurity_rules_file /etc/nginx/modsec/main.conf;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# GeoIP2 Databases (Pathfinder-Ready)
geoip2 /usr/share/GeoIP/GeoLite2-Country.mmdb {
auto_reload 5m;
$geoip2_data_country_code default=XX country iso_code;
}
geoip2 /usr/share/GeoIP/GeoLite2-City.mmdb {
auto_reload 5m;
$geoip2_data_city_name default=Unknown city names en;
}
# Performance
sendfile on;
tcp_nopush on;

3
nginx/snippets/log_formats.conf
View File

@ -76,8 +76,7 @@ log_format detailed_proxy escape=json
'"is_bad_bot":"$is_bad_bot",'
'"is_suspicious_uri":"$is_suspicious_uri",'
'"block_request":"$block_request",'
'"risk_category":"$risk_category",'
'"risk_reason":"$risk_reason",'
'"risk_level":"$risk_level",'
'"security_score":"$security_score",'
'"is_internal_ip":"$is_internal",'

2
nginx/snippets/security_headers.conf
View File

@ -27,4 +27,4 @@ add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), usb=(),
# 6. Ofuscação de Servidor (Opcional - Requer módulo 'headers-more')
# Remove o nome 'nginx' totalmente do header Server.
more_clear_headers Server;
# more_clear_headers Server;

207
nginx/snippets/security_maps.conf
View File

@ -4,8 +4,6 @@
# Bad Bot Detection
map $http_user_agent $is_bad_bot {
default 0;
# --- Categorias Originais (Preservadas) ---
# Scanners, Exploracao e Reconhecimento de Rede (RECON)
"~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl|wget|python|php|perl|ruby|java)" 1;
"~*(Acunetix|Netsparker|AppScan|Zgrab|Masscan|OpenVAS|Scanbot|ZmEu|Morfeus|Jorgee|Havij|Nuclei|Tsunami)" 1;
@ -26,34 +24,6 @@ map $http_user_agent $is_bad_bot {
"~*(FacebookBot|Meta-ExternalAgent|meta-webindexer|Applebot-Extended|Amazonbot|Applebot)" 1;
"~*(PerplexityBot|Perplexity-User|Bytespider|CCBot|Diffbot|Cohere-Ai|DeepseekBot|Youbot)" 1;
"~*(Omgilibot|Omgili|webzio-extended|HuggingFace-Bot|Brightbot|FirecrawlAgent|Seekr|Sentibot)" 1;
# --- Mitchell Krog's Ultimate Bad Bot List (Update 2026) ---
# Bloco 01 - 01h4x to BacklinkCrawler
"~*(01h4x\.com|360Spider|404checker|404enemy|80legs|ADmantX|AIBOT|ALittle\ Client|ASPSeek|Abonti|Aboundex|Aboundexbot|AdsTxtCrawlerTP|AfD-Verbotsverfahren|Ai2Bot|AiHitBot|Aipbot|Alexibot|Aliyun|AliyunSecBot|AllSubmitter|Alligator|AlphaBot|Anarchie|Anarchy|Anarchy99|Ankit|Anthill|Apexoo|Aspiegel|Asterias|Atomseobot|Attach|AwarioBot|AwarioRssBot|AwarioSmartBot|BBBike|BDCbot|BDFetch|BackDoorBot|BackStreet|BackWeb|Backlink-Ceck|BacklinkCrawler)" 1;
# Bloco 02 - BacklinksExtendedBot to Craftbot
"~*(BacklinksExtendedBot|Badass|Bandit|Barkrowler|BatchFTP|Battleztar\ Bazinga|BetaBot|Bigfoot|Bitacle|BlackWidow|Black\ Hole|Blackboard|Blow|BlowFish|Boardreader|Bolt|BotALot|Brandprotect|Brandwatch|Buck|Buddy|BuiltBotTough|BuiltWith|Bullseye|BunnySlippers|BuzzSumo|CATExplorador|CODE87|CSHttp|Calculon|CazoodleBot|Cegbfeieh|CensysInspect|CheTeam|CheeseBot|CherryPicker|ChinaClaw|Chlooe|Citoid|Claritybot|Cliqzbot|Cloud\ mapping|Cocolyzebot|Cogentbot|Collector|Copier|CopyRightCheck|Copyscape|Cosmos|Craftbot)" 1;
# Bloco 03 - Crawling at Home to DnyzBot
"~*(Crawling\ at\ Home\ Project|CrazyWebCrawler|Crescent|CrunchBot|Curious|Custo|CyotekWebCopy|DBLBot|DIIbot|DSearch|DTS\ Agent|DataCha0s|DatabaseDriverMysqli|Demon|Deusu|Devil|Digincore|DigitalPebble|Disco|Discobot|Discoverybot|Dispatch|DittoSpyder|DnBCrawler-Analytics|DnyzBot)" 1;
# Bloco 04 - DomCopBot to Getintent
"~*(DomCopBot|DomainAppender|DomainCrawler|DomainSigmaCrawler|DomainStatsBot|Domains\ Project|Download\ Wonder|Dragonfly|Drip|ECCP/1\.0|EMail\ Siphon|EMail\ Wolf|EasyDL|Ebingbong|Ecxi|EirGrabber|EroCrawler|Evil|Exabot|Express\ WebPictures|ExtLinksBot|Extractor|ExtractorPro|Extreme\ Picture\ Finder|EyeNetIE|Ezooms|FDM|FHscan|FemtosearchBot|Firefox/7\.0|FlashGet|Flunky|Foobot|Freeuploader|FrontPage|Fuzz|FyberSpider|Fyrebot|G-i-g-a-b-o-t|GT::WWW|GalaxyBot|GeedoProductSearch|Genieo|GermCrawler|GetRight|GetWeb|Getintent)" 1;
# Bloco 05 - Gigabot to Information Security Team
"~*(Gigabot|Go!Zilla|Go-Ahead-Got-It|GoZilla|Gotit|GrabNet|Grabber|Grafula|GrapeFX|GrapeshotCrawler|GridBot|HEADMasterSEO|HMView|HTMLparser|HTTP::Lite|Haansoft|HaosouSpider|Harvest|Heritrix|Hloader|HonoluluBot|Humanlinks|HybridBot|IDBTE4M|IDBot|IRLbot|Iblog|Id-search|IlseBot|Image\ Fetch|Image\ Sucker|ImagesiftBot|IndeedBot|Indy\ Library|InfoNaviRobot|InfoTekies|Information\ Security\ Team\ InfraSec\ Scanner|InfraSec\ Scanner)" 1;
# Bloco 06 - Intelliseek to MarkWatch
"~*(Intelliseek|InterGET|InternetMeasurement|InternetSeer|Internet\ Ninja|Iria|Iskanie|IstellaBot|JOC\ Web\ Spider|JamesBOT|Jbrofuzz|JennyBot|JetCar|Jetty|JikeSpider|Joomla|JustView|Jyxobot|Kenjin\ Spider|Keybot\ Translation-Search-Machine|Keyword\ Density|Kinza|Kozmosbot|LNSpiderguy|LWP::Simple|Lanshanbot|Larbin|Leap|LeechFTP|LeechGet|LexiBot|Lftp|LibWeb|Libwhisker|LieBaoFast|Lightspeedsystems|Likse|LinkScan|LinkWalker|Linkbot|LinkextractorPro|LinkpadBot|LinksManager|LinqiaMetadataDownloaderBot|LinqiaRSSBot|LinqiaScrapeBot|Lipperhey|Lipperhey\ Spider|Litemage_walker|Lmspider|Ltx71|MFC_Tear_Sample|MIDown\ tool|MIIxpc|MQQBrowser|MSFrontPage|MSIECrawler|MTRobot|Mag-Net|Magnet|Mail\.RU_Bot|Majestic-SEO|Majestic12|Majestic\ SEO|MarkMonitor|MarkWatch)" 1;
# Bloco 07 - Mass Downloader to OpenVAS
"~*(Mass\ Downloader|Mata\ Hari|MauiBot|Mb2345Browser|MeanPath\ Bot|Mediatoolkitbot|MegaIndex\.ru|Metauri|MicroMessenger|Microsoft\ Data\ Access|Microsoft\ URL\ Control|Minefield|Mister\ PiX|Moblie\ Safari|Mojeek|Mojolicious|MolokaiBot|Mozlila|Mr\.4x3|Msrabot|Musobot|NICErsPRO|NPbot|Name\ Intelligence|Nameprotect|Navroad|NearSite|Needle|NetAnts|NetLyzer|NetMechanic|NetSpider|NetZIP|Net\ Vampire|Netcraft|Nettrack|Netvibes|NextGenSearchBot|Nibbler|Niki-bot|NimbleCrawler|Nimbostratus|Ninja|Nutch|Octopus|OnCrawl|OpenLinkProfiler)" 1;
# Bloco 08 - Openfind to Rankivabot
"~*(Openfind|Openvas|OrangeBot|OrangeSpider|OutclicksBot|OutfoxBot|PECL::HTTP|PHPCrawl|POE-Component-Client-HTTP|PageAnalyzer|PageGrabber|PageScorer|PageThing\.com|Page\ Analyzer|Pandalytics|Panscient|Papa\ Foto|Pavuk|PeoplePal|Petalbot|Pi-Monster|Picscout|Picsearch|PictureFinder|Piepmatz|Pimonster|Pixray|PleaseCrawl|Pockey|ProPowerBot|ProWebWalker|Probethenet|Proximic|Psbot|Pu_iN|Pump|PxBroker|PyCurl|QueryN\ Metasearch|Quick-Crawler|RSSingBot|Rainbot|RankActive|RankActiveLinkBot|RankFlex|RankingBot|RankingBot2|Rankivabot)" 1;
# Bloco 09 - RankurBot to ScrepyBot
"~*(RankurBot|Re-re|ReGet|RealDownload|Reaper|RebelMouse|Recorder|RedesScrapy|RepoMonkey|Ripper|RocketCrawler|Rogerbot|SBIder|SEOkicks|SEOkicks-Robot|SEOlyt|SEOlyticsCrawler|SEOprofiler|SISTRIX|SMTBot|SalesIntelligent|ScoutJet|ScreenerBot|ScrepyBot)" 1;
# Bloco 10 - Searchestate to SputnikBot
"~*(Searchestate|SearchmetricsBot|Seekport|SeekportBot|SemanticJuice|Semrush|SemrushBot-BA|SemrushBot-FT|SemrushBot-OCOB|SemrushBot-SI|SemrushBot-SWA|SenutoBot|SeoCherryBot|SeoSiteCheckup|SeobilityBot|Seomoz|Siphon|SiteAuditBot|SiteCheckerBotCrawler|SiteExplorer|SiteLockSpider|SiteSnagger|SiteSucker|Site\ Sucker|Sitebeam|Siteimprove|Sitevigil|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SocialRankIOBot|Sociscraper|Sogou\ web\ spider|Sosospider|Sottopop|SpaceBison|Spammen|SpankBot|Spanner|Spbot|Spider_Bot|Spider_Bot/3\.0|Spinn3r|SplitSignalBot|SputnikBot)" 1;
# Bloco 11 - Sqlworm to TurnitinBot
"~*(Sqlworm|Sqworm|Steeler|Stripper|Sucker|Sucuri|SuperBot|SuperHTTP|Surfbot|SurveyBot|Suzuran|Swiftbot|Szukacz|T0PHackTeam|T8Abot|Teleport|Telesoft|Telesphoreo|Telesphorep|TheNomad|The\ Intraformant|Thumbor|TightTwatBot|TinyTestBot|Titan|Toata|Toweyabot|Tracemyfile|Trendiction|Trendictionbot|True_Robot|Turingos|Turnitin|TurnitinBot)" 1;
# Bloco 12 - TwengaBot to WiseGuys Robot
"~*(TwengaBot|Twice|URLy\.Warning|URLy\ Warning|UnisterBot|Upflow|V-BOT|VB\ Project|VCI|Vacuum|Vagabondo|VelenPublicWebCrawler|VeriCiteCrawler|VidibleScraper|Virusdie|VoidEYE|Voil|Voltron|WASALive-Bot|WBSearchBot|WEBDAV|WISENutbot|WWW-Collector-E|WWW-Mechanize|WWW::Mechanize|WWWOFFLE|Wallpapers|Wallpapers/3\.0|WallpapersHD|WeSEE|WebAuto|WebBandit|WebCollage|WebCopier|WebEnhancer|WebFetch|WebFuck|WebGo\ IS|WebImageCollector|WebLeacher|WebPix|WebReaper|WebSauger|WebStripper|WebSucker|WebWhacker|WebZIP|Webalta|WebmasterWorldForumBot|Webshag|WebsiteExtractor|WebsiteQuester|Website\ Quester|Webster|Whack|Whacker|Whatweb|Who\.is\ Bot|Widow|WinHTTrack|WiseGuys\ Robot)" 1;
# Bloco 13 - Wonderbot to zgrab
"~*(Wonderbot|Woobot|Wotbox|Wprecon|Xaldon\ WebSpider|Xaldon_WebSpider|YaK|YoudaoBot|Zade|Zauba|Zermelo|Zeus|Zitebot|ZoomBot|ZumBot|ZyBorg|adscanner|allenai\.org|archive\.org_bot|arquivo-web-crawler|arquivo\.pt|autoemailspider|awario\.com|backlink-check|cah\.io\.community|check1\.exe|clark-crawler|coccocbot|cognitiveseo|com\.plumanalytics|crawl\.sogou\.com|crawler\.feedback|crawler4j|dataforseo\.com|dataprovider|demandbase-bot|domainsproject\.org|eCatch|evc-batch|everyfeed-spider|facebookscraper|gopher|imagesift\.com|instabid|internetVista\ monitor|ips-agent|isitwp\.com|iubenda-radar|l9scan|leakix|linkdexbot|linkfluence|lwp-request|lwp-trivial|magpie-crawler|mediawords|muhstik-scan|netEstate\ NE\ Crawler|oBot|omgili|openai|openai\.com|page\ scorer|pcBrowser|plumanalytics|polaris\ version|probe-image-size|ripz|s1z\.ru|satoristudio\.net|scalaj-http|scan\.lol|seobility|seocompany\.store|seoscanners|seostar|serpstatbot|sexsearcher|sitechecker\.pro|siteripz|sogouspider|sp_auditbot|spyfu|sysscan|tAkeOut|trendiction\.com|trendiction\.de|ubermetrics-technologies\.com|voyagerx\.com|webgains-bot|webmeup-crawler|webpros\.com|webprosbot|x09Mozilla|x22Mozilla|xpymep1\.exe|zauba\.io)" 1;
}
# Suspicious URI Detection (Bloqueio de Borda / Fast-Fail)
@ -66,30 +36,13 @@ map $request_uri $is_suspicious_uri {
"~*(docker-compose\.ya?ml|Dockerfile|kubernetes\.s?yaml)" 1;
# Arquivos de Configuracao, Credenciais e Segredos (Deep leaking)
"~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php|xmlrpc\.php)" 1;
"~*(\.env(\..+)?|\.git|\.aws|\.ssh|\.docker|\.config|config\.php|wp-config\.php)" 1;
"~*(composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|pnpm-lock\.yaml)" 1;
"~*(web\.config|appsettings\.json|settings\.py|local_settings\.py)" 1;
# Backups, Dumps e Arquivos Temporarios
"~*(\.(bak|old|orig|save|sql|db|sqlite|tar\.gz|zip|swp|rar|7z)$|/autobackup/)" 1;
# Wordpress Hardening & CMS Specifics
"~*/wp-content/uploads/.*\.php" 1; # Bloqueio de execução de PHP em uploads
"~*(/wp-includes/|/wp-content/plugins/.*\.txt|/wp-content/themes/.*\.txt)" 1;
# CVE-Specific Exploits (2024-2025)
"~*/reallysimplessl/v1/two_fa/skip_onboarding" 1; # CVE-2024-10924 (Auth Bypass)
"~*(/gutenkit/v1/install-active-plugin|/cleantalk-antispam/v1/perform)" 1; # CVE-2024-9234 / CVE-2024-10781
"~*(/open-url|/open-stack-frame)" 1; # CVE-2025-11953 (Metro4Shell)
"~*/api/fabric/device/status" 1; # CVE-2025-25257 (FortiWeb RCE)
"~*/SetupWizard\.aspx" 1; # CVE-2024-1709 (ScreenConnect Bypass)
# Server-Specific CVEs (Nginx/Apache/IIS)
"~*/AdmissionReview" 1; # CVE-2025-1974 (Ingress-Nginx)
"~*(/_vti_bin/|/MSOffice/|/WebDAV/)" 1; # IIS/WebDAV Probes
"~*/Cityworks/.*(Common|Config)/" 1; # CVE-2025-0994 (Cityworks on IIS)
"~*(\.php/.*AddType|RewriteRule.*\[E=)" 1; # CVE-2024-40725 (Apache Source Disclosure)
# Framework Debugging & Admin Endpoints (Fast-Fail)
"~*(/_ignition/|/_profiler/|/_telescope/|/actuator/|/eureka/|/api-docs)" 1;
"~*(/phpmyadmin|/wp-admin/setup-config\.php|/rails/info/properties)" 1;
@ -98,71 +51,6 @@ map $request_uri $is_suspicious_uri {
"~*(/shell\.php|/cmd\.php|/eval-stdin\.php|/xmlrpc\.php|/setup\.php|/install\.php)" 1;
}
# --- Pathfinder Deep Inspect Payload Map ---
# Detecta injeções e ataques vindos via Query String ($args)
map $args $is_malicious_payload {
default 0;
# 1. SQL Injection (Multi-DB: MySQL, Postgres, MSSQL)
"~*(SELECT|UNION|DROP|WHERE|INSERT|UPDATE|DELETE|benchmark|waitfor|delay|pg_sleep)" 1;
"~*(information_schema|pg_stat_activity|@@version|xp_cmdshell|load_file|MD5\()" 1;
"~*(lo_export|pg_read_file|lo_put)" 1; # CVE-2025-1094 (Postgres Exfiltration)
"~*(\-\-|%20\/\*|%23|\)%23)" 1; # Comentários e encerramentos de SQL
# 2. XSS & JS Injection (React/Modern Web)
"~*(script>|alert\(|onerror|window\.|javascript:|onmouseover|svg\s+onload|<body\s+onload)" 1;
"~*(dangerouslySetInnerHTML|eval\(|String\.fromCharCode|constructor\.prototype)" 1;
"~*(__proto__)" 1; # Prototype Pollution
# 3. NoSQL Injection (MongoDB/NoSQL Security)
"~*(\$gt|\$ne|\$where|\$regex|\$expr|\$exists|\$mod|\$all)" 1;
# 4. Advanced Exploits (Log4j, Shellshock, SSTP, Server-CVEs)
"~*\$\{jndi:(ldap|rmi|dns|nis|iiop|corba|nds|http)\}" 1; # Log4j / Log4Shell
"~*\(\)\s*\{\s*:\s*;\s*\}\s*;" 1; # Shellshock (CVE-2014-6271)
"~*(SSTP_DUPLEX_POST|sra_\{BA195980-CD49-458b-9E23-C84EE0ADCD75\})" 1; # SSTP Tunneling
"~*(ssl_engine|load_module|AdmissionReview)" 1; # CVE-2025-1974 Patterns
"~*(\.mp4\?.*(start|end|offset)=.*%.*%)" 1; # CVE-2024-7347 (Nginx MP4 DoS)
# 5. Path Traversal & LFI
"~*(\.\./|\.\.\\|/etc/passwd|/etc/shadow|boot\.ini|/windows/win\.ini)" 1;
# 6. PHP & Remote Execution / Binary Probes
"~*(<\?php|base64_decode|system\(|shell_exec|proc_open)" 1;
"~*(\\x00|\\x03|\\xE0|\\x83|\\xF8)" 1; # Binary probes / Buffer overflow patterns
}
# --- Pathfinder Extra Risk Vectors ---
# 1. Referer Spam Detection (Mitchell Krog's Bad Referrers)
map $http_referer $is_spam_referer {
default 0;
# Bloco 01 - 000free to acortarurl
"~*(000free\.us|007angels\.com|00author\.com|00go\.com|00it\.com|00webcams\.com|01apple\.com|03e\.info|03p\.info|08800\.top|0daymusic\.org|0lovespells0\.blogspot\.com|1-99seo\.com|1-free-share-buttons\.com|100dollars-seo\.com|101billion\.com|101lesbian\.xyz|123movies\.love|1kdailyprofit\.me|1millionusd\.xyz|1webmaster\.ml|acmebtn\.ml|acortarurl\.es)" 1;
# Bloco 02 - actionnooz to amanda-porn
"~*(actionnooz\.com|activepr\.ru|acunetix-referrer\.com|ad-words\.ru|adamoads\.com|adbetclickin\.pink|adcash\.com|adclickthru\.net|adconscious\.com|adf\.ly|adidas\.frwebs\.fr|admeasures\.com|admitad\.com|adnotbad\.com|adpremium\.org|adprotect\.net|adrunnr\.com|ads-cool\.pro|ads-seo\.men|ads\.gold|adsref\.men|adssafeprotected\.com|adtiger\.tk|adult-shop\.com\.ua|adultfriendfinder\.com|adultnet\.in|advokat-grodno\.by|advokateg\.xyz|adzpower\.com|aero2\.ru|affiliate-fr\.com|afslankpillen2017nl\.eu|agecheckadult\.com|aghanyna\.com|ahhjf\.com|aibolita\.com|aihelen\.net|akama\.com|alert-fdm\.xyz|alert\.scansafe\.net|alessandraleone\.com|alibestsale\.com|alienwheels\.de|alkoravto\.ru|all4invest\.ru|allfinweb\.com|allornamenti\.com|allwidewallpapers\.com|aloofly\.com|alot\.com|amanda-porn\.ga)" 1;
# Bloco 03 - amateurgalls to asdfg
"~*(amateurgalls\.com|amateurmatch\.com|amazingpic\.net|amazon-adsystem\.com|amazon-seo-service\.com|amehdaily\.com|amigobulls\.com|ample-awards-today\.us|amung\.us|anabolics\.shop|analnoeporno\.tv|analytics-ads\.xyz|ananas\-acresar\.tk|android-systems\.ru|angigreene\.com|angkortours\.vn|animalia-life\.club|animalrank\.com|animaltoplist\.com|animebox\.com\.ua|anjalika\.co\.in|anniemation\.com|anonymous-redirect\.com|anonymousfox\.co|anti-virus-removal\.info|anticrawler\.org|ap.senai\.br|apartmentratings\.com|apessay\.com|api\.stathat\.com|app-ready\.xyz|appearance-cool\.com|appfastplay\.com|appfixing\.space|appiq\.mobi|apple\.com-cleaner\.systems|applyneedy\.xyz|appmsr\.org|approved\.su|apps-analytics\.net|appsaurus\.com|appsecurityr\.com|aproposde\.com|apxeo\.info|arabsexxxtube\.com|arabseyes\.com|arcadeplayhouse\.com|architecturebest\.com|arclk\.net|arcteryxsale\.online|arewater\.com|arius\.tech|arkkivoltti\.net|arraty\.altervista\.org|articlesdirectoryme\.info|art picso\.com|aruplighting\.com|as5000\.com|ascat\.porn|asdfg\.pro)" 1;
# Bloco 04 - Originais e Famosos
"~*(semalt\.com|best-seo-offer\.com|buttons-for-website\.com|napaleon\.com|darodar\.com|hulfingtonpost\.com|ilovevitaly\.com|vpn-special\.com)" 1;
}
# 2. Protocol & Header Violations
map $http_user_agent $is_protocol_violation {
default 0;
"" 1; # User-Agent Vazio (Geralmente Malicioso)
"~*^.{0,5}$" 1; # User-Agent suspeitosamente curto
}
# 3. Geographic Risk (Requires GeoIP2 .mmdb files)
map $geoip2_data_country_code $is_high_risk_country {
default 0;
"CN" 1; # China
"RU" 1; # Russia
"KP" 1; # North Korea
"IR" 1; # Iran
}
# --- Pathfinder Security Decision Engine (PSDE) ---
# 1. Detecção de Métodos HTTP Incomuns/Perigosos
@ -171,74 +59,24 @@ map $request_method $is_suspicious_method {
~*(TRACE|TRACK|CONNECT|DEBUG) 1;
}
# 2. Security Scoring System (7-Vector Combinatorial Matrix)
# Ordem: [Bot][URI][Method][Payload][Geo][Protocol][Referer]
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer $security_score {
"0000000" 0; # Saudável
# --- BLOQUEIO CRÍTICO (Score 3) ---
"~*...1..." 3; # Qualquer Payload
"~*......1" 3; # Qualquer Referer Spam
"~*[1-9]{3,}" 3; # Qualquer 3 ou mais vetores em simultâneo (Regex para detectar 3 ou mais '1's)
"~*11[1-9]...." 3; # Bot + URI + Método
"~*11...[1-9]." 3; # Bot + URI + Protocolo
"~*1.1.1.." 3; # Bot + Método + Geo
# --- RISCO ALTO (Score 2 - Combinações de 2 Vetores) ---
"~*11....." 2; # Bot + URI
"~*1.1...." 2; # Bot + Método
"~*1...1.." 2; # Bot + Geo
"~*1....1." 2; # Bot + Protocolo
"~*.11...." 2; # URI + Método
"~*.1..1.." 2; # URI + Geo
"~*.1...1." 2; # URI + Protocolo
"~*..1.1.." 2; # Método + Geo
"~*..1..1." 2; # Método + Protocolo
"~*....11." 2; # Geo + Protocolo
# --- SUSPEITO (Score 1 - Vetores Individuais) ---
"~*1......" 1; # Apenas Bot
"~*.1....." 1; # Apenas URI
"~*..1...." 1; # Apenas Método
"~*....1.." 1; # Apenas Geo
"~*.....1." 1; # Apenas Protocolo
default 1;
# 2. Security Scoring System (Concatenado)
# Padrão: [Bot][URI][Method] -> Ex: "110" (Bot detectado + URI suspeita + Método normal)
map $is_bad_bot$is_suspicious_uri$is_suspicious_method $security_score {
"000" 0; # Tudo limpo
"100" 1; # Apenas Bot (Bloqueio Simples)
"010" 1; # Apenas URI Suspeita (Bloqueio Simples)
"110" 2; # Bot + URI Suspeita (Risco Alto)
"111" 3; # Bot + URI Suspeita + Método Malicioso (Ataque Crítico)
"001" 1; # Apenas Método Malicioso
default 1; # Por segurança, qualquer outra combinação bloqueia
}
# 3. Nível de Risco para Auditoria (Diagnóstico Descritivo JSON)
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer $risk_category {
"0000000" "LIMPO";
"~*...1..." "ATAQUE_CRITICO";
"~*......1" "ATAQUE_CRITICO";
"~*[1-9]{3,}" "ATAQUE_CRITICO"; # Combos triplos são críticos
"~*[1-9]{2}" "RISCO_ALTO"; # Combos duplos são risco alto
default "SUSPEITO";
}
map $is_bad_bot$is_suspicious_uri$is_suspicious_method$is_malicious_payload$is_high_risk_country$is_protocol_violation$is_spam_referer $risk_reason {
"0000000" "Trafego limpo";
# Prioridades de Ataque (Combos Triplos+)
"~*...1..." "ATAQUE_DIRETO: Payload Malicioso Detectado";
"~*......1" "ATAQUE_DIRETO: Origem de Referer Fraudulento";
"~*[1-9]{3,}" "ATAQUE_COORDENADO: Multiplos vetores de risco detectados";
# Combinações Duplas (Risco Alto)
"~*11....." "COMBINACAO: Bot conhecido em local sensivel";
"~*1...1.." "COMBINACAO: Bot em regiao de alto risco";
"~*.1..1.." "COMBINACAO: Acesso sensivel vindo de regiao de risco";
"~*....11." "COMBINACAO: Geo-risco com quebra de protocolo";
"~*[1-9]{2}" "COMBINACAO: Dois sinais de alerta detectados";
# Sinais Unitários (Suspeito)
"~*1......" "SUSPEITO: Bot conhecido (Scraper/Crawler)";
"~*.1....." "SUSPEITO: Acesso a URI restrita ou sensivel";
"~*..1...." "SUSPEITO: Metodo HTTP incomum";
"~*....1.." "SUSPEITO: Origem geografica de alto risco";
"~*.....1." "SUSPEITO: Violacao de protocolo (UA invalido)";
default "Atividade anomala detectada";
# 3. Nível de Risco para Auditoria (Verboso em Português)
map $security_score $risk_level {
0 "TRAFEGO_LIMPO_ACESSO_LEGITIMO";
1 "SUSPEITO_COMPORTAMENTO_ANOMALO";
2 "PERIGO_ALTO_RISCO_TENTATIVA_VAZAMENTO";
3 "ATAQUE_CRITICO_BLOQUEIO_DE_EXPLORACAO";
}
# 4. Decisão de Bloqueio Final
@ -252,12 +90,11 @@ map $security_score $block_request {
geo $is_internal {
default 0;
10.10.0.0/16 1; 10.11.0.0/16 1; 10.12.0.0/16 1; 172.16.0.0/16 1;
# Subnets Simplificadas (Agrupamento de IPs)
45.169.73.154/31 1; # .154 e .155
201.73.213.128/30 1; # .128 ate .131
177.74.160.16/29 1; # .16 ate .23
45.169.87.168/29 1; # .168 ate .175
45.169.73.155 1; 201.73.213.130 1; 177.74.160.17 1; 177.74.160.18 1;
177.74.160.19 1; 177.74.160.20 1; 177.74.160.21 1; 177.74.160.22 1;
177.74.160.23 1; 45.169.87.168 1; 45.169.87.169 1; 45.169.87.170 1;
45.169.87.171 1; 45.169.87.172 1; 45.169.87.173 1; 45.169.87.174 1;
45.169.87.175 1; 45.169.73.154 1; 201.73.213.129 1;
}
# --- modern Rate Limiting & Performance Maps ---

1
producao Submodule

@ -0,0 +1 @@
Subproject commit 78c3c82a69fc8f67de0d33aa2fe4d4912ada0877