import functools
import re
from defence360agent.subsys.panels.hosting_panel import HostingPanel
# ModSecurity ruleset variants accepted by MOD_SEC.ruleset in get_root_config().
MODSEC_RULESET_FULL = "FULL"
MODSEC_RULESET_MINIMAL = "MINIMAL"
# DOS detector bounds. The limit/interval fields in the DOS section are clamped
# up to these minima by not_less_than() during coercion, so a too-small value
# is raised to the floor rather than rejected.
_DOS_DETECTOR_DEFAULT_LIMIT = 250
_DOS_DETECTOR_MIN_LIMIT = 1
_DOS_DETECTOR_MIN_INTERVAL = 1
# Values accepted by FIREWALL.port_blocking_mode in get_root_config().
PORT_BLOCKING_MODE_DENY = "DENY"
PORT_BLOCKING_MODE_ALLOW = "ALLOW"
def not_less_than(minimum):
    """Return a callable that clamps its argument(s) up to ``minimum``.

    Used as a ``coerce`` step: ``not_less_than(1)(0) == 1`` and
    ``not_less_than(1)(5) == 5``. Extra positional arguments are folded in
    the same way ``max`` would fold them.
    """

    def clamp(*values):
        return max(minimum, *values)

    return clamp
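def coerce_sort_ports(value):
    """Normalise a list of port specs: ``":"`` ranges become ``"-"`` ranges,
    duplicates are dropped and the result is sorted by numeric port.

    Ordering is fully determined (start port, end port, then the literal
    spec), so two entries with the same start port — e.g. ``"80"`` and
    ``"80-90"`` — always come out in the same order. The previous key only
    looked at the start port, which left ties in set-iteration order and
    therefore varying between runs (string hashing is randomised per process).

    Entries whose start bound is not an integer raise ``ValueError`` here,
    exactly as before; the per-item ``check_with`` validator is expected to
    catch shape problems (presumably after coercion — confirm against the
    validator library in use).
    """

    def _sort_key(spec):
        start, _, end = spec.partition("-")
        # A malformed/missing end bound must not crash the sort; leave that
        # to the validator and just keep the ordering deterministic.
        end_key = int(end) if end.isdigit() else -1
        return (int(start), end_key, spec)

    normalised = {spec.replace(":", "-") for spec in value}
    return sorted(normalised, key=_sort_key)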
def get_default_ports(protocol, direction):
    """Look up the hosting panel's default open ports.

    ``protocol`` and ``direction`` index ``HostingPanel().OPEN_PORTS`` in that
    order (e.g. ``"tcp"``, ``"in"``); the call raises ``KeyError`` for an
    unknown combination, as the panel mapping defines it.
    """
    panel = HostingPanel()
    open_ports = panel.OPEN_PORTS
    return open_ports[protocol][direction]
def port_in_range(port):
    """Return True if ``port`` (an int or an int-like string) is a valid
    TCP/UDP port number, i.e. lies in 1..65535 inclusive.

    Non-integer input propagates ``ValueError``/``TypeError`` from ``int``.
    """
    number = int(port)
    return number in range(1, 65536)
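def validate_port_in_range(field, value, error):
    """``check_with`` hook: report an error unless ``value`` is a port in 1-65535.

    ``value`` may be an int or a numeric string (dict keys in the DOS
    ``port_limits`` sections are coerced to ``str`` before this runs).
    A value that is not an integer at all is now reported through ``error``
    instead of escaping as an uncaught ``ValueError``/``TypeError``, which
    would abort the whole config validation rather than flag the one field.
    The message also states the real lower bound: ``port_in_range`` rejects 0.
    """
    try:
        valid = port_in_range(value)
    except (TypeError, ValueError):
        valid = False
    if not valid:
        error(field, "Port should be within range 1-65535")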
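def validate_intable_string(field, value, error):
    """``check_with`` hook: report an error unless ``int(value)`` succeeds.

    Accepts anything ``int()`` accepts, so surrounding whitespace
    (``" 12 "``) and already-numeric values pass. ``None`` or other
    non-convertible types are reported through ``error`` rather than
    leaking a ``TypeError`` out of validation.
    """
    try:
        int(value)
    except (TypeError, ValueError):
        error(field, "Value should be int")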
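def _validate_is_port_or_range(field, value, error):
    """``check_with`` hook for one FIREWALL port entry.

    Accepts a single port (``"22"``) or an inclusive range whose bounds are
    joined by ``-`` or ``:`` (``"2-4"``, ``"2:4"``); every bound must lie in
    1-65535. Problems are reported through ``error``.

    Fixes over the previous version: the separator class ``[:|-]`` also
    accepted ``|``, so ``"2|4"`` passed validation; ``re.match`` with ``$``
    tolerated a trailing newline (``"22\\n"``); ``\\d`` matched non-ASCII
    digits; and a non-string value raised ``TypeError`` out of the validator.
    Inverted ranges (``"90-80"``) are still accepted — whether the firewall
    backend tolerates them is not visible here (NOTE(review): confirm).
    """
    malformed = "Port should be integer or range (2-4 or 2:4)"
    if not isinstance(value, str):
        error(field, malformed)
        return
    match = re.fullmatch(
        r"(?P<start>\d+)(?:[:-](?P<end>\d+))?", value, flags=re.ASCII
    )
    if match is None:
        error(field, malformed)
        return
    for bound in (match.group("start"), match.group("end")):
        # ``end`` is None for a single port; ``start`` is always present.
        if bound is not None and not port_in_range(bound):
            error(field, "Port should be within range 1-65535")
            return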
def list_of_ports(proto, direction):
    """Build the schema fragment for one FIREWALL port-list field.

    Items are strings validated by ``_validate_is_port_or_range``; the whole
    list is normalised by ``coerce_sort_ports`` and, when absent, defaults
    to the hosting panel's open ports for ``proto``/``direction``.
    """
    item_rules = {
        "type": "string",
        "check_with": _validate_is_port_or_range,
    }

    def _panel_defaults(_document):
        return get_default_ports(proto, direction)

    return {
        "type": "list",
        "schema": item_rules,
        "default_setter": _panel_defaults,
        "coerce": coerce_sort_ports,
    }
def proactive_defense_rules(proactive_defense):
    """``coerce`` hook for the PROACTIVE_DEFENCE section.

    When ``php_immunity`` is truthy it forces ``mode`` to ``"KILL"`` and
    ``blamer`` to ``True``, overriding whatever the user set. The dict is
    modified in place and returned.
    """
    if proactive_defense.get("php_immunity"):
        proactive_defense.update(mode="KILL", blamer=True)
    return proactive_defense
def files_update_disabled_types(files_update):
    """``coerce`` hook for the FILES_UPDATE section.

    On cPanel the ``disabled_types`` setting is not supported, so any value
    present is reset to an empty list. The hosting panel is only queried
    when the key is actually present. The dict is modified in place and
    returned.
    """
    if "disabled_types" not in files_update:
        return files_update
    if HostingPanel().NAME == "cPanel":
        files_update["disabled_types"] = []
    return files_update
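def get_root_config():
    """Return the validation schema (Cerberus-style rules) for the root config.

    Every top-level section is a ``dict`` with ``default: {}`` so a missing
    section is normalised to its field defaults. Port-valued fields are
    checked against 1-65535 (``validate_port_in_range`` /
    ``_validate_is_port_or_range``); the DOS limits are clamped up to
    ``_DOS_DETECTOR_MIN_LIMIT`` / ``_DOS_DETECTOR_MIN_INTERVAL`` by
    ``coerce`` before the ``min`` rule runs.

    Changes from the previous version: ``DOS.interval`` takes its ``min``
    from ``_DOS_DETECTOR_MIN_INTERVAL`` (the same constant its ``coerce``
    already clamps to); ``WEB_SERVICES.*_ports`` and ``SMTP_BLOCKING.ports``
    items are range-checked like the FIREWALL port lists.
    """
    return {
        "AUTO_WHITELIST": {
            "type": "dict",
            "schema": {
                "timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 70000,
                    "default": 1440,
                },
                "after_unblock_timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 70000,
                    "default": 1440,
                },
            },
            "default": {},
        },
        "NETWORK_INTERFACE": {
            "type": "dict",
            "schema": {
                "eth_device": {
                    "type": "string",
                    "default": None,
                    "nullable": True,
                },
                "eth6_device": {
                    "type": "string",
                    "default": None,
                    "nullable": True,
                },
                "eth_device_skip": {"type": "list", "default": []},
            },
            "default": {},
        },
        "FIREWALL": {
            "type": "dict",
            "default": {},
            "schema": {
                "unified_access_logger": {
                    "type": "boolean",
                    "default": True,
                },
                "port_blocking_mode": {
                    "type": "string",
                    "default": PORT_BLOCKING_MODE_ALLOW,
                    "allowed": [
                        PORT_BLOCKING_MODE_DENY,
                        PORT_BLOCKING_MODE_ALLOW,
                    ],
                },
                "block_port_scan": {
                    "type": "boolean",
                    "default": False,
                },
                "TCP_IN_IPv4": list_of_ports("tcp", "in"),
                "TCP_OUT_IPv4": list_of_ports("tcp", "out"),
                "UDP_IN_IPv4": list_of_ports("udp", "in"),
                "UDP_OUT_IPv4": list_of_ports("udp", "out"),
                # artifact from DEF-17989
                "internal_use_remote_iplist": {
                    "type": "boolean",
                    "default": False,
                },
            },
        },
        "DOS": {
            "type": "dict",
            "schema": {
                "default_limit": {
                    "type": "integer",
                    "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_LIMIT)),
                    "min": _DOS_DETECTOR_MIN_LIMIT,
                    "default": _DOS_DETECTOR_DEFAULT_LIMIT,
                },
                "interval": {
                    "type": "integer",
                    "coerce": (int, not_less_than(_DOS_DETECTOR_MIN_INTERVAL)),
                    # Same floor the coerce step clamps to; keep them in sync.
                    "min": _DOS_DETECTOR_MIN_INTERVAL,
                    "default": 30,
                },
                "port_limits": {
                    "type": "dict",
                    "keysrules": {
                        "type": "string",
                        "coerce": str,
                        "check_with": validate_port_in_range,
                    },
                    "valuesrules": {
                        "type": "integer",
                        "coerce": (
                            int,
                            not_less_than(_DOS_DETECTOR_MIN_LIMIT),
                        ),
                        "min": _DOS_DETECTOR_MIN_LIMIT,
                    },
                    "default": {},
                },
                "enabled": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
        "ENHANCED_DOS": {
            "type": "dict",
            "schema": {
                "enabled": {
                    "type": "boolean",
                    "default": False,
                },
                # NOTE(review): unlike DOS.interval/default_limit, these two
                # have no lower bound, so 0 or a negative value is accepted.
                # Whether 0 has a meaning for the enhanced detector is not
                # visible here — confirm before adding a "min".
                "timeframe": {
                    "type": "integer",
                    "coerce": int,
                    "default": 30,
                },
                "default_limit": {
                    "type": "integer",
                    "coerce": int,
                    "default": 250,
                },
                "port_limits": {
                    "type": "dict",
                    "keysrules": {
                        # Since JSON/YAML standard doesn't support integer
                        # for the dict keys, we have to make them strings
                        # and do a type casting as needed.
                        "type": "string",
                        "coerce": str,
                        "check_with": validate_port_in_range,
                    },
                    "valuesrules": {
                        "type": "integer",
                        "coerce": (
                            int,
                            not_less_than(_DOS_DETECTOR_MIN_LIMIT),
                        ),
                        "min": _DOS_DETECTOR_MIN_LIMIT,
                    },
                    "default": {},
                },
            },
            "default": {},
        },
        "MOD_SEC": {
            "type": "dict",
            "schema": {
                "app_specific_ruleset": {
                    "type": "boolean",
                    "default": True,
                },
                "ruleset": {
                    "type": "string",
                    "default": MODSEC_RULESET_FULL,
                    "allowed": [MODSEC_RULESET_MINIMAL, MODSEC_RULESET_FULL],
                },
                "cms_account_compromise_prevention": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
                "prev_settings": {
                    "type": "string",
                    "required": False,
                    "default": "",
                },
            },
            "default": {},
        },
        "MOD_SEC_BLOCK_BY_SEVERITY": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "default": True,
                },
                "max_incidents": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 2,
                },
                "check_period": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 120,
                },
                "severity_limit": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "max": 7,
                    "default": 2,
                },
                "denied_num_limit": {  # FIXME: Deprecated, must be removed.
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 2,
                },
            },
            "default": {},
        },
        "MOD_SEC_BLOCK_BY_CUSTOM_RULE": {
            "type": "dict",
            # Keys are ModSecurity rule ids, kept as strings for the same
            # JSON/YAML reason as the port_limits keys above.
            "keysrules": {
                "type": "string",
                "coerce": str,
                "check_with": validate_intable_string,
            },
            "valuesrules": {
                "type": "dict",
                "schema": {
                    "max_incidents": {
                        "type": "integer",
                        "coerce": int,
                        "min": 1,
                        "default": 2,
                    },
                    "check_period": {
                        "type": "integer",
                        "coerce": int,
                        "min": 1,
                        "default": 120,
                    },
                },
            },
            "default": {
                "33332": {"check_period": 120, "max_incidents": 10},
                "33339": {"check_period": 120, "max_incidents": 10},
            },
        },
        "INCIDENT_LOGGING": {
            "type": "dict",
            "schema": {
                "num_days": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 100,
                },
                "limit": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 100000,
                },
                "min_log_level": {
                    "type": "integer",
                    "coerce": int,
                    "min": 0,
                    "default": 4,
                },
                "ui_autorefresh_timeout": {
                    "type": "integer",
                    "coerce": int,
                    "min": 5,
                    "default": 10,
                },
            },
            "default": {},
        },
        "WEB_SERVICES": {
            "type": "dict",
            "schema": {
                # Port numbers are range-checked like the FIREWALL lists;
                # an out-of-range entry is flagged instead of passed on.
                "http_ports": {
                    "type": "list",
                    "schema": {
                        "type": "integer",
                        "check_with": validate_port_in_range,
                    },
                    "default": [],
                },
                "https_ports": {
                    "type": "list",
                    "schema": {
                        "type": "integer",
                        "check_with": validate_port_in_range,
                    },
                    "default": [],
                },
            },
            "default": {},
        },
        "CAPTCHA": {
            "type": "dict",
            "schema": {
                "cert_refresh_timeout": {"type": "integer", "default": 3600}
            },
            "default": {},
        },
        "CAPTCHA_DOS": {
            "type": "dict",
            "schema": {
                "enabled": {
                    "type": "boolean",
                    "default": True,
                },
                # NOTE(review): no "min" on the timings below, so 0 or a
                # negative value passes validation — confirm what the
                # consumer does with it before tightening.
                "time_frame": {
                    "type": "integer",
                    "default": 21600,
                },
                "max_count": {"type": "integer", "default": 100},
                "timeout": {"type": "integer", "default": 864000},
            },
            "default": {},
        },
        "BLOCKED_PORTS": {
            "type": "dict",
            "schema": {
                "default_mode": {
                    "type": "string",
                    "default": "allowed",
                    "allowed": ["allowed", "denied"],
                }
            },
            "default": {},
        },
        "STOP_MANAGING": {
            "type": "dict",
            "schema": {
                "modsec_directives": {
                    "type": "boolean",
                    "default": False,
                },
            },
            "default": {},
        },
        "PROACTIVE_DEFENCE": {
            "type": "dict",
            # dict() copies the section first so proactive_defense_rules
            # mutates the copy, not the caller's document.
            "coerce": (dict, proactive_defense_rules),
            "schema": {
                "mode": {
                    "type": "string",
                    "nullable": False,
                    "default": "LOG",
                    "allowed": ["DISABLED", "LOG", "KILL"],
                },
                "blamer": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "php_immunity": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "WEBSHIELD": {
            "type": "dict",
            "schema": {
                "enable": {"type": "boolean", "default": True},
                "known_proxies_support": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "captcha_site_key": {  # FIXME: Deprecated, must be removed.
                    "type": "string",
                    "nullable": True,
                    "readonly": True,
                },
                "captcha_secret_key": {  # FIXME: Deprecated, must be removed.
                    "type": "string",
                    "nullable": True,
                    "readonly": True,
                },
                "splash_screen": {
                    "type": "boolean",
                    "default": True,
                },
                "invisible_captcha": {  # FIXME: Deprecated, must be removed.
                    "type": "boolean",
                    "nullable": True,
                    "readonly": True,
                },
                "panel_protection": {
                    "type": "boolean",
                    "default": False,
                },
                # NOTE(review): no "allowed" list, so any string is accepted
                # here; the valid modes are not visible in this file.
                "mode": {
                    "type": "string",
                    "default": "proxy",
                },
            },
            "default": {},
        },
        "SCANLOGD": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "OSSEC": {
            "type": "dict",
            "schema": {
                "active_response": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                }
            },
            "default": {},
        },
        "CSF_INTEGRATION": {
            "type": "dict",
            "schema": {
                "catch_lfd_events": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                }
            },
            "default": {},
        },
        "PAM": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "exim_dovecot_protection": {
                    "type": "boolean",
                    "nullable": False,
                    "default": True,
                },
                "exim_dovecot_native": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
                "ftp_protection": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "KERNELCARE": {
            "type": "dict",
            "schema": {
                "edf": {
                    "type": "boolean",
                    "nullable": False,
                    "default": False,
                },
            },
            "default": {},
        },
        "SMTP_BLOCKING": {
            "type": "dict",
            "schema": {
                "enable": {
                    "type": "boolean",
                    "default": False,
                },
                "ports": {
                    "type": "list",
                    "schema": {
                        "type": "integer",
                        "coerce": int,
                        # Reject port numbers outside 1-65535 up front.
                        "check_with": validate_port_in_range,
                    },
                    "default": [25, 587, 465],
                },
                "allow_users": {
                    "type": "list",
                    "schema": {
                        "type": "string",
                    },
                    "default": [],
                },
                "allow_groups": {
                    "type": "list",
                    "schema": {
                        "type": "string",
                    },
                    "default": ["mail"],
                },
                "allow_local": {
                    "type": "boolean",
                    "default": False,
                },
                "redirect": {
                    "type": "boolean",
                    "default": False,
                },
            },
            "default": {},
        },
        "CONTROL_PANEL": {
            "type": "dict",
            "schema": {
                "compromised_user_password_reset": {
                    "type": "boolean",
                    "default": False,
                },
                "compromised_user_admin_notification": {
                    "type": "boolean",
                    "default": True,
                },
                # whether to install must use plugin
                "smart_advice_allowed": {
                    "type": "boolean",
                    "default": True,
                },
                # whether to allow advice notifications
                "advice_email_notification": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
        "PERMISSIONS": {
            "type": "dict",
            "schema": {
                "allow_local_rules_management": {
                    "type": "boolean",
                    "default": True,
                },
                "allow_local_ip_management": {
                    "type": "boolean",
                    "default": True,
                },
            },
            "default": {},
        },
        "FILES_UPDATE": {
            "type": "dict",
            # dict() copies first; files_update_disabled_types then clears
            # disabled_types on cPanel, where it is unsupported.
            "coerce": (dict, files_update_disabled_types),
            "schema": {
                "disabled_types": {
                    "type": "list",
                    "schema": {
                        "type": "string",
                        "allowed": [
                            "modsec-rules",
                        ],
                    },
                    "default": [],
                },
                "days_to_keep": {
                    "type": "integer",
                    "coerce": int,
                    "min": 1,
                    "default": 30,
                },
            },
            "default": {},
        },
    }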
def get_non_root_config():
    """Return the validation schema for a non-root (per-user) config.

    Only two sections are exposed. ``PROACTIVE_DEFENCE.mode`` and
    ``.blamer`` are nullable and default to ``None``; the CONTROL_PANEL
    advice flags are nullable and default to ``True``. Everything else
    (php_immunity, firewall, DOS, ...) is root-only — see get_root_config.
    """
    nullable_none = {"nullable": True, "default": None}
    proactive_defence_fields = {
        "mode": dict(
            nullable_none,
            type="string",
            allowed=["DISABLED", "LOG", "KILL"],
        ),
        "blamer": dict(nullable_none, type="boolean"),
    }

    advice_flag = {"type": "boolean", "default": True, "nullable": True}
    control_panel_fields = {
        # whether to install must use plugin
        "smart_advice_allowed": dict(advice_flag),
        # whether to allow advice notifications
        "advice_email_notification": dict(advice_flag),
    }

    def _section(fields):
        return {"type": "dict", "schema": fields, "default": {}}

    return {
        "PROACTIVE_DEFENCE": _section(proactive_defence_fields),
        "CONTROL_PANEL": _section(control_panel_fields),
    }