mirror of
https://github.com/usmannasir/cyberpanel.git
synced 2026-01-15 20:12:06 +01:00
ff382f2d78
- Added new model `CatchAllEmail` to store catch-all email configurations per domain. - Implemented views for fetching, saving, and deleting catch-all email configurations, enhancing email management capabilities. - Updated URL routing to include endpoints for catch-all email operations. - Enhanced error handling and permission checks for email forwarding actions. These changes improve the flexibility and user experience of email management within CyberPanel.
804 lines
31 KiB
Python
804 lines
31 KiB
Python
import sys
|
|
sys.path.append('/usr/local/CyberCP')
|
|
from plogical import CyberCPLogFileWriter as logging
|
|
import subprocess
|
|
import shlex
|
|
import argparse
|
|
from plogical.virtualHostUtilities import virtualHostUtilities
|
|
import os
|
|
import tarfile
|
|
import shutil
|
|
from plogical.mailUtilities import mailUtilities
|
|
from plogical.processUtilities import ProcessUtilities
|
|
from plogical.installUtilities import installUtilities
|
|
|
|
class modSec:
|
|
|
|
installLogPath = "/home/cyberpanel/modSecInstallLog"
|
|
tempRulesFile = "/home/cyberpanel/tempModSecRules"
|
|
mirrorPath = "cyberpanel.net"
|
|
|
|
# Compatible ModSecurity binaries (built against custom OLS headers)
|
|
# These prevent ABI incompatibility crashes (Signal 11/SIGSEGV)
|
|
MODSEC_COMPATIBLE = {
|
|
'rhel8': {
|
|
'url': 'https://cyberpanel.net/mod_security-compatible-rhel8.so',
|
|
'sha256': 'bbbf003bdc7979b98f09b640dffe2cbbe5f855427f41319e4c121403c05837b2'
|
|
},
|
|
'rhel9': {
|
|
'url': 'https://cyberpanel.net/mod_security-compatible-rhel.so',
|
|
'sha256': '19deb2ffbaf1334cf4ce4d46d53f747a75b29e835bf5a01f91ebcc0c78e98629'
|
|
},
|
|
'ubuntu': {
|
|
'url': 'https://cyberpanel.net/mod_security-compatible-ubuntu.so',
|
|
'sha256': 'ed02c813136720bd4b9de5925f6e41bdc8392e494d7740d035479aaca6d1e0cd'
|
|
}
|
|
}
|
|
|
|
@staticmethod
|
|
def detectPlatform():
|
|
"""Detect OS platform for compatible binary selection"""
|
|
try:
|
|
# Check for Ubuntu/Debian
|
|
if os.path.exists('/etc/lsb-release'):
|
|
with open('/etc/lsb-release', 'r') as f:
|
|
content = f.read()
|
|
if 'Ubuntu' in content or 'ubuntu' in content:
|
|
return 'ubuntu'
|
|
|
|
# Check for Debian
|
|
if os.path.exists('/etc/debian_version'):
|
|
return 'ubuntu' # Use Ubuntu binary for Debian
|
|
|
|
# Check for RHEL-based distributions
|
|
if os.path.exists('/etc/os-release'):
|
|
with open('/etc/os-release', 'r') as f:
|
|
content = f.read().lower()
|
|
|
|
# Check for version 8.x
|
|
if 'version="8.' in content or 'version_id="8' in content:
|
|
return 'rhel8'
|
|
|
|
# Check for version 9.x
|
|
if 'version="9.' in content or 'version_id="9' in content:
|
|
return 'rhel9'
|
|
|
|
return 'rhel9' # Default to rhel9
|
|
except:
|
|
return 'rhel9'
|
|
|
|
@staticmethod
|
|
def downloadCompatibleModSec(platform):
|
|
"""Download and install compatible ModSecurity binary"""
|
|
try:
|
|
config = modSec.MODSEC_COMPATIBLE.get(platform)
|
|
if not config:
|
|
logging.CyberCPLogFileWriter.writeToFile(f"No compatible ModSecurity for platform {platform}")
|
|
return False
|
|
|
|
modsec_path = "/usr/local/lsws/modules/mod_security.so"
|
|
tmp_path = "/tmp/mod_security-compatible.so"
|
|
|
|
# Download compatible binary
|
|
command = f"wget -q {config['url']} -O {tmp_path}"
|
|
result = subprocess.call(shlex.split(command))
|
|
if result != 0:
|
|
logging.CyberCPLogFileWriter.writeToFile("Failed to download compatible ModSecurity")
|
|
return False
|
|
|
|
# Verify checksum
|
|
import hashlib
|
|
sha256_hash = hashlib.sha256()
|
|
with open(tmp_path, "rb") as f:
|
|
for byte_block in iter(lambda: f.read(4096), b""):
|
|
sha256_hash.update(byte_block)
|
|
actual_sha256 = sha256_hash.hexdigest()
|
|
|
|
if actual_sha256 != config['sha256']:
|
|
logging.CyberCPLogFileWriter.writeToFile(f"ModSecurity checksum mismatch: expected {config['sha256']}, got {actual_sha256}")
|
|
os.remove(tmp_path)
|
|
return False
|
|
|
|
# Backup original if exists
|
|
if os.path.exists(modsec_path):
|
|
shutil.copy2(modsec_path, f"{modsec_path}.stock")
|
|
|
|
# Install compatible version
|
|
shutil.move(tmp_path, modsec_path)
|
|
os.chmod(modsec_path, 0o644)
|
|
|
|
logging.CyberCPLogFileWriter.writeToFile("Installed compatible ModSecurity binary")
|
|
return True
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(str(msg) + " [downloadCompatibleModSec]")
|
|
return False
|
|
|
|
@staticmethod
|
|
def installModSec():
|
|
try:
|
|
|
|
mailUtilities.checkHome()
|
|
|
|
if ProcessUtilities.decideDistro() == ProcessUtilities.centos or ProcessUtilities.decideDistro() == ProcessUtilities.cent8:
|
|
command = 'sudo yum install ols-modsecurity -y'
|
|
else:
|
|
command = 'sudo DEBIAN_FRONTEND=noninteractive apt-get install ols-modsecurity -y'
|
|
|
|
cmd = shlex.split(command)
|
|
|
|
with open(modSec.installLogPath, 'w') as f:
|
|
res = subprocess.call(cmd, stdout=f)
|
|
|
|
if res == 1:
|
|
writeToFile = open(modSec.installLogPath, 'a')
|
|
writeToFile.writelines("Can not be installed.[404]\n")
|
|
writeToFile.close()
|
|
logging.CyberCPLogFileWriter.writeToFile("[Could not Install]")
|
|
return 0
|
|
else:
|
|
writeToFile = open(modSec.installLogPath, 'a')
|
|
writeToFile.writelines("ModSecurity Installed.[200]\n")
|
|
writeToFile.close()
|
|
|
|
# Check if custom OLS binary is installed - if so, replace with compatible ModSecurity
|
|
custom_ols_marker = "/usr/local/lsws/modules/cyberpanel_ols.so"
|
|
if os.path.exists(custom_ols_marker):
|
|
writeToFile = open(modSec.installLogPath, 'a')
|
|
writeToFile.writelines("Custom OLS detected, installing compatible ModSecurity...\n")
|
|
writeToFile.close()
|
|
|
|
platform = modSec.detectPlatform()
|
|
if modSec.downloadCompatibleModSec(platform):
|
|
writeToFile = open(modSec.installLogPath, 'a')
|
|
writeToFile.writelines("Compatible ModSecurity installed successfully.\n")
|
|
writeToFile.close()
|
|
else:
|
|
writeToFile = open(modSec.installLogPath, 'a')
|
|
writeToFile.writelines("WARNING: Could not install compatible ModSecurity. May experience crashes.\n")
|
|
writeToFile.close()
|
|
|
|
return 1
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(str(msg) + "[installModSec]")
|
|
|
|
@staticmethod
|
|
def installModSecConfigs():
|
|
try:
|
|
## Try making a dir that will store ModSec configurations
|
|
path = os.path.join(virtualHostUtilities.Server_root,"conf/modsec")
|
|
try:
|
|
os.mkdir(path)
|
|
except:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
"ModSecurity rules directory already exists." + " [installModSecConfigs]")
|
|
|
|
initialConfigs = """
|
|
module mod_security {
|
|
modsecurity on
|
|
modsecurity_rules `
|
|
SecDebugLogLevel 0
|
|
SecDebugLog /usr/local/lsws/logs/modsec.log
|
|
SecAuditEngine on
|
|
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
|
|
SecAuditLogParts AFH
|
|
SecAuditLogType Serial
|
|
SecAuditLog /usr/local/lsws/logs/auditmodsec.log
|
|
SecRuleEngine On
|
|
`
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/rules.conf
|
|
}
|
|
"""
|
|
|
|
confFile = os.path.join(virtualHostUtilities.Server_root,"conf/httpd_config.conf")
|
|
|
|
confData = open(confFile).readlines()
|
|
confData.reverse()
|
|
|
|
modSecConfigFlag = False
|
|
|
|
for items in confData:
|
|
if items.find('module mod_security') > -1:
|
|
modSecConfigFlag = True
|
|
break
|
|
|
|
if modSecConfigFlag == False:
|
|
conf = open(confFile,'a+')
|
|
conf.write(initialConfigs)
|
|
conf.close()
|
|
|
|
rulesFilePath = os.path.join(virtualHostUtilities.Server_root,"conf/modsec/rules.conf")
|
|
|
|
if not os.path.exists(rulesFilePath):
|
|
initialRules = """SecRule ARGS "\.\./" "t:normalisePathWin,id:99999,severity:4,msg:'Drive Access' ,log,auditlog,deny"
|
|
"""
|
|
rule = open(rulesFilePath,'a+')
|
|
rule.write(initialRules)
|
|
rule.close()
|
|
|
|
print("1,None")
|
|
return
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [installModSecConfigs]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def saveModSecConfigs(tempConfigPath):
|
|
try:
|
|
|
|
data = open(tempConfigPath).readlines()
|
|
os.remove(tempConfigPath)
|
|
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/httpd_config.conf")
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
|
|
if items.find('modsecurity ') > -1:
|
|
conf.writelines(data[0])
|
|
continue
|
|
elif items.find('SecAuditEngine ') > -1:
|
|
conf.writelines(data[1])
|
|
continue
|
|
elif items.find('SecRuleEngine ') > -1:
|
|
conf.writelines(data[2])
|
|
continue
|
|
elif items.find('SecDebugLogLevel') > -1:
|
|
conf.writelines(data[3])
|
|
continue
|
|
elif items.find('SecAuditLogRelevantStatus ') > -1:
|
|
conf.writelines(data[5])
|
|
continue
|
|
elif items.find('SecAuditLogParts ') > -1:
|
|
conf.writelines(data[4])
|
|
continue
|
|
elif items.find('SecAuditLogType ') > -1:
|
|
conf.writelines(data[6])
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
return
|
|
else:
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/modsec.conf")
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
|
|
if items.find('SecAuditEngine ') > -1:
|
|
conf.writelines(data[0])
|
|
continue
|
|
elif items.find('SecRuleEngine ') > -1:
|
|
conf.writelines(data[1])
|
|
continue
|
|
elif items.find('SecDebugLogLevel') > -1:
|
|
conf.writelines(data[2])
|
|
continue
|
|
elif items.find('SecAuditLogRelevantStatus ') > -1:
|
|
conf.writelines(data[4])
|
|
continue
|
|
elif items.find('SecAuditLogParts ') > -1:
|
|
conf.writelines(data[3])
|
|
continue
|
|
elif items.find('SecAuditLogType ') > -1:
|
|
conf.writelines(data[5])
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
return
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [saveModSecConfigs]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def saveModSecRules():
|
|
try:
|
|
rulesFile = open(modSec.tempRulesFile,'r')
|
|
data = rulesFile.read()
|
|
rulesFile.close()
|
|
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
rulesFilePath = os.path.join(virtualHostUtilities.Server_root, "conf/modsec/rules.conf")
|
|
else:
|
|
rulesFilePath = os.path.join(virtualHostUtilities.Server_root, "conf/rules.conf")
|
|
|
|
rulesFile = open(rulesFilePath,'w')
|
|
rulesFile.write(data)
|
|
rulesFile.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
return
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [saveModSecRules]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def setupComodoRules():
|
|
try:
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
pathTOOWASPFolder = os.path.join(virtualHostUtilities.Server_root, "conf/modsec/comodo")
|
|
extractLocation = os.path.join(virtualHostUtilities.Server_root, "conf/modsec")
|
|
|
|
if os.path.exists(pathTOOWASPFolder):
|
|
shutil.rmtree(pathTOOWASPFolder)
|
|
|
|
if os.path.exists('comodo.tar.gz'):
|
|
os.remove('comodo.tar.gz')
|
|
|
|
command = "wget https://" + modSec.mirrorPath + "/modsec/comodo.tar.gz"
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result == 1:
|
|
return 0
|
|
|
|
tar = tarfile.open('comodo.tar.gz')
|
|
tar.extractall(extractLocation)
|
|
tar.close()
|
|
|
|
return 1
|
|
else:
|
|
if os.path.exists('/usr/local/lsws/conf/comodo_litespeed'):
|
|
shutil.rmtree('/usr/local/lsws/conf/comodo_litespeed')
|
|
|
|
extractLocation = os.path.join(virtualHostUtilities.Server_root, "conf")
|
|
|
|
if os.path.exists('cpanel_litespeed_vendor'):
|
|
os.remove('cpanel_litespeed_vendor')
|
|
|
|
command = "wget https://waf.comodo.com/api/cpanel_litespeed_vendor"
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result == 1:
|
|
return 0
|
|
|
|
command = "unzip cpanel_litespeed_vendor -d " + extractLocation
|
|
subprocess.call(shlex.split(command))
|
|
|
|
return 1
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [setupComodoRules]")
|
|
return 0
|
|
|
|
@staticmethod
|
|
def installComodo():
|
|
try:
|
|
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
if modSec.setupComodoRules() == 0:
|
|
print('0, Unable to download Comodo Rules.')
|
|
return
|
|
|
|
owaspRulesConf = """modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/modsecurity.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/00_Init_Initialization.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/01_Init_AppsInitialization.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/02_Global_Generic.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/03_Global_Agents.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/04_Global_Domains.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/05_Global_Backdoor.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/06_XSS_XSS.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/07_Global_Other.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/08_Bruteforce_Bruteforce.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/09_HTTP_HTTP.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/10_HTTP_HTTPDoS.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/11_HTTP_Protocol.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/12_HTTP_Request.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/13_Outgoing_FilterGen.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/14_Outgoing_FilterASP.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/15_Outgoing_FilterPHP.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/16_Outgoing_FilterSQL.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/17_Outgoing_FilterOther.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/18_Outgoing_FilterInFrame.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/19_Outgoing_FiltersEnd.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/20_PHP_PHPGen.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/21_SQL_SQLi.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/22_Apps_Joomla.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/23_Apps_JComponent.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/24_Apps_WordPress.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/25_Apps_WPPlugin.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/26_Apps_WHMCS.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/27_Apps_Drupal.conf
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/comodo/28_Apps_OtherApps.conf
|
|
"""
|
|
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/httpd_config.conf")
|
|
|
|
confData = open(confFile).readlines()
|
|
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('/usr/local/lsws/conf/modsec/rules.conf') > -1:
|
|
conf.write(owaspRulesConf)
|
|
conf.writelines(items)
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
print("1,None")
|
|
return
|
|
else:
|
|
if os.path.exists('/usr/local/lsws/conf/comodo_litespeed'):
|
|
shutil.rmtree('/usr/local/lsws/conf/comodo_litespeed')
|
|
|
|
extractLocation = os.path.join(virtualHostUtilities.Server_root, "conf")
|
|
|
|
if os.path.exists('cpanel_litespeed_vendor'):
|
|
os.remove('cpanel_litespeed_vendor')
|
|
|
|
command = "wget --no-check-certificate https://waf.comodo.com/api/cpanel_litespeed_vendor"
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result == 1:
|
|
return 0
|
|
|
|
command = "unzip cpanel_litespeed_vendor -d " + extractLocation
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
command = 'sudo chown -R lsadm:lsadm /usr/local/lsws/conf'
|
|
subprocess.call(shlex.split(command))
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
print("1,None")
|
|
return
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [installComodo]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def disableComodo():
|
|
try:
|
|
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/httpd_config.conf")
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('modsec/comodo') > -1:
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
|
|
else:
|
|
try:
|
|
shutil.rmtree('/usr/local/lsws/conf/comodo_litespeed')
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(str(msg) + ' [disableComodo]')
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
print("1,None")
|
|
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [disableComodo]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def setupOWASPRules():
|
|
try:
|
|
pathTOOWASPFolder = os.path.join(virtualHostUtilities.Server_root, "conf/modsec/owasp")
|
|
pathToOWASFolderNew = '%s/modsec/owasp-modsecurity-crs-4.18.0' % (virtualHostUtilities.vhostConfPath)
|
|
|
|
command = 'mkdir -p /usr/local/lsws/conf/modsec'
|
|
result = subprocess.call(shlex.split(command))
|
|
if result != 0:
|
|
logging.CyberCPLogFileWriter.writeToFile("Failed to create modsec directory: " + str(result) + " [setupOWASPRules]")
|
|
return 0
|
|
|
|
if os.path.exists(pathToOWASFolderNew):
|
|
shutil.rmtree(pathToOWASFolderNew)
|
|
|
|
if os.path.exists(pathTOOWASPFolder):
|
|
shutil.rmtree(pathTOOWASPFolder)
|
|
|
|
if os.path.exists('owasp.tar.gz'):
|
|
os.remove('owasp.tar.gz')
|
|
|
|
# Clean up any existing zip file
|
|
if os.path.exists('/usr/local/lsws/conf/modsec/owasp.zip'):
|
|
os.remove('/usr/local/lsws/conf/modsec/owasp.zip')
|
|
|
|
command = "wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v4.18.0.zip -O /usr/local/lsws/conf/modsec/owasp.zip"
|
|
logging.CyberCPLogFileWriter.writeToFile("Downloading OWASP rules: " + command + " [setupOWASPRules]")
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
logging.CyberCPLogFileWriter.writeToFile("Failed to download OWASP rules: " + str(result) + " [setupOWASPRules]")
|
|
return 0
|
|
|
|
command = "unzip -o /usr/local/lsws/conf/modsec/owasp.zip -d /usr/local/lsws/conf/modsec/"
|
|
logging.CyberCPLogFileWriter.writeToFile("Extracting OWASP rules: " + command + " [setupOWASPRules]")
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
logging.CyberCPLogFileWriter.writeToFile("Failed to extract OWASP rules: " + str(result) + " [setupOWASPRules]")
|
|
return 0
|
|
|
|
command = 'mv /usr/local/lsws/conf/modsec/coreruleset-4.18.0 /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-4.18.0'
|
|
logging.CyberCPLogFileWriter.writeToFile("Moving OWASP rules: " + command + " [setupOWASPRules]")
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
logging.CyberCPLogFileWriter.writeToFile("Failed to move OWASP rules: " + str(result) + " [setupOWASPRules]")
|
|
return 0
|
|
|
|
command = 'mv %s/crs-setup.conf.example %s/crs-setup.conf' % (pathToOWASFolderNew, pathToOWASFolderNew)
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
return 0
|
|
|
|
command = 'mv %s/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example %s/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf' % (pathToOWASFolderNew, pathToOWASFolderNew)
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
return 0
|
|
|
|
command = 'mv %s/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example %s/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf' % (
|
|
pathToOWASFolderNew, pathToOWASFolderNew)
|
|
result = subprocess.call(shlex.split(command))
|
|
|
|
if result != 0:
|
|
return 0
|
|
|
|
# CRS v4.0.0 uses a different structure - it has a main crs.conf file
|
|
content = """include {pathToOWASFolderNew}/crs.conf
|
|
"""
|
|
writeToFile = open('%s/owasp-master.conf' % (pathToOWASFolderNew), 'w')
|
|
writeToFile.write(content.replace('{pathToOWASFolderNew}', pathToOWASFolderNew))
|
|
writeToFile.close()
|
|
|
|
return 1
|
|
|
|
except BaseException as msg:
|
|
print(str(msg))
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [setupOWASPRules]")
|
|
return 0
|
|
|
|
@staticmethod
|
|
def installOWASP():
|
|
try:
|
|
if modSec.setupOWASPRules() == 0:
|
|
print('0, Unable to download OWASP Rules.')
|
|
return
|
|
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
owaspRulesConf = """
|
|
modsecurity_rules_file /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-4.18.0/owasp-master.conf
|
|
"""
|
|
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/httpd_config.conf")
|
|
|
|
confData = open(confFile).readlines()
|
|
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('/usr/local/lsws/conf/modsec/rules.conf') > -1:
|
|
conf.writelines(items)
|
|
conf.write(owaspRulesConf)
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
# Verify the installation
|
|
owaspPath = os.path.join(virtualHostUtilities.Server_root, "conf/modsec/owasp-modsecurity-crs-4.18.0")
|
|
if not os.path.exists(owaspPath) or not os.path.exists(os.path.join(owaspPath, "owasp-master.conf")):
|
|
logging.CyberCPLogFileWriter.writeToFile("OWASP installation verification failed - files not found [installOWASP]")
|
|
print("0, OWASP installation verification failed")
|
|
return
|
|
|
|
else:
|
|
confFile = os.path.join('/usr/local/lsws/conf/modsec.conf')
|
|
confData = open(confFile).readlines()
|
|
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('/conf/comodo_litespeed/') > -1:
|
|
conf.writelines(items)
|
|
conf.write('Include /usr/local/lsws/conf/modsec/owasp-modsecurity-crs-4.18.0/*.conf\n')
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
logging.CyberCPLogFileWriter.writeToFile("OWASP ModSecurity rules installed successfully [installOWASP]")
|
|
print("1,None")
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [installOWASP]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def disableOWASP():
|
|
try:
|
|
if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
confFile = os.path.join(virtualHostUtilities.Server_root, "conf/httpd_config.conf")
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('modsec/owasp') > -1:
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
else:
|
|
confFile = os.path.join("/usr/local/lsws/conf/modsec.conf")
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('modsec/owasp') > -1:
|
|
continue
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [disableOWASP]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def disableRuleFile(fileName, packName):
|
|
try:
|
|
|
|
confFile = os.path.join('/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf')
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('modsec/' + packName) > -1 and items.find(fileName) > -1:
|
|
conf.write("#" + items)
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [disableRuleFile]")
|
|
print("0," + str(msg))
|
|
|
|
@staticmethod
|
|
def enableRuleFile(fileName, packName):
|
|
try:
|
|
|
|
confFile = os.path.join('/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf')
|
|
confData = open(confFile).readlines()
|
|
conf = open(confFile, 'w')
|
|
|
|
for items in confData:
|
|
if items.find('modsec/' + packName) > -1 and items.find(fileName) > -1:
|
|
conf.write(items.lstrip('#'))
|
|
else:
|
|
conf.writelines(items)
|
|
|
|
conf.close()
|
|
|
|
# if ProcessUtilities.decideServer() == ProcessUtilities.OLS:
|
|
# confFile = os.path.join('/usr/local/lsws/conf/modsec/owasp-modsecurity-crs-3.0-master/owasp-master.conf')
|
|
# confData = open(confFile).readlines()
|
|
# conf = open(confFile, 'w')
|
|
#
|
|
# for items in confData:
|
|
# if items.find('modsec/' + packName) > -1 and items.find(fileName) > -1:
|
|
# conf.write(items.lstrip('#'))
|
|
# else:
|
|
# conf.writelines(items)
|
|
#
|
|
# conf.close()
|
|
# else:
|
|
# path = '/usr/local/lsws/conf/comodo_litespeed/'
|
|
# completePath = path + fileName
|
|
# completePathBak = path + fileName + '.bak'
|
|
#
|
|
# command = 'mv ' + completePathBak + ' ' + completePath
|
|
# ProcessUtilities.executioner(command)
|
|
|
|
installUtilities.reStartLiteSpeed()
|
|
|
|
print("1,None")
|
|
|
|
except BaseException as msg:
|
|
logging.CyberCPLogFileWriter.writeToFile(
|
|
str(msg) + " [enableRuleFile]")
|
|
print("0," + str(msg))
|
|
|
|
|
|
def main():
|
|
|
|
parser = argparse.ArgumentParser(description='CyberPanel Installer')
|
|
parser.add_argument('function', help='Specific a function to call!')
|
|
|
|
parser.add_argument('--tempConfigPath', help='Temporary path to configurations data!')
|
|
parser.add_argument('--packName', help='ModSecurity supplier name!')
|
|
parser.add_argument('--fileName', help='Filename to enable or disable!')
|
|
|
|
args = parser.parse_args()
|
|
|
|
if args.function == "installModSecConfigs":
|
|
modSec.installModSecConfigs()
|
|
elif args.function == "installModSec":
|
|
modSec.installModSec()
|
|
elif args.function == "saveModSecConfigs":
|
|
modSec.saveModSecConfigs(args.tempConfigPath)
|
|
elif args.function == "saveModSecRules":
|
|
modSec.saveModSecRules()
|
|
elif args.function == "setupOWASPRules":
|
|
modSec.setupOWASPRules()
|
|
elif args.function == "installOWASP":
|
|
modSec.installOWASP()
|
|
elif args.function == "disableOWASP":
|
|
modSec.disableOWASP()
|
|
elif args.function == "setupComodoRules":
|
|
modSec.setupComodoRules()
|
|
elif args.function == "installComodo":
|
|
modSec.installComodo()
|
|
elif args.function == "disableComodo":
|
|
modSec.disableComodo()
|
|
elif args.function == "disableRuleFile":
|
|
modSec.disableRuleFile(args.fileName, args.packName)
|
|
elif args.function == "enableRuleFile":
|
|
modSec.enableRuleFile(args.fileName, args.packName)
|
|
|
|
if __name__ == "__main__":
|
|
main()
|