setec-web/modsecurity.py

"""
Command-builder module for managing ModSecurity WAF with OWASP CRS on Nginx.
Each function returns a bash command string for execution on a Linux VPS.
"""

MODSEC_CONF = "/etc/nginx/modsec/modsecurity.conf"
CRS_SETUP_CONF = "/etc/nginx/modsec/owasp-crs/crs-setup.conf"
CRS_RULES_DIR = "/etc/nginx/modsec/owasp-crs/rules"
MAIN_CONF = "/etc/nginx/modsec/main.conf"
EXCLUSIONS_CONF = "/etc/nginx/modsec/exclusions.conf"
AUDIT_LOG = "/var/log/modsec_audit.log"
DEBUG_LOG = "/var/log/modsecurity/modsec_debug.log"
CRS_DIR = "/etc/nginx/modsec/owasp-crs"


def status_cmd():
    """Check if modsecurity module is loaded in nginx, rules active, and SecRuleEngine setting."""
    return (
        "echo '=== Nginx ModSecurity Module ===' && "
        "nginx -V 2>&1 | grep -i modsecurity && "
        "echo '' && "
        "echo '=== SecRuleEngine Setting ===' && "
        f"grep -i 'SecRuleEngine' {MODSEC_CONF} 2>/dev/null || echo 'modsecurity.conf not found' && "
        "echo '' && "
        "echo '=== Active Rules ===' && "
        f"ls {CRS_RULES_DIR}/*.conf 2>/dev/null | wc -l && "
        "echo 'rule files loaded' && "
        "echo '' && "
        "echo '=== Nginx Config Test ===' && "
        "nginx -t 2>&1"
    )


def install_cmd():
    """Install libmodsecurity3, nginx module, download OWASP CRS, configure."""
    return (
        "apt-get update && "
        "apt-get install -y libmodsecurity3 libmodsecurity-dev libnginx-mod-http-modsecurity && "
        "mkdir -p /etc/nginx/modsec && "
        f"cd /etc/nginx/modsec && "
        "if [ ! -d owasp-crs ]; then "
        "git clone https://github.com/coreruleset/coreruleset.git owasp-crs; "
        "fi && "
        f"cp {CRS_DIR}/crs-setup.conf.example {CRS_SETUP_CONF} && "
        "cp /etc/modsecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf && "
        f"sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' {MODSEC_CONF} && "
        f"touch {EXCLUSIONS_CONF} && "
        f"cat > {MAIN_CONF} << 'MAINEOF'\n"
        f"Include {MODSEC_CONF}\n"
        f"Include {CRS_SETUP_CONF}\n"
        f"Include {CRS_RULES_DIR}/*.conf\n"
        f"Include {EXCLUSIONS_CONF}\n"
        "MAINEOF\n"
        "&& nginx -t && systemctl reload nginx"
    )


def enable_cmd():
    """Set SecRuleEngine On in modsecurity.conf."""
    return (
        f"sed -i 's/^SecRuleEngine .*/SecRuleEngine On/' {MODSEC_CONF} && "
        f"grep 'SecRuleEngine' {MODSEC_CONF} && "
        "nginx -t && systemctl reload nginx"
    )


def disable_cmd():
    """Set SecRuleEngine to DetectionOnly (log only, don't block)."""
    return (
        f"sed -i 's/^SecRuleEngine .*/SecRuleEngine DetectionOnly/' {MODSEC_CONF} && "
        f"grep 'SecRuleEngine' {MODSEC_CONF} && "
        "nginx -t && systemctl reload nginx"
    )


def audit_log_cmd(lines=50):
    """Tail the modsecurity audit log."""
    return f"tail -n {int(lines)} {AUDIT_LOG}"


def debug_log_cmd(lines=50):
    """Tail the modsecurity debug log."""
    return f"tail -n {int(lines)} {DEBUG_LOG}"


def rules_list_cmd():
    """List rule files in the OWASP CRS rules directory."""
    return f"ls -la {CRS_RULES_DIR}/*.conf 2>/dev/null"


def rule_disable_cmd(rule_id):
    """Add SecRuleRemoveById to the custom exclusion conf."""
    rid = str(int(rule_id))
    return (
        f"if grep -q 'SecRuleRemoveById {rid}' {EXCLUSIONS_CONF} 2>/dev/null; then "
        f"echo 'Rule {rid} is already disabled'; "
        "else "
        f"echo 'SecRuleRemoveById {rid}' >> {EXCLUSIONS_CONF} && "
        f"echo 'Disabled rule {rid}' && "
        "nginx -t && systemctl reload nginx; "
        "fi"
    )


def rule_enable_cmd(rule_id):
    """Remove a rule ID from the exclusion conf (re-enable it)."""
    rid = str(int(rule_id))
    return (
        f"if grep -q 'SecRuleRemoveById {rid}' {EXCLUSIONS_CONF} 2>/dev/null; then "
        f"sed -i '/SecRuleRemoveById {rid}/d' {EXCLUSIONS_CONF} && "
        f"echo 'Re-enabled rule {rid}' && "
        "nginx -t && systemctl reload nginx; "
        "else "
        f"echo 'Rule {rid} is not in exclusions'; "
        "fi"
    )


def exclusions_cmd():
    """Show current rule exclusions."""
    return (
        f"echo '=== Rule Exclusions ({EXCLUSIONS_CONF}) ===' && "
        f"cat {EXCLUSIONS_CONF} 2>/dev/null || echo 'No exclusions file found'"
    )


def crs_update_cmd():
    """Git pull in the OWASP CRS directory to update rules."""
    return (
        f"cd {CRS_DIR} && "
        "git pull && "
        "echo '' && echo '=== Updated CRS Rules ===' && "
        "nginx -t && systemctl reload nginx"
    )


def config_cmd():
    """Show modsecurity.conf."""
    return f"cat {MODSEC_CONF}"


def config_crs_cmd():
    """Show crs-setup.conf."""
    return f"cat {CRS_SETUP_CONF}"


def test_cmd():
    """Curl localhost with test XSS and SQLi payloads to verify WAF is working."""
    return (
        "echo '=== XSS Test ===' && "
        "curl -s -o /dev/null -w 'HTTP %{http_code}' "
        "'http://localhost/?q=<script>alert(1)</script>' && "
        "echo '' && "
        "echo '=== SQLi Test ===' && "
        "curl -s -o /dev/null -w 'HTTP %{http_code}' "
        "\"http://localhost/?id=1' OR '1'='1\" && "
        "echo '' && "
        "echo '=== Path Traversal Test ===' && "
        "curl -s -o /dev/null -w 'HTTP %{http_code}' "
        "'http://localhost/../../etc/passwd' && "
        "echo '' && "
        "echo '(403 = blocked by WAF, 200 = WAF not blocking)'"
    )


def nginx_status_cmd():
    """Check which nginx server blocks have modsecurity enabled."""
    return (
        "echo '=== Server Blocks with ModSecurity ===' && "
        "grep -rn 'modsecurity' /etc/nginx/sites-enabled/ /etc/nginx/conf.d/ 2>/dev/null || "
        "echo 'No modsecurity directives found in server blocks' && "
        "echo '' && "
        "echo '=== Nginx Module Status ===' && "
        "nginx -V 2>&1 | grep -io 'modsecurity[^ ]*' || echo 'ModSecurity module not found'"
    )


def uninstall_cmd():
    """Remove modsec configs and apt remove packages."""
    return (
        "echo 'Removing ModSecurity configuration...' && "
        "rm -rf /etc/nginx/modsec && "
        "apt-get remove -y libmodsecurity3 libmodsecurity-dev libnginx-mod-http-modsecurity && "
        "apt-get autoremove -y && "
        "echo 'Removed modsec configs and packages' && "
        "echo 'NOTE: Check nginx server blocks and remove modsecurity directives manually' && "
        "nginx -t && systemctl reload nginx"
    )
Initial commit — SETEC LABS Manager (Setec_CDM) Flask-based VPS management panel with SSH remote command execution. Includes E2E encrypted SSH tunnel (AES-256-GCM + Go agent), setup wizard, security hardening tools, DNS management, firewall configs, monitoring, backup, and .sec patch update system. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-13 12:39:02 -07:00			`"""`
			`Command-builder module for managing ModSecurity WAF with OWASP CRS on Nginx.`
			`Each function returns a bash command string for execution on a Linux VPS.`
			`"""`

			`MODSEC_CONF = "/etc/nginx/modsec/modsecurity.conf"`
			`CRS_SETUP_CONF = "/etc/nginx/modsec/owasp-crs/crs-setup.conf"`
			`CRS_RULES_DIR = "/etc/nginx/modsec/owasp-crs/rules"`
			`MAIN_CONF = "/etc/nginx/modsec/main.conf"`
			`EXCLUSIONS_CONF = "/etc/nginx/modsec/exclusions.conf"`
			`AUDIT_LOG = "/var/log/modsec_audit.log"`
			`DEBUG_LOG = "/var/log/modsecurity/modsec_debug.log"`
			`CRS_DIR = "/etc/nginx/modsec/owasp-crs"`


			`def status_cmd():`
			`"""Check if modsecurity module is loaded in nginx, rules active, and SecRuleEngine setting."""`
			`return (`
			`"echo '=== Nginx ModSecurity Module ===' && "`
			`"nginx -V 2>&1 \| grep -i modsecurity && "`
			`"echo '' && "`
			`"echo '=== SecRuleEngine Setting ===' && "`
			`f"grep -i 'SecRuleEngine' {MODSEC_CONF} 2>/dev/null \|\| echo 'modsecurity.conf not found' && "`
			`"echo '' && "`
			`"echo '=== Active Rules ===' && "`
			`f"ls {CRS_RULES_DIR}/*.conf 2>/dev/null \| wc -l && "`
			`"echo 'rule files loaded' && "`
			`"echo '' && "`
			`"echo '=== Nginx Config Test ===' && "`
			`"nginx -t 2>&1"`
			`)`


			`def install_cmd():`
			`"""Install libmodsecurity3, nginx module, download OWASP CRS, configure."""`
			`return (`
			`"apt-get update && "`
			`"apt-get install -y libmodsecurity3 libmodsecurity-dev libnginx-mod-http-modsecurity && "`
			`"mkdir -p /etc/nginx/modsec && "`
			`f"cd /etc/nginx/modsec && "`
			`"if [ ! -d owasp-crs ]; then "`
			`"git clone https://github.com/coreruleset/coreruleset.git owasp-crs; "`
			`"fi && "`
			`f"cp {CRS_DIR}/crs-setup.conf.example {CRS_SETUP_CONF} && "`
			`"cp /etc/modsecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf && "`
			`f"sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' {MODSEC_CONF} && "`
			`f"touch {EXCLUSIONS_CONF} && "`
			`f"cat > {MAIN_CONF} << 'MAINEOF'\n"`
			`f"Include {MODSEC_CONF}\n"`
			`f"Include {CRS_SETUP_CONF}\n"`
			`f"Include {CRS_RULES_DIR}/*.conf\n"`
			`f"Include {EXCLUSIONS_CONF}\n"`
			`"MAINEOF\n"`
			`"&& nginx -t && systemctl reload nginx"`
			`)`


			`def enable_cmd():`
			`"""Set SecRuleEngine On in modsecurity.conf."""`
			`return (`
			`f"sed -i 's/^SecRuleEngine .*/SecRuleEngine On/' {MODSEC_CONF} && "`
			`f"grep 'SecRuleEngine' {MODSEC_CONF} && "`
			`"nginx -t && systemctl reload nginx"`
			`)`


			`def disable_cmd():`
			`"""Set SecRuleEngine to DetectionOnly (log only, don't block)."""`
			`return (`
			`f"sed -i 's/^SecRuleEngine .*/SecRuleEngine DetectionOnly/' {MODSEC_CONF} && "`
			`f"grep 'SecRuleEngine' {MODSEC_CONF} && "`
			`"nginx -t && systemctl reload nginx"`
			`)`


			`def audit_log_cmd(lines=50):`
			`"""Tail the modsecurity audit log."""`
			`return f"tail -n {int(lines)} {AUDIT_LOG}"`


			`def debug_log_cmd(lines=50):`
			`"""Tail the modsecurity debug log."""`
			`return f"tail -n {int(lines)} {DEBUG_LOG}"`


			`def rules_list_cmd():`
			`"""List rule files in the OWASP CRS rules directory."""`
			`return f"ls -la {CRS_RULES_DIR}/*.conf 2>/dev/null"`


			`def rule_disable_cmd(rule_id):`
			`"""Add SecRuleRemoveById to the custom exclusion conf."""`
			`rid = str(int(rule_id))`
			`return (`
			`f"if grep -q 'SecRuleRemoveById {rid}' {EXCLUSIONS_CONF} 2>/dev/null; then "`
			`f"echo 'Rule {rid} is already disabled'; "`
			`"else "`
			`f"echo 'SecRuleRemoveById {rid}' >> {EXCLUSIONS_CONF} && "`
			`f"echo 'Disabled rule {rid}' && "`
			`"nginx -t && systemctl reload nginx; "`
			`"fi"`
			`)`


			`def rule_enable_cmd(rule_id):`
			`"""Remove a rule ID from the exclusion conf (re-enable it)."""`
			`rid = str(int(rule_id))`
			`return (`
			`f"if grep -q 'SecRuleRemoveById {rid}' {EXCLUSIONS_CONF} 2>/dev/null; then "`
			`f"sed -i '/SecRuleRemoveById {rid}/d' {EXCLUSIONS_CONF} && "`
			`f"echo 'Re-enabled rule {rid}' && "`
			`"nginx -t && systemctl reload nginx; "`
			`"else "`
			`f"echo 'Rule {rid} is not in exclusions'; "`
			`"fi"`
			`)`


			`def exclusions_cmd():`
			`"""Show current rule exclusions."""`
			`return (`
			`f"echo '=== Rule Exclusions ({EXCLUSIONS_CONF}) ===' && "`
			`f"cat {EXCLUSIONS_CONF} 2>/dev/null \|\| echo 'No exclusions file found'"`
			`)`


			`def crs_update_cmd():`
			`"""Git pull in the OWASP CRS directory to update rules."""`
			`return (`
			`f"cd {CRS_DIR} && "`
			`"git pull && "`
			`"echo '' && echo '=== Updated CRS Rules ===' && "`
			`"nginx -t && systemctl reload nginx"`
			`)`


			`def config_cmd():`
			`"""Show modsecurity.conf."""`
			`return f"cat {MODSEC_CONF}"`


			`def config_crs_cmd():`
			`"""Show crs-setup.conf."""`
			`return f"cat {CRS_SETUP_CONF}"`


			`def test_cmd():`
			`"""Curl localhost with test XSS and SQLi payloads to verify WAF is working."""`
			`return (`
			`"echo '=== XSS Test ===' && "`
			`"curl -s -o /dev/null -w 'HTTP %{http_code}' "`
			`"'http://localhost/?q=<script>alert(1)</script>' && "`
			`"echo '' && "`
			`"echo '=== SQLi Test ===' && "`
			`"curl -s -o /dev/null -w 'HTTP %{http_code}' "`
			`"\"http://localhost/?id=1' OR '1'='1\" && "`
			`"echo '' && "`
			`"echo '=== Path Traversal Test ===' && "`
			`"curl -s -o /dev/null -w 'HTTP %{http_code}' "`
			`"'http://localhost/../../etc/passwd' && "`
			`"echo '' && "`
			`"echo '(403 = blocked by WAF, 200 = WAF not blocking)'"`
			`)`


			`def nginx_status_cmd():`
			`"""Check which nginx server blocks have modsecurity enabled."""`
			`return (`
			`"echo '=== Server Blocks with ModSecurity ===' && "`
			`"grep -rn 'modsecurity' /etc/nginx/sites-enabled/ /etc/nginx/conf.d/ 2>/dev/null \|\| "`
			`"echo 'No modsecurity directives found in server blocks' && "`
			`"echo '' && "`
			`"echo '=== Nginx Module Status ===' && "`
			`"nginx -V 2>&1 \| grep -io 'modsecurity[^ ]*' \|\| echo 'ModSecurity module not found'"`
			`)`


			`def uninstall_cmd():`
			`"""Remove modsec configs and apt remove packages."""`
			`return (`
			`"echo 'Removing ModSecurity configuration...' && "`
			`"rm -rf /etc/nginx/modsec && "`
			`"apt-get remove -y libmodsecurity3 libmodsecurity-dev libnginx-mod-http-modsecurity && "`
			`"apt-get autoremove -y && "`
			`"echo 'Removed modsec configs and packages' && "`
			`"echo 'NOTE: Check nginx server blocks and remove modsecurity directives manually' && "`
			`"nginx -t && systemctl reload nginx"`
			`)`