This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # security.txt | |
| location /security.txt { | |
| return 301 /.well-known/security.txt; | |
| } | |
| location = /.well-known/security.txt { | |
| add_header Content-Type text/plain; | |
| return 200 'Contact: mailto:[email protected]\nExpires: 2024-01-01T00:00:00.000Z'; | |
| } |
LaurenceJJones
/ crowdsec_heartbeat.sh
Last active
November 13, 2024 12:22
Bash script to detect if crowdsec agent hasnt sent a heartbeat over 2 mins
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| current="$(/usr/bin/date '+%s')" | |
| cscli=$(which cscli) | |
| machinesJson=$($cscli -ojson machines list) | |
| echo $machinesJson | /usr/bin/jq -r '.[]| select(.last_heartbeat != null) | [.last_heartbeat, .machineId] | @tsv' | | |
| while IFS=$'\t' read -r hb mid; do | |
| last_hb="$(/usr/bin/date -u -d "$hb" '+%s')" | |
| diff=$((current - last_hb)) | |
| if [ "$diff" -gt "180" ]; then | |
| echo "$mid has not contacted LAPI for more than 2 minutes" |
LaurenceJJones
/ Windows fix
Last active
November 30, 2022 13:27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| onsuccess: next_stage | |
| filter: "evt.Parsed.program == 'windows-firewall' and evt.Parsed.message contains ' DROP TCP ' and evt.Parsed.message contains ' RECEIVE'" | |
| name: crowdsecurity/windows-firewall-logs | |
| description: "Parse windows firewall drop logs" | |
| grok: | |
| pattern: "%{TIMESTAMP_ISO8601:date} DROP TCP %{IP:src_ip} %{IP:dst_ip} %{INT:src_port} %{INT:dst_port} %{INT:size} %{WORD:flags} %{INT:tcpsyn} %{INT:tcpack} %{INT:window} - - - RECEIVE( %{INT:pid})?" | |
| apply_on: message | |
| statics: | |
| - meta: service | |
| value: tcp |
LaurenceJJones
/ nginx-cf-real-ip.sh
Created
November 11, 2022 22:44
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| TARGET_FILE=/etc/nginx/conf.d/cloudflare.conf | |
| REAL_HEADER=CF-Connecting-IP | |
| echo "# AUTOGENERATED FILE" > $TARGET_FILE | |
| for i in `curl -s https://www.cloudflare.com/ips-v4`; | |
| do | |
| echo "set_real_ip_from $i;" >> $TARGET_FILE | |
| done | |
| for i in `curl -s https://www.cloudflare.com/ips-v6`; | |
| do | |
| echo "set_real_ip_from $i;" >> $TARGET_FILE |
LaurenceJJones
/ abuseipdb list
Last active
October 19, 2022 18:10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {{ $list := dict "crowdsecurity/apache_log4j2_cve-2021-44228" "15,21" "jusabatier/apereo-cas-bf" "15,18" "jusabatier/apereo-cas-slow-bf" "15,18" "crowdsecurity/asterisk_bf" "15,18" "crowdsecurity/asterisk_user_enum" "15,18" "lepresidente/authelia-bf" "15,18" "crowdsecurity/ban-defcon-drop_range" "15,18" "jusabatier/cas-slow-bf" "15,18" "crowdsecurity/cpanel-bf" "15,18" "crowdsecurity/cpanel-bf-attempt" "15,18" "crowdsecurity/CVE-2021-4034" "15" "crowdsecurity/CVE-2022-37042" "15,21" "crowdsecurity/dovecot-spam" "11" "lepresidente/emby-bf" "15,18" "crowdsecurity/endlessh-bf" "15,18,22" "crowdsecurity/exchange-bf" "15,18" "crowdsecurity/f5-big-ip-cve-2020-5902" "15,21" "crowdsecurity/fortinet-cve-2018-13379" "15,21" "lepresidente/gitea-bf" "15,18" "timokoessler/gitlab-bf" "15,18" "baudneo/gotify-bf" "15,18" "crowdsecurity/grafana-cve-2021-43798" "15,21" "crowdsecurity/home-assistant-bf" "15,18" "crowdsecurity/http-apiscp-bf" "15,18" "crowdsecurity/http-backdoors-attempts" "15,21" "crowdsecurity/http-bad-user-ag |
LaurenceJJones
/ ipstocrowdseclib.sh
Created
October 13, 2022 14:57
Cron script to fetch ip lists then store within /var/lib/crowdsec/data/
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| dir=/var/lib/crowdsec/data/ | |
| declare -a URLS=("https://quic.cloud/ips?ln,quiccloud_ips.txt" "https://monitoring.platform360.io/whitelist?v4,monitoring360_ips.txt" "https://monitoring.platform360.io/whitelist?v6,monitoring360_ip6s.txt" ) | |
| for i in ${URLS[@]}; do | |
| IFS=, read -r url name <<< $i | |
| /usr/bin/wget -q -O "$dir$name" "$url" | |
| done | |
| /usr/bin/systemctl restart crowdsec.service |
LaurenceJJones
/ nextcloud.txt
Created
October 11, 2022 07:36
Nextcloud route prefixes for whitelist testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /apps | |
| /custom_apps | |
| /ocs | |
| /ocs-provider | |
| /public.php | |
| /remote.php | |
| /settings |
LaurenceJJones
/ crowdsec_iplist_importer.sh
Last active
May 25, 2023 09:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| tmp_d=$(mktemp -d) | |
| tmp_f="$tmp_d/crowdsec.csv" | |
| curr_dec=$(cscli -ojson decisions list -a | jq '.[].decisions |.[] | select(.duration | contains("-") | not) | .value') | |
| echo "duration,scope,value" > $tmp_f | |
| while read -r -s i; | |
| do | |
| echo "$curr_dec" | grep -qw "$i" | |
| if [ ! "$?" -eq 0 ]; then | |
| echo "24h,ip,$i" >> $tmp_f | |
| fi |
LaurenceJJones
/ rocketchat.js
Created
September 2, 2022 12:57
Rocketchat custom hook into crowdsec to ban ip from channel idea
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const str = 'ban 1.1.1.1 duration 6h source capi' | |
| const [verb, ip, ...args] = str.split(' ') | |
| const splitToChunks = (arr, chunkSize, acc = []) => ( | |
| arr.length > chunkSize ? | |
| splitToChunks( | |
| arr.slice(chunkSize), | |
| chunkSize, | |
| [...acc, arr.slice(0, chunkSize)] | |
| ) : | |
| [...acc, arr] |
LaurenceJJones
/ Crowdsec abuseipdb template
Created
September 1, 2022 12:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {{ $myDict := dict "crowdsecurity/ssh-slow-bf" "22,18" }} | |
| ##Url params | |
| {{range . -}} | |
| ?category={{ get $myDict .Scenario }}&comment={{"[Crowdsec]: Detected via: %s"| replace "%s" .Scenario | urlquery }}&ip={{ .Source.Value | urlquery }} | |
| {{end}} | |
| ## CSV | |
| {{range . -}} |