diff --git a/.github/workflows/build-secubox-images.yml b/.github/workflows/build-secubox-images.yml index 655af82..7b1e76c 100644 --- a/.github/workflows/build-secubox-images.yml +++ b/.github/workflows/build-secubox-images.yml @@ -11,8 +11,6 @@ on: options: - espressobin-v7 - espressobin-ultra - - sheeva64 - - sheeva64-wifi - mochabin - all openwrt_version: @@ -79,20 +77,6 @@ jobs: "profile": "globalscale_espressobin-ultra", "description": "ESPRESSObin Ultra (PoE, WiFi)" }, - { - "device": "sheeva64", - "target": "mvebu", - "subtarget": "cortexa53", - "profile": "globalscale_sheeva64", - "description": "Sheeva64 (Plug computer)" - }, - { - "device": "sheeva64-wifi", - "target": "mvebu", - "subtarget": "cortexa53", - "profile": "globalscale_sheeva64", - "description": "Sheeva64 WiFi (802.11ac + BT)" - }, { "device": "mochabin", "target": "mvebu", @@ -370,19 +354,11 @@ jobs: EOF ;; - espressobin-ultra|sheeva64-wifi) + espressobin-ultra) # WiFi support cat >> .config << EOF CONFIG_PACKAGE_kmod-mt76=y CONFIG_PACKAGE_kmod-mac80211=y - EOF - ;; - - sheeva64*) - # Minimal for plug computer - cat >> .config << EOF - # Optimized for plug form factor - CONFIG_PACKAGE_kmod-ledtrig-heartbeat=y EOF ;; esac diff --git a/package/secubox/CROWDSEC-OPENWRT-24.md b/package/secubox/CROWDSEC-OPENWRT-24.md index 5dceac1..3a8e151 100644 --- a/package/secubox/CROWDSEC-OPENWRT-24.md +++ b/package/secubox/CROWDSEC-OPENWRT-24.md @@ -39,7 +39,7 @@ secubox-crowdsec-setup --install opkg update # Install required packages -opkg install crowdsec crowdsec-firewall-bouncer-nftables syslog-ng4 +opkg install crowdsec crowdsec-firewall-bouncer syslog-ng # Install LuCI dashboard (optional) opkg install luci-app-secubox-crowdsec @@ -55,7 +55,7 @@ opkg install luci-app-secubox-crowdsec +--------------+--------------+ | | +-------v-------+ +---------v---------+ - | syslog-ng4 | | logread -f | + | syslog-ng | | logread -f | | (UDP 5140) | | (fallback) | +-------+-------+ +---------+---------+ | | 
@@ -88,7 +88,7 @@ opkg install luci-app-secubox-crowdsec ## Components -### 1. syslog-ng4 Configuration +### 1. syslog-ng Configuration Located at `/etc/syslog-ng/syslog-ng.conf`, this configuration: - Captures all system logs via Unix socket @@ -306,9 +306,9 @@ secubox-crowdsec-setup --uninstall /etc/init.d/syslog-ng stop opkg remove luci-app-secubox-crowdsec -opkg remove crowdsec-firewall-bouncer-nftables +opkg remove crowdsec-firewall-bouncer opkg remove crowdsec -opkg remove syslog-ng4 +opkg remove syslog-ng # Clean nftables nft delete table ip crowdsec diff --git a/package/secubox/luci-app-secubox-crowdsec/Makefile b/package/secubox/luci-app-secubox-crowdsec/Makefile index cb49608..96a61ea 100644 --- a/package/secubox/luci-app-secubox-crowdsec/Makefile +++ b/package/secubox/luci-app-secubox-crowdsec/Makefile @@ -11,7 +11,7 @@ PKG_VERSION:=1.0.0 PKG_RELEASE:=1 LUCI_TITLE:=LuCI SecuBox CrowdSec Dashboard -LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer-nftables +LUCI_DEPENDS:=+luci-base +crowdsec +crowdsec-firewall-bouncer LUCI_PKGARCH:=all PKG_MAINTAINER:=Gerald Kerma diff --git a/package/secubox/luci-app-secubox-crowdsec/root/usr/libexec/rpcd/luci.secubox-crowdsec b/package/secubox/luci-app-secubox-crowdsec/root/usr/libexec/rpcd/luci.secubox-crowdsec old mode 100644 new mode 100755 diff --git a/package/secubox/luci-app-secubox-portal/Makefile b/package/secubox/luci-app-secubox-portal/Makefile index c671cc9..41d34ec 100644 --- a/package/secubox/luci-app-secubox-portal/Makefile +++ b/package/secubox/luci-app-secubox-portal/Makefile @@ -15,7 +15,6 @@ PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=SecuBox Team -include ../../luci.mk +include $(TOPDIR)/feeds/luci/luci.mk -# call BuildPackage - OpenWrt buildance! -$(eval $(call BuildPackage,luci-app-secubox-portal)) +# call BuildPackage - OpenWrt buildroot signature 
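Review bot: `root/usr/libexec/rpcd/luci.secubox-crowdsec` becomes executable only through the git mode flip to 100755 in this commit, whereas the sibling luci-app-secubox-security-threats Makefile pins the same kind of rpcd script explicitly with `PKG_FILE_MODES:=/usr/libexec/rpcd/luci.secubox-security-threats:root:root:755`. Git mode bits do not survive a tarball export or a checkout with core.fileMode=false, and as far as I can tell rpcd simply does not register a plugin it cannot execute — no build error, the dashboard's ubus methods just disappear — so I would add `PKG_FILE_MODES:=/usr/libexec/rpcd/luci.secubox-crowdsec:root:root:755` next to `LUCI_PKGARCH:=all` and keep the mode flip as a second line of defence. Note also that with the in-tree secubox-app-crowdsec package (PKG_NAME `crowdsec`, pinned to 1.7.4 with a PKG_HASH) deleted in the same commit, `+crowdsec` now resolves to whatever version the packages feed ships; if the rpcd backend parses cscli output that only 1.7.x produces, that minimum should be stated in the README or enforced in the dependency. The documented cleanup still assumes an `ip crowdsec` nft table, so it is worth confirming that the feed's `crowdsec-firewall-bouncer` is configured in nftables mode on these images.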
diff --git a/package/secubox/luci-app-secubox-security-threats/Makefile b/package/secubox/luci-app-secubox-security-threats/Makefile index 40651e8..8e13370 100644 --- a/package/secubox/luci-app-secubox-security-threats/Makefile +++ b/package/secubox/luci-app-secubox-security-threats/Makefile @@ -25,3 +25,4 @@ PKG_FILE_MODES:=/usr/libexec/rpcd/luci.secubox-security-threats:root:root:755 include $(TOPDIR)/feeds/luci/luci.mk # call BuildPackage - OpenWrt buildroot signature +$(eval $(call BuildPackage,luci-app-secubox-security-threats)) diff --git a/package/secubox/secubox-app-crowdsec/Makefile b/package/secubox/secubox-app-crowdsec/Makefile deleted file mode 100644 index 5d8072d..0000000 --- a/package/secubox/secubox-app-crowdsec/Makefile +++ /dev/null 
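Review bot: The added `$(eval $(call BuildPackage,luci-app-secubox-security-threats))` duplicates the BuildPackage evaluation that the feed's luci.mk already performs for `$(PKG_NAME)` — that is why upstream LuCI application Makefiles end with the `# call BuildPackage - OpenWrt buildroot signature` comment alone (the comment is there so the package scanner recognises the file), and why the luci-app-secubox-portal Makefile in this very commit drops the identical line after switching to `$(TOPDIR)/feeds/luci/luci.mk`. Evaluating BuildPackage twice for one package redefines its install/compile targets and dumpinfo output, which at best produces "overriding recipe" warnings and at worst duplicate package metadata in the index, so I would drop the added line and let the file end with the comment, matching the portal fix. If the pinned luci feed's luci.mk turns out not to evaluate BuildPackage itself, then it is the portal Makefile that is now broken instead — either way the two SecuBox LuCI Makefiles should not disagree on this. A quick `make package/secubox/luci-app-secubox-security-threats/compile V=s` on a clean tree would settle which form the feed expects.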
@@ -1,250 +0,0 @@ -# SPDX-License-Identifier: MIT -# -# Copyright (C) 2021-2022 Gerald Kerma -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=crowdsec -PKG_VERSION:=1.7.4 -PKG_RELEASE:=3 -PKG_ARCH:=all - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://codeload.github.com/crowdsecurity/crowdsec/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=755b5c2c1a8cef24b56fd2fbc7d2942f6fc525c625a78f9c65229e5b3b305327 - -PKG_LICENSE:=MIT -PKG_LICENSE_FILES:=LICENSE -PKG_MAINTAINER:=Gerald Kerma - -PKG_BUILD_DEPENDS:=golang/host -PKG_BUILD_PARALLEL:=1 -PKG_BUILD_FLAGS:=no-mips16 - -CWD_SYSTEM:=openwrt - -CWD_BUILD_VERSION?=v$(PKG_VERSION) -CWD_BUILD_GOVERSION:=$(shell go version 2>/dev/null | cut -d " " -f3 | sed -E 's/[go]+//g' || echo "1.23") -CWD_BUILD_CODENAME:=alphaga -CWD_BUILD_TIMESTAMP:=$(shell date +%F"_"%T) -CWD_BUILD_TAG:=openwrt-$(PKG_VERSION)-$(PKG_RELEASE) - -CWD_VERSION_PKG:=github.com/crowdsecurity/go-cs-lib/version - -GO_PKG:=github.com/crowdsecurity/crowdsec -GO_PKG_INSTALL_ALL:=1 -GO_PKG_LDFLAGS_X:=$(CWD_VERSION_PKG).Version=$(CWD_BUILD_VERSION) \ - $(CWD_VERSION_PKG).System=$(CWD_SYSTEM) \ - $(CWD_VERSION_PKG).BuildDate=$(CWD_BUILD_TIMESTAMP) \ - $(CWD_VERSION_PKG).Codename=$(CWD_BUILD_CODENAME) \ - $(CWD_VERSION_PKG).Tag=$(CWD_BUILD_TAG) \ - $(CWD_VERSION_PKG).GoVersion=$(CWD_BUILD_GOVERSION) - -include $(INCLUDE_DIR)/package.mk -include $(TOPDIR)/feeds/packages/lang/golang/golang-package.mk - -# Keep Go in module mode so it honors our local replacements. 
-GO_MOD_ARGS+=-mod=mod - -CWD_GO_CSLIB_VERSION:=v0.0.24 -CWD_GO_VENDOR_ROOT:=secubox-vendor -CWD_GO_VENDOR_MODULES:= \ - github.com/crowdsecurity/go-cs-lib@$(CWD_GO_CSLIB_VERSION) \ - github.com/crowdsecurity/time@v0.13.0-crowdsec.20250912 \ - github.com/moby/moby/api@v1.52.1-0.20251116162601-e9ff10bf365a \ - github.com/moby/moby/client@v0.1.1-0.20251116162601-e9ff10bf365a \ - golang.org/x/crypto@v0.42.0 \ - golang.org/x/mod@v0.28.0 \ - golang.org/x/net@v0.44.0 \ - golang.org/x/sync@v0.17.0 \ - golang.org/x/sys@v0.37.0 \ - golang.org/x/term@v0.35.0 \ - golang.org/x/text@v0.29.0 \ - golang.org/x/tools@v0.37.0 \ - golang.org/x/telemetry@v0.0.0-20250908211612-aef8a434d053 - -define CWD/EnsureModuleSource - if [ ! -d "$(DL_DIR)/go-mod-cache/$(1)@$(2)" ]; then \ - $(INSTALL_DIR) "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v"; \ - wget -q -O "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip" \ - "https://proxy.golang.org/$(1)/@v/$(2).zip"; \ - unzip -q -d "$(DL_DIR)/go-mod-cache" \ - "$(DL_DIR)/go-mod-cache/cache/download/$(1)/@v/$(2).zip"; \ - fi -endef - -define CWD/StageVendorModule - $(call CWD/EnsureModuleSource,$(1),$(2)) - rm -rf $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1) - $(INSTALL_DIR) $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1) - $(CP) \ - $(DL_DIR)/go-mod-cache/$(1)@$(2)/. \ - $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/ - if [ -f $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod ]; then \ - $(SED) 's,^go 1\.[2-9][0-9]*.*,go 1.23,' \ - $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/$(1)/go.mod; \ - fi -endef - -define Build/Prepare - $(call Build/Prepare/Default) - # CrowdSec upstream requires Go 1.25+, but our SDK ships 1.23.x. - # Force the go.mod directive down so the stock toolchain can build it. - $(SED) 's,go 1\.[2-9][0-9]*.*,go 1.23,' $(PKG_BUILD_DIR)/go.mod - # Stage Go modules that require newer compilers so we can pin them locally and drop their go directive. 
- $(call CWD/StageVendorModule,github.com/crowdsecurity/go-cs-lib,$(CWD_GO_CSLIB_VERSION)) - $(call CWD/StageVendorModule,github.com/crowdsecurity/time,v0.13.0-crowdsec.20250912) - $(call CWD/StageVendorModule,github.com/moby/moby/api,v1.52.1-0.20251116162601-e9ff10bf365a) - $(call CWD/StageVendorModule,github.com/moby/moby/client,v0.1.1-0.20251116162601-e9ff10bf365a) - $(call CWD/StageVendorModule,golang.org/x/crypto,v0.42.0) - $(call CWD/StageVendorModule,golang.org/x/mod,v0.28.0) - $(call CWD/StageVendorModule,golang.org/x/net,v0.44.0) - $(call CWD/StageVendorModule,golang.org/x/sync,v0.17.0) - $(call CWD/StageVendorModule,golang.org/x/sys,v0.37.0) - $(call CWD/StageVendorModule,golang.org/x/term,v0.35.0) - $(call CWD/StageVendorModule,golang.org/x/text,v0.29.0) - $(call CWD/StageVendorModule,golang.org/x/tools,v0.37.0) - $(call CWD/StageVendorModule,golang.org/x/telemetry,v0.0.0-20250908211612-aef8a434d053) - $(SED) 's@for line := range strings.SplitSeq@for _, line := range strings.SplitSeq@g' \ - $(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go - $(SED) 's@for f := range strings.SplitSeq@for _, f := range strings.SplitSeq@g' \ - $(PKG_BUILD_DIR)/pkg/parser/runtime.go - $(SED) 's,strings.SplitSeq,strings.Split,g' \ - $(PKG_BUILD_DIR)/pkg/appsec/appsec_rules_collection.go - $(SED) 's,strings.SplitSeq,strings.Split,g' \ - $(PKG_BUILD_DIR)/pkg/parser/runtime.go - - $(SED) 's@for line := range strings.SplitSeq(description, "\\n") {@for _, line := range strings.Split(description, "\\n") {@g' \ - $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go - $(SED) 's@for field := range strings.FieldsSeq(line) {@for _, field := range strings.Fields(line) {@g' \ - $(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/mcp/generate.go - $(SED) 's@for line := range strings.SplitSeq(stdout.String(), "\\n") {@for _, line := range strings.Split(stdout.String(), "\\n") {@g' \ - 
$(PKG_BUILD_DIR)/$(CWD_GO_VENDOR_ROOT)/golang.org/x/tools/internal/stdlib/generate.go -endef - -define Package/crowdsec/Default - SECTION:=net - CATEGORY:=Network - TITLE:=Crowdsec detection engine - URL:=https://crowdsec.net/ -endef - -define Package/crowdsec -$(call Package/crowdsec/Default) - DEPENDS:=$(GO_ARCH_DEPENDS) +libc -endef - -define Package/golang-crowdsec-dev -$(call Package/crowdsec/Default) -$(call GoPackage/GoSubMenu) - TITLE+= (source files) - DEPENDS:=$(GO_ARCH_DEPENDS) - PKGARCH:=all -endef - -define Package/crowdsec/Default/description - Crowdsec - An open-source, lightweight agent to detect - and respond to bad behaviours. - It also automatically benefits from a global - community-wide IP reputation database. -endef - -define Package/crowdsec/description -$(call Package/crowdsec/Default/description) - - This package contains the main program. -endef - -define Package/golang-crowdsec-dev/description -$(call Package/crowdsec/Default/description) - - This package provides the source files for the program. 
-endef - -ifneq ($(CONFIG_USE_MUSL),) - TARGET_CFLAGS += -D_LARGEFILE64_SOURCE -endif - -define Package/crowdsec/install - $(call GoPackage/Package/Install/Bin,$(1)) - - $(INSTALL_DIR) $(1)/etc/crowdsec - $(INSTALL_DIR) $(1)/etc/crowdsec/scenarios - $(INSTALL_DIR) $(1)/etc/crowdsec/postoverflows - $(INSTALL_DIR) $(1)/etc/crowdsec/collections - $(INSTALL_DIR) $(1)/etc/crowdsec/patterns - $(INSTALL_DIR) $(1)/etc/crowdsec/hub - - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/config.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/dev.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/user.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/acquis.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/profiles.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/simulation.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/local_api_credentials.yaml \ - $(1)/etc/crowdsec/ - $(INSTALL_DATA) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/online_api_credentials.yaml \ - $(1)/etc/crowdsec/ - - $(CP) \ - $(GO_PKG_BUILD_DIR)/src/$(GO_PKG)/config/patterns/* \ - $(1)/etc/crowdsec/patterns - - # Install acquisition configuration directory and templates - $(INSTALL_DIR) $(1)/etc/crowdsec/acquis.d - $(INSTALL_DATA) \ - ./files/acquis.d/openwrt-syslog.yaml \ - $(1)/etc/crowdsec/acquis.d/ - $(INSTALL_DATA) \ - ./files/acquis.d/openwrt-dropbear.yaml \ - $(1)/etc/crowdsec/acquis.d/ - $(INSTALL_DATA) \ - ./files/acquis.d/openwrt-firewall.yaml \ - $(1)/etc/crowdsec/acquis.d/ - $(INSTALL_DATA) \ - ./files/acquis.d/openwrt-uhttpd.yaml \ - $(1)/etc/crowdsec/acquis.d/ - - $(INSTALL_DIR) $(1)/srv/crowdsec/data/ - - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) \ - ./files/crowdsec.initd \ - $(1)/etc/init.d/crowdsec - - $(INSTALL_DIR) 
$(1)/etc/config - $(INSTALL_CONF) \ - ./files/crowdsec.config \ - $(1)/etc/config/crowdsec - - $(LN) /usr/bin/crowdsec-cli $(1)/usr/bin/cscli - - $(INSTALL_DIR) $(1)/etc/uci-defaults - $(INSTALL_BIN) \ - ./files/crowdsec.defaults \ - $(1)/etc/uci-defaults/99_crowdsec -endef - -define Package/crowdsec/conffiles -/etc/crowdsec/ -/etc/crowdsec/acquis.d/ -/etc/config/crowdsec -endef - -$(eval $(call GoBinPackage,crowdsec)) -$(eval $(call BuildPackage,crowdsec)) diff --git a/package/secubox/secubox-app-crowdsec/README.md b/package/secubox/secubox-app-crowdsec/README.md deleted file mode 100644 index d6787b0..0000000 --- a/package/secubox/secubox-app-crowdsec/README.md +++ /dev/null 
@@ -1,236 +0,0 @@ -# SecuBox App - CrowdSec - -## Version -- **Package**: secubox-app-crowdsec -- **CrowdSec Core**: v1.7.4 -- **Release**: 3 -- **Last Updated**: January 2025 - -## Description -CrowdSec is an open-source, lightweight security engine that detects and responds to malicious behaviors. This SecuBox package provides CrowdSec for OpenWrt routers with automatic log acquisition configuration. - -## Key Features (v1.7.4) -- WAF capability with DropRequest helper for request blocking -- Refactored syslog acquisition using RestartableStreamer -- Optional pure-go SQLite driver for better compatibility -- Enhanced logging configuration with syslog media support -- Configurable usage metrics export (api.server.disable_usage_metrics_export) -- Fixed LAPI metrics cardinality issues with Prometheus -- Data race prevention in Docker acquisition -- Database query optimization for decision streams -- **Automatic OpenWrt log acquisition configuration** -- **UCI-based acquisition management** - -## Package Contents -- **Makefile**: OpenWrt package definition for CrowdSec v1.7.4 -- **files/**: Configuration and init scripts - - `crowdsec.initd`: Init script for service management - - `crowdsec.config`: UCI configuration (with acquisition settings) - - `crowdsec.defaults`: Default configuration with auto-detection - - `acquis.d/`: Acquisition configuration templates - - `openwrt-syslog.yaml`: System syslog logs - - `openwrt-dropbear.yaml`: SSH/Dropbear logs - - `openwrt-firewall.yaml`: iptables/nftables firewall logs - - `openwrt-uhttpd.yaml`: uHTTPd web server logs - -## Installation -```bash -# From SecuBox build environment -cd /home/reepost/CyberMindStudio/_files/secubox-openwrt -make package/secubox/secubox-app-crowdsec/compile V=s - -# Install on router -opkg install crowdsec_1.7.4-3_*.ipk -``` - -## Configuration - -### UCI Configuration -CrowdSec uses UCI for configuration in `/etc/config/crowdsec`: - -```bash -# View current configuration -uci show crowdsec - -# 
Main settings -uci set crowdsec.crowdsec.data_dir='/srv/crowdsec/data' -uci set crowdsec.crowdsec.db_path='/srv/crowdsec/data/crowdsec.db' - -# Acquisition settings -uci set crowdsec.acquisition.syslog_enabled='1' -uci set crowdsec.acquisition.firewall_enabled='1' -uci set crowdsec.acquisition.ssh_enabled='1' -uci set crowdsec.acquisition.http_enabled='0' -uci set crowdsec.acquisition.syslog_path='/var/log/messages' - -# Hub settings -uci set crowdsec.hub.auto_install='1' -uci set crowdsec.hub.collections='crowdsecurity/linux crowdsecurity/iptables' -uci set crowdsec.hub.update_interval='7' - -uci commit crowdsec -``` - -### File Locations -- Main config: `/etc/crowdsec/config.yaml` -- Acquisition directory: `/etc/crowdsec/acquis.d/` -- Legacy acquisition: `/etc/crowdsec/acquis.yaml` -- Profiles: `/etc/crowdsec/profiles.yaml` -- Local API: `/etc/crowdsec/local_api_credentials.yaml` -- Data directory: `/srv/crowdsec/data/` - -## Log Acquisition Configuration - -### Automatic Detection -On first boot, the defaults script automatically: -1. Detects OpenWrt log file configuration -2. Identifies installed services (Dropbear, firewall) -3. Generates appropriate acquisition configs -4. 
Installs recommended Hub collections - -### Supported Log Sources -| Log Source | Default | Collection Required | -|------------|---------|---------------------| -| System Syslog | Enabled | crowdsecurity/linux | -| SSH/Dropbear | Enabled | crowdsecurity/linux | -| Firewall (iptables/nftables) | Enabled | crowdsecurity/iptables | -| HTTP (uHTTPd/nginx) | Disabled | crowdsecurity/http-cve | - -### Custom Acquisition -Add custom acquisition configs to `/etc/crowdsec/acquis.d/`: - -```yaml -# /etc/crowdsec/acquis.d/custom.yaml -filenames: - - /var/log/custom-app/*.log -labels: - type: syslog -``` - -### Syslog Service Mode -To run CrowdSec as a syslog server (receive logs from other devices): - -```bash -uci set crowdsec.acquisition.syslog_listen_addr='0.0.0.0' -uci set crowdsec.acquisition.syslog_listen_port='514' -uci commit crowdsec -/etc/init.d/crowdsec restart -``` - -## Service Management -```bash -# Start CrowdSec -/etc/init.d/crowdsec start - -# Stop CrowdSec -/etc/init.d/crowdsec stop - -# Restart CrowdSec -/etc/init.d/crowdsec restart - -# Check status -/etc/init.d/crowdsec status -``` - -## CLI Usage -CrowdSec CLI is available via `cscli`: -```bash -# Check version -cscli version - -# Check acquisition status -cscli metrics show acquisition - -# List decisions -cscli decisions list - -# View alerts -cscli alerts list - -# Manage collections -cscli collections list -cscli collections install crowdsecurity/nginx - -# Manage Hub -cscli hub update -cscli hub upgrade - -# Manage bouncers -cscli bouncers list -cscli bouncers add firewall-bouncer -``` - -## Hub Collections for OpenWrt - -### Recommended Collections -```bash -# Core Linux detection (SSH brute-force, etc.) 
-cscli collections install crowdsecurity/linux - -# Firewall log analysis (port scan detection) -cscli collections install crowdsecurity/iptables - -# Syslog parsing -cscli parsers install crowdsecurity/syslog-logs - -# Whitelists for reducing false positives -cscli parsers install crowdsecurity/whitelists -``` - -### Optional Collections -```bash -# HTTP attack detection -cscli collections install crowdsecurity/http-cve - -# nginx logs -cscli collections install crowdsecurity/nginx - -# Smb/Samba -cscli collections install crowdsecurity/smb -``` - -## Integration with SecuBox -This package integrates with: -- **luci-app-crowdsec-dashboard** v0.5.0+ -- **secubox-app-crowdsec-bouncer** - Firewall bouncer -- **SecuBox Theme System** -- **SecuBox Logging** (`secubox-log`) - -## Dependencies -- Go compiler (build-time) -- SQLite3 -- OpenWrt base system - -## References -- Upstream: https://github.com/crowdsecurity/crowdsec -- Documentation: https://docs.crowdsec.net/ -- Hub: https://hub.crowdsec.net/ -- Acquisition Docs: https://docs.crowdsec.net/docs/next/log_processor/data_sources/intro/ -- SecuBox Project: https://cybermind.fr - -## Changelog - -### v1.7.4-3 (2025-01) -- Added automatic log acquisition configuration -- Added UCI-based acquisition management -- Added acquis.d directory with OpenWrt-specific templates -- Improved Hub collection auto-installation -- Added acquisition for syslog, SSH/Dropbear, firewall, HTTP -- Enhanced defaults script with detection logic - -### v1.7.4-2 (2024-12) -- Updated from v1.6.2 to v1.7.4 -- Added WAF/AppSec support -- Improved syslog acquisition -- Enhanced metrics export configuration -- Fixed Prometheus cardinality issues - -### v1.6.2-1 (Previous) -- Initial SecuBox integration -- Basic OpenWrt compatibility patches - -## License -MIT License - -## Maintainer -CyberMind.fr - Gandalf 
diff --git a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-dropbear.yaml b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-dropbear.yaml deleted file mode 100644 index e9246fe..0000000 --- a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-dropbear.yaml +++ /dev/null @@ -1,29 +0,0 @@ -# OpenWrt Dropbear SSH Acquisition -# This configuration monitors SSH authentication logs from Dropbear -# -# Dropbear logs are typically sent to syslog and can be found in: -# - /var/log/messages (if syslog is configured to write to file) -# - Via logread command (OpenWrt default) -# -# Required collections: -# cscli collections install crowdsecurity/linux -# cscli parsers install crowdsecurity/syslog-logs -# -# The crowdsecurity/linux collection includes SSH brute-force detection -# scenarios that work with Dropbear authentication logs. -# -# Example Dropbear log entries that will be parsed: -# dropbear[1234]: Bad password attempt for 'root' from 192.168.1.100:54321 -# dropbear[1234]: Login attempt for nonexistent user 'admin' from 192.168.1.100:54321 -# dropbear[1234]: Pubkey auth succeeded for 'root' with ssh-ed25519 key -# dropbear[1234]: Exit (root) from <192.168.1.100:54321>: Disconnect received -# -# Note: Since Dropbear logs go to syslog, the openwrt-syslog.yaml -# acquisition config will capture these logs. This file serves as -# documentation for Dropbear-specific detection. - -# If using a dedicated auth log file: -# filenames: -# - /var/log/auth.log -# labels: -# type: syslog diff --git a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-firewall.yaml b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-firewall.yaml deleted file mode 100644 index 0d4b249..0000000 --- a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-firewall.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -# OpenWrt Firewall Logs Acquisition -# This configuration monitors iptables/nftables firewall logs -# -# Required collections: -# cscli collections install crowdsecurity/iptables -# -# The crowdsecurity/iptables collection provides: -# - crowdsecurity/iptables-logs parser (for -j LOG entries) -# - crowdsecurity/iptables-scan-multi_ports scenario (port scan detection) -# -# To enable firewall logging in OpenWrt, add LOG rules to your firewall config: -# -# For nftables (OpenWrt 22.03+): -# nft add rule inet fw4 input counter log prefix "fw4-INPUT: " drop -# -# For iptables (legacy): -# iptables -A INPUT -j LOG --log-prefix "iptables-INPUT: " -# -# Or via /etc/config/firewall: -# config rule -# option name 'Log-Dropped' -# option src 'wan' -# option dest '*' -# option proto 'all' -# option target 'LOG' -# option log_prefix 'fw-DROP: ' -# -# Firewall logs are typically written to kernel log (kern.log) -# or syslog depending on system configuration. - -# Kernel/firewall log file acquisition -filenames: - - /var/log/kern.log - - /var/log/firewall.log -labels: - type: syslog ---- -# Alternative: If firewall logs go to main syslog -# The openwrt-syslog.yaml acquisition will capture them -# as long as the iptables collection parser is installed diff --git a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml deleted file mode 100644 index 0a6eb1f..0000000 --- a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-syslog.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -# OpenWrt System Syslog Acquisition -# This configuration monitors OpenWrt system logs via syslog -# For local log files or syslog forwarding scenarios -# -# Note: OpenWrt uses logd by default which doesn't write to files. -# Enable syslog-ng or configure log_file in /etc/config/system -# to enable file-based log acquisition. -# -# Required collections: -# cscli collections install crowdsecurity/linux -# cscli parsers install crowdsecurity/syslog-logs - -# File-based acquisition for syslog (if log_file is configured) -filenames: - - /var/log/messages - - /var/log/syslog -labels: - type: syslog ---- -# Alternative: Syslog service acquisition -# Uncomment this section if using remote syslog forwarding -# or if CrowdSec should act as a syslog server -# -# source: syslog -# listen_addr: 127.0.0.1 -# listen_port: 10514 -# labels: -# type: syslog diff --git a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-uhttpd.yaml b/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-uhttpd.yaml deleted file mode 100644 index 3a4ac96..0000000 --- a/package/secubox/secubox-app-crowdsec/files/acquis.d/openwrt-uhttpd.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -# OpenWrt uHTTPd Web Server Acquisition -# This configuration monitors uHTTPd access/error logs -# -# By default, uHTTPd logs to syslog. To enable file-based logging, -# configure uHTTPd in /etc/config/uhttpd: -# -# config uhttpd 'main' -# option access_log '/var/log/uhttpd/access.log' -# option error_log '/var/log/uhttpd/error.log' -# -# Required parsers: -# cscli parsers install crowdsecurity/syslog-logs -# -# For HTTP-based attacks, consider installing: -# cscli collections install crowdsecurity/http-cve -# cscli scenarios install crowdsecurity/http-probing -# cscli scenarios install crowdsecurity/http-bad-user-agent - -# uHTTPd access logs -# filenames: -# - /var/log/uhttpd/access.log -# labels: -# type: syslog ---- -# uHTTPd error logs -# filenames: -# - /var/log/uhttpd/error.log -# labels: -# type: syslog diff --git a/package/secubox/secubox-app-crowdsec/files/crowdsec.config b/package/secubox/secubox-app-crowdsec/files/crowdsec.config deleted file mode 100644 index 4dddf27..0000000 --- a/package/secubox/secubox-app-crowdsec/files/crowdsec.config +++ /dev/null 
@@ -1,30 +0,0 @@ -config crowdsec 'crowdsec' - option data_dir '/srv/crowdsec/data' - option db_path '/srv/crowdsec/data/crowdsec.db' - -# Acquisition configuration -config acquisition 'acquisition' - # Enable/disable specific log sources - option syslog_enabled '1' - option firewall_enabled '1' - option ssh_enabled '1' - option http_enabled '0' - # Syslog service settings (if using CrowdSec as syslog server) - option syslog_listen_addr '127.0.0.1' - option syslog_listen_port '10514' - # Log file paths (OpenWrt-specific) - option syslog_path '/var/log/messages' - option auth_log_path '/var/log/auth.log' - option kernel_log_path '/var/log/kern.log' - -# Hub configuration -config hub 'hub' - # Auto-install recommended collections on first boot - option auto_install '1' - # Collections to install (space-separated) - option collections 'crowdsecurity/linux crowdsecurity/iptables' - # Additional parsers - option parsers 'crowdsecurity/syslog-logs crowdsecurity/whitelists' - # Hub update interval in days (0 to disable auto-update) - option update_interval '7' - diff --git a/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults b/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults deleted file mode 100644 index 13a3a21..0000000 --- a/package/secubox/secubox-app-crowdsec/files/crowdsec.defaults +++ /dev/null 
@@ -1,317 +0,0 @@
-#!/bin/sh
-#
-# CrowdSec UCI Defaults Script
-# Configures CrowdSec on first install with automatic acquisition setup
-#
-
-CONFIG=/etc/crowdsec/config.yaml
-ACQUIS_DIR=/etc/crowdsec/acquis.d
-UCI_CONFIG=/etc/config/crowdsec
-
-# Load UCI functions
-. /lib/functions.sh
-
-# Get UCI values with defaults
-get_uci_value() {
- local section="$1"
- local option="$2"
- local default="$3"
- local value
- value=$(uci -q get "crowdsec.${section}.${option}")
- echo "${value:-$default}"
-}
-
-# Configure data paths
-setup_paths() {
- local data_dir
- local db_path
-
- data_dir=$(get_uci_value "crowdsec" "data_dir" "/srv/crowdsec/data")
- db_path=$(get_uci_value "crowdsec" "db_path" "/srv/crowdsec/data/crowdsec.db")
-
- sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $CONFIG
- sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $CONFIG
-
- # Create data dir & permissions if needed
- if [ ! -d "${data_dir}" ]; then
- mkdir -m 0755 -p "${data_dir}"
- fi
-}
-
-# Create machine-id if not exists
-setup_machine_id() {
- if [ ! -f /etc/machine-id ]; then
- cat /proc/sys/kernel/random/uuid | tr -d "-" > /etc/machine-id
- echo "Created machine-id"
- fi
-}
-
-# Register local API machine
-register_lapi() {
- if grep -q "login:" /etc/crowdsec/local_api_credentials.yaml 2>/dev/null; then
- echo "Local API already registered"
- else
- echo "Registering local API machine..."
- cscli -c /etc/crowdsec/config.yaml machines add -a -f /etc/crowdsec/local_api_credentials.yaml
- fi
-}
-
-# Register with Central API (CAPI) for threat intelligence sharing
-register_capi() {
- if ! grep -q "login:" /etc/crowdsec/online_api_credentials.yaml 2>/dev/null; then
- echo "Registering with Central API (CAPI)..."
- if cscli capi register 2>/dev/null; then
- echo "Successfully registered with Central API"
- else
- echo "WARNING: CAPI registration failed - will run in local-only mode"
- # Create minimal credentials file to prevent errors
- echo "url: https://api.crowdsec.net/" > /etc/crowdsec/online_api_credentials.yaml
- fi
- else
- echo "Central API already registered"
- fi
-}
-
-# Update hub index
-update_hub() {
- local update_interval
- update_interval=$(get_uci_value "hub" "update_interval" "7")
-
- if [ "$update_interval" = "0" ]; then
- echo "Hub auto-update disabled"
- return 0
- fi
-
- if [ ! -f /etc/crowdsec/hub/.index.json ] || \
- [ $(find /etc/crowdsec/hub/.index.json -mtime +${update_interval} 2>/dev/null | wc -l) -gt 0 ]; then
- echo "Updating hub index..."
- cscli hub update 2>/dev/null || true
- fi
-}
-
-# Install collections and parsers from Hub
-install_hub_items() {
- local auto_install
- local collections
- local parsers
-
- auto_install=$(get_uci_value "hub" "auto_install" "1")
-
- if [ "$auto_install" != "1" ]; then
- echo "Hub auto-install disabled"
- return 0
- fi
-
- # Install collections
- collections=$(get_uci_value "hub" "collections" "crowdsecurity/linux crowdsecurity/iptables")
- for collection in $collections; do
- echo "Installing collection: $collection"
- cscli collections install "$collection" 2>/dev/null || true
- done
-
- # Install additional parsers
- parsers=$(get_uci_value "hub" "parsers" "crowdsecurity/syslog-logs crowdsecurity/whitelists")
- for parser in $parsers; do
- echo "Installing parser: $parser"
- cscli parsers install "$parser" 2>/dev/null || true
- done
-
- # Upgrade all hub items
- cscli hub upgrade 2>/dev/null || true
-}
-
-# Generate dynamic acquisition configuration
-generate_acquisition_config() {
- local syslog_enabled
- local firewall_enabled
- local ssh_enabled
- local http_enabled
- local syslog_path
- local kernel_log_path
- local auth_log_path
-
- # Ensure acquis.d directory exists
- mkdir -p "$ACQUIS_DIR"
-
- # 
Get acquisition settings from UCI
- syslog_enabled=$(get_uci_value "acquisition" "syslog_enabled" "1")
- firewall_enabled=$(get_uci_value "acquisition" "firewall_enabled" "1")
- ssh_enabled=$(get_uci_value "acquisition" "ssh_enabled" "1")
- http_enabled=$(get_uci_value "acquisition" "http_enabled" "0")
- syslog_path=$(get_uci_value "acquisition" "syslog_path" "/var/log/messages")
- kernel_log_path=$(get_uci_value "acquisition" "kernel_log_path" "/var/log/kern.log")
- auth_log_path=$(get_uci_value "acquisition" "auth_log_path" "/var/log/auth.log")
-
- # Generate syslog acquisition config
- if [ "$syslog_enabled" = "1" ]; then
- echo "Configuring syslog acquisition..."
- cat > "$ACQUIS_DIR/openwrt-syslog.yaml" << EOF
-# OpenWrt System Syslog Acquisition
-# Auto-generated by crowdsec.defaults
-# Monitors system logs for security events
-
-filenames:
- - ${syslog_path}
- - /var/log/syslog
-labels:
- type: syslog
-EOF
- else
- rm -f "$ACQUIS_DIR/openwrt-syslog.yaml"
- fi
-
- # Generate firewall acquisition config
- if [ "$firewall_enabled" = "1" ]; then
- echo "Configuring firewall log acquisition..."
- cat > "$ACQUIS_DIR/openwrt-firewall.yaml" << EOF
-# OpenWrt Firewall Logs Acquisition
-# Auto-generated by crowdsec.defaults
-# Monitors iptables/nftables firewall logs for port scans
-
-filenames:
- - ${kernel_log_path}
- - /var/log/firewall.log
-labels:
- type: syslog
-EOF
- # Ensure iptables collection is installed
- cscli collections install crowdsecurity/iptables 2>/dev/null || true
- else
- rm -f "$ACQUIS_DIR/openwrt-firewall.yaml"
- fi
-
- # Generate SSH/auth acquisition config
- if [ "$ssh_enabled" = "1" ]; then
- echo "Configuring SSH/auth log acquisition..."
- # SSH logs typically go to syslog on OpenWrt
- # The syslog acquisition will capture them
- # Just ensure the linux collection is installed for SSH scenarios
- cscli collections install crowdsecurity/linux 2>/dev/null || true
- fi
-
- # Generate HTTP acquisition config (disabled by default)
- if [ "$http_enabled" = "1" ]; then
- echo "Configuring HTTP log acquisition..."
- cat > "$ACQUIS_DIR/openwrt-http.yaml" << EOF
-# OpenWrt HTTP Server Logs Acquisition
-# Auto-generated by crowdsec.defaults
-
-filenames:
- - /var/log/uhttpd/access.log
- - /var/log/nginx/access.log
-labels:
- type: syslog
-EOF
- else
- rm -f "$ACQUIS_DIR/openwrt-http.yaml"
- fi
-}
-
-# Configure syslog service acquisition (if CrowdSec acts as syslog server)
-configure_syslog_service() {
- local listen_addr
- local listen_port
-
- listen_addr=$(get_uci_value "acquisition" "syslog_listen_addr" "127.0.0.1")
- listen_port=$(get_uci_value "acquisition" "syslog_listen_port" "10514")
-
- # Only create syslog service config if non-default port is configured
- if [ "$listen_port" != "10514" ] || [ "$listen_addr" != "127.0.0.1" ]; then
- echo "Configuring syslog service acquisition..."
- cat > "$ACQUIS_DIR/syslog-service.yaml" << EOF
-# Syslog Service Acquisition
-# Auto-generated by crowdsec.defaults
-# CrowdSec acts as a syslog server to receive logs
-
-source: syslog
-listen_addr: ${listen_addr}
-listen_port: ${listen_port}
-labels:
- type: syslog
-EOF
- fi
-}
-
-# Detect and configure OpenWrt-specific log sources
-detect_openwrt_logs() {
- echo "Detecting OpenWrt log sources..."
-
- # Check if syslog-ng is installed and configured
- if [ -f /etc/syslog-ng.conf ]; then
- echo "syslog-ng detected"
- fi
-
- # Check if rsyslog is configured
- if [ -f /etc/rsyslog.conf ]; then
- echo "rsyslog detected"
- fi
-
- # Check if log_file is configured in OpenWrt system config
- local log_file
- log_file=$(uci -q get system.@system[0].log_file)
- if [ -n "$log_file" ]; then
- echo "OpenWrt log_file configured: $log_file"
- # Update syslog path in UCI
- uci set crowdsec.acquisition.syslog_path="$log_file"
- uci commit crowdsec
- fi
-
- # Check for Dropbear (SSH server)
- if [ -f /etc/init.d/dropbear ]; then
- echo "Dropbear SSH server detected"
- fi
-
- # Check for firewall (fw3 or fw4)
- if [ -f /etc/init.d/firewall ]; then
- echo "OpenWrt firewall detected"
- fi
-}
-
-# Main execution
-main() {
- echo "=========================================="
- echo "CrowdSec Configuration - First Boot Setup"
- echo "=========================================="
-
- # Setup paths and directories
- setup_paths
-
- # Create machine-id
- setup_machine_id
-
- # Register with LAPI
- register_lapi
-
- # Register with CAPI
- register_capi
-
- # Update Hub index
- update_hub
-
- # Install Hub collections and parsers
- install_hub_items
-
- # Detect OpenWrt log sources
- detect_openwrt_logs
-
- # Generate acquisition configuration
- generate_acquisition_config
-
- # Configure syslog service if needed
- configure_syslog_service
-
- echo "=========================================="
- echo "CrowdSec configuration complete!"
- echo "=========================================="
- echo ""
- echo "Next steps:"
- echo " 1. Enable and start CrowdSec: /etc/init.d/crowdsec enable && /etc/init.d/crowdsec start"
- echo " 2. Check acquisition status: cscli metrics show acquisition"
- echo " 3. View decisions: cscli decisions list"
- echo ""
-}
-
-# Run main function
-main
-
-exit 0
diff --git a/package/secubox/secubox-app-crowdsec/files/crowdsec.initd b/package/secubox/secubox-app-crowdsec/files/crowdsec.initd
deleted file mode 100755
index 9896275..0000000
--- a/package/secubox/secubox-app-crowdsec/files/crowdsec.initd
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/bin/sh /etc/rc.common
-# Copyright (C) 2021-2022 Gerald Kerma
-
-START=99
-USE_PROCD=1
-NAME=crowdsec
-PROG=/usr/bin/crowdsec
-CONFIG=/etc/crowdsec/config.yaml
-RUNCONFDIR=/srv/crowdsec/data
-VARCONFIGDIR=/var/etc/crowdsec
-VARCONFIG=/var/etc/crowdsec/config.yaml
-
-service_triggers() {
- procd_add_reload_trigger crowdsec
-}
-
-init_config() {
- config_load crowdsec
- config_get data_dir crowdsec data_dir "${RUNCONFDIR}"
- config_get db_path crowdsec db_path "${RUNCONFDIR}/crowdsec.db"
-
- # Create tmp dir & permissions if needed
- if [ ! -d "${VARCONFIGDIR}" ]; then
- mkdir -m 0755 -p "${VARCONFIGDIR}"
- fi;
-
- cp $CONFIG $VARCONFIG
-
- sed -i "s,^\(\s*data_dir\s*:\s*\).*\$,\1$data_dir," $VARCONFIG
- sed -i "s,^\(\s*db_path\s*:\s*\).*\$,\1$db_path," $VARCONFIG
-
- # Create data dir & permissions if needed
- if [ ! -d "${RUNCONFDIR}" ]; then
- mkdir -m 0755 -p "${RUNCONFDIR}"
- fi;
-}
-
-start_service() {
- init_config
-
- procd_open_instance
- procd_set_param command "$PROG" -c "$VARCONFIG"
- procd_close_instance
-}
diff --git a/package/secubox/secubox-app-crowdsec/patches/001-fix_config_data_dir.patch b/package/secubox/secubox-app-crowdsec/patches/001-fix_config_data_dir.patch
deleted file mode 100644
index 4b1118d..0000000
--- a/package/secubox/secubox-app-crowdsec/patches/001-fix_config_data_dir.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- a/config/config.yaml
-+++ b/config/config.yaml
-@@ -8,7 +8,7 @@ common:
- log_max_files: 10
- config_paths:
- config_dir: /etc/crowdsec/
-- data_dir: /var/lib/crowdsec/data/
-+ data_dir: /srv/crowdsec/data/
- simulation_path: /etc/crowdsec/simulation.yaml
- hub_dir: /etc/crowdsec/hub/
- index_path: /etc/crowdsec/hub/.index.json
-@@ -25,7 +25,7 @@ cscli:
- db_config:
- log_level: info
- type: sqlite
-- db_path: /var/lib/crowdsec/data/crowdsec.db
-+ db_path: /srv/crowdsec/data/crowdsec.db
- #max_open_conns: 100
- #user:
- #password:
diff --git a/package/secubox/secubox-app-crowdsec/patches/002-use-vendored-go-cs-lib.patch b/package/secubox/secubox-app-crowdsec/patches/002-use-vendored-go-cs-lib.patch
deleted file mode 100644
index 12f2b08..0000000
--- a/package/secubox/secubox-app-crowdsec/patches/002-use-vendored-go-cs-lib.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/go.mod
-+++ b/go.mod
-@@ -257,3 +257,13 @@ replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.2025
--replace golang.org/x/time => github.com/crowdsecurity/time v0.13.0-crowdsec.20250912
--
--replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
-+replace golang.org/x/time => ./secubox-vendor/github.com/crowdsecurity/time
-+
-+replace github.com/corazawaf/coraza/v3 => github.com/crowdsecurity/coraza/v3 v3.3.3-crowdsec.20251113
-+replace github.com/crowdsecurity/go-cs-lib => ./secubox-vendor/github.com/crowdsecurity/go-cs-lib
-+replace github.com/moby/moby/api => ./secubox-vendor/github.com/moby/moby/api
-+replace github.com/moby/moby/client => ./secubox-vendor/github.com/moby/moby/client
-+replace golang.org/x/crypto => ./secubox-vendor/golang.org/x/crypto
-+replace golang.org/x/mod => ./secubox-vendor/golang.org/x/mod
-+replace golang.org/x/net => ./secubox-vendor/golang.org/x/net
-+replace golang.org/x/sync => ./secubox-vendor/golang.org/x/sync
-+replace golang.org/x/sys => ./secubox-vendor/golang.org/x/sys
-+replace golang.org/x/term => ./secubox-vendor/golang.org/x/term
-+replace golang.org/x/text => ./secubox-vendor/golang.org/x/text
diff --git a/package/secubox/secubox-app-crowdsec/patches/003-add-x-tools-replace.patch b/package/secubox/secubox-app-crowdsec/patches/003-add-x-tools-replace.patch
deleted file mode 100644
index fa4aee6..0000000
--- a/package/secubox/secubox-app-crowdsec/patches/003-add-x-tools-replace.patch
+++ /dev/null
@@ -1,6 +0,0 @@
---- a/go.mod
-+++ b/go.mod
-@@ -269,1 +269,3 @@
- replace golang.org/x/text => ./secubox-vendor/golang.org/x/text
-+replace golang.org/x/tools => ./secubox-vendor/golang.org/x/tools
-+replace golang.org/x/telemetry => ./secubox-vendor/golang.org/x/telemetry
diff --git a/package/secubox/secubox-app-netifyd/BUILD-INSTRUCTIONS.md b/package/secubox/secubox-app-netifyd/BUILD-INSTRUCTIONS.md deleted file mode 100644 index 4512f73..0000000 --- a/package/secubox/secubox-app-netifyd/BUILD-INSTRUCTIONS.md +++ /dev/null 
@@ -1,439 +0,0 @@ -# Netifyd 5.2.1 Build Instructions for SecuBox OpenWrt - -## Overview - -Complete build instructions for integrating official Netifyd 5.2.1 into SecuBox OpenWrt solution. - -## Package Structure - -``` -package/secubox/secubox-app-netifyd/ -├── Makefile # OpenWrt package Makefile -├── Config.in # Package configuration options -├── README.md # Package documentation -├── INTEGRATION.md # Integration guide -├── BUILD-INSTRUCTIONS.md # This file -├── test-build.sh # Automated build test script -├── files/ -│ ├── netifyd.init # Init script (procd) -│ ├── netifyd.config # UCI configuration -│ └── functions.sh # Helper functions -└── patches/ # Patches (if needed) -``` - -## Prerequisites - -### System Requirements - -- **Build System:** x86_64 Linux (Ubuntu 20.04+ or Debian 11+ recommended) -- **Disk Space:** ~10 GB free -- **RAM:** 4 GB minimum, 8 GB recommended -- **Time:** ~30-60 minutes for full build - -### Required Build Tools - -```bash -# Ubuntu/Debian -sudo apt-get update -sudo apt-get install -y \ - build-essential \ - clang \ - flex \ - bison \ - g++ \ - gawk \ - gcc-multilib \ - gettext \ - git \ - libncurses5-dev \ - libssl-dev \ - python3-distutils \ - rsync \ - unzip \ - zlib1g-dev \ - file \ - wget \ - curl \ - subversion \ - time \ - libelf-dev -``` - -## Quick Start - -### Option 1: Automated Build Test - -```bash -cd /path/to/secubox-openwrt/package/secubox/secubox-app-netifyd -./test-build.sh -``` - -This script will: -1. Check dependencies -2. Update feeds -3. Download source -4. Build package -5. Verify package contents - -### Option 2: Manual Build - -```bash -# 1. Navigate to OpenWrt root -cd /path/to/secubox-openwrt - -# 2. Update feeds -./scripts/feeds update -a -./scripts/feeds install -a - -# 3. Configure build -make menuconfig -# Navigate to: Network > netifyd -# Select: <*> netifyd - -# Also select SecuBox components: -# SecuBox > <*> luci-app-secubox-netifyd - -# 4. 
Download source -make package/secubox/secubox-app-netifyd/download V=s - -# 5. Build package -make package/secubox/secubox-app-netifyd/compile V=s - -# 6. Build LuCI app -make package/secubox/luci-app-secubox-netifyd/compile V=s -``` - -## Detailed Build Process - -### Step 1: Prepare Build Environment - -```bash -# Clone SecuBox OpenWrt (if not already done) -git clone https://github.com/your-repo/secubox-openwrt.git -cd secubox-openwrt - -# Initialize and update feeds -./scripts/feeds update -a -./scripts/feeds install -a -``` - -### Step 2: Configure Package - -```bash -# Run menuconfig -make menuconfig - -# Navigate through menus: -# 1. Target System: (select your hardware) -# 2. Subtarget: (select your hardware variant) -# 3. Target Profile: (select your device) -# -# 4. Network > -# <*> netifyd -# [ ] Enable local flow export (optional) -# [ ] Enable plugin support (optional) -# [*] Auto-start on boot (recommended) -# -# 5. SecuBox > -# <*> secubox-core -# <*> luci-app-secubox-netifyd -# -# 6. 
Save and exit -``` - -### Step 3: Build - -```bash -# Download all sources -make download V=s - -# Build toolchain (first time only, takes ~30 minutes) -make toolchain/compile V=s - -# Build netifyd package -make package/secubox/secubox-app-netifyd/compile V=s - -# Build LuCI app -make package/secubox/luci-app-secubox-netifyd/compile V=s - -# Or build everything at once -make V=s j=$(nproc) -``` - -### Step 4: Locate Built Packages - -```bash -# Packages will be in: -find bin/packages -name "netifyd*.ipk" -find bin/packages -name "luci-app-secubox-netifyd*.ipk" - -# Example output: -# bin/packages/aarch64_cortex-a53/secubox/netifyd_5.2.1-1_aarch64_cortex-a53.ipk -# bin/packages/aarch64_cortex-a53/secubox/luci-app-secubox-netifyd_1.0.1-1_all.ipk -``` - -## Installation on Device - -### Transfer Packages - -```bash -# Find device IP (usually 192.168.1.1 or 192.168.8.1) -DEVICE_IP="192.168.1.1" - -# Copy packages -scp bin/packages/*/secubox/netifyd_*.ipk root@$DEVICE_IP:/tmp/ -scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@$DEVICE_IP:/tmp/ -``` - -### Install on Device - -```bash -# SSH to device -ssh root@$DEVICE_IP - -# On device: -# Update package list -opkg update - -# Install netifyd (will install dependencies automatically) -opkg install /tmp/netifyd_*.ipk - -# Install LuCI app -opkg install /tmp/luci-app-secubox-netifyd_*.ipk - -# Start services -/etc/init.d/netifyd start -/etc/init.d/netifyd enable -/etc/init.d/rpcd reload - -# Verify -netifyd -s -``` - -## Verification - -### 1. Check Service Status - -```bash -# On device: -/etc/init.d/netifyd status -ps | grep netifyd -netifyd -s -``` - -Expected output: -``` -Netify Agent/5.2.1 (openwrt; aarch64; conntrack; netlink; ...) -✓ agent is running. -• agent timestamp: [current date/time] -• agent uptime: 0d 00:XX:XX -✓ active flows: XX -... -``` - -### 2. Check Data Files - -```bash -# Status file should exist -cat /var/run/netifyd/status.json | jq . 
- -# Socket should exist -ls -la /var/run/netifyd/netifyd.sock - -# Should show: srwxr-xr-x 1 root root 0 ... netifyd.sock -``` - -### 3. Test RPCD Backend - -```bash -# List available methods -ubus list | grep netifyd - -# Test a call -ubus call luci.secubox-netifyd get_service_status - -# Should return JSON with status information -``` - -### 4. Access Web Interface - -```bash -# Open browser to: -http://[device-ip]/cgi-bin/luci/admin/secubox/netifyd/dashboard - -# Navigate to: Services > Netifyd Dashboard - -# Should see: -# - Service status (running/stopped) -# - Active flows count -# - Detected devices -# - Network statistics -``` - -## Troubleshooting Build Issues - -### Issue: Download Fails - -```bash -# Check download URL -curl -I https://download.netify.ai/source/netifyd-5.2.1.tar.gz - -# If fails, update PKG_SOURCE_URL in Makefile -# Or download manually: -cd dl/ -wget https://download.netify.ai/source/netifyd-5.2.1.tar.gz -cd .. -``` - -### Issue: Compilation Errors - -```bash -# Clean and retry -make package/secubox/secubox-app-netifyd/clean -make package/secubox/secubox-app-netifyd/compile V=s 2>&1 | tee build.log - -# Check build.log for errors - -# Common fixes: -# 1. Missing dependencies - install via package manager -# 2. Toolchain issues - rebuild toolchain -# 3. 
Patch failures - check patches/ directory -``` - -### Issue: Missing Dependencies on Device - -```bash -# On device, check what's missing: -opkg install /tmp/netifyd_*.ipk - -# If dependencies missing, install them: -opkg update -opkg install libcurl libmnl libnetfilter-conntrack libpcap zlib libpthread - -# Then retry netifyd install -``` - -## Build Customization - -### Minimal Build (Smallest Size) - -Edit `Makefile` CONFIGURE_ARGS: -```makefile -CONFIGURE_ARGS += \ - --enable-lean-and-mean \ - --disable-plugins \ - --disable-sink-plugins \ - --disable-libtcmalloc \ - --disable-jemalloc -``` - -### Debug Build - -Edit `Makefile` CONFIGURE_ARGS: -```makefile -CONFIGURE_ARGS += \ - --enable-debug \ - --enable-debug-ether-type \ - --enable-debug-ndpi - -TARGET_CFLAGS += -g -O0 -``` - -### Custom Features - -In `make menuconfig`: -``` -Network > netifyd > - [*] Enable local flow export - [*] Enable plugin support - [*] Enable sink plugins - [ ] Enable debug output -``` - -## Build for Multiple Architectures - -```bash -# Build for different targets -TARGET_ARCHS="aarch64_cortex-a53 arm_cortex-a9 x86_64" - -for arch in $TARGET_ARCHS; do - echo "Building for $arch..." - make clean - # Set target in menuconfig first - make package/secubox/secubox-app-netifyd/compile V=s - mkdir -p releases/$arch - cp bin/packages/*/secubox/netifyd_*.ipk releases/$arch/ -done -``` - -## Creating Release Packages - -```bash -# Build all packages -make package/secubox/secubox-app-netifyd/compile V=s -make package/secubox/luci-app-secubox-netifyd/compile V=s - -# Create release directory -mkdir -p releases/v5.2.1/ - -# Copy packages -cp bin/packages/*/secubox/netifyd_*.ipk releases/v5.2.1/ -cp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk releases/v5.2.1/ - -# Create checksums -cd releases/v5.2.1/ -sha256sum *.ipk > SHA256SUMS -cd ../.. 
- -# Create tarball -tar czf secubox-netifyd-5.2.1-release.tar.gz releases/v5.2.1/ -``` - -## Continuous Integration - -Example GitHub Actions workflow: - -```yaml -name: Build Netifyd Package - -on: [push, pull_request] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Install dependencies - run: | - sudo apt-get update - sudo apt-get install -y build-essential ... - - name: Build package - run: | - cd package/secubox/secubox-app-netifyd - ./test-build.sh - - name: Upload artifacts - uses: actions/upload-artifact@v3 - with: - name: netifyd-packages - path: bin/packages/*/secubox/*.ipk -``` - -## Next Steps - -After successful build and installation: - -1. **Configuration:** Follow [README.md](README.md) for configuration options -2. **Integration:** See [INTEGRATION.md](INTEGRATION.md) for SecuBox integration -3. **Testing:** Run tests from [test-build.sh](test-build.sh) -4. **Documentation:** Read [README-FLOW-DATA.md](../luci-app-secubox-netifyd/README-FLOW-DATA.md) for flow data setup - -## Support - -- **Build Issues:** Check `build.log` and OpenWrt forums -- **Package Issues:** https://github.com/your-repo/issues -- **Netifyd Issues:** https://github.com/eglooca/netifyd/issues -- **OpenWrt Docs:** https://openwrt.org/docs/ - -## License - -GPL-3.0-or-later (same as upstream netifyd) diff --git a/package/secubox/secubox-app-netifyd/BUILDROOT-BUILD.md b/package/secubox/secubox-app-netifyd/BUILDROOT-BUILD.md deleted file mode 100644 index 1d993b0..0000000 --- a/package/secubox/secubox-app-netifyd/BUILDROOT-BUILD.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# Building Netifyd with OpenWrt Buildroot - -## Overview - -Netifyd **requires full OpenWrt buildroot** for building because it needs system libraries that are not available in the SDK. - -## Automatic Build (Recommended) - -The local-build.sh script automatically detects netifyd and uses OpenWrt buildroot: - -```bash -./secubox-tools/local-build.sh build netifyd -``` - -This will: -1. Download OpenWrt 24.10.5 source (~500 MB) -2. Setup feeds -3. Copy SecuBox packages -4. Install netifyd from SecuBox feed -5. Configure and build netifyd - -**Build time:** -- First build: 15-30 minutes (downloads toolchain, builds dependencies) -- Subsequent builds: 2-5 minutes (incremental) - -## What Gets Built - -The buildroot provides all required dependencies: -- `libmnl` - Minimal Netlink library -- `libnetfilter-conntrack` - Connection tracking -- `libpcap` - Packet capture -- `libjson-c` - JSON parsing -- `libcurl` - HTTP client -- Kernel modules: nf_conntrack, nfnetlink, etc. - -## Output - -After successful build: -```bash -# Package location -./build/x86-64/netifyd_5.2.1-1_x86_64.ipk - -# Also findable at -./openwrt/bin/packages/x86_64/secubox/netifyd_5.2.1-1_x86_64.ipk -``` - -## Manual Build - -If you prefer manual control: - -```bash -cd openwrt/ - -# Configure -make menuconfig -# Select: Network > netifyd - -# Build -make package/netifyd/compile V=s -``` - -## Why Not SDK? - -The SDK cannot build netifyd because: -- SDK only includes application-level library stubs -- Netifyd needs kernel-level libraries (libmnl, libnetfilter-conntrack) -- These libraries must be compiled against the target system -- Only full buildroot provides the complete dependency chain - -## Troubleshooting - -### Issue: Build fails with "libmnl not found" - -**Cause:** Using SDK instead of buildroot - -**Fix:** The script should auto-detect and use buildroot. 
If not: -```bash -# Ensure you're using the build command, not compiling directly in SDK -./secubox-tools/local-build.sh build netifyd -``` - -### Issue: Build takes too long - -**Normal:** First build downloads toolchain and compiles base libraries (15-30 min) - -**Speed up:** Use faster machine or pre-compiled SDK for dependencies - -### Issue: Out of disk space - -**Cause:** OpenWrt buildroot needs ~10 GB - -**Fix:** Free up space or use different build directory: -```bash -OPENWRT_DIR=/path/to/large/disk/openwrt ./secubox-tools/local-build.sh build netifyd -``` - -## Comparison: SDK vs Buildroot - -| Feature | SDK | Buildroot | -|---------|-----|-----------| -| Size | ~300 MB | ~2 GB | -| Build time | Fast (2-5 min) | Slow first time (15-30 min) | -| Can build apps | ✅ Yes | ✅ Yes | -| Can build system daemons | ❌ No | ✅ Yes | -| Kernel libraries | ❌ No | ✅ Yes | -| Full dependency tree | ❌ No | ✅ Yes | - -Netifyd needs: **Buildroot** ✅ - -## See Also - -- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Detailed build instructions -- [SDK-LIMITATION.md](SDK-LIMITATION.md) - Why SDK doesn't work -- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox diff --git a/package/secubox/secubox-app-netifyd/Config.in b/package/secubox/secubox-app-netifyd/Config.in deleted file mode 100644 index 1c87dd1..0000000 --- a/package/secubox/secubox-app-netifyd/Config.in +++ /dev/null 
@@ -1,42 +0,0 @@
-menu "Configuration"
- depends on PACKAGE_netifyd
-
-config NETIFYD_WITH_LOCAL_EXPORT
- bool "Enable local flow export"
- default n
- help
- Enable local JSON export of flow data.
- This allows the Netify Agent to write flow data to a local file
- for consumption by other applications like luci-app-secubox-netifyd.
-
-config NETIFYD_WITH_PLUGINS
- bool "Enable plugin support"
- default n
- help
- Enable plugin support for extending Netify Agent functionality.
- Plugins allow custom processing of flow data and integration
- with external systems.
-
-config NETIFYD_SINK_PLUGINS
- bool "Enable sink plugins"
- depends on NETIFYD_WITH_PLUGINS
- default n
- help
- Enable sink plugin support for custom data export backends.
- Allows writing flow data to databases, message queues, etc.
-
-config NETIFYD_WITH_DEBUG
- bool "Enable debug output"
- default n
- help
- Enable verbose debug logging. Useful for troubleshooting
- but increases log verbosity significantly.
-
-config NETIFYD_AUTOSTART
- bool "Auto-start on boot"
- default y
- help
- Automatically start Netify Agent when the system boots.
- Can be disabled if you want manual control.
-
-endmenu
diff --git a/package/secubox/secubox-app-netifyd/INTEGRATION.md b/package/secubox/secubox-app-netifyd/INTEGRATION.md
deleted file mode 100644
index b6f57cf..0000000
--- a/package/secubox/secubox-app-netifyd/INTEGRATION.md
+++ /dev/null
@@ -1,342 +0,0 @@ -# Netifyd 5.2.1 SecuBox Integration Guide - -## Quick Integration Steps - -### 1. Build Both Packages - -```bash -# From SecuBox OpenWrt root -cd /path/to/secubox-openwrt - -# Build netifyd -make package/secubox/secubox-app-netifyd/compile V=s - -# Build LuCI app -make package/secubox/luci-app-secubox-netifyd/compile V=s -``` - -### 2. Install on Device - -```bash -# Copy packages to device -scp bin/packages/*/secubox/netifyd_5.2.1-*.ipk root@192.168.1.1:/tmp/ -scp bin/packages/*/secubox/luci-app-secubox-netifyd_*.ipk root@192.168.1.1:/tmp/ - -# On device -opkg update -opkg install /tmp/netifyd_5.2.1-*.ipk -opkg install /tmp/luci-app-secubox-netifyd_*.ipk -``` - -### 3. Configure and Start - -```bash -# On device -# Start netifyd -/etc/init.d/netifyd start -/etc/init.d/netifyd enable - -# Reload LuCI RPCD -/etc/init.d/rpcd reload - -# Clear browser cache and access web interface -# Navigate to: Services > Netifyd Dashboard -``` - -## Integration Points - -### 1. LuCI App Integration - -The `luci-app-secubox-netifyd` package integrates with netifyd through: - -- **RPCD Backend:** `/usr/libexec/rpcd/luci.secubox-netifyd` - - Reads from `/var/run/netifyd/status.json` - - Provides API for dashboard data - -- **Web Interface:** `/usr/share/luci/menu.d/` - - Dashboard, flows, devices, applications views - - Real-time statistics - - Service control - -### 2. Data Flow - -``` -netifyd service - ↓ -/var/run/netifyd/status.json (status data) -/var/run/netifyd/netifyd.sock (Unix socket) - ↓ -RPCD Backend (luci.secubox-netifyd) - ↓ -LuCI Web Interface - ↓ -User Browser -``` - -### 3. 
Configuration Files - -**Netifyd:** -- `/etc/config/netifyd` - UCI configuration -- `/etc/netifyd.conf` - Netifyd native config -- `/etc/netify.d/` - Persistent data directory - -**LuCI App:** -- `/etc/config/secubox-netifyd` - Dashboard settings -- Socket configuration (TCP/Unix) -- Analytics settings - -## Dependencies - -### Required by netifyd - -``` -+libcurl +libmnl +libnetfilter-conntrack +libpcap -+zlib +libpthread +libstdcpp +libjson-c +ca-bundle -``` - -### Required by luci-app-secubox-netifyd - -``` -+luci-base +rpcd +netifyd +jq +secubox-core -``` - -## Testing Integration - -### 1. Verify Netifyd is Running - -```bash -# Check service status -/etc/init.d/netifyd status - -# Check netifyd process -ps | grep netifyd - -# View netifyd status -netifyd -s -``` - -### 2. Verify Data Files - -```bash -# Check status file -cat /var/run/netifyd/status.json | jq . - -# Check socket -ls -la /var/run/netifyd/netifyd.sock - -# Check PID file -cat /var/run/netifyd/netifyd.pid -``` - -### 3. Test RPCD Backend - -```bash -# Test RPC calls -ubus list | grep netifyd - -# Get service status -ubus call luci.secubox-netifyd get_service_status - -# Get dashboard data -ubus call luci.secubox-netifyd get_dashboard - -# Get detected devices -ubus call luci.secubox-netifyd get_detected_devices -``` - -### 4. 
Test Web Interface - -```bash -# Access LuCI -http://192.168.1.1/cgi-bin/luci/admin/secubox/netifyd/dashboard - -# Check for JavaScript errors in browser console -# Verify data is loading -``` - -## Troubleshooting Integration - -### Issue: LuCI Dashboard Shows No Data - -**Cause:** Netifyd not running or no status file - -**Solution:** -```bash -# Start netifyd -/etc/init.d/netifyd start - -# Wait a few seconds -sleep 5 - -# Check status file -cat /var/run/netifyd/status.json - -# Reload page -``` - -### Issue: RPCD Calls Fail - -**Cause:** ACL permissions not set - -**Solution:** -```bash -# Reload RPCD -/etc/init.d/rpcd reload - -# Check ACL file -cat /usr/share/rpcd/acl.d/luci-app-secubox-netifyd.json - -# Clear browser cache -``` - -### Issue: Service Won't Start - -**Cause:** Interface configuration issues - -**Solution:** -```bash -# Enable auto-detection -uci set netifyd.default.autoconfig='1' -uci commit netifyd - -# Or configure manually -uci add_list netifyd.default.internal_if='br-lan' -uci add_list netifyd.default.external_if='br-wan' -uci commit netifyd - -# Restart -/etc/init.d/netifyd restart -``` - -## Advanced Integration - -### Custom Data Export - -To export flow data for custom processing: - -```bash -# Enable local JSON export in netifyd -uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json' -uci commit netifyd -/etc/init.d/netifyd restart - -# Configure LuCI app to read from file -uci set secubox-netifyd.settings.flow_export='/tmp/netifyd-flows.json' -uci commit secubox-netifyd -``` - -### Cloud Integration - -```bash -# Enable cloud sink -netifyd --enable-sink - -# Check sink status -netifyd -s | grep sink - -# Agent UUID (for cloud dashboard) -netifyd -p -``` - -### API Integration - -Example: Read data from RPCD backend in custom script: - -```bash -#!/bin/sh -# Get dashboard data -DATA=$(ubus call luci.secubox-netifyd get_dashboard) - -# Parse with jq -FLOWS=$(echo "$DATA" | jq -r '.stats.active_flows') -DEVICES=$(echo "$DATA" 
| jq -r '.stats.unique_devices') - -echo "Active Flows: $FLOWS" -echo "Devices: $DEVICES" -``` - -## Upgrade Path - -### Upgrading Netifyd - -```bash -# Build new version -make package/secubox/secubox-app-netifyd/clean -make package/secubox/secubox-app-netifyd/compile V=s - -# Install on device -opkg remove netifyd -opkg install /tmp/netifyd_*.ipk - -# Configuration is preserved -/etc/init.d/netifyd start -``` - -### Upgrading LuCI App - -```bash -# Build new version -make package/secubox/luci-app-secubox-netifyd/clean -make package/secubox/luci-app-secubox-netifyd/compile V=s - -# Install on device -opkg upgrade /tmp/luci-app-secubox-netifyd_*.ipk - -# Reload services -/etc/init.d/rpcd reload -/etc/init.d/uhttpd reload -``` - -## Performance Considerations - -### Resource Usage - -Typical resource usage on embedded device: - -- **CPU:** 0.5-2% (idle), 5-10% (active traffic) -- **Memory:** 20-40 MB RSS -- **Disk:** < 1 MB for package, ~2-5 MB for runtime data - -### Tuning for Low-End Devices - -```bash -# Reduce threads -uci add_list netifyd.default.options='--thread-detection-cores=1' -uci add_list netifyd.default.options='-t' - -# Lower limits in /etc/netifyd.conf: -# flow-max = 5000 -# flow-expiry = 60 -``` - -### Tuning for High-Traffic Networks - -```bash -# Increase threads -uci add_list netifyd.default.options='--thread-detection-cores=4' - -# Higher limits in /etc/netifyd.conf: -# flow-max = 65536 -# flow-expiry = 300 -``` - -## Security Considerations - -1. **Packet Capture:** Netifyd requires root privileges for packet capture -2. **Data Privacy:** Flow metadata includes IP addresses, ports, protocols -3. **Cloud Sync:** Optional - can be disabled if data privacy is a concern -4. **Local Access:** Unix socket is accessible by root only -5. 
**Web Interface:** Protected by LuCI authentication - -## Support and Documentation - -- **Package Issues:** https://github.com/your-repo/issues -- **Netifyd Upstream:** https://github.com/eglooca/netifyd -- **Netify.ai Docs:** https://www.netify.ai/resources -- **OpenWrt Wiki:** https://openwrt.org/ - -## License - -- Netifyd: GPL-3.0-or-later -- LuCI App: MIT -- Integration Code: MIT diff --git a/package/secubox/secubox-app-netifyd/Makefile b/package/secubox/secubox-app-netifyd/Makefile deleted file mode 100644 index 2d8395e..0000000 --- a/package/secubox/secubox-app-netifyd/Makefile +++ /dev/null 
@@ -1,143 +0,0 @@ -# -# Copyright (C) 2016-2025 eGloo Incorporated -# Copyright (C) 2025 CyberMind.fr (SecuBox Integration) -# -# This is free software, licensed under the GNU General Public License v2. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=netifyd -PKG_VERSION:=5.2.1 -PKG_RELEASE:=1 - -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=https://download.netify.ai/source/ -PKG_HASH:=a353e957be5ef2bd18a2e65b7b3a4d9d8c1728db5d78d4dae69ec8fea486a0a7 - -PKG_MAINTAINER:=CyberMind -PKG_LICENSE:=GPL-3.0-or-later -PKG_LICENSE_FILES:=LICENSE -PKG_CPE_ID:=cpe:/a:netify:netifyd - -PKG_FIXUP:=autoreconf -PKG_BUILD_PARALLEL:=1 -PKG_INSTALL:=1 - -PKG_BUILD_DEPENDS:=libpcap - -include $(INCLUDE_DIR)/package.mk - -define Package/netifyd - SECTION:=net - CATEGORY:=Network - TITLE:=Netify Agent - Deep Packet Inspection - URL:=https://www.netify.ai/ - DEPENDS:=+ca-bundle +libcurl +libmnl +libnetfilter-conntrack +libnetfilter-queue +libpcap +zlib +libpthread +libstdcpp +libjson-c +libatomic - # Optional: +ipt-conntrack-extra +libnl-tiny -endef - -define Package/netifyd/description - The Netify Agent is a deep-packet inspection server which detects network - protocols and applications. These detections can be saved locally, served over - a UNIX or TCP socket, and/or "pushed" (via HTTP POSTs) to a remote third-party - server. Flow metadata, network statistics, and detection classifications are - JSON encoded for easy consumption by third-party applications. 
-endef - -define Package/netifyd/conffiles -/etc/netifyd.conf -/etc/config/netifyd -endef - -TARGET_CFLAGS += -ffunction-sections -fdata-sections -fno-caller-saves -TARGET_LDFLAGS += -Wl,--gc-sections,--as-needed - -CONFIGURE_ARGS += \ - --enable-lean-and-mean \ - --disable-libtcmalloc \ - --disable-jemalloc \ - --without-systemdsystemunitdir \ - --without-tmpfilesdir \ - --with-persistentstatedir=/etc/netify.d \ - --with-volatilestatedir=/var/run/netifyd - -# Netifyd feature configuration -CONFIGURE_ARGS += \ - --enable-conntrack \ - --enable-netlink \ - --enable-inotify \ - $(if $(CONFIG_LIBCURL_ZLIB),--with-libcurl-zlib) \ - $(if $(CONFIG_LIBCURL_MBEDTLS),--with-libcurl-mbedtls) \ - $(if $(CONFIG_LIBCURL_OPENSSL),--with-libcurl-openssl) \ - $(if $(CONFIG_LIBCURL_WOLFSSL),--with-libcurl-wolfssl) - -# Optional features (disable for minimal build) -CONFIGURE_ARGS += \ - --disable-plugins \ - --disable-sink-plugins - -# Enable for debugging -# CONFIGURE_ARGS += --enable-debug --enable-debug-ether-type --enable-debug-ndpi - -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include/netifyd - $(CP) $(PKG_INSTALL_DIR)/usr/include/netifyd/*.h $(1)/usr/include/netifyd/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.{a,so*} $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libnetifyd.pc $(1)/usr/lib/pkgconfig/ -endef - -define Package/netifyd/install - $(INSTALL_DIR) $(1)/etc - $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.conf $(1)/etc - - $(INSTALL_DIR) $(1)/etc/netifyd.d - $(INSTALL_CONF) $(PKG_INSTALL_DIR)/etc/netifyd.d/*.json $(1)/etc/netifyd.d/ 2>/dev/null || true - - $(INSTALL_DIR) $(1)/etc/config - $(INSTALL_CONF) ./files/netifyd.config $(1)/etc/config/netifyd - - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/netifyd.init $(1)/etc/init.d/netifyd - - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/netifyd $(1)/usr/sbin/ - - $(INSTALL_DIR) $(1)/usr/lib 
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnetifyd.so.* $(1)/usr/lib/ - - $(INSTALL_DIR) $(1)/usr/share/netifyd - $(INSTALL_BIN) ./files/functions.sh $(1)/usr/share/netifyd/ - - $(INSTALL_DIR) $(1)/etc/netify.d - - # Install plugins if they exist - if [ -d "$(PKG_INSTALL_DIR)/usr/lib/netifyd" ]; then \ - $(INSTALL_DIR) $(1)/usr/lib/netifyd; \ - $(CP) $(PKG_INSTALL_DIR)/usr/lib/netifyd/*.so* $(1)/usr/lib/netifyd/ 2>/dev/null || true; \ - fi -endef - -define Package/netifyd/postinst -#!/bin/sh -[ -n "$${IPKG_INSTROOT}" ] || { - /etc/init.d/netifyd enable - mkdir -p /var/run/netifyd - # Don't auto-start, let user configure first - echo "Netifyd installed. Configure /etc/config/netifyd and start with: /etc/init.d/netifyd start" -} -exit 0 -endef - -define Package/netifyd/prerm -#!/bin/sh -[ -n "$${IPKG_INSTROOT}" ] || { - /etc/init.d/netifyd stop - /etc/init.d/netifyd disable -} -exit 0 -endef - -$(eval $(call BuildPackage,netifyd)) diff --git a/package/secubox/secubox-app-netifyd/README.md b/package/secubox/secubox-app-netifyd/README.md deleted file mode 100644 index de2ade7..0000000 --- a/package/secubox/secubox-app-netifyd/README.md +++ /dev/null 
@@ -1,435 +0,0 @@ -# Netifyd 5.2.1 for OpenWrt / SecuBox - -Complete OpenWrt package for Netify Agent (netifyd) version 5.2.1 - Deep Packet Inspection engine. - -## Overview - -This package provides the latest official Netify Agent compiled for OpenWrt/SecuBox with full integration support. - -### Features - -- **Deep Packet Inspection (DPI)** - Detects 300+ protocols and applications -- **Flow Classification** - Real-time network flow analysis -- **Protocol Detection** - Identifies HTTP, HTTPS, SSH, DNS, BitTorrent, etc. -- **Application Detection** - Recognizes specific applications (YouTube, Netflix, WhatsApp, etc.) -- **Device Tracking** - Monitors all devices on the network -- **Cloud Integration** - Optional upload to Netify.ai cloud for analytics -- **Local Export** - Can export data locally for custom processing -- **Low Resource Usage** - Optimized "lean and mean" build for embedded systems - -### Version Information - -- **Netifyd Version:** 5.2.1 (Latest Official Release) -- **Source:** https://download.netify.ai/source/netifyd-5.2.1.tar.gz -- **License:** GPL-3.0-or-later -- **Maintainer:** CyberMind - -## Installation - -### Prerequisites - -Required dependencies are automatically installed: -- libcurl -- libmnl -- libnetfilter-conntrack -- libpcap -- zlib -- libpthread -- libstdcpp -- libjson-c -- ca-bundle - -### Building from Source - -```bash -# From OpenWrt buildroot -cd /path/to/secubox-openwrt - -# Select package -make menuconfig -# Navigate to: Network > netifyd -# Select: or <*> - -# Build package -make package/secubox/secubox-app-netifyd/compile V=s - -# Package will be in: bin/packages/*/secubox/netifyd_5.2.1-1_*.ipk -``` - -### Installing on Device - -```bash -# Copy package to device -scp netifyd_5.2.1-1_*.ipk root@192.168.1.1:/tmp/ - -# On device -opkg install /tmp/netifyd_5.2.1-1_*.ipk -``` - -## Configuration - -### Quick Start - -```bash -# Edit configuration -vi /etc/config/netifyd - -# Enable auto-configuration (recommended) -uci set 
netifyd.default.enabled='1' -uci set netifyd.default.autoconfig='1' -uci commit netifyd - -# Start service -/etc/init.d/netifyd start -/etc/init.d/netifyd enable - -# Check status -netifyd -s -``` - -### Manual Interface Configuration - -If auto-detection doesn't work, configure interfaces manually: - -```bash -# Configure internal (LAN) interface -uci add_list netifyd.default.internal_if='br-lan' - -# Configure external (WAN) interface -uci add_list netifyd.default.external_if='br-wan' - -# Commit and restart -uci commit netifyd -/etc/init.d/netifyd restart -``` - -### Advanced Configuration - -Edit `/etc/netifyd.conf` for advanced settings: - -```ini -[netifyd] -# Enable/disable features -enable-conntrack = yes -enable-netlink = yes - -# Socket configuration -socket-host = 127.0.0.1 -socket-port = 7150 - -# Flow settings -flow-expiry = 180 -flow-max = 65536 - -# Sink configuration (cloud upload) -sink-url = https://sink.netify.ai/ -``` - -### Configuration Options - -In `/etc/config/netifyd`: - -``` -config netifyd 'default' - option enabled '1' - option autoconfig '1' - - # Additional options: - list options '-t' # Disable conntrack thread - list options '--thread-detection-cores=2' # Set DPI cores - list options '-j /tmp/netifyd-flows.json' # Local JSON export - list options '-v' # Verbose logging - - # Manual interfaces: - list internal_if 'br-lan' - list external_if 'br-wan' -``` - -## Usage - -### Command Line - -```bash -# Show version and features -netifyd -V - -# Show running status -netifyd -s - -# Show agent UUID -netifyd -p - -# Test configuration -netifyd -t - -# Enable cloud sink -netifyd --enable-sink - -# Disable cloud sink -netifyd --disable-sink -``` - -### Service Control - -```bash -# Start service -/etc/init.d/netifyd start - -# Stop service -/etc/init.d/netifyd stop - -# Restart service -/etc/init.d/netifyd restart - -# Check status -/etc/init.d/netifyd status - -# Enable auto-start -/etc/init.d/netifyd enable - -# Disable auto-start 
-/etc/init.d/netifyd disable -``` - -### Monitoring - -```bash -# View status JSON -cat /var/run/netifyd/status.json | jq . - -# Check running process -ps | grep netifyd - -# View logs -logread | grep netifyd - -# Check socket -ls -la /var/run/netifyd/ -``` - -## Integration with SecuBox - -This package integrates seamlessly with `luci-app-secubox-netifyd`: - -```bash -# Install both packages -opkg install netifyd luci-app-secubox-netifyd - -# Access web interface -# Navigate to: Services > Netifyd Dashboard -``` - -## Data Export - -### Cloud Export (Netify.ai) - -```bash -# Enable cloud sink -netifyd --enable-sink - -# Check sink status -netifyd -s | grep sink - -# View data at: https://dashboard.netify.ai -``` - -### Local Export - -```bash -# Configure local JSON export -uci add_list netifyd.default.options='-j /tmp/netifyd-flows.json' -uci commit netifyd -/etc/init.d/netifyd restart - -# View local data -cat /tmp/netifyd-flows.json | jq . -``` - -### Socket Export - -```bash -# Connect to Unix socket -socat - UNIX-CONNECT:/var/run/netifyd/netifyd.sock - -# Or TCP socket (if enabled) -nc localhost 7150 -``` - -## Troubleshooting - -### Service Won't Start - -```bash -# Check configuration -netifyd -t - -# Check interfaces -ip link show - -# Check kernel modules -lsmod | grep nf_conntrack - -# View detailed logs -logread -f | grep netifyd & -/etc/init.d/netifyd start -``` - -### No Flow Data - -```bash -# Verify netifyd is running -ps | grep netifyd - -# Check status -netifyd -s - -# Verify interfaces are up -ifconfig - -# Check conntrack -cat /proc/net/nf_conntrack | wc -l -``` - -### High CPU/Memory Usage - -```bash -# Reduce detection threads -uci add_list netifyd.default.options='--thread-detection-cores=1' - -# Disable conntrack thread -uci add_list netifyd.default.options='-t' - -# Limit max flows -# Edit /etc/netifyd.conf: -# flow-max = 10000 - -# Restart service -uci commit netifyd -/etc/init.d/netifyd restart -``` - -### Permission Issues - -```bash -# 
Check directories -ls -la /var/run/netifyd/ -ls -la /etc/netify.d/ - -# Fix permissions -chmod 755 /var/run/netifyd -chmod 755 /etc/netify.d - -# Recreate directories if needed -rm -rf /var/run/netifyd -/etc/init.d/netifyd start -``` - -## Performance Tuning - -### For Low-End Devices (< 256MB RAM) - -```bash -# Minimal configuration -uci set netifyd.default.options='-t' -uci add_list netifyd.default.options='--thread-detection-cores=1' - -# Edit /etc/netifyd.conf: -flow-max = 5000 -flow-expiry = 60 -``` - -### For High-End Devices (> 512MB RAM) - -```bash -# Maximum performance -uci add_list netifyd.default.options='--thread-detection-cores=4' - -# Edit /etc/netifyd.conf: -flow-max = 65536 -flow-expiry = 300 -``` - -## File Locations - -- **Binary:** `/usr/sbin/netifyd` -- **Configuration:** `/etc/netifyd.conf` -- **UCI Config:** `/etc/config/netifyd` -- **Init Script:** `/etc/init.d/netifyd` -- **Runtime Data:** `/var/run/netifyd/` -- **Persistent Data:** `/etc/netify.d/` -- **Status File:** `/var/run/netifyd/status.json` -- **Socket:** `/var/run/netifyd/netifyd.sock` - -## Build Options - -### Compile-Time Options - -In `make menuconfig`, configure: - -``` -Network > netifyd - [*] Enable local flow export - [ ] Enable plugin support - [ ] Enable sink plugins - [ ] Enable debug output - [*] Auto-start on boot -``` - -### Minimal Build - -For smallest size, disable optional features: - -```bash -# Edit Makefile CONFIGURE_ARGS: ---disable-plugins ---disable-sink-plugins ---enable-lean-and-mean -``` - -## Security Considerations - -- Netifyd requires raw packet capture capabilities -- Runs as root by default (required for packet capture) -- Cloud sink transmits flow metadata to Netify.ai -- Local Unix socket has 755 permissions by default -- Consider firewall rules if exposing TCP socket - -## Updates - -To update to a newer version: - -```bash -# Edit Makefile -PKG_VERSION:=5.x.x -PKG_HASH:= - -# Rebuild -make package/secubox/secubox-app-netifyd/{clean,compile} 
-``` - -## Support - -- **Netify.ai:** https://www.netify.ai/ -- **Documentation:** https://www.netify.ai/resources -- **GitHub:** https://github.com/eglooca/netifyd -- **SecuBox Issues:** [Your repository] - -## License - -This package is licensed under GPL-3.0-or-later, same as upstream netifyd. - -## Credits - -- **Upstream:** eGloo Incorporated (Netify.ai) -- **OpenWrt Package:** CyberMind.fr (SecuBox Integration) -- **Original OpenWrt Package:** OpenWrt Packages Team - -## Changelog - -### 5.2.1-1 (2025-01-05) -- Updated to official netifyd 5.2.1 -- Complete repackage for SecuBox integration -- Enhanced init script with auto-detection -- Improved configuration helpers -- Added comprehensive documentation -- Optimized for embedded systems diff --git a/package/secubox/secubox-app-netifyd/SDK-LIMITATION.md b/package/secubox/secubox-app-netifyd/SDK-LIMITATION.md deleted file mode 100644 index e9f60ae..0000000 --- a/package/secubox/secubox-app-netifyd/SDK-LIMITATION.md +++ /dev/null 
@@ -1,78 +0,0 @@ -# SDK Build Limitation for Netifyd - -## Issue - -Netifyd **cannot be built using the OpenWrt SDK** because it requires base system libraries that are not available in the SDK environment: - -- `libmnl` (Minimal Netlink library) -- `libnetfilter-conntrack` -- `libpcap` -- `libjson-c` -- Various kernel modules - -## Why This Happens - -The OpenWrt SDK is designed for building **application packages** that depend on already-compiled system libraries. Net - -ifyd is a **system-level daemon** with deep integration into the kernel networking stack, requiring libraries that must be compiled as part of the base system. - -## Solution - -### Build netifyd as part of firmware - -```bash -# Build full SecuBox firmware with netifyd included -./secubox-tools/local-build.sh build-firmware mochabin -``` - -Netifyd will be automatically included in firmware builds as it's configured in the firmware package list. - -### Alternative: Use Pre-Built Packages - -If you need standalone `.ipk` files, build them from a full firmware build: - -```bash -# After firmware build completes -find openwrt/bin/packages -name "netifyd*.ipk" -find openwrt/bin/packages -name "luci-app-secubox-netifyd*.ipk" -``` - -## Why SDK Builds Fail - -When you try `./secubox-tools/local-build.sh build netifyd`, it fails with: - -``` -configure: error: Package requirements (libmnl >= 1.0.3) were not met -``` - -This is because: -1. SDK doesn't include kernel-level libraries -2. SDK can't compile these libraries (they require full buildroot) -3. 
Netifyd's configure script can't find the required dependencies - -## Recommended Workflow - -**For Development:** -- Build firmware with netifyd: `./secubox-tools/local-build.sh build-firmware x86-64` -- Extract netifyd IPK from `openwrt/bin/packages` -- Install on device for testing - -**For Production:** -- Always include netifyd in firmware images -- Distributed as part of complete SecuBox firmware - -## Technical Details - -Netifyd requires these system components: -- **Kernel modules:** nf_conntrack, nfnetlink, etc. -- **System libraries:** Built against specific libc (musl/glibc) -- **Headers:** Kernel headers for netlink/conntrack -- **Build tools:** Full autotools, pkg-config with system library paths - -The SDK provides none of these - it only provides a cross-compilation toolchain and application-level library stubs. - -## See Also - -- [BUILD-INSTRUCTIONS.md](BUILD-INSTRUCTIONS.md) - Full build instructions -- [INTEGRATION.md](INTEGRATION.md) - Integration with SecuBox -- OpenWrt docs on SDK limitations: https://openwrt.org/docs/guide-developer/toolchain/using_the_sdk diff --git a/package/secubox/secubox-app-netifyd/files/functions.sh b/package/secubox/secubox-app-netifyd/files/functions.sh deleted file mode 100755 index 520876d..0000000 --- a/package/secubox/secubox-app-netifyd/files/functions.sh +++ /dev/null 
@@ -1,150 +0,0 @@ -#!/bin/sh -# -# Netifyd Helper Functions -# Copyright (C) 2016-2025 eGloo Incorporated -# Copyright (C) 2025 CyberMind.fr (SecuBox Integration) -# - -# Load required kernel modules -load_modules() { - # Netfilter connection tracking - [ -d /sys/module/nf_conntrack ] || { - modprobe nf_conntrack 2>/dev/null || { - # Try older module name - modprobe ip_conntrack 2>/dev/null - } - } - - # IPv6 connection tracking - [ -d /sys/module/nf_conntrack_ipv6 ] || { - modprobe nf_conntrack_ipv6 2>/dev/null - } - - # Netfilter netlink - [ -d /sys/module/nfnetlink ] || { - modprobe nfnetlink 2>/dev/null - } - - # Connection tracking netlink - [ -d /sys/module/nf_conntrack_netlink ] || { - modprobe nf_conntrack_netlink 2>/dev/null - } - - return 0 -} - -# Check if netifyd is running -is_running() { - pidof netifyd >/dev/null 2>&1 - return $? -} - -# Get netifyd PID -get_pid() { - pidof netifyd -} - -# Get netifyd version -get_version() { - netifyd -V 2>/dev/null | head -n1 | awk '{print $NF}' -} - -# Get netifyd UUID -get_uuid() { - netifyd -p 2>/dev/null | tr -d '\n' -} - -# Test network interface -test_interface() { - local iface="$1" - [ -z "$iface" ] && return 1 - [ -d "/sys/class/net/$iface" ] && return 0 - return 1 -} - -# Get interface list -get_interfaces() { - ls -1 /sys/class/net/ 2>/dev/null | grep -v "^lo$" -} - -# Detect LAN interfaces -detect_lan_interfaces() { - local ifaces="" - - # Common LAN interface names - for iface in br-lan eth0 lan0 eth0.1; do - test_interface "$iface" && { - ifaces="$ifaces $iface" - break - } - done - - echo "$ifaces" -} - -# Detect WAN interfaces -detect_wan_interfaces() { - local ifaces="" - - # Common WAN interface names - for iface in br-wan eth1 wan eth0.2 ppp0 pppoe-wan; do - test_interface "$iface" && { - ifaces="$ifaces $iface" - break - } - done - - echo "$ifaces" -} - -# Auto-detect interfaces and build command line options -auto_detect_options() { - local options="" - - # Detect LAN - local 
lan_ifaces=$(detect_lan_interfaces) - for iface in $lan_ifaces; do - options="$options -I $iface" - done - - # Detect WAN - local wan_ifaces=$(detect_wan_interfaces) - for iface in $wan_ifaces; do - options="$options -E $iface" - done - - echo "$options" -} - -# Check if netifyd configuration is valid -check_config() { - local config_file="/etc/netifyd.conf" - - [ ! -f "$config_file" ] && { - echo "Error: Configuration file not found: $config_file" - return 1 - } - - # Basic syntax check - grep -q "^\[" "$config_file" && return 0 - - echo "Warning: Configuration file may be invalid" - return 1 -} - -# Get interface statistics -get_interface_stats() { - local iface="$1" - - [ -z "$iface" ] && return 1 - [ ! -d "/sys/class/net/$iface" ] && return 1 - - local rx_bytes=$(cat "/sys/class/net/$iface/statistics/rx_bytes" 2>/dev/null || echo 0) - local tx_bytes=$(cat "/sys/class/net/$iface/statistics/tx_bytes" 2>/dev/null || echo 0) - local rx_packets=$(cat "/sys/class/net/$iface/statistics/rx_packets" 2>/dev/null || echo 0) - local tx_packets=$(cat "/sys/class/net/$iface/statistics/tx_packets" 2>/dev/null || echo 0) - - echo "Interface: $iface" - echo " RX: $rx_bytes bytes ($rx_packets packets)" - echo " TX: $tx_bytes bytes ($tx_packets packets)" -} diff --git a/package/secubox/secubox-app-netifyd/files/netifyd.config b/package/secubox/secubox-app-netifyd/files/netifyd.config deleted file mode 100644 index d1f03cb..0000000 --- a/package/secubox/secubox-app-netifyd/files/netifyd.config +++ /dev/null 
@@ -1,28 +0,0 @@ - -config netifyd 'default' - option enabled '1' - - # Enable auto-configuration for interfaces (internal/external) - # Disable this if you want manual control - option autoconfig '1' - - # Supplementary options (examples): - # Disable connection tracking thread: -t - # Set detection cores: --thread-detection-cores=2 - # Enable verbose logging: -v - # Export to local JSON: -j /tmp/netifyd-flows.json - #list options '-t' - #list options '--thread-detection-cores=2' - #list options '-j /tmp/netifyd-flows.json' - - # Manual configuration of internal interfaces (LAN) - # Format: interface_name [options] - # Example: Filter out SSDP traffic - #list internal_if 'br-lan -F "not (udp and dst 239.255.255.250 and dst port 1900)"' - #list internal_if 'eth0 -A 192.168.1.0/24' - - # Manual configuration of external interfaces (WAN) - # Format: interface_name [options] - #list external_if 'br-wan' - #list external_if 'eth1' - #list external_if 'ppp0 -N eth2' diff --git a/package/secubox/secubox-app-netifyd/files/netifyd.init b/package/secubox/secubox-app-netifyd/files/netifyd.init deleted file mode 100755 index 0554c8d..0000000 --- a/package/secubox/secubox-app-netifyd/files/netifyd.init +++ /dev/null 
@@ -1,152 +0,0 @@ -#!/bin/sh /etc/rc.common -# -# Copyright (C) 2016-2025 eGloo Incorporated -# Copyright (C) 2025 CyberMind.fr (SecuBox Integration) -# -# This is free software, licensed under the GNU General Public License v2. - -START=50 -STOP=50 - -USE_PROCD=1 -PROG=/usr/sbin/netifyd - -function append_params() { - procd_append_param command "$@" -} - -function append_ifopts() { - local filter=0 - local filter_expr= - - for a in $1; do - case $a in - -F|--device-filter) - filter=1 - procd_append_param command "$a" - ;; - -*) - if [ $filter -gt 0 ]; then - procd_append_param command "${filter_expr#\ }" - filter=0; filter_expr= - fi - procd_append_param command "$a" - ;; - *) - if [ $filter -gt 0 ]; then - a=${a#\"}; a=${a%\"}; a=${a#\'}; a=${a%\'} - filter_expr="$filter_expr $a" - else - procd_append_param command "$a" - fi - esac - done - - if [ $filter -gt 0 ]; then - procd_append_param command "${filter_expr#\ }" - fi -} - -function append_internal_if() { - append_ifopts "-I $@" -} - -function append_external_if() { - append_ifopts "-E $@" -} - -start_netifyd() { - local autoconfig enabled instance options - - instance="$1" - config_get_bool enabled "$instance" enabled 0 - [ "$enabled" -eq 0 ] && return 0 - - # Load kernel modules if needed - [ -f /usr/share/netifyd/functions.sh ] && { - . 
/usr/share/netifyd/functions.sh - load_modules - } - - procd_open_instance - procd_set_param file /etc/netifyd.conf - procd_set_param term_timeout 30 - procd_set_param respawn 3600 15 0 - procd_set_param command $PROG -R - procd_set_param stdout 1 - procd_set_param stderr 1 - - # Add custom options - config_list_foreach "$instance" options append_params - - # Auto-detect interfaces if enabled - config_get_bool autoconfig "$instance" autoconfig 1 - - if [ "$autoconfig" -gt 0 ]; then - NETIFYD_AUTODETECT=yes - options="$(auto_detect_options)" - [ -n "$options" ] && procd_append_param command $options - fi - - # Manual interface configuration - config_list_foreach "$instance" internal_if append_internal_if - config_list_foreach "$instance" external_if append_external_if - - procd_close_instance -} - -start_service() { - # Ensure directories exist - [ ! -d /var/run/netifyd ] && mkdir -p /var/run/netifyd - [ ! -d /etc/netify.d ] && mkdir -p /etc/netify.d - - # Set permissions - chmod 755 /var/run/netifyd - chmod 755 /etc/netify.d - - # Load configuration - config_load netifyd - config_foreach start_netifyd netifyd -} - -stop_service() { - # Cleanup - rm -f /var/run/netifyd/*.pid 2>/dev/null -} - -reload_service() { - procd_send_signal netifyd -} - -service_triggers() { - procd_add_reload_trigger "netifyd" -} - -# Auto-detect internal/external interfaces -auto_detect_options() { - local options="" - local internal="" - local external="" - - # Try to detect LAN interface (br-lan or eth0) - if [ -d "/sys/class/net/br-lan" ]; then - internal="br-lan" - elif [ -d "/sys/class/net/eth0" ]; then - internal="eth0" - fi - - # Try to detect WAN interface - if [ -d "/sys/class/net/br-wan" ]; then - external="br-wan" - elif [ -d "/sys/class/net/eth1" ]; then - external="eth1" - elif [ -d "/sys/class/net/wan" ]; then - external="wan" - fi - - # Build options - [ -n "$internal" ] && options="$options -I $internal" - [ -n "$external" ] && options="$options -E $external" - - echo 
"$options" -} diff --git a/package/secubox/secubox-app-netifyd/patches/001-fix-inline-static-maps.patch b/package/secubox/secubox-app-netifyd/patches/001-fix-inline-static-maps.patch deleted file mode 100644 index 9de9fd9..0000000 --- a/package/secubox/secubox-app-netifyd/patches/001-fix-inline-static-maps.patch +++ /dev/null @@ -1,49 +0,0 @@ ---- a/include/nd-risks.hpp -+++ b/include/nd-risks.hpp -@@ -97,7 +97,7 @@ enum class Id : uint32_t { - TODO = 0xffffffff - }; - --const std::unordered_map Tags = { -+inline const std::unordered_map Tags = { - { Id::NONE, "None" }, - - { Id::ANONYMOUS_SUBSCRIBER, "Anonymous Subscriber" }, -@@ -174,7 +174,7 @@ inline Id GetId(const std::string &name - - namespace nDPI { - --const std::unordered_map Risks = { -+inline const std::unordered_map Risks = { - { NDPI_ANONYMOUS_SUBSCRIBER, Id::ANONYMOUS_SUBSCRIBER }, - { NDPI_BINARY_APPLICATION_TRANSFER, Id::BINARY_APPLICATION_TRANSFER }, - { NDPI_BINARY_DATA_TRANSFER, Id::BINARY_DATA_TRANSFER }, ---- a/include/nd-protos.hpp -+++ b/include/nd-protos.hpp -@@ -469,7 +469,7 @@ enum class Id : uint16_t { - CUSTOM_1024 = 1024, - }; - --const std::unordered_map Tags = { -+inline const std::unordered_map Tags = { - { Id::AFP, "AFP" }, - { Id::AJP, "AJP" }, - { Id::ALICLOUD, "Alibaba/Cloud" }, -@@ -773,7 +773,7 @@ const std::unordered_map Twins = { -+inline const std::unordered_map Twins = { - { Id::APPLE_PUSH, "netify.apple-push" }, - { Id::AVAST, "netify.avast" }, - { Id::BITCOIN, "netify.bitcoin" }, -@@ -819,7 +819,7 @@ const std::unordered_map>, ndEnumHasher> PortMap = { -+inline const std::unordered_map>, ndEnumHasher> PortMap = { - { Id::TLS, - { - { 53, Id::DOT }, diff --git a/package/secubox/secubox-app-netifyd/patches/002-fix-ndpi-example-linking.patch b/package/secubox/secubox-app-netifyd/patches/002-fix-ndpi-example-linking.patch deleted file mode 100644 index 00dd451..0000000 --- a/package/secubox/secubox-app-netifyd/patches/002-fix-ndpi-example-linking.patch +++ /dev/null 
@@ -1,20 +0,0 @@ ---- a/libs/ndpi/example/Makefile.in -+++ b/libs/ndpi/example/Makefile.in -@@ -48,6 +48,8 @@ - - CFLAGS+=-pthread - -+LIBS_NO_NDPI := $(filter-out $(LIBNDPI),$(LIBS)) -+ - all: ndpiReader$(EXE_SUFFIX) @DPDK_TARGET@ - - EXECUTABLE_SOURCES := ndpiReader.c ndpiSimpleIntegration.c -@@ -57,7 +59,7 @@ - $(AR) rsv libndpiReader.a $(COMMON_SOURCES:%.c=%.o) - - ndpiReader$(EXE_SUFFIX): libndpiReader.a $(LIBNDPI) ndpiReader.o -- $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o libndpiReader.a $(LIBS) -o $@ -+ $(CC) $(CFLAGS) $(LDFLAGS) ndpiReader.o -Wl,--start-group libndpiReader.a $(LIBNDPI) -Wl,--end-group $(LIBS_NO_NDPI) -o $@ - - ndpiSimpleIntegration$(EXE_SUFFIX): ndpiSimpleIntegration.o - $(CC) $(CFLAGS) $(LDFLAGS) $< $(LIBS) -o $@ diff --git a/package/secubox/secubox-app-netifyd/test-build.sh b/package/secubox/secubox-app-netifyd/test-build.sh deleted file mode 100755 index a3c5ac9..0000000 --- a/package/secubox/secubox-app-netifyd/test-build.sh +++ /dev/null 
@@ -1,157 +0,0 @@ -#!/bin/bash -# -# Netifyd Build Test Script -# Tests the netifyd package build process -# - -set -e - -SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -OPENWRT_ROOT="$(cd "$SCRIPT_DIR/../../.." && pwd)" - -echo "================================" -echo "Netifyd 5.2.1 Build Test" -echo "================================" -echo "" -echo "OpenWrt Root: $OPENWRT_ROOT" -echo "Package Dir: $SCRIPT_DIR" -echo "" - -# Check if we're in OpenWrt buildroot -if [ ! -f "$OPENWRT_ROOT/rules.mk" ]; then - echo "ERROR: Not in OpenWrt buildroot" - echo "Please run this script from the OpenWrt tree" - exit 1 -fi - -cd "$OPENWRT_ROOT" - -echo "Step 1: Checking dependencies..." -echo "================================" - -# Check for required tools -for tool in make gcc g++ wget tar patch; do - if ! command -v $tool &> /dev/null; then - echo "ERROR: Required tool not found: $tool" - exit 1 - fi - echo " ✓ $tool" -done - -echo "" -echo "Step 2: Updating feeds..." -echo "================================" -./scripts/feeds update -a || true -./scripts/feeds install -a || true - -echo "" -echo "Step 3: Checking package configuration..." -echo "================================" - -if [ ! -f "$SCRIPT_DIR/Makefile" ]; then - echo "ERROR: Makefile not found" - exit 1 -fi -echo " ✓ Makefile exists" - -if [ ! -f "$SCRIPT_DIR/files/netifyd.init" ]; then - echo "ERROR: Init script not found" - exit 1 -fi -echo " ✓ Init script exists" - -if [ ! -f "$SCRIPT_DIR/files/netifyd.config" ]; then - echo "ERROR: Config file not found" - exit 1 -fi -echo " ✓ Config file exists" - -echo "" -echo "Step 4: Preparing build..." -echo "================================" - -# Ensure menuconfig has been run -if [ ! -f ".config" ]; then - echo "WARNING: .config not found, running defconfig..." - make defconfig -fi - -echo "" -echo "Step 5: Downloading source..." 
-echo "================================" -make package/secubox/secubox-app-netifyd/download V=s - -echo "" -echo "Step 6: Checking source..." -echo "================================" -if [ -f "dl/netifyd-5.2.1.tar.gz" ]; then - echo " ✓ Source downloaded successfully" - ls -lh dl/netifyd-5.2.1.tar.gz -else - echo "ERROR: Source not downloaded" - exit 1 -fi - -echo "" -echo "Step 7: Cleaning previous build..." -echo "================================" -make package/secubox/secubox-app-netifyd/clean V=s - -echo "" -echo "Step 8: Building package..." -echo "================================" -echo "This may take several minutes..." -echo "" - -if make package/secubox/secubox-app-netifyd/compile V=s; then - echo "" - echo "================================" - echo "BUILD SUCCESSFUL!" - echo "================================" - echo "" - - # Find built package - PKG_FILE=$(find bin/packages -name "netifyd_5.2.1-*.ipk" 2>/dev/null | head -1) - - if [ -n "$PKG_FILE" ]; then - echo "Package built successfully:" - ls -lh "$PKG_FILE" - echo "" - echo "Install with:" - echo " scp $PKG_FILE root@router:/tmp/" - echo " ssh root@router 'opkg install /tmp/$(basename $PKG_FILE)'" - else - echo "WARNING: Package file not found in bin/packages" - fi - -else - echo "" - echo "================================" - echo "BUILD FAILED!" - echo "================================" - echo "" - echo "Check the build log above for errors" - exit 1 -fi - -echo "" -echo "Step 9: Verifying package contents..." -echo "================================" - -if [ -n "$PKG_FILE" ]; then - echo "Package contents:" - tar -tzf "$PKG_FILE" 2>/dev/null | head -20 - echo " ... (showing first 20 files)" -fi - -echo "" -echo "================================" -echo "Build test completed successfully!" -echo "================================" -echo "" -echo "Next steps:" -echo "1. Install package on target device" -echo "2. Run: /etc/init.d/netifyd start" -echo "3. Check status: netifyd -s" -echo "4. 
View dashboard: luci-app-secubox-netifyd" -echo "" diff --git a/package/secubox/secubox-crowdsec-setup/Makefile b/package/secubox/secubox-crowdsec-setup/Makefile index e002502..d959674 100644 --- a/package/secubox/secubox-crowdsec-setup/Makefile +++ b/package/secubox/secubox-crowdsec-setup/Makefile @@ -20,13 +20,13 @@ define Package/secubox-crowdsec-setup CATEGORY:=SecuBox SUBMENU:=Security TITLE:=SecuBox CrowdSec Setup Utility - DEPENDS:=+crowdsec +crowdsec-firewall-bouncer-nftables +syslog-ng4 + DEPENDS:=+crowdsec +crowdsec-firewall-bouncer +syslog-ng PKGARCH:=all endef define Package/secubox-crowdsec-setup/description Script d'installation automatisee de CrowdSec pour SecuBox. - Configure syslog-ng4 pour le forwarding des logs vers CrowdSec, + Configure syslog-ng pour le forwarding des logs vers CrowdSec, installe les collections de securite, et configure le bouncer nftables pour fw4. endef diff --git a/secubox-tools/local-build.sh b/secubox-tools/local-build.sh index 2dd1ba6..05e554b 100755 --- a/secubox-tools/local-build.sh +++ b/secubox-tools/local-build.sh @@ -44,7 +44,7 @@ SDK_PATH="mvebu/cortexa72" declare -A DEVICE_PROFILES=( ["espressobin-v7"]="mvebu:cortexa53:globalscale_espressobin:ESPRESSObin V7 (1-2GB DDR4)" ["espressobin-ultra"]="mvebu:cortexa53:globalscale_espressobin-ultra:ESPRESSObin Ultra (PoE, WiFi)" - ["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)" + # ["sheeva64"]="mvebu:cortexa53:globalscale_sheeva64:Sheeva64 (Plug computer)" # Disabled ["mochabin"]="mvebu:cortexa72:globalscale_mochabin:MOCHAbin (Quad-core A72, 10G)" ["x86-64"]="x86:64:generic:x86_64 Generic PC" ) @@ -1468,7 +1468,7 @@ CONFIG_PACKAGE_kmod-sfp=y CONFIG_PACKAGE_kmod-phy-marvell-10g=y EOF ;; - espressobin-ultra|sheeva64) + espressobin-ultra) cat >> .config << EOF # WiFi support 
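Review bot: In the local-build.sh hunk at `@@ -44,7 +44,7 @@`, the sheeva64 entry of `DEVICE_PROFILES` is kept as a commented-out array element with a bare `# Disabled` tag, whereas the case arm at `@@ -1468,7 +1468,7 @@` and the help text at `@@ -1862,7 +1862,6 @@` drop the device outright. A dead profile line in the device table tends to be re-enabled later without anyone knowing why it was turned off, and it leaves the three places that define a device out of step with each other. Either delete the line to match the other two hunks, or replace the tag with a comment that records the reason and what re-enabling requires, for example `# sheeva64 disabled: <reason / tracking issue>; re-enable together with the case arm (~line 1468) and the help text`.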
@@ -1862,7 +1862,6 @@ ARCHITECTURES (for package building): DEVICES (for firmware building): espressobin-v7 ESPRESSObin V7 (1-2GB DDR4) espressobin-ultra ESPRESSObin Ultra (PoE, WiFi) - sheeva64 Sheeva64 (Plug computer) mochabin MOCHAbin (Quad-core A72, 10G) x86-64 x86_64 Generic PC