
Fine tuning #7

Merged
jsrobinson3 merged 7 commits into main from fineTuning
Feb 27, 2026

Conversation

jsrobinson3 (Owner) commented Feb 27, 2026

Summary

  • mod_evasive (HTTP flood protection): nssec waf evasive enable/disable/status with standard and strict profiles, RFC 1918 whitelisting, structured logging for Loki/Grafana ingestion, and
    a pre-built Grafana insight dashboard (modEvasive.json)
  • mTLS allowlist management: nssec mtls allowlist show/add/remove to manage IPs in the mTLS RequireAny block; nssec mtls nodeping fetch to sync NodePing monitoring IPs
  • .htaccess IP restrictions: nssec waf restrict init/show/add/remove/reapply to automate IP allowlists on sensitive NetSapiens paths (SiPbx Admin UI, ns-api, NDP, LiCf Recording) per the
    NS "Securing Your System" guide. IP cache at /etc/nssec/restrict-ips.json survives NS package upgrades
  • Bug fixes — Python 3.8/3.9 compat (from __future__ import annotations), mod_evasive decoupled from WAF mode so it can be toggled independently

New CLI commands

| Command | Description |
|---|---|
| nssec waf evasive enable [--profile standard\|strict] | Enable mod_evasive with tuned thresholds |
| nssec waf evasive disable | Disable mod_evasive |
| nssec waf evasive status | Show mod_evasive state and active profile |
| nssec waf restrict init [--ip IP] | Create .htaccess restrictions (interactive or CLI) |
| nssec waf restrict show | Show restriction status per protected path |
| nssec waf restrict add IP | Add IP to all managed .htaccess files |
| nssec waf restrict remove IP | Remove IP from managed .htaccess files |
| nssec waf restrict reapply | Re-deploy from cache after NS upgrades |
| nssec mtls allowlist show | Show mTLS allowlisted IPs |
| nssec mtls allowlist add IP | Add IP to mTLS allowlist |
| nssec mtls allowlist remove IP | Remove IP from mTLS allowlist |
| nssec mtls nodeping fetch | Fetch and update NodePing probe IPs |

Test plan

  • 178 unit tests passing
  • nssec waf restrict init on Core, NDP, and Combo servers
  • nssec waf restrict reapply after simulated NS upgrade
  • nssec waf evasive enable --profile standard and verify thresholds in config
  • nssec mtls allowlist add/remove on NDP server
  • Verify mod_evasive Grafana dashboard imports cleanly

jsrobinson3 and others added 7 commits February 27, 2026 20:21

- mod_evasive now independently enabled/disabled via `waf evasive enable/disable`
  with standard (high threshold) and strict profiles
- Add DOSSystemCommand structured logging for Loki ingestion
- Add Grafana insight dashboard for mod_evasive block events
- Add `mtls allowlist show/add/remove` commands to manage all IPs
  in the mTLS RequireAny block (NodePing-managed IPs are protected)
- Update docs and README with mod_evasive profiles and commands

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Previously, existing IPs found in one .htaccess (e.g. NDP) were only
merged into that file. SiPbx and LiCf would get just 127.0.0.1.
Now collect_existing_ips() gathers IPs from all targets + cache upfront
so every file gets the same full set.

Also adds future annotations to mtls_commands for Python 3.8/3.9 compat.

Replace single-line click.prompt with a loop that reads one IP per line
until a blank line. Pasting multiple IPs on separate lines now works
instead of spilling into subsequent confirm prompts.
jsrobinson3 merged commit 5e789c4 into main Feb 27, 2026
2 checks passed
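As an added example, not the project's own code: a hypothetical Python reimplementation of the collect_existing_ips behaviour the commits describe, which unions the `Require ip` entries of every managed .htaccess with the JSON cache and any newly supplied IPs so that each file is rendered from the same full set (rather than only the file an IP was found in). The paths, .htaccess bodies, cache contents and addresses are constructed.

```python
"""Union of allowlisted IPs across every managed .htaccess and the JSON cache.
Hypothetical re-implementation of the behaviour described in the PR, not the
project's code; the .htaccess bodies and cache below are constructed."""
from __future__ import annotations  # Python 3.8/3.9 compat, as in the PR
import ipaddress
import json
import re
from typing import Dict, Iterable, List

# Apache 2.4 mod_authz_core: one "Require ip" line may carry several hosts/CIDRs.
_REQUIRE_IP = re.compile(r"^\s*Require\s+ip\s+(.+?)\s*$", re.I | re.M)

def _norm(token: str) -> str:
    """Canonical text: bare host for /32 or /128, CIDR otherwise; raises on junk."""
    net = ipaddress.ip_network(token, strict=False)
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def parse_require_ip(htaccess: str) -> List[str]:
    """Every address on 'Require ip' lines, normalised, in first-seen order."""
    seen: List[str] = []
    for line in _REQUIRE_IP.findall(htaccess):
        for tok in line.split():
            if _norm(tok) not in seen:
                seen.append(_norm(tok))
    return seen

def collect_existing_ips(targets: Dict[str, str], cache_json: str,
                         extra: Iterable[str] = ()) -> List[str]:
    """Sorted union over all targets, the cache and newly supplied IPs.
    127.0.0.1 is always kept so local NS components retain access, and the
    same list serves every target (the fix: an IP found only in NDP's file
    used to stay there while SiPbx and LiCf got just loopback)."""
    ips = {"127.0.0.1"}
    for body in targets.values():
        ips.update(parse_require_ip(body))
    ips.update(_norm(ip) for ip in json.loads(cache_json).get("ips", []))
    ips.update(_norm(ip) for ip in extra)  # ValueError stops a typo reaching a file
    return sorted(ips, key=lambda s: (ipaddress.ip_network(s, strict=False).version,
                                      ipaddress.ip_network(s, strict=False)))

def render_htaccess(ips: List[str]) -> str:
    """Apache 2.4 block admitting exactly the given addresses."""
    return "<RequireAny>\n    Require ip " + " ".join(ips) + "\n</RequireAny>\n"

# Constructed state: NDP already had one IP, SiPbx only loopback, LiCf nothing.
TARGETS = {"/ndp/.htaccess": "Require ip 127.0.0.1 203.0.113.10\n",
           "/sipbx/.htaccess": "<RequireAny>\n  Require ip 127.0.0.1\n</RequireAny>\n",
           "/licf/.htaccess": "# no restrictions yet\n"}
CACHE = json.dumps({"ips": ["198.51.100.0/24"]})
```

Rendering `render_htaccess(collect_existing_ips(TARGETS, CACHE))` for each path in TARGETS yields an identical block, which is the invariant the second commit restores.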