Skip to content

V3 to v4 crs #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jsrobinson3 merged 4 commits into from
Mar 5, 2026
Merged

V3 to v4 crs #9

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9fc1c23
Resolve older crs v3 issues
jsrobinson3 Mar 4, 2026
aa52378
Add SSH Login iNSight dashboard and fix CRS exclusion load order
jsrobinson3 Mar 5, 2026
a4156e3
Remove static CRS v3 rule files, refactor WAF modules, fix ruff lint
jsrobinson3 Mar 5, 2026
ceaedc7
Merge branch 'main' into v3-to-v4-crs
jsrobinson3 Mar 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 11 additions & 12 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ pip install -e .
|----|-------------------|--------|
| Ubuntu 24.04 LTS | v44.x | Tested |
| Ubuntu 22.04 LTS | v44.x | Tested |
| Ubuntu 20.04 LTS | v44.x | Binary/.deb only |
| Ubuntu 20.04 LTS | v44.x | Source Only |

Other Debian-based distributions may work but are untested. Contributions and test reports for additional platforms are welcome.

Expand Down Expand Up @@ -97,9 +97,11 @@ sudo nssec waf enable

The WAF module includes:
- OWASP CRS v4 with paranoia level 1 (low false positive rate)
- NetSapiens exclusion rules for admin UI, ns-api, SiPbx, NqsProxy, and iNSight health checks
- NetSapiens exclusion rules for admin UI, ns-api, SiPbx, NqsProxy, portal login, phone provisioning, iNSight health checks, and localhost traffic
- CRS tuning for allowed HTTP methods and content types used by NetSapiens

WAF rule templates (exclusions and CRS setup overrides) are defined in `src/nssec/modules/waf/config.py` and deployed to `/etc/modsecurity/` by `nssec waf init`.

### Path Restrictions (.htaccess)

Restrict access to sensitive NetSapiens paths (admin UI, API, NDP, recording) using `.htaccess` IP allowlists:
Expand Down Expand Up @@ -167,24 +169,21 @@ Start with `standard` and review the Apache API Usage dashboard and mod_evasive

| Component | Core | NDP | Recording | QoS |
|-----------|:----:|:---:|:---------:|:---:|
| WAF — Admin UI | Yes | — | — | — |
| WAF — Endpoints | — | Yes | — | — |
| WAF — Large Upload | — | — | Yes | — |
| WAF | Yes | Yes | Yes | Yes |
| mTLS Provisioning | — | Yes | — | — |
| MySQL Hardening | Yes | — | — | — |

## Grafana Dashboards & Insight Templates
| MySQL Hardening | Yes | Yes | Yes | Yes |

Pre-built dashboards are available for import into your Grafana/iNSight instance:
## iNSight Templates

**Dashboards** (`dashboards/`):
- `security/apacheHttpServerLogs.json` — Apache error and access logs with HTTP status breakdown
Pre-built dashboards for import into your iNSight/Grafana instance (`insight/`):

**Insight Templates** (`insight/`):
- `api.json` — API v1/v2 request rate monitoring (Prometheus)
- `apacheApiUsage.json` — Apache access log analysis by IP and path (Loki)
- `modsecurityWaf.json` — ModSecurity WAF event analysis: severity, attacking IPs, triggered rules, targeted URIs (Loki)
- `modEvasive.json` — mod_evasive HTTP flood protection: blocked IPs, block rate, repeat offenders (Loki)
- `sshLogin.json` — SSH login monitor: failed/successful logins, brute-force source IPs, targeted usernames (Loki)

![WAF iNSight Dashboard](docs/img/waf-insight.png)

## Related Projects

Expand Down
Binary file added docs/img/waf-insight.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading