securenow 5.10.1 → 5.11.0

package/firewall-iptables.js

@@ -0,0 +1,139 @@
+'use strict';
+
+/**
+ * Layer 3: OS-level firewall via iptables/nftables.
+ * Manages a dedicated SECURENOW_BLOCK chain — never touches customer rules.
+ * Linux only, requires root or CAP_NET_ADMIN. Falls back gracefully otherwise.
+ */
+
+const { execSync } = require('child_process');
+const os = require('os');
+
+const CHAIN_NAME = 'SECURENOW_BLOCK';
+
+let _options = null;
+let _active = false;
+let _useNft = false;
+
+function exec(cmd) {
+  return execSync(cmd, { stdio: 'pipe', timeout: 10000 }).toString().trim();
+}
+
+function canRun(cmd) {
+  try { exec(cmd); return true; } catch { return false; }
+}
+
+function detectBackend() {
+  if (canRun('nft --version')) return 'nft';
+  if (canRun('iptables --version')) return 'iptables';
+  return null;
+}
+
+// ────── iptables backend ──────
+
+function iptablesSetup() {
+  try { exec(`iptables -N ${CHAIN_NAME}`); } catch (_) {} // chain may already exist
+  try { exec(`iptables -C INPUT -j ${CHAIN_NAME}`); } catch (_) {
+    exec(`iptables -I INPUT 1 -j ${CHAIN_NAME}`);
+  }
+}
+
+function iptablesSync(ips) {
+  exec(`iptables -F ${CHAIN_NAME}`);
+  for (const ip of ips) {
+    exec(`iptables -A ${CHAIN_NAME} -s ${ip} -j DROP`);
+  }
+}
+
+function iptablesCleanup() {
+  try { exec(`iptables -D INPUT -j ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`iptables -F ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`iptables -X ${CHAIN_NAME}`); } catch (_) {}
+}
+
+// ────── nftables backend ──────
+
+function nftSetup() {
+  try { exec(`nft list chain ip filter ${CHAIN_NAME}`); } catch (_) {
+    exec(`nft add chain ip filter ${CHAIN_NAME}`);
+  }
+  try { exec(`nft insert rule ip filter INPUT jump ${CHAIN_NAME}`); } catch (_) {}
+}
+
+function nftSync(ips) {
+  exec(`nft flush chain ip filter ${CHAIN_NAME}`);
+  for (const ip of ips) {
+    exec(`nft add rule ip filter ${CHAIN_NAME} ip saddr ${ip} drop`);
+  }
+}
+
+function nftCleanup() {
+  try { exec(`nft flush chain ip filter ${CHAIN_NAME}`); } catch (_) {}
+  try { exec(`nft delete chain ip filter ${CHAIN_NAME}`); } catch (_) {}
+}
+
+// ────── Public API ──────
+
+let _syncCallback = null;
+
+function init(options) {
+  _options = options;
+
+  if (os.platform() !== 'linux') {
+    if (_options.log) console.warn('[securenow] Firewall iptables: only supported on Linux, skipping');
+    return;
+  }
+
+  const backend = detectBackend();
+  if (!backend) {
+    if (_options.log) console.warn('[securenow] Firewall iptables: neither iptables nor nft found, skipping');
+    return;
+  }
+
+  _useNft = backend === 'nft';
+  const label = _useNft ? 'nftables' : 'iptables';
+
+  try {
+    if (_useNft) nftSetup(); else iptablesSetup();
+    _active = true;
+    if (_options.log) console.log('[securenow] Firewall iptables: %s chain %s ready', label, CHAIN_NAME);
+  } catch (e) {
+    if (_options.log) console.warn('[securenow] Firewall iptables: setup failed (need root or CAP_NET_ADMIN):', e.message);
+  }
+}
+
+/**
+ * Called by the firewall core after each successful blocklist sync.
+ * @param {string[]} ips - Array of IPs and CIDRs to block
+ */
+function sync(ips) {
+  if (!_active) return;
+
+  const maxRules = (_options && _options.iptablesMax) || 10000;
+  const limited = ips.length > maxRules ? ips.slice(0, maxRules) : ips;
+
+  if (ips.length > maxRules && _options.log) {
+    console.warn('[securenow] Firewall iptables: truncated to %d rules (max %d)', maxRules, maxRules);
+  }
+
+  try {
+    if (_useNft) nftSync(limited); else iptablesSync(limited);
+  } catch (e) {
+    if (_options && _options.log) {
+      console.warn('[securenow] Firewall iptables: sync failed:', e.message);
+    }
+  }
+}
+
+function shutdown() {
+  if (!_active) return;
+  try {
+    if (_useNft) nftCleanup(); else iptablesCleanup();
+    if (_options && _options.log) console.log('[securenow] Firewall iptables: chain %s cleaned up', CHAIN_NAME);
+  } catch (e) {
+    if (_options && _options.log) console.warn('[securenow] Firewall iptables: cleanup failed:', e.message);
+  }
+  _active = false;
+}
+
+module.exports = { init, sync, shutdown };

package/firewall-tcp.js

@@ -0,0 +1,58 @@
+'use strict';
+
+/**
+ * Layer 2: TCP-level blocking via net.Server connection event.
+ * Destroys the socket before HTTP parsing starts. Zero bytes sent back.
+ *
+ * Caveat: only sees socket.remoteAddress (direct connection IP).
+ * If behind a reverse proxy, the proxy IP is seen instead.
+ * Proxy IPs are skipped (let through to Layer 1 for proper header-based resolution).
+ */
+
+const net = require('net');
+const { resolveSocketIp, isFromTrustedProxy } = require('./resolve-ip');
+
+let _getMatcher = null;
+let _options = null;
+let _patched = false;
+const _origListen = net.Server.prototype.listen;
+
+function onConnection(socket) {
+  const matcher = _getMatcher();
+  if (!matcher) return;
+
+  const ip = resolveSocketIp(socket);
+
+  // Skip if the connection is from a trusted proxy — Layer 1 will handle it
+  // with proper X-Forwarded-For resolution
+  if (isFromTrustedProxy(ip) || isFromTrustedProxy('::ffff:' + ip)) return;
+
+  if (matcher.isBlocked(ip)) {
+    if (_options && _options.log) {
+      console.log('[securenow] Firewall: blocked %s via TCP (socket destroyed)', ip);
+    }
+    socket.destroy();
+  }
+}
+
+function init(getMatcher, options) {
+  _getMatcher = getMatcher;
+  _options = options;
+
+  if (_patched) return;
+  _patched = true;
+
+  net.Server.prototype.listen = function(...args) {
+    this.on('connection', onConnection);
+    return _origListen.apply(this, args);
+  };
+}
+
+function shutdown() {
+  if (_patched) {
+    net.Server.prototype.listen = _origListen;
+    _patched = false;
+  }
+}
+
+module.exports = { init, shutdown };

package/firewall.js

@@ -0,0 +1,235 @@
+'use strict';
+
+const http = require('http');
+const https = require('https');
+const { createMatcher } = require('./cidr');
+const { resolveClientIp } = require('./resolve-ip');
+
+let _options = null;
+let _matcher = null;
+let _syncTimer = null;
+let _lastModified = null;
+let _initialized = false;
+let _layers = [];
+let _rawIps = [];
+let _stats = { syncs: 0, blocked: 0, allowed: 0 };
+
+// ────── Blocklist Sync ──────
+
+function buildUrl(apiUrl, path) {
+  return apiUrl.replace(/\/+$/, '') + '/api/v1' + path;
+}
+
+function syncBlocklist(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const reqOptions = {
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers: {
+      'Authorization': `Bearer ${_options.apiKey}`,
+      'User-Agent': 'securenow-firewall-sdk',
+    },
+    timeout: 10000,
+  };
+
+  if (_lastModified) {
+    reqOptions.headers['If-Modified-Since'] = _lastModified;
+  }
+
+  const req = mod.request(reqOptions, (res) => {
+    if (res.statusCode === 304) {
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        callback(new Error(`API returned ${res.statusCode}: ${data.slice(0, 200)}`));
+        return;
+      }
+      try {
+        const body = JSON.parse(data);
+        const ips = body.ips || [];
+        _rawIps = ips;
+        _matcher = createMatcher(ips);
+        _lastModified = res.headers['last-modified'] || null;
+        _stats.syncs++;
+        notifyLayers(ips);
+        callback(null, true, _matcher.stats());
+      } catch (e) {
+        callback(new Error(`Failed to parse blocklist response: ${e.message}`));
+      }
+    });
+  });
+
+  req.on('error', (err) => callback(err));
+  req.on('timeout', () => { req.destroy(); callback(new Error('Sync request timed out')); });
+  req.end();
+}
+
+function notifyLayers(ips) {
+  for (const layer of _layers) {
+    try { if (typeof layer.sync === 'function') layer.sync(ips); } catch (_) {}
+  }
+}
+
+function startSyncLoop() {
+  const intervalMs = (_options.syncInterval || 60) * 1000;
+
+  syncBlocklist((err, changed, stats) => {
+    if (err) {
+      if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
+      if (_options.failMode === 'closed') {
+        _matcher = createMatcher([]); // block everything by default via empty matcher
+        _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
+      }
+    } else if (changed && stats) {
+      if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+    }
+    _initialized = true;
+  });
+
+  _syncTimer = setInterval(() => {
+    syncBlocklist((err, changed, stats) => {
+      if (err) {
+        if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
+      } else if (changed && stats && _options.log) {
+        console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+      }
+    });
+  }, intervalMs);
+
+  if (_syncTimer.unref) _syncTimer.unref();
+}
+
+// ────── Layer 1: HTTP Handler ──────
+
+const _origHttpCreate = http.createServer;
+const _origHttpsCreate = https.createServer;
+let _httpPatched = false;
+
+function wrapListener(originalListener) {
+  return function firewallGuard(req, res) {
+    if (_matcher) {
+      const ip = resolveClientIp(req);
+      if (_matcher.isBlocked(ip)) {
+        _stats.blocked++;
+        if (_options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+        const code = _options.statusCode || 403;
+        res.writeHead(code, { 'Content-Type': 'application/json' });
+        res.end(JSON.stringify({ error: 'Forbidden' }));
+        return;
+      }
+    }
+    _stats.allowed++;
+    return originalListener.call(this, req, res);
+  };
+}
+
+function patchHttpLayer() {
+  if (_httpPatched) return;
+  _httpPatched = true;
+
+  http.createServer = function(...args) {
+    if (typeof args[args.length - 1] === 'function') {
+      args[args.length - 1] = wrapListener(args[args.length - 1]);
+    }
+    return _origHttpCreate.apply(this, args);
+  };
+  Object.assign(http.createServer, _origHttpCreate);
+
+  https.createServer = function(...args) {
+    if (typeof args[args.length - 1] === 'function') {
+      args[args.length - 1] = wrapListener(args[args.length - 1]);
+    }
+    return _origHttpsCreate.apply(this, args);
+  };
+  Object.assign(https.createServer, _origHttpsCreate);
+}
+
+// ────── Init ──────
+
+function init(options) {
+  _options = options;
+
+  if (_options.log) console.log('[securenow] Firewall: ENABLED');
+
+  // Layer 1: HTTP (always on)
+  patchHttpLayer();
+  if (_options.log) console.log('[securenow] Firewall: Layer 1 (HTTP 403)      active');
+
+  // Layer 2: TCP
+  if (_options.tcp) {
+    try {
+      const tcpLayer = require('./firewall-tcp');
+      tcpLayer.init(() => _matcher, _options);
+      _layers.push(tcpLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       active');
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 2 (TCP drop)       failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 2 (TCP drop)       disabled (set SECURENOW_FIREWALL_TCP=1)');
+  }
+
+  // Layer 3: iptables
+  if (_options.iptables) {
+    try {
+      const iptablesLayer = require('./firewall-iptables');
+      iptablesLayer.init(_options);
+      _layers.push(iptablesLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       active');
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 3 (iptables)       failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 3 (iptables)       disabled (set SECURENOW_FIREWALL_IPTABLES=1)');
+  }
+
+  // Layer 4: Cloud WAF
+  if (_options.cloud) {
+    try {
+      const cloudLayer = require('./firewall-cloud');
+      cloudLayer.init(_options);
+      _layers.push(cloudLayer);
+      if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      active (%s)', _options.cloud);
+    } catch (e) {
+      if (_options.log) console.warn('[securenow] Firewall: Layer 4 (Cloud WAF)      failed:', e.message);
+    }
+  } else {
+    if (_options.log) console.log('[securenow] Firewall: Layer 4 (Cloud WAF)      disabled (set SECURENOW_FIREWALL_CLOUD=cloudflare|aws|gcp)');
+  }
+
+  startSyncLoop();
+}
+
+function shutdown() {
+  if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
+
+  for (const layer of _layers) {
+    try { if (typeof layer.shutdown === 'function') layer.shutdown(); } catch (_) {}
+  }
+  _layers = [];
+
+  // Restore original createServer
+  if (_httpPatched) {
+    http.createServer = _origHttpCreate;
+    https.createServer = _origHttpsCreate;
+    _httpPatched = false;
+  }
+}
+
+function getStats() {
+  return { ..._stats, matcher: _matcher ? _matcher.stats() : null, initialized: _initialized };
+}
+
+function getMatcher() { return _matcher; }
+
+module.exports = { init, shutdown, getStats, getMatcher };