securenow 5.17.1 → 6.0.0

package/firewall-iptables.js

@@ -1,139 +0,0 @@
-'use strict';
-
-/**
- * Layer 3: OS-level firewall via iptables/nftables.
- * Manages a dedicated SECURENOW_BLOCK chain — never touches customer rules.
- * Linux only, requires root or CAP_NET_ADMIN. Falls back gracefully otherwise.
- */
-
-const { execSync } = require('child_process');
-const os = require('os');
-
-const CHAIN_NAME = 'SECURENOW_BLOCK';
-
-let _options = null;
-let _active = false;
-let _useNft = false;
-
-function exec(cmd) {
-  return execSync(cmd, { stdio: 'pipe', timeout: 10000 }).toString().trim();
-}
-
-function canRun(cmd) {
-  try { exec(cmd); return true; } catch { return false; }
-}
-
-function detectBackend() {
-  if (canRun('nft --version')) return 'nft';
-  if (canRun('iptables --version')) return 'iptables';
-  return null;
-}
-
-// ────── iptables backend ──────
-
-function iptablesSetup() {
-  try { exec(`iptables -N ${CHAIN_NAME}`); } catch (_) {} // chain may already exist
-  try { exec(`iptables -C INPUT -j ${CHAIN_NAME}`); } catch (_) {
-    exec(`iptables -I INPUT 1 -j ${CHAIN_NAME}`);
-  }
-}
-
-function iptablesSync(ips) {
-  exec(`iptables -F ${CHAIN_NAME}`);
-  for (const ip of ips) {
-    exec(`iptables -A ${CHAIN_NAME} -s ${ip} -j DROP`);
-  }
-}
-
-function iptablesCleanup() {
-  try { exec(`iptables -D INPUT -j ${CHAIN_NAME}`); } catch (_) {}
-  try { exec(`iptables -F ${CHAIN_NAME}`); } catch (_) {}
-  try { exec(`iptables -X ${CHAIN_NAME}`); } catch (_) {}
-}
-
-// ────── nftables backend ──────
-
-function nftSetup() {
-  try { exec(`nft list chain ip filter ${CHAIN_NAME}`); } catch (_) {
-    exec(`nft add chain ip filter ${CHAIN_NAME}`);
-  }
-  try { exec(`nft insert rule ip filter INPUT jump ${CHAIN_NAME}`); } catch (_) {}
-}
-
-function nftSync(ips) {
-  exec(`nft flush chain ip filter ${CHAIN_NAME}`);
-  for (const ip of ips) {
-    exec(`nft add rule ip filter ${CHAIN_NAME} ip saddr ${ip} drop`);
-  }
-}
-
-function nftCleanup() {
-  try { exec(`nft flush chain ip filter ${CHAIN_NAME}`); } catch (_) {}
-  try { exec(`nft delete chain ip filter ${CHAIN_NAME}`); } catch (_) {}
-}
-
-// ────── Public API ──────
-
-let _syncCallback = null;
-
-function init(options) {
-  _options = options;
-
-  if (os.platform() !== 'linux') {
-    if (_options.log) console.warn('[securenow] Firewall iptables: only supported on Linux, skipping');
-    return;
-  }
-
-  const backend = detectBackend();
-  if (!backend) {
-    if (_options.log) console.warn('[securenow] Firewall iptables: neither iptables nor nft found, skipping');
-    return;
-  }
-
-  _useNft = backend === 'nft';
-  const label = _useNft ? 'nftables' : 'iptables';
-
-  try {
-    if (_useNft) nftSetup(); else iptablesSetup();
-    _active = true;
-    if (_options.log) console.log('[securenow] Firewall iptables: %s chain %s ready', label, CHAIN_NAME);
-  } catch (e) {
-    if (_options.log) console.warn('[securenow] Firewall iptables: setup failed (need root or CAP_NET_ADMIN):', e.message);
-  }
-}
-
-/**
- * Called by the firewall core after each successful blocklist sync.
- * @param {string[]} ips - Array of IPs and CIDRs to block
- */
-function sync(ips) {
-  if (!_active) return;
-
-  const maxRules = (_options && _options.iptablesMax) || 10000;
-  const limited = ips.length > maxRules ? ips.slice(0, maxRules) : ips;
-
-  if (ips.length > maxRules && _options.log) {
-    console.warn('[securenow] Firewall iptables: truncated to %d rules (max %d)', maxRules, maxRules);
-  }
-
-  try {
-    if (_useNft) nftSync(limited); else iptablesSync(limited);
-  } catch (e) {
-    if (_options && _options.log) {
-      console.warn('[securenow] Firewall iptables: sync failed:', e.message);
-    }
-  }
-}
-
-function shutdown() {
-  if (!_active) return;
-  try {
-    if (_useNft) nftCleanup(); else iptablesCleanup();
-    if (_options && _options.log) console.log('[securenow] Firewall iptables: chain %s cleaned up', CHAIN_NAME);
-  } catch (e) {
-    if (_options && _options.log) console.warn('[securenow] Firewall iptables: cleanup failed:', e.message);
-  }
-  _active = false;
-}
-
-module.exports = { init, sync, shutdown };

package/firewall-only.js

@@ -1,38 +0,0 @@
-'use strict';
-
-/**
- * Standalone firewall preload — no OpenTelemetry, no tracing.
- *
- * Usage:
- *   node -r securenow/firewall-only app.js
- *   NODE_OPTIONS='-r securenow/firewall-only' next start
- *
- * Reads .env via dotenv (if installed), then initialises the HTTP-level
- * firewall when SECURENOW_API_KEY is present.
- */
-
-try { require('dotenv').config(); } catch (_) {}
-
-const env = (k) =>
-  process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
-
-const firewallApiKey = env('SECURENOW_API_KEY');
-
-if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
-  require('./firewall').init({
-    apiKey: firewallApiKey,
-    apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-    versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
-    syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
-    failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
-    statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
-    log: env('SECURENOW_FIREWALL_LOG') !== '0',
-    tcp: env('SECURENOW_FIREWALL_TCP') === '1',
-    iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
-    cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
-  });
-
-  const shutdown = () => { try { require('./firewall').shutdown(); } catch (_) {} };
-  process.on('SIGINT', shutdown);
-  process.on('SIGTERM', shutdown);
-}

package/firewall-tcp.js

@@ -1,74 +0,0 @@
-'use strict';
-
-/**
- * Layer 2: TCP-level blocking via net.Server connection event.
- * Destroys the socket before HTTP parsing starts. Zero bytes sent back.
- *
- * Caveat: only sees socket.remoteAddress (direct connection IP).
- * If behind a reverse proxy, the proxy IP is seen instead.
- * Proxy IPs are skipped (let through to Layer 1 for proper header-based resolution).
- */
-
-const net = require('net');
-const { resolveSocketIp, isFromTrustedProxy } = require('./resolve-ip');
-
-let _getMatcher = null;
-let _getAllowlistMatcher = null;
-let _options = null;
-let _patched = false;
-const _origListen = net.Server.prototype.listen;
-
-function onConnection(socket) {
-  const ip = resolveSocketIp(socket);
-
-  // Skip if the connection is from a trusted proxy — Layer 1 will handle it
-  // with proper X-Forwarded-For resolution
-  if (isFromTrustedProxy(ip) || isFromTrustedProxy('::ffff:' + ip)) return;
-
-  // Allowlist check: if active, only listed IPs pass
-  const allowlistMatcher = _getAllowlistMatcher ? _getAllowlistMatcher() : null;
-  if (allowlistMatcher && allowlistMatcher.stats().total > 0) {
-    if (!allowlistMatcher.isBlocked(ip)) {
-      if (_options && _options.log) {
-        console.log('[securenow] Firewall: blocked %s via TCP (not in allowlist)', ip);
-      }
-      socket.destroy();
-      return;
-    }
-    return; // on allowlist — allow
-  }
-
-  // Blocklist check
-  const matcher = _getMatcher();
-  if (!matcher) return;
-
-  if (matcher.isBlocked(ip)) {
-    if (_options && _options.log) {
-      console.log('[securenow] Firewall: blocked %s via TCP (socket destroyed)', ip);
-    }
-    socket.destroy();
-  }
-}
-
-function init(getMatcher, options, getAllowlistMatcher) {
-  _getMatcher = getMatcher;
-  _getAllowlistMatcher = getAllowlistMatcher || null;
-  _options = options;
-
-  if (_patched) return;
-  _patched = true;
-
-  net.Server.prototype.listen = function(...args) {
-    this.on('connection', onConnection);
-    return _origListen.apply(this, args);
-  };
-}
-
-function shutdown() {
-  if (_patched) {
-    net.Server.prototype.listen = _origListen;
-    _patched = false;
-  }
-}
-
-module.exports = { init, shutdown };