Added htaccess, robots files, honeypots, Finished the error pages stub, Attempted to fix form security issue

Update .dockerignore, .gitignore, and 14 more files...
2022-02-22 14:43:41 +01:00
parent bb1dfdfbb1
commit 920c923526
16 changed files with 336 additions and 12 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,6 @@
+.git/
+.idea/
+.dockerignore
+.gitignore
+notes.txt
+readme.md
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,7 @@
+# IDE-related folders
 .idea/
-.htaccess
-files/
-content/page/
+
+# Static resources
 resources/Azias/imgs/*.exe
 resources/Azias/imgs/*.url
 resources/ChartJs/
@@ -10,3 +10,7 @@ resources/GoogleFonts/
 resources/HalfMoon/
 resources/Icons8/
 resources/Quantum/
+
+# Other folders
+content/page/
+files/
--- a/.htaccess
+++ b/.htaccess
@@ -0,0 +1,78 @@
+# Prevent access to .htaccess
+<Files ~ "^.*\.([Hh][Tt][Aa]|[Pp][Yy])">
+	Order allow,deny
+	Deny from all
+</Files>
+
+# Redirecting HTTP traffic to HTTPS. (Keep commented on localhost !)
+# This is handled other services, but it should still be enabled in production just to be safe.
+#RewriteEngine On
+#RewriteCond %{SERVER_PORT} 80
+#RewriteRule ^(.*)$ https://nibblepoker.lu/$1 [R,L]
+
+# Correcting some default options for security and language/content redirection.
+# FollowSymlinks is on since it required for "mod_rewrite" and the server is jailed.
+Options -Indexes +FollowSymlinks -ExecCGI
+
+# Custom error pages.
+ErrorDocument 403 /403.php
+ErrorDocument 404 /404.php
+
+# Setting some headers for security.
+# TODO: Implement a proper module check and redirection to clean 503 error page if module is not enabled !
+Header always set X-Detected-Country "NK"
+Header always set X-Frame-Options "deny"
+Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
+Header always set X-XSS-Protection " 1; mode=block"
+Header always set Referrer-Policy "no-referrer"
+Header always set X-Content-Type-Options "nosniff"
+Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+Header always set Cache-Control "max-age=300, public"
+# FIXME: Apparently, the 'Permissions-Policy' header is not properly formatted, IDK why...
+Header always set Permissions-Policy "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"
+Header always set Access-Control-Allow-Origin "*"
+Header unset X-Powered-By
+Header always set X-Powered-By "Amiga 1200, Kickstart 3.1"
+
+# Handling all other redirections.
+<IfModule mod_rewrite.c>
+	# TODO: Raise error if not available
+	RewriteEngine On
+
+	# Sending a 404 for git and IDEs folders just in case they ever get copied to the web server,
+	#  or if one of the honeypot files is acessed directly.
+	# A 404 is preferred to prevent further scanning of this folder and from raising some flags.
+	RedirectMatch 404 ^.*\.?(git|vs(code)|idea).*
+	RedirectMatch 404 ^.*honeypot.*
+
+	# Languages. (Does not work with a regex)
+	RewriteRule ^en/(.*)$ /$1 [QSA]
+	RewriteRule ^fr/(.*)$ /$1 [QSA]
+	RewriteRule ^lb/(.*)$ /$1 [QSA]
+
+	# Content categories. - Should be removed ?
+	#RewriteRule ^((en|fr|lb)/)?blog/article/(.*)$ /content/page/$1 [QSA]
+	#RewriteRule ^((en|fr|lb)/)?programming/(applications|tutorials|tools)/(.*)$ /content/page/$1 [QSA]
+	##RewriteRule ^((en|fr|lb)/)?electronics/ham/(.*)$ /content/page/$1 [QSA]
+
+	# Content root pages. - Should be removed ?
+	#RewriteRule ^((en|fr|lb)/)?programming/(purebasic|python|others)/(.*)$ /content/$1 [QSA]
+	#RewriteRule ^((en|fr|lb)/)?electronics/(iot|experiments)/(.*)$ /content/$1 [QSA]
+
+	# Content pages. (Old regex are taken care of by the "content/index.php" page)
+	RewriteRule ^((en|fr|lb)/)?(blog|programming|electronics)/(.*)$ /content/$1 [QSA]
+
+	# Internal redirections for scanning and exploit attempts.
+	# These rules are here since they're easier to implement in the .htaccess.
+	#RewriteRule ^.*(install|xmlrpc)\.php.*$ /honeypot/file-php.php [QSA]
+	RewriteRule ^.*\.xml.*$ /honeypot/file-xml.php [QSA]
+	RewriteRule ^.*wlwmanifest\.xml.*$ /honeypot/file-xml-wlwmanifest.php [QSA]
+	RewriteRule ^.*\.env.*$ /honeypot/file-env.php [QSA]
+	#RewriteRule ^.*(ap(i|p.*)|cms|sit[eo]|shop.*|wp.*).*$ /honeypot/folder.php [QSA]
+
+	# Cases left to handle:
+	# * /wp-admin/post.php?id=whatever
+	# * /public /vendor /storage
+
+	# TODO: Implement bee-movie themed tarpit once I have a rate-limiting solution in place !
+</IfModule>
--- a/403.php
+++ b/403.php
@@ -24,6 +24,32 @@
 					</h2>
 					<?php include 'header-lang.php'; ?>
 				</div>
+				<div class="row">
+					<div class="col-12 d-block">
+						<div class="content mb-0">
+							<div class="card p-0 m-0 card-bkgd">
+								<div class="content m-0">
+									<div class="px-card py-10 border-bottom px-20 bg-light-lm bg-very-dark-dm">
+										<div class="container-fluid">
+											<div class="row">
+												<div class="col-1 text-center"><i class="fad fa-exclamation-triangle"></i></div>
+												<div class="col-10 text-center">
+													<h2 class="card-title font-size-18 m-0"><?php print(localize("error.403.title")); ?></h2>
+												</div>
+												<div class="col-1 text-center"><i class="fad fa-exclamation-triangle"></i></div>
+											</div>
+										</div>
+									</div>
+									<div class="content m-20">
+										<h2 class="content-title font-size-20 mb-10"></h2>
+										<p class="ml-lg-10 mt-lg-5 text-center"><?php print(localize("error.403.description")); ?></p>
+									</div>
+								</div>
+							</div>
+						</div>
+					</div>
+				</div>
+				<!-- TODO: Add button to go back !-->
 			</div>
 		</div>
 		<?php include 'footer.php'; ?>
--- a/404.php
+++ b/404.php
@@ -24,6 +24,32 @@
 					</h2>
 					<?php include 'header-lang.php'; ?>
 				</div>
+				<div class="row">
+					<div class="col-12 d-block">
+						<div class="content mb-0">
+							<div class="card p-0 m-0 card-bkgd">
+								<div class="content m-0">
+									<div class="px-card py-10 border-bottom px-20 bg-light-lm bg-very-dark-dm">
+										<div class="container-fluid">
+											<div class="row">
+												<div class="col-1 text-center"><i class="fad fa-exclamation-triangle"></i></div>
+												<div class="col-10 text-center">
+													<h2 class="card-title font-size-18 m-0"><?php print(localize("error.404.title")); ?></h2>
+												</div>
+												<div class="col-1 text-center"><i class="fad fa-exclamation-triangle"></i></div>
+											</div>
+										</div>
+									</div>
+									<div class="content m-20">
+										<h2 class="content-title font-size-20 mb-10"></h2>
+										<p class="ml-lg-10 mt-lg-5 text-center"><?php print(localize("error.404.description")); ?></p>
+									</div>
+								</div>
+							</div>
+						</div>
+					</div>
+				</div>
+				<!-- TODO: Add button to go back !-->
 			</div>
 		</div>
 		<?php include 'footer.php'; ?>
--- a/commons/strings.json
+++ b/commons/strings.json
@@ -48,7 +48,7 @@
    "privacy.complaint.text.1": "Should you wish to report a complaint or if you feel that our privacy policy has not addressed your concern in a satisfactory manner, you may contact your national Data Protection Authority (DPA).",
    "privacy.complaint.text.2": "More information on this procedure can be found on the following websites:",
    "error.common.details.title": "Error details",
-    "error.4xx.title": "HTTP client error",
+    "error.4xx.title": "HTTP Client Error",
    "error.4xx.text": "${error.4xx.text}",
    "error.4xx.button.back": "Go back",
    "error.403.title": "403 Error",
--- a/contact/index.php
+++ b/contact/index.php
@@ -39,7 +39,7 @@
 							</div>
 						</div>
 						<div class="px-card py-20 bg-light-lm bg-very-dark-dm rounded-bottom px-20">
-							<form action="mailto:herwin.bozet@gmail.com?subject=Website%20contact%20form%20message" method="post" class="w-full">
+							<form action="mailto:herwin.bozet@gmail.com?subject=Website%20contact%20form%20message" target="_top" method="post" class="w-full">
 								<div class="form-group">
 									<label for="name">Sender's Name</label>
 									<input type="text" class="form-control" id="name" placeholder="John Smith">
--- a/honeypot/file-env.php
+++ b/honeypot/file-env.php
@@ -0,0 +1,27 @@
+<?php
+echo("# This is a a .env file for use in local development.
+# Duplicate this file as .env in the root of the project
+# and update the environment variables to match your
+# desired config.
+#
+# DO NOT MAKE THIS FILE PUBLICLY ACCESSIBLE !
+
+# PostgreSQL connection string for the DB
+DATABASE_URL=postgres://fib.gov:5432/i_am_dickish_script_kiddy
+
+# Logs' level
+LOG_LEVEL=trace
+
+# The environment to run the application in
+NODE_ENV=development
+
+# The HTTP port to run the application on
+PORT=69
+
+# The secret to encrypt session IDs with
+SESSION_SECRET=R2V0IGZ1Y2tlZCB5b3UgZnVja2luZyB0d2F0ICE=
+
+# The secret to get access to the admin panel
+ADMIN_SECRET=SmV0IGZ1ZWwgY2FuJ3QgbWVsdCBzdGVlbCBiZWFtLCBCdXNoIGRpZCA5LzEx=
+");
+?>
--- a/honeypot/file-php.php
+++ b/honeypot/file-php.php
@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport"
+	      content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+	<meta http-equiv="X-UA-Compatible" content="ie=edge">
+	<title>Document</title>
+</head>
+<body>
+	<h1>Title</h1>
+	<p>PHP file jail</p>
+</body>
+</html>
--- a/honeypot/file-xml-wlwmanifest.php
+++ b/honeypot/file-xml-wlwmanifest.php
@@ -0,0 +1,46 @@
+<?php
+header('Content-Type: text/xml; charset=utf-8');
+echo("<?xml version=\"1.0\" encoding=\"utf-8\" ?>
+
+<manifest xmlns=\"http://schemas.microsoft.com/wlw/manifest/weblog\">
+
+  <options>
+    <clientType>WordPress</clientType>
+	<supportsKeywords>Yes</supportsKeywords>
+	<supportsGetTags>Yes</supportsGetTags>
+  </options>
+
+  <weblog>
+    <serviceName>WordPress</serviceName>
+    <imageUrl>images/wlw/wp-icon.png</imageUrl>
+    <watermarkImageUrl>images/wlw/wp-watermark.png</watermarkImageUrl>
+    <homepageLinkText>View site</homepageLinkText>
+    <adminLinkText>Dashboard</adminLinkText>
+    <adminUrl>
+      <![CDATA[
+			{blog-postapi-url}/../wp-admin/
+		]]>
+    </adminUrl>
+    <postEditingUrl>
+      <![CDATA[
+			{blog-postapi-url}/../wp-admin/post.php?action=edit&post={post-id}
+		]]>
+    </postEditingUrl>
+  </weblog>
+
+  <buttons>
+    <button>
+      <id>0</id>
+      <text>Manage Comments</text>
+      <imageUrl>images/wlw/wp-comments.png</imageUrl>
+      <clickUrl>
+        <![CDATA[
+				{blog-postapi-url}/../wp-admin/edit-comments.php
+			]]>
+      </clickUrl>
+    </button>
+
+  </buttons>
+
+</manifest>");
+?>
--- a/honeypot/file-xml.php
+++ b/honeypot/file-xml.php
@@ -0,0 +1,28 @@
+<?php
+header('Content-Type: text/xml; charset=utf-8');
+echo("<?xml version='1.0'?>
+<module>
+	<name>VtigerVulnPlugin</name>
+	<label>VtigerVulnPlugin</label>
+	<parent>Tools</parent>
+	<version>1.01</version>
+	<dependencies>
+		<vtiger_version>7.0.0</vtiger_version>
+		<vtiger_max_version>7.*</vtiger_max_version>
+	</dependencies>
+	<license>
+		<file>LICENSE.txt</file>
+	</license>
+
+	<actions>
+		<action>
+			<name><![CDATA[Import]]></name>
+			<status>enabled</status>
+		</action>
+		<action>
+			<name><![CDATA[Export]]></name>
+			<status>disabled</status>
+		</action>
+	</actions>
+</module>");
+?>
--- a/honeypot/folder.php
+++ b/honeypot/folder.php
@@ -0,0 +1,14 @@
+<!doctype html>
+<html lang="en">
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport"
+	      content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+	<meta http-equiv="X-UA-Compatible" content="ie=edge">
+	<title>Document</title>
+</head>
+<body>
+	<h1>Title</h1>
+	<p>Folder jail</p>
+</body>
+</html>
--- a/index.php
+++ b/index.php
@@ -15,7 +15,7 @@
 <body class="with-custom-webkit-scrollbars with-custom-css-scrollbars dark-mode" data-dm-shortcut-enabled="true" data-sidebar-shortcut-enabled="true">
 	<?php include 'body-root.php'; ?>
 	<div class="page-wrapper with-sidebar with-navbar-fixed-bottom">
-        <?php include 'sidebar.php'; ?>
+		<?php include 'sidebar.php'; ?>
 		<div class="content-wrapper">
 			<div class="container-fluid h-full stretch-align-items">
 				<div id="page-title-bar" class="card p-0 pl-20 m-0 square-corners bg-very-dark title-bkgd navbar">
@@ -74,10 +74,9 @@
 										</div>
 									</div>
 									
-									<div class="px-card py-10 px-20">
+									<div class="px-card py-5 px-20">
 									
-										<div class="ml-lg-10">
-											
+										<div class="pl-lg-15 l-lab-app">
 											<p class="mb-0 font-weight-semi-bold">
 												PB-ListComPort
 												<span class="ml-15 text-super-muted">
@@ -88,7 +87,9 @@
 												Cli tool that lists COM ports in different parsable formats.<br>
 												<i class="fad fa-globe"></i>&nbsp;&nbsp;Link
 											</p>
-											
+										</div>
+										<hr>
+										<div class="pl-lg-15 l-lab-web">
 											<p class="mb-0 font-weight-semi-bold">
 												Youtube-Auto-Archiver
 												<span class="ml-15 text-super-muted">
@@ -101,7 +102,9 @@
 												Automatic archival solutions for YouTube livestreams and uploads.<br>
 												<i class="fad fa-globe"></i>&nbsp;&nbsp;Link
 											</p>
-											
+										</div>
+										<hr>
+										<div class="pl-lg-15 l-lab-office">
 											<p class="mb-0 font-weight-semi-bold">
 												Excel-Worksheet-Password-Remover
 												<span class="ml-15 text-super-muted">
@@ -141,7 +144,7 @@
 										</div>
 									</div>
 									
-									<div class="px-card py-10 px-20">
+									<div class="px-card py-5 px-20">
 										<p>
 											1st February 2022<br>
 											Going the self-hosted route.
--- a/readme.md
+++ b/readme.md
@@ -1,2 +1,28 @@
 # Website - NibblePoker.lu
 TODO.
+
+## Warning
+TODO: Remark about folders and files to remove !
+
+## Requirements
+These files are not present in this repo since they 
+would clutter the commits and potentially break some licensing rules.
+
+### Required
+These files are required for the website to work properly !<br>
+
+* Font Awesome Pro v5.15.3
+    * `/resources/FontAwesomePro/`
+* HalfMoon v1.1.1
+    * `/resources/HalfMoon/`
+* Quantum
+    * `/resources/Quantum/`
+
+### Optional
+These files are leftovers from previous projects and might be required somewhere.
+* ChartJS
+    * `/resources/ChartJs/`
+* Material Icons
+    * `/resources/GoogleFonts/MaterialIcons/`
+* Icons8 - Color & Fluent private packs
+    * `/resources/Icons8/`
--- a/resources/Azias/css/nibblepoker.lu.css
+++ b/resources/Azias/css/nibblepoker.lu.css
@@ -91,6 +91,28 @@ div#body-overlay {
 	image-rendering: pixelated;
 }

+hr, hr.dark-mode {
+	background-color: rgba(0, 0, 0, 0) !important;
+	background: rgb(93,95,97);
+	background: radial-gradient(circle, rgba(83,85,87,0.8) 0%, rgba(65,67,69,0.65) 75%, rgba(17,20,23,0) 100%);
+	opacity: 0.75;
+}
+
+@media (min-width: 993px) {
+	.l-lab-web {
+		background: linear-gradient(90deg, rgba(101,144,134,0.3) 0%, rgba(101,144,134,0.2) 1.5px, rgba(101,144,134,0.0) 7px);
+		clip-path: polygon(4px 0%, 100% 0, 100% 100%, 4px 100%, 0 calc(100% - 4px), 0 4px);
+	}
+	.l-lab-office {
+		background: linear-gradient(90deg, rgba(64,84,59,0.5) 0%, rgba(64,84,59,0.3) 2px, rgba(64,84,59,0.0) 7px);
+		clip-path: polygon(4px 0%, 100% 0, 100% 100%, 4px 100%, 0 calc(100% - 4px), 0 4px);
+	}
+	.l-lab-app {
+		background: linear-gradient(90deg, rgba(156,23,34,0.4) 0%, rgba(156,23,34,0.3) 1.5px, rgba(156,23,34,0.0) 7px);
+		clip-path: polygon(4px 0%, 100% 0, 100% 100%, 4px 100%, 0 calc(100% - 4px), 0 4px);
+	}
+}
+
 /* Trash */
 /*.lang-icon {
 	height: var(--base-line-height);
--- a/robots.txt
+++ b/robots.txt
@@ -0,0 +1,4 @@
+User-agent: *
+Allow: /
+
+Sitemap: https://nibblepoker.lu/sitemap.xml