Rename project to UploadShield: update runtime, configs, docs, and provisioning; run lint/tests

2026-02-12 14:48:07 +01:00
parent d1310e0844
commit 7c8bccc911
20 changed files with 95 additions and 104 deletions


@@ -2,7 +2,7 @@
This document complements the installation steps in [docs/INSTALLATION.md](docs/INSTALLATION.md) by focusing on detector tuning, allowlists, and advanced integrations (log forwarding, Fail2Ban, etc.).
Example `upload-logger.json` (simplified) for UploadShield:
Example `uploadshield.json` (simplified) for UploadShield:
```json
{
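Review bot: The example heading now names `uploadshield.json`, but nothing here tells an operator with an existing `upload-logger.json` what to do with it. Add one sentence next to this heading stating whether the old filename is still read or must be renamed, so an upgraded host does not end up running on defaults without anyone noticing.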
@@ -50,7 +50,7 @@ Notes:
### Content detector tuning
- The `ContentDetector` performs a fast head-scan to detect PHP open-tags and common webshell indicators (e.g., `passthru`, `system`, `exec`, `base64_decode`, `eval`, `assert`).
- Tuning options (in `upload-logger.json`):
- Tuning options (in `uploadshield.json`):
- `limits.sniff_max_bytes` (default 8192) — how many bytes to scan from the file head.
- `limits.sniff_max_filesize` (default 2097152) — only scan files up to this size.
- `detectors.content.allow_xml_eval` — relax `eval()` detection for XML/SVG when appropriate.
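Review bot: Missing documentation in the tuning list: `limits.sniff_max_bytes` and `limits.sniff_max_filesize` describe what is scanned, but not what happens to an upload larger than `sniff_max_filesize` or to indicators located past the first `sniff_max_bytes` of the file. Since the detector is described as a head-scan, state explicitly that content beyond those limits is not inspected, and say whether oversized files are logged as unscanned, so operators can tune the limits with that gap in mind.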
@@ -110,14 +110,14 @@ filebeat.inputs:
json.keys_under_root: true
json.add_error_key: true
fields:
source: php-upload-logger
source: php-uploadshield
output.logstash:
hosts: ["logserver:5044"]
```
## Logrotate & SELinux notes
Per-site `logrotate` snippets are included in `examples/logrotate.d/upload-logger`. Use `copytruncate` or reload PHP-FPM after rotation.
Per-site `logrotate` snippets are included in `examples/logrotate.d/uploadshield`. Use `copytruncate` or reload PHP-FPM after rotation.
If SELinux is enabled, the provisioning script attempts to register fcontexts and run `restorecon`. Verify contexts manually as needed.
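Review bot: Changing `source: php-upload-logger` to `source: php-uploadshield` in the Filebeat example changes the value that downstream filters, dashboards and alert rules match on, and the doc does not flag it. Add a note that pipelines keyed on the old `source` value need updating at the same time, otherwise events keep arriving but stop matching. The same applies to the logrotate path: a host that already has a snippet installed from `examples/logrotate.d/upload-logger` will keep that file unless it is removed, so mention cleaning it up.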
@@ -125,6 +125,6 @@ If SELinux is enabled, the provisioning script attempts to register fcontexts an
- Use observe mode (`ops.block_suspicious: false`) while tuning.
- After tuning, enable blocking in a controlled rollout (canary hosts first).
- Keep `upload-logger.php` and `.security` owned by `root` and ensure logs and quarantine are not web-accessible.
- Keep `uploadshield.php` and `.security` owned by `root` and ensure logs and quarantine are not web-accessible.
For installation steps and per-site configuration, see `docs/INSTALLATION.md`.
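Review bot: The hardening bullet for `uploadshield.php` and `.security` specifies ownership by `root` but no permissions, and ownership alone does not prevent a group- or world-writable file. Suggest stating the expected mode (not writable by the web server or PHP-FPM user) alongside the owner. Because the bullet now names only the new filename, it would also help to say whether a leftover `upload-logger.php` from an earlier install should be removed.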