Merge pull request #32 from StrangeRanger/dev

StrangeRanger · web-flow · commit 1ecc804a32a7 · 2026-05-20T08:26:57.000-07:00
Update documentation and refine configuration prompts
diff --git a/hardening/Nginx WAF/CHANGELOG.md b/hardening/Nginx WAF/CHANGELOG.md
@@ -4,22 +4,36 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## v1.0.0-beta.3 - 2026-05-20
 
-## [1.0.0-beta] - 2026-05-17
+### Added
+
+- Added prompt before executing the script.
+- Added manual instructions to enable ModSecurity WAF for a site.
+
+### Fixed
+
+- Added missing `sudo` where needed.
+
+### Removed
+
+- Removed EUID check.
+
+## v1.0.0-beta.2 - 2026-05-17
 
 ### Added
 
-- Added Nginx WAF hardening tool for installing and configuring ModSecurity with Nginx.
 - Added automatic installation of required build dependencies for ModSecurity and Nginx dynamic module compilation.
+
+## v1.0.0-beta - 2026-05-16
+
+Initial beta release of the Nginx WAF hardening script.
+
+### Added
+
+- Added Nginx WAF hardening tool for installing and configuring ModSecurity with Nginx.
 - Added ModSecurity v3 source build and installation workflow.
 - Added ModSecurity-nginx dynamic module build using the installed Nginx version and configure arguments.
 - Added Nginx module loading configuration through `modules-available` and `modules-enabled`.
 - Added OWASP Core Rule Set installation and ModSecurity main configuration generation.
 - Added Nginx configuration validation and restart after setup.
-
-### Fixed
-
-- Added missing build dependencies required by Nginx SSL, XSLT, image filter, Perl, gzip, and ModSecurity modules.
-- Removed redundant or unused dependency entries from the required package list.
-- Limited Nginx module-specific build dependencies to systems whose installed Nginx was built with those modules.
diff --git a/hardening/Nginx WAF/README.md b/hardening/Nginx WAF/README.md
@@ -33,11 +33,16 @@ It may install additional development packages depending on how the installed Ng
 
 ## Usage
 
-Run the script from its directory:
+From the repository root:
 
 ```bash
-cd hardening/Nginx\ WAF/
-sudo ./nginx-waf.bash
+./hardening/Nginx\ WAF/nginx-waf.bash
+```
+
+OR from the script directory:
+
+```bash
+./nginx-waf.bash
 ```
 
 ## Execution Summary
diff --git a/hardening/Nginx WAF/nginx-waf.bash b/hardening/Nginx WAF/nginx-waf.bash
@@ -6,7 +6,7 @@
 # Nginx to load the module, and sets up the OWASP Core Rule Set for basic protection against
 # common web vulnerabilities.
 #
-# Version: v1.0.0-beta
+# Version: v1.0.0-beta.3
 # License: MIT License
 #          Copyright (c) 2026 Hunter T. (StrangeRanger)
 #
@@ -61,17 +61,10 @@ missing_pkgs=()
 ####[Functions]#############################################################################
 
 
-error_exit() {
-    local message="${1:-An unknown error occurred}"
-    local exit_code="${2:-1}"
-
-    echo "${C_ERROR}${message}" >&2
-    exit "$exit_code"
-}
-
 on_err() {
     local exit_code=$?
-    error_exit "Command failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND}" "$exit_code"
+    echo "${C_ERROR}Command failed at line ${BASH_LINENO[0]}: ${BASH_COMMAND}"
+    echo "${C_ERROR}Exit code: $exit_code"
 }
 
 require_non_empty() {
@@ -101,10 +94,6 @@ trap on_err ERR
 ####[ Initial Checks ]######################################################################
 
 
-if (( EUID != 0 )); then
-    error_exit "This script must be run with root privileges"
-fi
-
 if command -v nginx &>/dev/null; then
     C_NGINX_VERSION="$(nginx -V 2>&1 | sed -n 's/^nginx version: nginx\/\([0-9.]\+\).*/\1/p')"
     C_NGINX_CONFIG_ARGS="$(nginx -V 2>&1 | awk -F': ' '/configure arguments/ {print $2}')"
@@ -129,15 +118,15 @@ done
 
 if (( ${#missing_pkgs[@]} > 0 )); then
     echo "${C_INFO}Installing missing packages: ${missing_pkgs[*]}"
-    apt-get update
-    apt-get install -y "${missing_pkgs[@]}"
+    sudo apt get update
+    sudo apt get install -y "${missing_pkgs[@]}"
 fi
 
 
 ####[ Main ]################################################################################
 
 
-echo "${C_INFO}Starting ModSecurity installation and configuration process..."
+read -rp "${C_NOTE}We will now install and configure ModSecurity. Press [Enter] to continue."
 
 ###
 ### [ Clone and build ModSecurity ]
@@ -173,7 +162,7 @@ echo "${C_INFO}Compiling ModSecurity..."
 make -j"$(nproc --ignore=1)"
 
 echo "${C_INFO}Installing ModSecurity..."
-make install
+sudo make install
 popd >/dev/null
 
 ###
@@ -209,7 +198,7 @@ echo "${C_INFO}Compiling ModSecurity Nginx module..."
 make modules
 
 echo "${C_INFO}Installing ModSecurity Nginx module..."
-mkdir -p "$C_MODULES_PATH"
+sudo mkdir -p "$C_MODULES_PATH"
 sudo cp objs/"$C_SO_FILE" "$C_MODULES_PATH"
 sudo chmod 0644 "$C_MODULES_PATH/$C_SO_FILE"
 popd >/dev/null
@@ -279,4 +268,10 @@ sudo nginx -t
 echo "${C_INFO}Restarting Nginx to apply changes..."
 sudo systemctl restart nginx
 
-echo "${C_SUCC}DONE"
+echo "${C_SUCC}Finished installing and configuring ModSecurity WAF for Nginx"
+cat <<EOF
+${C_NOTE}To enable ModSecurity WAF for a site, add these lines to its Nginx server block, for example in '/etc/nginx/sites-enabled/':
+${C_CYAN}## Modsecurity settings
+modsecurity on;
+modsecurity_rules_file /etc/nginx/modsec/main.conf;${C_NC}
+EOF
diff --git a/hardening/SSHD Hardening/README.md b/hardening/SSHD Hardening/README.md
@@ -1,6 +1,6 @@
 # SSHD Hardening
 
-Hardens the OpenSSH server configuration using settings aligned with Lynis recommendations.
+Hardens the OpenSSH server configuration using settings aligned with [Lynis](https://github.com/CISOfy/lynis) recommendations.
 
 > [!CAUTION]
 > This script modifies the system SSH daemon configuration. Treat it as a high-risk change on remote systems because an invalid or overly restrictive SSH configuration can lock you out.
@@ -60,21 +60,13 @@ The script creates two backup types:
 - Permanent backup: `/etc/ssh/sshd_config.bak`
 - Session backup: temporary backup used for automatic restoration if the script is interrupted during configuration changes
 
-If `/etc/ssh/sshd_config.bak` already exists, the script asks whether to overwrite it.
-
 ## Safety Notes
 
 - Keep your current SSH session open while testing a new login.
 - Review whether agent forwarding, TCP forwarding, X11 forwarding, and session limits are compatible with your use case.
 
 ## Verify
 
-Validate the SSH configuration before relying on it:
-
-```bash
-sudo sshd -t
-```
-
 Check the active SSH service status:
 
 ```bash
diff --git a/hardening/UFW Cloudflare/ufw-cloudflare.bash b/hardening/UFW Cloudflare/ufw-cloudflare.bash
@@ -104,6 +104,8 @@ fi
 ####[ Main ]################################################################################
 
 
+read -rp "${C_NOTE}We will now configure Cloudflare UFW rules. Press [Enter] to continue."
+
 ###
 ### [ Initial Setup ]
 ###
