~~~~~~~~~~~~~~~
Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity.
-Povlaci za sobom instalaciju Debian paketa:
+Povlaci instalaciju Debian paketa:
- + mod-security-common
- + libapache-mod-security
+ + libapache2-mod-security2
MODSECURITY KONFIGURACIJA
konfiguracijsku datoteku ovisno jeste li odlucili koristiti RBL
provjeru ili ne.
-Kako bi konfiguracija bila aktivna, unutar Apache2 direktorija
-/etc/apache2/conf.d/ kreiran je simbolicki link na glavnu
-konfiguracijsku datoteku mod-security-cn.conf.
+Kako bi konfiguracija bila dostupna, unutar Apache2 direktorija
+/etc/apache2/conf-available/ kreiran je simbolicki link na glavnu
+konfiguracijsku datoteku mod-security-cn.conf. Konfiguraciju je
+zatim moguce aktivirati.
RBL (REALTIME BLACKHOLE LIST)
konfiguracijske datoteke, osim ako znate sto cinite.
- -- Dragan Dosen <Dragan.Dosen@CARNet.hr> Fri, 4 May 2012 15:55:20 +0200
+ -- Dragan Dosen <Dragan.Dosen@CARNet.hr> Wed, 25 May 2016 11:14:53 +0200
+mod-security-cn (2.8.0+1) stable; urgency=low
+
+ * Prva inacica paketa za Debian jessie distribuciju.
+ * Azurirane ovisnosti unutar debian/control.
+ * Koristi apache2-maintscript-helper za Apache2 konfiguraciju.
+ * Migracija konfiguracije za Apache2 iz /etc/apache2/conf.d/ direktorija
+ u direktorij /etc/apache2/conf-available/.
+ * Ugasena ModSecurity postavka SecStatusEngine.
+ * Postavljen jedinstveni identifikator za RBL pravila.
+ * Azurirane ostale debian/ datoteke.
+
+ -- Dragan Dosen <Dragan.Dosen@CARNet.hr> Wed, 25 May 2016 11:14:53 +0200
+
mod-security-cn (2.6.6+1) stable; urgency=low
* Prva inacica paketa za Debian wheezy distribuciju.
Section: httpd
Priority: optional
Maintainer: Dragan Dosen <Dragan.Dosen@CARNet.hr>
-Build-Depends: debhelper (>= 8.0.0), po-debconf
-Standards-Version: 3.9.3
+Build-Depends: debhelper (>> 9), po-debconf
+Standards-Version: 3.9.6
+Homepage: http://www.modsecurity.org/
Package: mod-security-cn
Architecture: all
-Pre-Depends: libapache2-modsecurity (>= 2.6.6-6+deb7u1)
-Depends: carnet-tools-cn (>= 3.0.4), ${misc:Depends}
+Pre-Depends: libapache2-mod-security2 (>= 2.8.0-3)
+Depends: carnet-tools-cn (>= 3.1.0), ${misc:Depends}
Description: Tighten web applications security for Apache
Modsecurity is an Apache module whose purpose is to tighten the Web
application security. Effectively, it is an intrusion detection and prevention
system for the web server.
.
This package contains additional CARNet configuration.
-Homepage: http://www.modsecurity.org/
-Copyright 2013 CARNet
+Copyright 2013-2016 CARNet
You are free to distribute this software package under the terms of the
GNU General Public License.
PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONF="$A2DIR/apache2.conf"
-CONFDIR="$A2DIR/conf.d"
-A2MODEDIR="$A2DIR/mods-enabled"
+CONFDIR="$A2DIR/conf-available"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
MODSECRBL="$MODSECDIR/rbl_lookup.conf"
-MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
+MODSECLNK="$CONFDIR/security2-cn.conf"
MODSECTPL="/usr/share/mod-security-cn"
temp_files=
-need_restart=0
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
+
+ modsecurity_enable() {
+ cp_echo "CN: Enabling $PKG configuration for Apache2."
+ return 0
+ }
+else
+ cp_echo "CN: Could not load Apache 2.4 maintainer script helper."
+
+ modsecurity_enable() {
+ return 1
+ }
+fi
+
# cleanup()
#
# Cleanup all temp files or directories.
trap cleanup 0 1 2 15
-# Enable ModSecurity and unique_id Apache2 modules.
+# Remove obsolete symbolic link.
#
-if [ -e "$CONF" ]; then
- # Enable mod-security.load
- if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
- cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
- a2enmod mod-security >/dev/null || true
- need_restart=1
- fi
-
- # Enable unique_id.load
- if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- cp_echo "CN: Enabling unique_id module for Apache2 web server."
- a2enmod unique_id >/dev/null || true
- need_restart=1
- fi
+if [ "`readlink -q -m /etc/apache2/conf.d/$PKG.conf`" = "$MODSECCONF" ]; then
+ rm -f /etc/apache2/conf.d/$PKG.conf
fi
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- # Create /etc/apache2/conf.d/ directory if missing.
+ # Create /etc/apache2/conf-available/ directory if missing.
if [ ! -d "$CONFDIR" ]; then
cp_echo "CN: Creating configuration directory $CONFDIR/"
mkdir -p $CONFDIR/
if [ $RET -eq 1 ]; then
cp_echo "CN: Creating configuration file $MODSECRBL"
cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
- need_restart=1
else
if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
cp_echo "CN: Updating configuration file $MODSECRBL"
cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
- need_restart=1
fi
fi
fi
cp_echo "CN: Updating configuration file $MODSECCONF"
mv -f "$out" "$MODSECCONF"
cp_echo "CN: Enabled ModSecurity RBL lookup."
- need_restart=1
fi
else
cp_echo "CN: Creating configuration file $MODSECCONF"
mv "$out" "$MODSECCONF"
cp_echo "CN: Enabled ModSecurity RBL lookup."
- need_restart=1
fi
else
cp_echo "CN: Updating configuration file $MODSECCONF"
mv -f "$out" "$MODSECCONF"
cp_echo "CN: Disabled ModSecurity RBL lookup."
- need_restart=1
fi
else
cp_echo "CN: Creating configuration file $MODSECCONF"
mv "$out" "$MODSECCONF"
cp_echo "CN: Disabled ModSecurity RBL lookup."
- need_restart=1
fi
chk_conf_tag "$MODSECRBL"
if [ $RET -eq 0 ]; then
cp_echo "CN: Removing configuration file $MODSECRBL"
rm -f "$MODSECRBL"
- need_restart=1
fi
fi
# Enable ModSecurity configuration.
if [ ! -e "$MODSECLNK" ]; then
- cp_echo "CN: Enabling ModSecurity configuration."
ln -fs "$MODSECCONF" "$MODSECLNK"
- need_restart=1
+ fi
+ if modsecurity_enable; then
+ apache2_invoke enmod security2
+ apache2_invoke enconf security2-cn
fi
fi
db_stop || true
-
-# Restart Apache2 web server if needed.
-#
-if [ $need_restart -eq 1 ]; then
-
- # Check Apache2 web server configuration.
- if apache2ctl configtest 2>/dev/null; then
- invoke-rc.d apache2 force-reload || true
- else
- # Something is broken.
- cp_echo "CN: Your Apache2 configuration is broken."
- cp_echo "CN: Please, check the service after the installation finishes!"
- fi
+if ! apache2ctl configtest >/dev/null 2>&1; then
+ cp_echo "CN: Your Apache2 configuration seems to be broken."
+ cp_echo "CN: Please, check the service after the installation finishes!"
fi
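Review bot: Removing every `need_restart=1` (the RBL `cp`/`mv -f`/`rm -f` branches and the symlink branch) leaves no reload when an already-enabled `mod-security-cn.conf` or `rbl_lookup.conf` is rewritten, so a reconfigure that toggles RBL lookup keeps the running server on the old ruleset; as far as I recall `apache2_invoke enconf` only schedules a reload when it actually changes the enabled state, so it does not cover this case. Keep the flag in those branches and, in the helper-loaded path right after the two `apache2_invoke` calls, add `if [ "$need_restart" -eq 1 ]; then apache2_reload; fi` (the helper-missing path can only keep the configtest warning it already prints). Separately, the obsolete-link test would read better as `$(readlink -q -m "$A2DIR/conf.d/$PKG.conf")` instead of backticks with a hardcoded path. The script's header with `set -e` and its tail after the configtest are outside the hunk.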
set -e
+# Debconf
+. /usr/share/debconf/confmodule
+
+PKG=mod-security-cn
+
+MODSECLNK=/etc/apache2/conf-available/security2-cn.conf
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+# 1 - file does not exists
+# 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
+
+ modsecurity_enable() {
+ chk_conf_tag "$MODSECLNK"
+ if [ $RET -ne 2 ]; then
+ echo "CN: Purging $PKG configuration for Apache2."
+ return 0
+ fi
+ return 1
+ }
+else
+ echo "CN: Could not load Apache 2.4 maintainer script helper."
+
+ modsecurity_enable() {
+ return 1
+ }
+fi
+
+if [ "$1" = "purge" ] ; then
+ if modsecurity_enable; then
+ apache2_invoke disconf security2-cn
+ fi
+fi
+
#DEBHELPER#
exit 0
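Review bot: `modsecurity_enable` in this script gates `apache2_invoke disconf` on purge, so its name states the opposite of what it decides; the prerm defines the same name with the same inverted meaning. Renaming it in both scripts, e.g. `modsecurity_can_disable`, makes `if modsecurity_enable; then apache2_invoke disconf security2-cn` read correctly. A one-line header such as `# Returns 0 when the maintscript helper is loaded and the conf link is ours or already gone.` would also explain the `[ $RET -ne 2 ]` test, which otherwise looks as if a missing link (RET=1) were being treated as success by accident.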
set -e
+PKG=mod-security-cn
+
+MODSECCONF=/etc/apache2/mod-security/$PKG.conf
+MODSECRBL=/etc/apache2/mod-security/rbl_lookup.conf
+MODSECLNK=/etc/apache2/conf-available/security2-cn.conf
+
# chk_conf_tag ()
#
# Check if configuration file has CARNet package info lines.
fi
}
+if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then
+ . /usr/share/apache2/apache2-maintscript-helper
-case "$1" in
- remove|deconfigure)
-
- # Include CARNet functions.
- . /usr/share/carnet-tools/functions.sh
-
- PKG="mod-security-cn"
- A2DIR="/etc/apache2"
- CONFDIR="$A2DIR/conf.d"
- MODSECDIR="$A2DIR/mod-security"
- MODSECCONF="$MODSECDIR/mod-security-cn.conf"
- MODSECRBL="$MODSECDIR/rbl_lookup.conf"
- MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
-
- need_restart=0
-
-
- # Disable ModSecurity configuration.
- chk_conf_tag "$MODSECCONF"
- if [ $RET -eq 0 ]; then
- if [ -e "$MODSECLNK" ]; then
- cp_echo "CN: Disabling ModSecurity configuration."
- rm -f "$MODSECLNK"
- need_restart=1
- fi
+ modsecurity_enable() {
+ chk_conf_tag "$MODSECLNK"
+ if [ $RET -ne 2 ]; then
+ echo "CN: Disabling $PKG configuration for Apache2."
+ return 0
fi
+ return 1
+ }
+else
+ echo "CN: Could not load Apache 2.4 maintainer script helper."
+
+ modsecurity_enable() {
+ return 1
+ }
+fi
+
+if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ]; then
+ # Disable ModSecurity configuration.
+ if modsecurity_enable; then
+ apache2_invoke disconf security2-cn
+ rm -f "$MODSECLNK"
+ fi
- # Remove configuration files generated by this CARNet package.
- for file in "$MODSECCONF" "$MODSECRBL"; do
- chk_conf_tag "$file"
- if [ $RET -eq 0 ]; then
- cp_echo "CN: Removing configuration file $file"
- rm -f $file
- need_restart=1
- fi
- done
-
- # Restart Apache2 web server.
- if [ $need_restart -eq 1 ]; then
- if apache2ctl configtest 2>/dev/null; then
- invoke-rc.d apache2 force-reload || true
- else
- # Something is broken.
- cp_echo "CN: Your Apache2 configuration seem to be broken."
- cp_echo "CN: Please, check the service configuration!"
- fi
+ # Remove configuration files generated by this CARNet package.
+ for mfile in "$MODSECCONF" "$MODSECRBL"; do
+ chk_conf_tag "$mfile"
+ if [ $RET -eq 0 ]; then
+ echo "CN: Removing configuration file $mfile"
+ rm -f "$mfile"
fi
-
- # Mail root
- cp_mail "$PKG"
-
- echo
- ;;
- upgrade|failed-upgrade)
- ;;
- *)
- echo "prerm called with unknown argument \$1'" >&2
- exit 0
- ;;
-esac
+ done
+fi
#DEBHELPER#
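Review bot: When the maintscript helper cannot be sourced, `modsecurity_enable` returns 1 and the `rm -f "$MODSECLNK"` inside that `if` is skipped, yet the loop below still deletes a tagged `$MODSECCONF`, leaving `security2-cn.conf` in conf-available (and any conf-enabled link pointing at it) dangling; if the conf is still enabled, Apache will likely refuse to start on the next reload. Move the link removal out of the helper-gated branch and key it on the tag check instead: after the `if modsecurity_enable` block add `chk_conf_tag "$MODSECLNK"` followed by `[ $RET -eq 2 ] || rm -f "$MODSECLNK"`, so an admin-modified link is still preserved. The body of `chk_conf_tag` and the `set -e` header are only partly visible in the hunk.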
#
SecResponseBodyLimit 524288
+ # Disable Status Reporting functionality
+ #
+ SecStatusEngine Off
+
# RBL lookup configuration
#RBLLOOKUP#
# Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16,
# 192.84.91.0/24, 192.84.92.0/24, 192.84.105.0/24, 192.84.106.0/24,
# 31.147.0.0/16, 82.132.0.0/17 and 2001:b68::/32.
- SecRule REMOTE_ADDR "!@rx ^(\:\:1|127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|192\.84\.(91|92|105|106)\.\d{1,3}|31\.147\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3}|2001\:b68\:.+)$" "phase:1,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:CRITICAL,chain"
+ SecRule REMOTE_ADDR "!@rx ^(\:\:1|127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|192\.84\.(91|92|105|106)\.\d{1,3}|31\.147\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3}|2001\:b68\:.+)$" "phase:1,deny,log,id:99999,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:CRITICAL,chain"
# RBL lookup using xbl.dnsbl-sh.carnet.hr
SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr"
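Review bot: `id:99999` on the first rule of the chain falls inside the 1–99,999 range that the ModSecurity reference manual reserves for local (internal) use and asks not to be used for rules distributed to others; this rule ships to every host that installs the package, so it can collide with an administrator's own local rule, and a duplicate id is a configuration error that stops Apache from starting. Choose an id from an unreserved range (the manual lists 1,000,000 and above as available), e.g. `id:1000001` (constructed example), and note the choice in a comment above the rule so local rules can avoid it. Only the first rule of a chain needs an id, so the chained `@rbl` rule is correct as written. The file may continue past the chained rule.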