invoke-rc.d apache2 force-reload
+RBL (REALTIME BLACKHOLE LIST)
+
+ModSecurity moze provjeravati da li se adresa klijenta koji
+pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole
+List) listi.
+
+RBL posluzitelj koji se koristi za provjeru je:
+
+ xbl.dnsbl-sh.carnet.hr
+
+Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
+dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16,
+te 82.132.0.0/17).
+
+
VAZNA NAPOMENA
Kako bi Vas Apache2 web server mogao normalno posluzivati
konfiguracijsku datoteku, osim ako znate sto cinite.
- -- Dragan Dosen <ddosen@ffzg.hr> Sat, 24 Jan 2009 15:28:38 +0100
+ -- Dragan Dosen <ddosen@ffzg.hr> Thu, 28 May 2009 20:26:52 +0200
* Inicijalni paket za Debian lenny.
- -- Dragan Dosen <ddosen@ffzg.hr> Mon, 15 Dec 2008 21:21:42 +0100
+ -- Dragan Dosen <ddosen@ffzg.hr> Thu, 28 May 2009 20:26:52 +0200
Package: mod-security-cn
Architecture: all
Pre-Depends: libapache-mod-security, mod-security-common
-Depends: wget, carnet-tools-cn (>= 2.8.1), ${misc:Depends}
-Suggests: geoip-bin
+Depends: carnet-tools-cn (>= 2.8.1), ${misc:Depends}
Description: Tighten web applications security for Apache (CARNet configuration)
Mod_security is an Apache module whose purpose is to tighten the Web
application security. Effectively, it is an intrusion detection and prevention
--- /dev/null
+etc/apache2/mod-security
+usr/share/mod-security-cn
mod-security-cn.conf usr/share/mod-security-cn
-rules usr/share/mod-security-cn
+rbl_lookup.conf usr/share/mod-security-cn
PKG="mod-security-cn"
A2DIR="/etc/apache2"
CONFDIR="$A2DIR/conf.d"
+CONF="$CONFDIR/apache2.conf"
A2MODEDIR="$A2DIR/mods-enabled"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
-MODSECCND="/usr/share/mod-security-cn"
-GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
-GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+MODSECTDIR="/usr/share/mod-security-cn"
temp_files=
need_restart=0
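Review bot: `CONF` on L43 is derived from `$CONFDIR`, so it expands to /etc/apache2/conf.d/apache2.conf, while the test it replaces (L113 → L114) looked at /etc/apache2/apache2.conf; unless a file with that name exists under conf.d, the whole `if [ -e "$CONF" ]` block — module enabling, install_conf, the RBL toggle and the conf.d symlink — is silently skipped. The intended line is almost certainly `CONF="$A2DIR/apache2.conf"`. The lines before L40 are outside the hunk, so I cannot rule out a later reassignment; worth checking against the installed postinst.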
fi
}
-# get_geolookupdb ()
+# install_conf()
#
-# Download GeoLookup database from maxmind.com
-# Return: 0 - OK
-# 1 - ERROR
+# Install specified ModSecurity configuration file.
#
-get_geolookupdb () {
+install_conf () {
- local db db_tmp db_tmp_dir db_error
+ local conftmpl conf
+ conftmpl="$MODSECTDIR/$1"
+ conf="$MODSECDIR/$1"
- db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
- db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
- temp_files="${temp_files} ${db_tmp_dir}"
- db_error=0
-
- echo -n "Attempting to download GeoLookup database for ModSecurity: "
-
- if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
- mkdir -p $GEOLOOKUPDB_DIR/
- fi
-
- /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
-
- if [ $db_error -eq 1 ]; then
- echo "ERROR"
- else
- db_tmp=$(mktemp ${db}.XXXXXX)
- temp_files="${temp_files} ${db_tmp}"
- gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
- cp_mv $db_tmp $db
-
- echo "OK"
+ if [ ! -e "$conf" ]; then
+ cp_echo "CN: Creating new configuration file $conf"
+ cp "$conftmpl" "$conf"
need_restart=1
- if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ else
+ if ! cmp -s "$conf" "$conftmpl"; then
+ cp_echo "CN: Updating configuration file $conf"
+ cp "$conftmpl" "$conf"
+ need_restart=1
+ else
+ cp_echo "CN: $conf already exists." 1>&2
+ fi
fi
-
- if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
-
- RET=$db_error
}
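Review bot: install_conf copies the template over `$conf` whenever the two differ (L98–L100) without consulting the CARNet tag, so an administrator who removed the "Generated by CARNet" block from mod-security-cn.conf — which the template header itself invites — gets their edits clobbered on every configure; the rbl_lookup.conf call is guarded by chk_conf_tag at L162–L165, but the mod-security-cn.conf call at L153 is not. Assuming chk_conf_tag is available in this script (L162 implies it is), a guard at the top of the else branch would make the two paths consistent: `chk_conf_tag "$conf"` followed by `if [ $RET -eq 2 ]; then cp_echo "CN: $conf is not tagged, leaving it untouched." 1>&2; return 0; fi`. As a style point, only the "already exists" message on L103 goes to stderr while its siblings go to stdout; pick one for all three.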
# Enable ModSecurity and unique_id Apache2 modules.
#
-if [ -e /etc/apache2/apache2.conf ]; then
+if [ -e "$CONF" ]; then
# Enable mod-security.load
if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
# Enable unique_id.load
if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
- a2enmod unique_id >/dev/null || true
cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ a2enmod unique_id >/dev/null || true
need_restart=1
fi
fi
# Create /etc/apache2/conf.d/ directory if missing.
if [ ! -d "$CONFDIR" ]; then
- cp_echo "CN: Creating configuration directory $CONFDIR"
+ cp_echo "CN: Creating configuration directory $CONFDIR/"
mkdir -p $CONFDIR/
fi
- # Enable mod-security-cn.conf
- if [ ! -e "$MODSECCONF" ]; then
- cp_echo "CN: Enabling ModSecurity specific configuration."
- need_restart=1
+ # Create /etc/apache2/mod-security/ directory if missing.
+ if [ ! -d "$MODSECDIR" ]; then
+ cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/"
+ mkdir -p $MODSECDIR/
fi
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- cp "$MODSECCND/mod-security-cn.conf" "$out"
-
- # GeoLookup database.
- if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
-
- get_geolookupdb
- if [ $RET -eq 1 ]; then
- db_set mod-security-cn/rbl false || true
- db_fset mod-security-cn/rbl seen true
- fi
- fi
+ install_conf "mod-security-cn.conf"
db_get mod-security-cn/rbl || true
if [ "$RET" = "true" ]; then
+ cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
+
# Add RBL configuration.
- cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
- cat $MODSECCND/rbl_lookup.conf >> $out
- need_restart=1
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ install_conf "rbl_lookup.conf"
+ fi
else
+ cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+
# Remove RBL configuration.
- cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
+ "$MODSECCONF" > "$out"
+ mv -f "$out" "$MODSECCONF"
+ if [ -f "$out" ]; then rm -f $out; fi
+
+ chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+ rm -f "$MODSECDIR/rbl_lookup.conf"
+ fi
+
need_restart=1
fi
- # Update mod-security-cn.conf configuration file.
- if ! cmp -s "$MODSECCONF" "$out"; then
- cp_mv "$out" "$MODSECCONF"
+ # Enable ModSecurity configuration.
+ if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
+ cp_echo "CN: Enabling ModSecurity configuration."
+ ln -fs "$MODSECCONF" "$CONFDIR/."
need_restart=1
fi
-
- if [ -f "$out" ]; then rm -f $out; fi
fi
db_stop || true
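Review bot: The `mv -f "$out" "$MODSECCONF"` on L175 replaces the configuration file with the mktemp-created temporary, which carries mktemp's restrictive mode rather than the mode the file had after install_conf's `cp`; the removed code handled the same situation with `cp_mv "$out" "$MODSECCONF"` (L187), which is the helper to keep using here, and it makes the `rm -f` on L176 redundant since `$out` no longer exists after a successful move. The disable branch also sets `need_restart=1` on L183 unconditionally, so every configure run with RBL off triggers an Apache restart even when nothing changed; conditioning it on the sed output differing from the original (a `cmp -s` as in install_conf) would keep the script idempotent. The `$MODSECCONF.XXXXXX` argument on L171 is unquoted but, unlike L173–L175, is built only from package-set variables, so this is a style point rather than a risk.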
set -e
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+# 1 - file does not exists
+# 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
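Review bot: `egrep` on L213 is the deprecated spelling and the pattern uses no ERE-only syntax, so `grep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"` is equivalent and avoids the deprecation warning newer grep versions print to stderr. The header comment on L203 has a typo: `# 1 - file does not exist`. The RET-based return convention is consistent with the rest of the script, but a one-line note in the header that the function deliberately sets the global `RET` rather than a return status would help readers who expect `if chk_conf_tag …`.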
+
+
case "$1" in
remove|deconfigure)
. /usr/share/carnet-tools/functions.sh
PKG="mod-security-cn"
- A2DIR="/etc/apache2"
+ A2DIR="/etc/apache2"
CONFDIR="$A2DIR/conf.d"
- MODSECCONF="$CONFDIR/mod-security-cn.conf"
+ MODSECDIR="$A2DIR/mod-security"
+ MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+
need_restart=0
- # Remove configuration file generated by this CARNet package.
- if [ -f "$MODSECCONF" ]; then
- if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$MODSECCONF"; then
- cp_echo "CN: Removing configuration file ${MODSECCONF}."
- rm -f $MODSECCONF
- need_restart=1
+
+ # Disable ModSecurity configuration.
+ chk_conf_tag "$MODSECCONF"
+ if [ $RET -eq 0 ]; then
+ if [ -e "$CONFDIR/mod-security-cn.conf" ]; then
+ cp_echo "CN: Disabling ModSecurity configuration."
+ rm -f "$CONFDIR/mod-security-cn.conf"
+ need_restart=1
+ fi
+ fi
+
+ # Remove configuration files generated by this CARNet package.
+ for file in "$MODSECCONF" "$MODSECDIR/rbl_lookup.conf"; do
+ chk_conf_tag "$file"
+ if [ $RET -eq 0 ]; then
+ cp_echo "CN: Removing configuration file $file"
+ rm -f $file
+ need_restart=1
fi
fi
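Review bot: `rm -f $file` on L256 leaves the variable unquoted although the loop list on L252 quotes both paths; `rm -f -- "$file"` matches the rest of the hunk and is the form ShellCheck expects. The loop's `done` and the rest of the `case` arm fall outside the hunk, so I cannot see whether need_restart is acted on afterwards. Relying on chk_conf_tag returning 1 for a missing file to skip the removal is fine, but a short comment above the loop saying so (`# RET=0 only for files carrying the CARNet tag; missing or hand-edited files are left alone`) would make the intent explicit.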
Template: mod-security-cn/rbl
Type: boolean
+Default: true
Description: Zelite li aktivirati RBL?
ModSecurity moze provjeravati da li se adresa klijenta koji pristupa
Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List)
RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr.
.
VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
- dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
+ dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, te
+ 82.132.0.0/17).
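Review bot: Adding `Default: true` means a non-interactive install on a host outside the ranges the same template lists (161.53.0.0/16, 193.198.0.0/16, 82.132.0.0/17) will enable the RBL rule even though the description says the CARNet RBL server only serves those networks; depending on how that server answers foreign queries, every non-exempt request then pays for a DNS lookup that cannot succeed. If the package is only ever deployed inside those networks this is fine, but the README hunk above does not say so; consider documenting that assumption next to the default, or keeping the previous behaviour of asking.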
#
SecResponseBodyLimit 524288
+ # RBL configuration
+ Include /etc/apache2/mod-security/rbl_lookup.conf
+
</IfModule>
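Review bot: The `Include /etc/apache2/mod-security/rbl_lookup.conf` line added on L275 is what the postinst's sed (L173) toggles by matching this exact path and spelling, so a reformat or a switch to a relative path would silently break the disable step. A comment here would protect it: `# RBL configuration — this Include is commented in/out by the mod-security-cn postinst; keep the absolute path on one line.`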
--- /dev/null
+## Begin - Generated by CARNet package mod-security-cn
+#
+# REMOVE this whole block if you DON'T WANT mod-security-cn
+# to edit your configuration file.
+#
+## End - Generated by CARNet package mod-security-cn
+
+<IfModule mod_security2.c>
+
+ # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17.
+ SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3})$" "phase:2,pass,nolog,t:none,skip:1"
+
+ # RBL lookup using xbl.dnsbl-sh.carnet.hr.
+ SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
+
+</IfModule>
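Review bot: The deny rule on L292 answers with `status:500`, so an RBL block is reported to the client and to any uptime or error-rate monitoring as a server fault, making real 5xx problems harder to spot in access logs; `status:403` is the conventional code for a policy rejection, and the `msg:` already records the cause in the audit log. The exemption regex on L289 correctly covers 82.132.0.0/17 (third octet 0–127), but it only exempts IPv4 loopback, so requests arriving over `::1` would go through the lookup; harmless unless the lookup is slow, and worth a one-line comment either way. `skip:1` ties the two rules to their adjacency, so a comment that nothing may be inserted between them would save the next editor a surprise.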
+++ /dev/null
-<IfModule mod_security2.c>
-
- # Defines the path to the geographical database file.
- #
- SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
- #SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
-
- # Skip RBL lookup for localhost.
- #
- SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:2,pass,nolog,t:none,skip:2"
-
- # GeoLookup - skip RBL lookup for HR address.
- #
- SecRule REMOTE_ADDR "@geoLookup" "phase:2,chain,pass,nolog,t:none,skip:1"
- SecRule GEO:COUNTRY_CODE "^HR$" "t:none"
-
- # RBL lookup using xbl.dnsbl-sh.carnet.hr.
- #
- SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,log,deny,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
-
-</IfModule>