From d6d471ca8237b76920e6c78385214ffe26ce6dc6 Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Wed, 25 May 2016 16:08:21 +0200 Subject: [PATCH] Prva inacica paketa za Debian jessie distribuciju. --- README.CARNet | 14 ++++---- debian/changelog | 13 +++++++ debian/compat | 2 +- debian/control | 10 +++--- debian/copyright | 2 +- debian/postinst | 70 +++++++++++++++---------------------- debian/postrm | 53 ++++++++++++++++++++++++++++ debian/prerm | 94 ++++++++++++++++++++------------------------------ mod-security-cn.conf | 4 +++ rbl_lookup.conf | 2 +- 10 files changed, 150 insertions(+), 114 deletions(-) diff --git a/README.CARNet b/README.CARNet index 4550414..cbbdab7 100644 --- a/README.CARNet +++ b/README.CARNet @@ -2,10 +2,9 @@ mod-security-cn ~~~~~~~~~~~~~~~ Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity. -Povlaci za sobom instalaciju Debian paketa: +Povlaci instalaciju Debian paketa: - + mod-security-common - + libapache-mod-security + + libapache2-mod-security2 MODSECURITY KONFIGURACIJA @@ -22,9 +21,10 @@ specificnu za RBL. RBL konfiguracija bit ce ukljucena kroz glavnu konfiguracijsku datoteku ovisno jeste li odlucili koristiti RBL provjeru ili ne. -Kako bi konfiguracija bila aktivna, unutar Apache2 direktorija -/etc/apache2/conf.d/ kreiran je simbolicki link na glavnu -konfiguracijsku datoteku mod-security-cn.conf. +Kako bi konfiguracija bila dostupna, unutar Apache2 direktorija +/etc/apache2/conf-available/ kreiran je simbolicki link na glavnu +konfiguracijsku datoteku mod-security-cn.conf. Konfiguraciju je +zatim moguce aktivirati. RBL (REALTIME BLACKHOLE LIST) @@ -55,4 +55,4 @@ preporuca se da NE brisete i da ne uredjujete navedene konfiguracijske datoteke, osim ako znate sto cinite. - -- Dragan Dosen Fri, 4 May 2012 15:55:20 +0200 + -- Dragan Dosen Wed, 25 May 2016 11:14:53 +0200 diff --git a/debian/changelog b/debian/changelog index a10bc45..c449fc9 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,16 @@ +mod-security-cn (2.8.0+1) stable; urgency=low + + * Prva inacica paketa za Debian jessie distribuciju. + * Azurirane ovisnosti unutar debian/control. + * Koristi apache2-maintscript-helper za Apache2 konfiguraciju. + * Migracija konfiguracije za Apache2 iz /etc/apache2/conf.d/ direktorija + u direktorij /etc/apache2/conf-available/. + * Ugasena ModSecurity postavka SecStatusEngine. + * Postavljen jedinstveni identifikator za RBL pravila. + * Azurirane ostale debian/ datoteke. + + -- Dragan Dosen Wed, 25 May 2016 11:14:53 +0200 + mod-security-cn (2.6.6+1) stable; urgency=low * Prva inacica paketa za Debian wheezy distribuciju. diff --git a/debian/compat b/debian/compat index 45a4fb7..ec63514 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -8 +9 diff --git a/debian/control b/debian/control index 1afe6b2..e06b296 100644 --- a/debian/control +++ b/debian/control @@ -2,17 +2,17 @@ Source: mod-security-cn Section: httpd Priority: optional Maintainer: Dragan Dosen -Build-Depends: debhelper (>= 8.0.0), po-debconf -Standards-Version: 3.9.3 +Build-Depends: debhelper (>> 9), po-debconf +Standards-Version: 3.9.6 +Homepage: http://www.modsecurity.org/ Package: mod-security-cn Architecture: all -Pre-Depends: libapache2-modsecurity (>= 2.6.6-6+deb7u1) -Depends: carnet-tools-cn (>= 3.0.4), ${misc:Depends} +Pre-Depends: libapache2-mod-security2 (>= 2.8.0-3) +Depends: carnet-tools-cn (>= 3.1.0), ${misc:Depends} Description: Tighten web applications security for Apache Modsecurity is an Apache module whose purpose is to tighten the Web application security. Effectively, it is an intrusion detection and prevention system for the web server. . This package contains additional CARNet configuration. -Homepage: http://www.modsecurity.org/ diff --git a/debian/copyright b/debian/copyright index dd9254d..235dba3 100644 --- a/debian/copyright +++ b/debian/copyright 
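Review bot: Nothing in the new Pre-Depends/Depends lines guarantees the `apache2` package, yet the rewritten postinst, prerm and postrm rely on `/usr/share/apache2/apache2-maintscript-helper` and `a2enconf` to enable the configuration and only print a warning when the helper is missing. If libapache2-mod-security2 can be satisfied by apache2-bin alone (I have not checked this against the jessie dependency tree), an installation without `apache2` ends up with the symlink in conf-available and the module and configuration silently left disabled. Consider adding `apache2` to Depends, or letting `dh_apache2` generate that dependency, so the helper is always present when postinst runs. `Build-Depends: debhelper (>> 9)` also reads oddly next to compat 9; `>= 9` is the usual form.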
@@ -1,4 +1,4 @@ -Copyright 2013 CARNet +Copyright 2013-2016 CARNet You are free to distribute this software package under the terms of the GNU General Public License. diff --git a/debian/postinst b/debian/postinst index 02d680d..2f61213 100644 --- a/debian/postinst +++ b/debian/postinst @@ -29,18 +29,31 @@ esac PKG="mod-security-cn" A2DIR="/etc/apache2" CONF="$A2DIR/apache2.conf" -CONFDIR="$A2DIR/conf.d" -A2MODEDIR="$A2DIR/mods-enabled" +CONFDIR="$A2DIR/conf-available" MODSECDIR="$A2DIR/mod-security" MODSECCONF="$MODSECDIR/mod-security-cn.conf" MODSECRBL="$MODSECDIR/rbl_lookup.conf" -MODSECLNK="$CONFDIR/$(basename $MODSECCONF)" +MODSECLNK="$CONFDIR/security2-cn.conf" MODSECTPL="/usr/share/mod-security-cn" temp_files= -need_restart=0 +if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then + . /usr/share/apache2/apache2-maintscript-helper + + modsecurity_enable() { + cp_echo "CN: Enabling $PKG configuration for Apache2." + return 0 + } +else + cp_echo "CN: Could not load Apache 2.4 maintainer script helper." + + modsecurity_enable() { + return 1 + } +fi + # cleanup() # # Cleanup all temp files or directories. @@ -84,22 +97,10 @@ chk_conf_tag () { trap cleanup 0 1 2 15 -# Enable ModSecurity and unique_id Apache2 modules. +# Remove obsolete symbolic link. # -if [ -e "$CONF" ]; then - # Enable mod-security.load - if [ ! -e "$A2MODEDIR/mod-security.load" ]; then - cp_echo "CN: Enabling ModSecurity module for Apache2 web server." - a2enmod mod-security >/dev/null || true - need_restart=1 - fi - - # Enable unique_id.load - if [ ! -e "$A2MODEDIR/unique_id.load" ]; then - cp_echo "CN: Enabling unique_id module for Apache2 web server." - a2enmod unique_id >/dev/null || true - need_restart=1 - fi +if [ "`readlink -q -m /etc/apache2/conf.d/$PKG.conf`" = "$MODSECCONF" ]; then + rm -f /etc/apache2/conf.d/$PKG.conf fi 
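Review bot: The stale-link cleanup compares a canonicalised path with a literal one: `readlink -q -m` resolves every symlink component of `/etc/apache2/conf.d/$PKG.conf`, while `$MODSECCONF` is the unresolved string `/etc/apache2/mod-security/mod-security-cn.conf`, so on a host where `/etc/apache2` or `mod-security` is itself a symlink the old link is never removed. Canonicalise both sides, `if [ "$(readlink -q -m /etc/apache2/conf.d/$PKG.conf)" = "$(readlink -m "$MODSECCONF")" ]; then`, which also replaces the backticks with `$(...)`. The preceding hunk drops the explicit `a2enmod unique_id`; ModSecurity depends on mod_unique_id, so this is only safe if the security2 module's `.load` file declares that dependency for `apache2_invoke enmod` to follow, which is worth confirming for the targeted libapache2-mod-security2 version.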
@@ -109,7 +110,7 @@ fi chk_conf_tag "$MODSECCONF" if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then - # Create /etc/apache2/conf.d/ directory if missing. + # Create /etc/apache2/conf-available/ directory if missing. if [ ! -d "$CONFDIR" ]; then cp_echo "CN: Creating configuration directory $CONFDIR/" mkdir -p $CONFDIR/ @@ -134,12 +135,10 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then if [ $RET -eq 1 ]; then cp_echo "CN: Creating configuration file $MODSECRBL" cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" - need_restart=1 else if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then cp_echo "CN: Updating configuration file $MODSECRBL" cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" - need_restart=1 fi fi fi @@ -152,13 +151,11 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then cp_echo "CN: Updating configuration file $MODSECCONF" mv -f "$out" "$MODSECCONF" cp_echo "CN: Enabled ModSecurity RBL lookup." - need_restart=1 fi else cp_echo "CN: Creating configuration file $MODSECCONF" mv "$out" "$MODSECCONF" cp_echo "CN: Enabled ModSecurity RBL lookup." - need_restart=1 fi else @@ -171,20 +168,17 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then cp_echo "CN: Updating configuration file $MODSECCONF" mv -f "$out" "$MODSECCONF" cp_echo "CN: Disabled ModSecurity RBL lookup." - need_restart=1 fi else cp_echo "CN: Creating configuration file $MODSECCONF" mv "$out" "$MODSECCONF" cp_echo "CN: Disabled ModSecurity RBL lookup." - need_restart=1 fi chk_conf_tag "$MODSECRBL" if [ $RET -eq 0 ]; then cp_echo "CN: Removing configuration file $MODSECRBL" rm -f "$MODSECRBL" - need_restart=1 fi fi 
@@ -192,27 +186,19 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then # Enable ModSecurity configuration. if [ ! -e "$MODSECLNK" ]; then - cp_echo "CN: Enabling ModSecurity configuration." ln -fs "$MODSECCONF" "$MODSECLNK" - need_restart=1 + fi + if modsecurity_enable; then + apache2_invoke enmod security2 + apache2_invoke enconf security2-cn fi fi db_stop || true - -# Restart Apache2 web server if needed. -# -if [ $need_restart -eq 1 ]; then - - # Check Apache2 web server configuration. - if apache2ctl configtest 2>/dev/null; then - invoke-rc.d apache2 force-reload || true - else - # Something is broken. - cp_echo "CN: Your Apache2 configuration is broken." - cp_echo "CN: Please, check the service after the installation finishes!" - fi +if ! apache2ctl configtest >/dev/null 2>&1; then + cp_echo "CN: Your Apache2 configuration seems to be broken." + cp_echo "CN: Please, check the service after the installation finishes!" fi diff --git a/debian/postrm b/debian/postrm index b7ec504..122c128 100644 --- a/debian/postrm +++ b/debian/postrm 
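Review bot: After this hunk an upgrade that rewrites `$MODSECCONF` or `$MODSECRBL` no longer reloads Apache: the `need_restart=1` flags are dropped in the three preceding hunks, the force-reload block is removed here, and `apache2_invoke enmod`/`enconf` only schedule a reload when they actually change the enabled state, which on an already-configured system they do not (that last point is my reading of the helper; please confirm). The updated rules, including the RBL block, therefore stay inactive until something else restarts the server, and no message tells the administrator. Keep setting `need_restart=1` on the copy/mv branches and, when the helper was loaded, call its `apache2_reload` inside `if [ $need_restart -eq 1 ]; then ... fi` before `db_stop`, or at least print a notice that a reload is required. The trailing `apache2ctl configtest` check is still useful, but it should state that the package itself did not reload the service.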
@@ -2,6 +2,59 @@ set -e +# Debconf +. /usr/share/debconf/confmodule + +PKG=mod-security-cn + +MODSECLNK=/etc/apache2/conf-available/security2-cn.conf + +# chk_conf_tag () +# +# Check if configuration file has CARNet package info lines. +# return: $RET => 0 - tagged +# 1 - file does not exists +# 2 - file exists, but it is not tagged +# +chk_conf_tag () { + local conf_file + conf_file="$1" + RET=1 + + if [ -f "$conf_file" ]; then + if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then + RET=0 + else + RET=2 + fi + fi +} + +if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then + . /usr/share/apache2/apache2-maintscript-helper + + modsecurity_enable() { + chk_conf_tag "$MODSECLNK" + if [ $RET -ne 2 ]; then + echo "CN: Purging $PKG configuration for Apache2." + return 0 + fi + return 1 + } +else + echo "CN: Could not load Apache 2.4 maintainer script helper." + + modsecurity_enable() { + return 1 + } +fi + +if [ "$1" = "purge" ] ; then + if modsecurity_enable; then + apache2_invoke disconf security2-cn + fi +fi + #DEBHELPER# exit 0 diff --git a/debian/prerm b/debian/prerm index bd99613..379b383 100644 --- a/debian/prerm +++ b/debian/prerm @@ -2,6 +2,12 @@ set -e +PKG=mod-security-cn + +MODSECCONF=/etc/apache2/mod-security/$PKG.conf +MODSECRBL=/etc/apache2/mod-security/rbl_lookup.conf +MODSECLNK=/etc/apache2/conf-available/security2-cn.conf + # chk_conf_tag () # # Check if configuration file has CARNet package info lines. 
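Review bot: `. /usr/share/debconf/confmodule` is sourced unconditionally under `set -e`, so a purge on a system where debconf has already been removed aborts the postrm and leaves the package unpurgeable; the script never calls `db_purge` itself and, if dh_installdebconf is in use, the `#DEBHELPER#` snippet already does so behind its own existence check, so the line can be dropped or guarded with `if [ -e /usr/share/debconf/confmodule ]; then . /usr/share/debconf/confmodule; fi`. Stylistically, `modsecurity_enable` here decides whether to disable the configuration; a name such as `modsecurity_can_disconf` would stop the three maintainer scripts from sharing one name with opposite meanings. The `chk_conf_tag` pattern hard-codes `mod-security-cn` although `$PKG` is defined a few lines above; `"^## Begin - Generated by CARNet package $PKG\$"` keeps the two in sync.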
@@ -23,67 +29,41 @@ chk_conf_tag () { fi } +if [ -e /usr/share/apache2/apache2-maintscript-helper ]; then + . /usr/share/apache2/apache2-maintscript-helper -case "$1" in - remove|deconfigure) - - # Include CARNet functions. - . /usr/share/carnet-tools/functions.sh - - PKG="mod-security-cn" - A2DIR="/etc/apache2" - CONFDIR="$A2DIR/conf.d" - MODSECDIR="$A2DIR/mod-security" - MODSECCONF="$MODSECDIR/mod-security-cn.conf" - MODSECRBL="$MODSECDIR/rbl_lookup.conf" - MODSECLNK="$CONFDIR/$(basename $MODSECCONF)" - - need_restart=0 - - - # Disable ModSecurity configuration. - chk_conf_tag "$MODSECCONF" - if [ $RET -eq 0 ]; then - if [ -e "$MODSECLNK" ]; then - cp_echo "CN: Disabling ModSecurity configuration." - rm -f "$MODSECLNK" - need_restart=1 - fi + modsecurity_enable() { + chk_conf_tag "$MODSECLNK" + if [ $RET -ne 2 ]; then + echo "CN: Disabling $PKG configuration for Apache2." + return 0 fi + return 1 + } +else + echo "CN: Could not load Apache 2.4 maintainer script helper." + + modsecurity_enable() { + return 1 + } +fi + +if [ "$1" = "remove" ] || [ "$1" = "deconfigure" ]; then + # Disable ModSecurity configuration. + if modsecurity_enable; then + apache2_invoke disconf security2-cn + rm -f "$MODSECLNK" + fi - # Remove configuration files generated by this CARNet package. - for file in "$MODSECCONF" "$MODSECRBL"; do - chk_conf_tag "$file" - if [ $RET -eq 0 ]; then - cp_echo "CN: Removing configuration file $file" - rm -f $file - need_restart=1 - fi - done - - # Restart Apache2 web server. - if [ $need_restart -eq 1 ]; then - if apache2ctl configtest 2>/dev/null; then - invoke-rc.d apache2 force-reload || true - else - # Something is broken. - cp_echo "CN: Your Apache2 configuration seem to be broken." - cp_echo "CN: Please, check the service configuration!" - fi + # Remove configuration files generated by this CARNet package. 
+ for mfile in "$MODSECCONF" "$MODSECRBL"; do + chk_conf_tag "$mfile" + if [ $RET -eq 0 ]; then + echo "CN: Removing configuration file $mfile" + rm -f "$mfile" fi - - # Mail root - cp_mail "$PKG" - - echo - ;; - upgrade|failed-upgrade) - ;; - *) - echo "prerm called with unknown argument \$1'" >&2 - exit 0 - ;; -esac + done +fi #DEBHELPER# diff --git a/mod-security-cn.conf b/mod-security-cn.conf index 9481df6..9d2aa0d 100644 --- a/mod-security-cn.conf +++ b/mod-security-cn.conf @@ -44,6 +44,10 @@ # SecResponseBodyLimit 524288 + # Disable Status Reporting functionality + # + SecStatusEngine Off + # RBL lookup configuration #RBLLOOKUP# diff --git a/rbl_lookup.conf b/rbl_lookup.conf index a6d3080..c72016e 100644 --- a/rbl_lookup.conf +++ b/rbl_lookup.conf @@ -10,7 +10,7 @@ # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16, # 192.84.91.0/24, 192.84.92.0/24, 192.84.105.0/24, 192.84.106.0/24, # 31.147.0.0/16, 82.132.0.0/17 and 2001:b68::/32. - SecRule REMOTE_ADDR "!@rx ^(\:\:1|127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|192\.84\.(91|92|105|106)\.\d{1,3}|31\.147\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3}|2001\:b68\:.+)$" "phase:1,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:CRITICAL,chain" + SecRule REMOTE_ADDR "!@rx ^(\:\:1|127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|192\.84\.(91|92|105|106)\.\d{1,3}|31\.147\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3}|2001\:b68\:.+)$" "phase:1,deny,log,id:99999,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:CRITICAL,chain" # RBL lookup using xbl.dnsbl-sh.carnet.hr SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" -- 1.7.10.4
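Review bot: On `deconfigure`, which dpkg issues while a dependency is being replaced during an upgrade, this branch deletes the generated `$MODSECCONF` and `$MODSECRBL` in addition to disabling the conf, so the site runs without the CARNet rules until postinst regenerates them; the previous `case` did the same, but since the branch is being rewritten it is a good moment to limit the file deletion to `[ "$1" = "remove" ]` and keep `deconfigure` to `apache2_invoke disconf security2-cn`. The `modsecurity_enable` helper in this hunk also returns success when `$MODSECLNK` is absent (`RET` is 1, not 2), so `apache2_invoke disconf` and `rm -f` run on nothing; harmless, but a comment such as `# RET 0 or 1: link is ours or already gone, safe to disable` would make the `-ne 2` test readable. The enclosing script continues past the hunk (`#DEBHELPER#` follows).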
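Review bot: The comment above `SecStatusEngine Off` says what the directive does but not why it matters; as documented for that directive, this is the line that keeps the module from transmitting its version and platform details to the ModSecurity project's status reporting service, and recording that protects the setting from being "cleaned up" later. Suggested text: `# Keep ModSecurity from sending version/platform details to the project's status reporting service.`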
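Review bot: `id:99999` places a rule shipped to every installation inside the 1–99,999 range that the ModSecurity reference manual reserves for local, site-specific rules, so it can collide with an administrator's own rule, and because ModSecurity 2.7+ refuses to start on duplicate ids that collision takes the web server down at the next reload. Pick an id from a range the manual's table lists as free for third-party distribution (`id:[PLACEHOLDER: allocated id]`) and add a comment next to it naming the range so future rules in this package stay inside it. Since the rule is a `chain` starter, only this first `SecRule` needs the id, which the hunk gets right.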