From d898c4a3e286e07ee0f5d379dcdb055795209add Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Tue, 21 Apr 2009 19:00:33 +0200 Subject: [PATCH] Inicijalna verzija paketa. --- debian/README.CARNet | 30 ++++++ debian/changelog | 5 + debian/changelog.CARNet | 1 + debian/compat | 1 + debian/config | 60 ++++++++++++ debian/control | 18 ++++ debian/docs | 2 + debian/install | 2 + debian/postinst | 234 +++++++++++++++++++++++++++++++++++++++++++++++ debian/postrm | 10 ++ debian/prerm | 58 ++++++++++++ debian/rules | 68 ++++++++++++++ debian/templates | 14 +++ mod-security-cn.conf | 47 ++++++++++ rules/rbl_lookup.conf | 21 +++++ 15 files changed, 571 insertions(+) create mode 100644 debian/README.CARNet create mode 100644 debian/changelog create mode 120000 debian/changelog.CARNet create mode 100644 debian/compat create mode 100644 debian/config create mode 100644 debian/control create mode 100644 debian/docs create mode 100644 debian/install create mode 100644 debian/postinst create mode 100644 debian/postrm create mode 100644 debian/prerm create mode 100644 debian/rules create mode 100644 debian/templates create mode 100644 mod-security-cn.conf create mode 100644 rules/rbl_lookup.conf diff --git a/debian/README.CARNet b/debian/README.CARNet new file mode 100644 index 0000000..a928cf2 --- /dev/null +++ b/debian/README.CARNet 
@@ -0,0 +1,30 @@ +mod-security-cn +--------------- + +Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity +pakete. Povlaci za sobom instalaciju Debian paketa: + + + mod-security-common + + libapache-mod-security + + +MODSECURITY KONFIGURACIJA + +ModSecurity konfiguracija nalazi se unutar datoteke: + + /etc/apache2/conf.d/mod-security-cn.conf + +Nakon sto prepravite ModSecurity konfiguraciju, potrebno je +obaviti restart Apache2 web servera: + + invoke-rc.d apache2 force-reload + + +VAZNA NAPOMENA + +Kako bi Vas Apache2 web server mogao normalno posluzivati +sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu +konfiguracijsku datoteku, osim ako znate sto cinite. + + + -- Dragan Dosen Sat, 24 Jan 2009 15:28:38 +0100 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..068014e --- /dev/null +++ b/debian/changelog @@ -0,0 +1,5 @@ +mod-security-cn (2.5.9-1) stable; urgency=low + + * Inicijalni paket za Debian lenny. + + -- Dragan Dosen Mon, 15 Dec 2008 21:21:42 +0100 diff --git a/debian/changelog.CARNet b/debian/changelog.CARNet new file mode 120000 index 0000000..194579e --- /dev/null +++ b/debian/changelog.CARNet @@ -0,0 +1 @@ +changelog.Debian \ No newline at end of file diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..b8626c4 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +4 diff --git a/debian/config b/debian/config new file mode 100644 index 0000000..7782e4a --- /dev/null +++ b/debian/config 
@@ -0,0 +1,60 @@
+#!/bin/sh
+
+set -e
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+if [ "$1" != reconfigure ]; then
+ db_fget mod-security-cn/rbl seen
+ if [ "$RET" = "true" ]; then
+ exit 0
+ fi
+fi
+
+A2DIR="/etc/apache2"
+CONFDIR="$A2DIR/conf.d"
+MODSECCONF="$CONFDIR/mod-security-cn.conf"
+
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+ 1 - file does not exists
+ 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+
+# Check for CARNet ModSecurity configuration file.
+#
+chk_conf_tag "$MODSECCONF"
+if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ # Configuration file is tagged or does not exist - ask user
+ # for RBL.
+ db_title mod-security-cn - konfiguracija
+ db_input critical mod-security-cn/rbl || true
+ db_go || true
+else
+
+ # Configuration file is not tagged - skip question.
+ db_set mod-security-cn/rbl false || true
+ db_fset mod-security-cn/rbl seen true
+fi
+
+exit 0
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6d55d4f
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,18 @@
+Source: mod-security-cn
+Section: web
+Priority: optional
+Maintainer: Dragan Dosen
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.7.2
+
+Package: mod-security-cn
+Architecture: all
+Pre-Depends: libapache-mod-security, mod-security-common
+Depends: wget, carnet-tools-cn (>= 2.8.1), ${misc:Depends}
+Suggests: geoip-bin
+Description: Tighten web applications security for Apache (CARNet configuration)
+ Mod_security is an Apache module whose purpose is to tighten the Web
+ application security. Effectively, it is an intrusion detection and prevention
+ system for the web server.
+ .
+ This package contains additional CARNet configuration.
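Review bot: `db_input critical mod-security-cn/rbl` gives an optional feature toggle the priority reserved for questions whose answer the system cannot do without, so it is still asked under `DEBIAN_PRIORITY=critical`, while a noninteractive install with no preseed leaves the boolean unset and postinst then treats it as "not true"; `db_input medium mod-security-cn/rbl || true` plus an explicit `Default: false` in the template gives the same outcome without the prompt. `db_fset mod-security-cn/rbl seen true` in the else branch is the one debconf call here without `|| true` under `set -e`. Separately, the two continuation lines of the `# return:` comment (`1 - file does not exists`, `2 - file exists, but it is not tagged`) show no leading `#` in this rendering; if that is how the file really reads they execute as commands and abort the script, so confirm against the repository.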
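Review bot: `Depends: wget` exists only so postinst can fetch GeoIP.dat.gz over plain HTTP during package configuration, and `Pre-Depends: libapache-mod-security, mod-security-common` is not justified by anything in the diff — postinst only needs the module package configured before this one is, which an ordinary `Depends` already guarantees, and Policy asks for Pre-Depends only where Depends cannot work. If a `geoip-database` package shipping /usr/share/GeoIP/GeoIP.dat is available for the target release, depending on it instead of `wget` takes the download out of the install path entirely; `Suggests: geoip-bin` is not used by any script in this package. Suggested: `Depends: libapache-mod-security, mod-security-common, carnet-tools-cn (>= 2.8.1), ${misc:Depends}` with the database package added once confirmed.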
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..24d27ef
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+debian/README.CARNet
+debian/changelog.CARNet
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..16ace88
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,2 @@
+mod-security-cn.conf usr/share/mod-security-cn
+rules usr/share/mod-security-cn
diff --git a/debian/postinst b/debian/postinst
new file mode 100644
index 0000000..2a84610
--- /dev/null
+++ b/debian/postinst
@@ -0,0 +1,234 @@
+#!/bin/sh
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+# Include CARNet functions
+. /usr/share/carnet-tools/functions.sh
+
+PKG="mod-security-cn"
+A2DIR="/etc/apache2"
+CONFDIR="$A2DIR/conf.d"
+A2MODEDIR="$A2DIR/mods-enabled"
+MODSECCONF="$CONFDIR/mod-security-cn.conf"
+MODSECCND="/usr/share/mod-security-cn"
+GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
+GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+
+temp_files=
+need_restart=0
+
+
+# cleanup()
+#
+# Cleanup all temp files or directories.
+#
+cleanup () {
+
+ local item
+
+ if [ -n "$temp_files" ]; then
+ for item in $temp_files; do
+ if [ -e "$item" ]; then
+ rm -rf $item
+ fi
+ done
+ fi
+}
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+ 1 - file does not exists
+ 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+# get_geolookupdb ()
+#
+# Download GeoLookup database from maxmind.com
+# Return: 0 - OK
+ 1 - ERROR
+#
+get_geolookupdb () {
+
+ local db db_tmp db_tmp_dir db_error
+
+ db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
+ db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
+ temp_files="${temp_files} ${db_tmp_dir}"
+ db_error=0
+
+ echo -n "Attempting to download GeoLookup database for ModSecurity: "
+
+ if [ !
-d "$GEOLOOKUPDB_DIR" ]; then
+ mkdir -p $GEOLOOKUPDB_DIR/
+ fi
+
+ /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
+
+ if [ $db_error -eq 1 ]; then
+ echo "ERROR"
+ else
+ db_tmp=$(mktemp ${db}.XXXXXX)
+ temp_files="${temp_files} ${db_tmp}"
+ gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
+ cp_mv $db_tmp $db
+
+ echo "OK"
+ need_restart=1
+ if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ fi
+
+ if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
+
+ RET=$db_error
+}
+
+
+# Set trap for deleting all temp files.
+#
+trap cleanup 0 1 2 15
+
+
+# Enable ModSecurity and unique_id Apache2 modules.
+#
+if [ -e /etc/apache2/apache2.conf ]; then
+
+ # Enable mod-security.load
+ if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
+ cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
+ a2enmod mod-security >/dev/null || true
+ need_restart=1
+ fi
+
+ # Enable unique_id.load
+ if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
+ a2enmod unique_id >/dev/null || true
+ cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ need_restart=1
+ fi
+fi
+
+
+# Generate ModSecurity configuration file and activate RBL lookup
+# for ModSecurity if needed.
+#
+chk_conf_tag "$MODSECCONF"
+if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ # Create /etc/apache2/conf.d/ directory if missing.
+ if [ ! -d "$CONFDIR" ]; then
+ cp_echo "CN: Creating configuration directory $CONFDIR"
+ mkdir -p $CONFDIR/
+ fi
+
+ # Enable mod-security-cn.conf
+ if [ ! -e "$MODSECCONF" ]; then
+ cp_echo "CN: Enabling ModSecurity specific configuration."
+ need_restart=1
+ fi
+
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ cp "$MODSECCND/mod-security-cn.conf" "$out"
+
+ # GeoLookup database.
+ if [ -n "$2" ] || [ !
-e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
+
+ get_geolookupdb
+ if [ $RET -eq 1 ]; then
+ db_set mod-security-cn/rbl false || true
+ db_fset mod-security-cn/rbl seen true
+ fi
+ fi
+
+ db_get mod-security-cn/rbl || true
+ if [ "$RET" = "true" ]; then
+
+ # Add RBL configuration.
+ cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
+ cat $MODSECCND/rbl_lookup.conf >> $out
+ need_restart=1
+ else
+
+ # Remove RBL configuration.
+ cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ need_restart=1
+ fi
+
+ # Update mod-security-cn.conf configuration file.
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_mv "$out" "$MODSECCONF"
+ need_restart=1
+ fi
+
+ if [ -f "$out" ]; then rm -f $out; fi
+fi
+
+db_stop || true
+
+
+# Restart Apache2 web server if needed.
+#
+if [ $need_restart -eq 1 ]; then
+
+ # Check Apache2 web server configuration.
+ if /usr/sbin/apache2ctl configtest 2>/dev/null; then
+
+ # Restart Apache2 web server.
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apache2 restart || true
+ else
+ /etc/init.d/apache2 restart || true
+ fi
+ fi
+ else
+
+ # Something is broken.
+ cp_echo "CN: Your Apache2 configuration is broken."
+ cp_echo "CN: Please, check the service after the installation finishes!"
+ fi
+fi
+
+
+# Mail root
+#
+cp_mail "$PKG"
+
+exit 0
diff --git a/debian/postrm b/debian/postrm
new file mode 100644
index 0000000..6da000b
--- /dev/null
+++ b/debian/postrm
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ db_purge
+fi
+
+exit 0
diff --git a/debian/prerm b/debian/prerm
new file mode 100644
index 0000000..aeef7d6
--- /dev/null
+++ b/debian/prerm
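Review bot: `get_geolookupdb` fetches `GeoIP.dat.gz` over plain HTTP with `/usr/bin/wget` while the package is being configured as root, and `cp_mv $db_tmp $db` installs whatever came back into /usr/share/GeoIP with no checksum or signature check, so anyone between the host and geolite.maxmind.com can hand Apache an arbitrary file that mod_security then parses on every request — and `[ -n "$2" ]` repeats the download on every upgrade. The only failure handled is wget's exit status: a truncated or corrupt archive makes `gunzip -c ... > $db_tmp` fail under `set -e` inside the function, which aborts the whole postinst (no "ERROR" message, no Apache restart, package left unconfigured) instead of taking the `db_error=1` path. At minimum validate the archive before it can replace the live database, e.g. directly after the wget line: `[ $db_error -eq 1 ] || gunzip -t "$db_tmp_dir/$(basename $GEOLOOKUPDB_URL)" 2>/dev/null || db_error=1`; preferably drop the install-time download in favour of the distribution's GeoIP database package and keep the URL only for a documented manual refresh. Note also that the README tells admins to `force-reload`, while this script does a full `restart`, which drops in-flight connections.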
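Review bot: On `purge` this only runs `db_purge`, but postinst writes `/usr/share/GeoIP/GeoIP.dat` outside dpkg's file tracking and nothing in the package ever removes it, so a purge leaves an untracked, unrefreshed database on the system. Remove it here only when no other package owns the path, e.g. `dpkg -S /usr/share/GeoIP/GeoIP.dat >/dev/null 2>&1 || rm -f /usr/share/GeoIP/GeoIP.dat`, so a purge never deletes a file that belongs to a GeoIP database package. The same `purge` branch could also drop a tagged `/etc/apache2/conf.d/mod-security-cn.conf` left behind if prerm did not run, using the same `## Begin - Generated by CARNet package mod-security-cn` check prerm uses.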
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ remove|deconfigure)
+
+ # Include CARNet functions.
+ . /usr/share/carnet-tools/functions.sh
+
+ PKG="mod-security-cn"
+ A2DIR="/etc/apache2"
+ CONFDIR="$A2DIR/conf.d"
+ MODSECCONF="$CONFDIR/mod-security-cn.conf"
+ need_restart=0
+
+ # Remove configuration file generated by this CARNet package.
+ if [ -f "$MODSECCONF" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$MODSECCONF"; then
+ cp_echo "CN: Removing configuration file ${MODSECCONF}."
+ rm -f $MODSECCONF
+ need_restart=1
+ fi
+ fi
+
+ # Restart Apache2 web server.
+ if [ $need_restart -eq 1 ]; then
+ if apache2ctl configtest 2>/dev/null; then
+
+ # Restart Apache2 web server.
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apache2 restart || true
+ else
+ /etc/init.d/apache2 restart || true
+ fi
+ fi
+ else
+ # Something is broken.
+ cp_echo "CN: Your Apache2 configuration seem to be broken."
+ cp_echo "CN: Please, check the service configuration!"
+ fi
+ fi
+
+ # Mail root
+ cp_mail "$PKG"
+
+ echo
+ ;;
+ upgrade|failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \$1'" >&2
+ exit 0
+ ;;
+esac
+
+exit 0
diff --git a/debian/rules b/debian/rules
new file mode 100644
index 0000000..e7f422a
--- /dev/null
+++ b/debian/rules
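Review bot: The fallback branch's `echo "prerm called with unknown argument \$1'" >&2` escapes the dollar sign, so the message prints the literal text `$1'` instead of the argument dpkg passed; postinst gets this right with the backtick form, so use `echo "prerm called with unknown argument \`$1'" >&2` here too. Two consistency nits in the same hunk: `apache2ctl configtest` is called without the `/usr/sbin/` path postinst uses, and `rm -f $MODSECCONF` is the only unquoted use of that variable. The message `"CN: Your Apache2 configuration seem to be broken."` should read `seems`.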
@@ -0,0 +1,68 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+#export DH_VERBOSE=1
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_install -X.svn
+# dh_installexamples
+# dh_install
+# dh_installmenu
+ dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+# dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
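Review bot: The entire debhelper sequence from `dh_testdir` through `dh_builddeb` sits under `binary-arch`, while debian/control in the same commit declares the only package `Architecture: all`; with that layout `dpkg-buildpackage -B` builds the arch-all package on every architecture and a `binary-indep`-only build produces no .deb at all. Move the recipe under `binary-indep: build install` and leave `binary-arch: build install` with an empty recipe. `dh_shlibdeps` can be dropped at the same time, since nothing in the package is compiled.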
@@ -0,0 +1,14 @@
+Template: mod-security-cn/rbl
+Type: boolean
+Description: Zelite li aktivirati RBL?
+ ModSecurity moze provjeravati da li se adresa klijenta koji pristupa
+ Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List)
+ listi. U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
+ nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
+ preskace za adrese koje su iz HR domene. Ova funkcionalnost je
+ slicna onoj koju ima Postfix MTA.
+ .
+ RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr.
+ .
+ VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
+ dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
diff --git a/mod-security-cn.conf b/mod-security-cn.conf
new file mode 100644
index 0000000..aaf03b6
--- /dev/null
+++ b/mod-security-cn.conf
@@ -0,0 +1,47 @@
+## Begin - Generated by CARNet package mod-security-cn
+#
+# REMOVE this whole block if you DON'T WANT mod-security-cn
+# to edit your configuration file.
+#
+## End - Generated by CARNet package mod-security-cn
+
+
+
+ # Basic configuration options
+ #
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess Off
+
+ # Handling of file uploads
+ #
+ SecUploadKeepFiles Off
+
+ # Debug log
+ #
+ SecDebugLog /var/log/apache2/modsec_debug.log
+ SecDebugLogLevel 0
+
+ # Serial audit log
+ #
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus ^5
+ SecAuditLogParts ABIFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/apache2/modsec_audit.log
+
+ # Maximum request body size we will
+ # accept for buffering
+ #
+ SecRequestBodyLimit 134217728
+
+ # Store up to 128 KB in memory
+ #
+ SecRequestBodyInMemoryLimit 131072
+
+ # Buffer response bodies of up to
+ # 512 KB in length
+ #
+ SecResponseBodyLimit 524288
+
+
diff --git a/rules/rbl_lookup.conf b/rules/rbl_lookup.conf
new file mode 100644
index 0000000..6746643
--- /dev/null
+++ b/rules/rbl_lookup.conf
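Review bot: `SecRequestBodyLimit 134217728` lets any client make Apache buffer a 128 MB request body per request — everything above `SecRequestBodyInMemoryLimit 131072` is spooled to disk — before a single rule runs, which is a cheap disk and I/O exhaustion vector on a public server, and this is the block the README tells admins not to edit; unless the sites behind it need uploads that large, a limit in the low tens of megabytes (later ModSecurity reference configs use `SecRequestBodyLimit 13107200`) is the safer default, with a comment saying why. `SecAuditLogRelevantStatus ^5` also means only 5xx responses reach modsec_audit.log, so any rule an admin adds with ModSecurity's default 403 deny is never audited; the reference configuration's `SecAuditLogRelevantStatus "^(?:5|4(?!04))"` covers both. `SecResponseBodyLimit 524288` has no effect while `SecResponseBodyAccess Off` — harmless, but worth a one-line comment so nobody assumes responses are being inspected.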
@@ -0,0 +1,21 @@
+
+ # Defines the path to the geographical database file.
+ #
+ SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
+ #SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
+
+ # Skip RBL lookup for localhost.
+ #
+ SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:2,pass,nolog,t:none,skip:2"
+
+ # GeoLookup - skip RBL lookup for HR address.
+ #
+ SecRule REMOTE_ADDR "@geoLookup" "phase:2,chain,pass,nolog,t:none,skip:1"
+ SecRule GEO:COUNTRY_CODE "^HR$" "t:none"
+
+ # RBL lookup using xbl.dnsbl-sh.carnet.hr.
+ #
+ SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,log,deny,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
+
+
-- 1.7.10.4
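Review bot: All three rules run in `phase:2`, so a blacklisted client is rejected only after Apache has read and buffered its whole request body (up to `SecRequestBodyLimit`), although `REMOTE_ADDR`, `@geoLookup` and `@rbl` are all usable in phase 1; changing `phase:2` to `phase:1` on the three `SecRule REMOTE_ADDR` lines denies before any body is consumed, and the `skip:2`/`skip:1` counts stay valid because the rules remain adjacent. `@rbl` also issues a DNS query for every request from an address that is neither loopback nor placed in HR, so unless the resolver caches, the latency and availability of xbl.dnsbl-sh.carnet.hr become part of every page load — worth stating in the comment above the rule. The loopback bypass matches only `127.0.0.1`, not `::1`, and any address the database cannot place (private ranges, or a missing GeoIP.dat) falls through to the RBL query. `status:500` makes a deliberate block look like a server error; presumably it was chosen to match `SecAuditLogRelevantStatus ^5`, so either say so in the comment or use 403 and widen the audit regex.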