mod-security-cn
---------------
-Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity
-pakete. Povlaci za sobom instalaciju Debian paketa:
+Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity.
+Povlaci za sobom instalaciju Debian paketa:
+ mod-security-common
+ libapache-mod-security
MODSECURITY KONFIGURACIJA
-ModSecurity konfiguracija nalazi se unutar datoteke:
+ModSecurity konfiguracija nalazi se unutar direktorija
+/etc/apache2/mod-security/, datoteke:
- /etc/apache2/conf.d/mod-security-cn.conf
+ /etc/apache2/mod-security/mod-security-cn.conf
+ /etc/apache2/mod-security/rbl_lookup.conf
-Nakon sto prepravite ModSecurity konfiguraciju, potrebno je
-obaviti restart Apache2 web servera:
+mod-security-cn.conf je glavna konfiguracijska datoteka za
+ModSecurity, dok rbl_lookup.conf sadrzi samo konfiguraciju
+specificnu za RBL. RBL konfiguracija bit ce ukljucena kroz glavnu
+konfiguracijsku datoteku ovisno jeste li odlucili koristiti RBL
+provjeru ili ne.
- invoke-rc.d apache2 force-reload
+Kako bi konfiguracija bila aktivna, unutar Apache2 direktorija
+/etc/apache2/conf.d/ kreiran je simbolicki link na glavnu
+konfiguracijsku datoteku mod-security-cn.conf.
RBL (REALTIME BLACKHOLE LIST)
pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole
List) listi.
+U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
+nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
+preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost
+je slicna onoj koju ima Postfix MTA.
+
RBL posluzitelj koji se koristi za provjeru je:
xbl.dnsbl-sh.carnet.hr
Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
-dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16,
-te 82.132.0.0/17).
+dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
VAZNA NAPOMENA
-Kako bi Vas Apache2 web server mogao normalno posluzivati
-sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu
-konfiguracijsku datoteku, osim ako znate sto cinite.
+Kako bi Vas Apache2 web server mogao normalno posluzivati sadrzaj,
+preporuca se da NE brisete i da ne uredjujete navedene
+konfiguracijske datoteke, osim ako znate sto cinite.
-- Dragan Dosen <ddosen@ffzg.hr> Thu, 28 May 2009 20:26:52 +0200
fi
A2DIR="/etc/apache2"
-CONFDIR="$A2DIR/conf.d"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
# chk_conf_tag ()
Package: mod-security-cn
Architecture: all
-Pre-Depends: libapache-mod-security, mod-security-common
+Pre-Depends: libapache-mod-security (>= 2.5.9-1~cn1), mod-security-common (>= 2.5.9-1~cn1)
Depends: carnet-tools-cn (>= 2.8.1), ${misc:Depends}
Description: Tighten web applications security for Apache (CARNet configuration)
Mod_security is an Apache module whose purpose is to tighten the Web
PKG="mod-security-cn"
A2DIR="/etc/apache2"
+CONF="$A2DIR/apache2.conf"
CONFDIR="$A2DIR/conf.d"
-CONF="$CONFDIR/apache2.conf"
A2MODEDIR="$A2DIR/mods-enabled"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
-MODSECTDIR="/usr/share/mod-security-cn"
+MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
+MODSECTPL="/usr/share/mod-security-cn"
temp_files=
need_restart=0
fi
}
-# install_conf()
-#
-# Install specified ModSecurity configuration file.
-#
-install_conf () {
-
- local conftmpl conf
- conftmpl="$MODSECTDIR/$1"
- conf="$MODSECDIR/$1"
-
- if [ ! -e "$conf" ]; then
- cp_echo "CN: Creating new configuration file $conf"
- cp "$conftmpl" "$conf"
- need_restart=1
- else
- if ! cmp -s "$conf" "$conftmpl"; then
- cp_echo "CN: Updating configuration file $conf"
- cp "$conftmpl" "$conf"
- need_restart=1
- else
- cp_echo "CN: $conf already exists." 1>&2
- fi
- fi
-}
-
# Set trap for deleting all temp files.
#
mkdir -p $MODSECDIR/
fi
- install_conf "mod-security-cn.conf"
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ cp "$MODSECTPL/$(basename $MODSECCONF)" "$out"
db_get mod-security-cn/rbl || true
if [ "$RET" = "true" ]; then
- cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
-
# Add RBL configuration.
- chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ chk_conf_tag "$MODSECRBL"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- install_conf "rbl_lookup.conf"
+
+ if [ $RET -eq 1 ]; then
+ cp_echo "CN: Creating new configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ else
+ if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
+ cp_echo "CN: Updating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ fi
+ fi
fi
- else
- cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+ cp_check_and_sed '#RBLLOOKUP#' \
+ "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
+ "$out" || true
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating new configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
# Remove RBL configuration.
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
- "$MODSECCONF" > "$out"
- mv -f "$out" "$MODSECCONF"
- if [ -f "$out" ]; then rm -f $out; fi
-
- chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
- if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- rm -f "$MODSECDIR/rbl_lookup.conf"
+ cp_check_and_sed '#RBLLOOKUP#' \
+ "s,#RBLLOOKUP#,# DISABLED,g" \
+ "$out" || true
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating new configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
fi
- need_restart=1
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ]; then
+ cp_echo "CN: Removing configuration file $MODSECRBL"
+ rm -f "$MODSECRBL"
+ need_restart=1
+ fi
fi
+ if [ -f "$out" ]; then rm -f $out; fi
+
# Enable ModSecurity configuration.
- if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
+ if [ ! -e "$MODSECLNK" ]; then
cp_echo "CN: Enabling ModSecurity configuration."
- ln -fs "$MODSECCONF" "$CONFDIR/."
+ ln -fs "$MODSECCONF" "$MODSECLNK"
need_restart=1
fi
fi
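Review bot: The main configuration file is replaced at `mv -f "$out" "$MODSECCONF"` (in both the enable and the disable branch) whenever it differs from the freshly rendered template, without first calling `chk_conf_tag "$MODSECCONF"` the way the rbl_lookup.conf handling above it and the prerm do; an administrator's local edits to mod-security-cn.conf, including any extra hardening rules they added, would be silently discarded on every reconfigure, and the README in this same commit only advises against editing, it does not say the file is overwritten. Assuming the RET convention used for `$MODSECRBL` in this hunk (1 = file missing, 0 = file carries the package tag), gate both branches on that result and leave an untagged file alone with a message. A secondary effect worth confirming: `$out` comes from mktemp (mode 0600) and keeps that mode through `cp` and `mv`, so the installed config is no longer world-readable as the removed install_conf's plain `cp` produced it; harmless for Apache, which reads its config as root, but a behaviour change to mention or to undo with a chmod before the mv. The enclosing postinst logic starts before this hunk.
```shell
    # Only replace mod-security-cn.conf when it is absent or still carries
    # the package tag; an admin-edited file must not be silently overwritten.
    chk_conf_tag "$MODSECCONF"
    if [ $RET -eq 1 ]; then
        cp_echo "CN: Creating new configuration file $MODSECCONF"
        mv "$out" "$MODSECCONF"
        cp_echo "CN: Enabled ModSecurity RBL lookup."
        need_restart=1
    elif [ $RET -eq 0 ]; then
        if ! cmp -s "$MODSECCONF" "$out"; then
            cp_echo "CN: Updating configuration file $MODSECCONF"
            mv -f "$out" "$MODSECCONF"
            cp_echo "CN: Enabled ModSecurity RBL lookup."
            need_restart=1
        fi
    else
        cp_echo "CN: $MODSECCONF is not managed by this package, leaving it untouched." 1>&2
    fi
    # … unchanged: disable branch gets the same guard; temp-file cleanup; conf.d symlink …
```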
CONFDIR="$A2DIR/conf.d"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+ MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+ MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
need_restart=0
# Disable ModSecurity configuration.
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ]; then
- if [ -e "$CONFDIR/mod-security-cn.conf" ]; then
+ if [ -e "$MODSECLNK" ]; then
cp_echo "CN: Disabling ModSecurity configuration."
- rm -f "$CONFDIR/mod-security-cn.conf"
+ rm -f "$MODSECLNK"
need_restart=1
fi
fi
# Remove configuration files generated by this CARNet package.
- for file in "$MODSECCONF" "$MODSECDIR/rbl_lookup.conf"; do
+ for file in "$MODSECCONF" "$MODSECRBL"; do
chk_conf_tag "$file"
if [ $RET -eq 0 ]; then
cp_echo "CN: Removing configuration file $file"
Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List)
listi. U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
- preskace za adrese koje su iz HR domene. Ova funkcionalnost je
- slicna onoj koju ima Postfix MTA.
+ preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost
+ je slicna onoj koju ima Postfix MTA.
.
RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr.
.
VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
- dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, te
- 82.132.0.0/17).
+ dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
#
SecResponseBodyLimit 524288
- # RBL configuration
- Include /etc/apache2/mod-security/rbl_lookup.conf
+ # RBL lookup configuration
+ #RBLLOOKUP#
</IfModule>
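Review bot: The `#RBLLOOKUP#` marker that replaces the former `Include` line is, as far as the postinst in this commit shows, a substitution anchor that gets rewritten to `Include /etc/apache2/mod-security/rbl_lookup.conf` or `# DISABLED`, but nothing in the file says so; an administrator tidying comments would remove it, and since the unsubstituted line is itself a valid Apache comment, RBL lookup would then be silently impossible to re-enable with no error from Apache or from `dpkg-reconfigure`. Replace the preceding comment with one that states the contract, e.g. `# RBL lookup configuration. The next line is a placeholder rewritten by the mod-security-cn postinst (Include ... or "# DISABLED"); do not edit or remove it.`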
<IfModule mod_security2.c>
- # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17.
+ # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17
SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3})$" "phase:2,pass,nolog,t:none,skip:1"
- # RBL lookup using xbl.dnsbl-sh.carnet.hr.
+ # RBL lookup using xbl.dnsbl-sh.carnet.hr
SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
</IfModule>
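Review bot: The bypass rule `SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\....|82\.132\.(...)\.\d{1,3})$"` still exempts 82.132.0.0/17 from the RBL lookup, while this same commit removes that range from the CARNet network list in README.Debian and debian/templates; the documented bypass set and the enforced one now diverge, and for a deny rule that is a policy question, not a cosmetic one. Either drop the `82\.132\.` alternative from the regex and the comment above it (`# Skip RBL lookup for localhost, 161.53.0.0/16 and 193.198.0.0/16`), or keep the range in the documentation. A caveat worth a comment in the file: both rules key on REMOTE_ADDR only, so behind a reverse proxy every client shares the proxy address and is either always skipped or collectively denied with the 500 the deny rule emits. The enclosing `<IfModule>` block is shown in full here.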