--- /dev/null
+mod-security-cn
+---------------
+
+Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity
+pakete. Povlaci za sobom instalaciju Debian paketa:
+
+ + mod-security-common
+ + libapache-mod-security
+
+
+MODSECURITY KONFIGURACIJA
+
+ModSecurity konfiguracija nalazi se unutar datoteke:
+
+ /etc/apache2/conf.d/mod-security-cn.conf
+
+Nakon sto prepravite ModSecurity konfiguraciju, potrebno je
+obaviti restart Apache2 web servera:
+
+ invoke-rc.d apache2 force-reload
+
+
+VAZNA NAPOMENA
+
+Kako bi Vas Apache2 web server mogao normalno posluzivati
+sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu
+konfiguracijsku datoteku, osim ako znate sto cinite.
+
+
+ -- Dragan Dosen <ddosen@ffzg.hr> Sat, 24 Jan 2009 15:28:38 +0100
--- /dev/null
+mod-security-cn (2.5.9-1) stable; urgency=low
+
+ * Inicijalni paket za Debian lenny.
+
+ -- Dragan Dosen <ddosen@ffzg.hr> Mon, 15 Dec 2008 21:21:42 +0100
--- /dev/null
+changelog.Debian
\ No newline at end of file
--- /dev/null
+#!/bin/sh
+
+set -e
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+if [ "$1" != reconfigure ]; then
+ db_fget mod-security-cn/rbl seen
+ if [ "$RET" = "true" ]; then
+ exit 0
+ fi
+fi
+
+A2DIR="/etc/apache2"
+CONFDIR="$A2DIR/conf.d"
+MODSECCONF="$CONFDIR/mod-security-cn.conf"
+
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+# 1 - file does not exists
+# 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+
+# Check for CARNet ModSecurity configuration file.
+#
+chk_conf_tag "$MODSECCONF"
+if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ # Configuration file is tagged or does not exist - ask user
+ # for RBL.
+ db_title mod-security-cn - konfiguracija
+ db_input critical mod-security-cn/rbl || true
+ db_go || true
+else
+
+ # Configuration file is not tagged - skip question.
+ db_set mod-security-cn/rbl false || true
+ db_fset mod-security-cn/rbl seen true
+fi
+
+exit 0
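Review bot: `db_fget mod-security-cn/rbl seen` on L50 is the one debconf call in this script without `|| true`, so under `set -e` a non-zero status from it (which the confmodule can return for a flag lookup) aborts the config script before the question is ever shown, while the neighbouring `db_input`/`db_go`/`db_set` on L92-97 are guarded; make it `db_fget mod-security-cn/rbl seen || true` (and the same for `db_fset` on L98). A second readability point: `chk_conf_tag` reports through the global `RET`, the very variable the confmodule overwrites on every `db_get`/`db_fget`, so the reader has to track which producer wrote it last; a header line such as `# NOTE: reuses debconf's $RET as the return channel; read it before the next db_* call` would make that explicit. The function is also duplicated verbatim in the postinst (L193-206), so a future change to the tag pattern has to be made twice.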
--- /dev/null
+Source: mod-security-cn
+Section: web
+Priority: optional
+Maintainer: Dragan Dosen <ddosen@ffzg.hr>
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.7.2
+
+Package: mod-security-cn
+Architecture: all
+Pre-Depends: libapache-mod-security, mod-security-common
+Depends: wget, carnet-tools-cn (>= 2.8.1), ${misc:Depends}
+Suggests: geoip-bin
+Description: Tighten web applications security for Apache (CARNet configuration)
+ Mod_security is an Apache module whose purpose is to tighten the Web
+ application security. Effectively, it is an intrusion detection and prevention
+ system for the web server.
+ .
+ This package contains additional CARNet configuration.
--- /dev/null
+debian/README.CARNet
+debian/changelog.CARNet
--- /dev/null
+mod-security-cn.conf usr/share/mod-security-cn
+rules usr/share/mod-security-cn
--- /dev/null
+#!/bin/sh
+
+set -e
+
+[ "$DEBIAN_SCRIPT_DEBUG" ] && set -vx
+
+case "$1" in
+ configure)
+ # continue below
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ exit 0
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+
+# Load debconf
+. /usr/share/debconf/confmodule
+
+# Include CARNet functions
+. /usr/share/carnet-tools/functions.sh
+
+PKG="mod-security-cn"
+A2DIR="/etc/apache2"
+CONFDIR="$A2DIR/conf.d"
+A2MODEDIR="$A2DIR/mods-enabled"
+MODSECCONF="$CONFDIR/mod-security-cn.conf"
+MODSECCND="/usr/share/mod-security-cn"
+GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz"
+GEOLOOKUPDB_DIR="/usr/share/GeoIP"
+
+temp_files=
+need_restart=0
+
+
+# cleanup()
+#
+# Cleanup all temp files or directories.
+#
+cleanup () {
+
+ local item
+
+ if [ -n "$temp_files" ]; then
+ for item in $temp_files; do
+ if [ -e "$item" ]; then
+ rm -rf $item
+ fi
+ done
+ fi
+}
+
+# chk_conf_tag ()
+#
+# Check if configuration file has CARNet package info lines.
+# return: $RET => 0 - tagged
+# 1 - file does not exists
+# 2 - file exists, but it is not tagged
+#
+chk_conf_tag () {
+
+ local conf_file
+ conf_file="$1"
+ RET=1
+
+ if [ -f "$conf_file" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then
+ RET=0
+ else
+ RET=2
+ fi
+ fi
+}
+
+# get_geolookupdb ()
+#
+# Download GeoLookup database from maxmind.com
+# Return: 0 - OK
+# 1 - ERROR
+#
+get_geolookupdb () {
+
+ local db db_tmp db_tmp_dir db_error
+
+ db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)
+ db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX)
+ temp_files="${temp_files} ${db_tmp_dir}"
+ db_error=0
+
+ echo -n "Attempting to download GeoLookup database for ModSecurity: "
+
+ if [ ! -d "$GEOLOOKUPDB_DIR" ]; then
+ mkdir -p $GEOLOOKUPDB_DIR/
+ fi
+
+ /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1
+
+ if [ $db_error -eq 1 ]; then
+ echo "ERROR"
+ else
+ db_tmp=$(mktemp ${db}.XXXXXX)
+ temp_files="${temp_files} ${db_tmp}"
+ gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp
+ cp_mv $db_tmp $db
+
+ echo "OK"
+ need_restart=1
+ if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi
+ fi
+
+ if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi
+
+ RET=$db_error
+}
+
+
+# Set trap for deleting all temp files.
+#
+trap cleanup 0 1 2 15
+
+
+# Enable ModSecurity and unique_id Apache2 modules.
+#
+if [ -e /etc/apache2/apache2.conf ]; then
+
+ # Enable mod-security.load
+ if [ ! -e "$A2MODEDIR/mod-security.load" ]; then
+ cp_echo "CN: Enabling ModSecurity module for Apache2 web server."
+ a2enmod mod-security >/dev/null || true
+ need_restart=1
+ fi
+
+ # Enable unique_id.load
+ if [ ! -e "$A2MODEDIR/unique_id.load" ]; then
+ a2enmod unique_id >/dev/null || true
+ cp_echo "CN: Enabling unique_id module for Apache2 web server."
+ need_restart=1
+ fi
+fi
+
+
+# Generate ModSecurity configuration file and activate RBL lookup
+# for ModSecurity if needed.
+#
+chk_conf_tag "$MODSECCONF"
+if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
+
+ # Create /etc/apache2/conf.d/ directory if missing.
+ if [ ! -d "$CONFDIR" ]; then
+ cp_echo "CN: Creating configuration directory $CONFDIR"
+ mkdir -p $CONFDIR/
+ fi
+
+ # Enable mod-security-cn.conf
+ if [ ! -e "$MODSECCONF" ]; then
+ cp_echo "CN: Enabling ModSecurity specific configuration."
+ need_restart=1
+ fi
+
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ cp "$MODSECCND/mod-security-cn.conf" "$out"
+
+ # GeoLookup database.
+ if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then
+
+ get_geolookupdb
+ if [ $RET -eq 1 ]; then
+ db_set mod-security-cn/rbl false || true
+ db_fset mod-security-cn/rbl seen true
+ fi
+ fi
+
+ db_get mod-security-cn/rbl || true
+ if [ "$RET" = "true" ]; then
+
+ # Add RBL configuration.
+ cp_echo "CN: Enabling RBL lookup in $MODSECCONF."
+ cat $MODSECCND/rbl_lookup.conf >> $out
+ need_restart=1
+ else
+
+ # Remove RBL configuration.
+ cp_echo "CN: Disabling RBL lookup in $MODSECCONF."
+ need_restart=1
+ fi
+
+ # Update mod-security-cn.conf configuration file.
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_mv "$out" "$MODSECCONF"
+ need_restart=1
+ fi
+
+ if [ -f "$out" ]; then rm -f $out; fi
+fi
+
+db_stop || true
+
+
+# Restart Apache2 web server if needed.
+#
+if [ $need_restart -eq 1 ]; then
+
+ # Check Apache2 web server configuration.
+ if /usr/sbin/apache2ctl configtest 2>/dev/null; then
+
+ # Restart Apache2 web server.
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apache2 restart || true
+ else
+ /etc/init.d/apache2 restart || true
+ fi
+ fi
+ else
+
+ # Something is broken.
+ cp_echo "CN: Your Apache2 configuration is broken."
+ cp_echo "CN: Please, check the service after the installation finishes!"
+ fi
+fi
+
+
+# Mail root
+#
+cp_mail "$PKG"
+
+exit 0
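Review bot: A download whose content gunzip rejects aborts the whole postinst instead of taking the ERROR path, because `gunzip -c … > $db_tmp` on L236 runs under `set -e` with no `|| db_error=1`, whereas the wget call on L229 does capture failure; since the file is fetched over plain `http://` (L162) and nothing checks it before `cp_mv` places it in `$GEOLOOKUPDB_DIR` for `SecGeoLookupDb`, a bad or truncated body is the realistic failure here, and the `echo -n` line is then left without its `OK`/`ERROR` terminator. Fold the decompression into the same error flag so the existing fallback on L301-304 (disable the RBL question) also covers it, and quote the path expansions while doing so. Independently, the header comment of `get_geolookupdb` should state that the database is fetched unauthenticated at install time and that no checksum or signature is verified, so operators know the file's provenance rests on the transport alone.
```sh
  if [ $db_error -eq 0 ]; then
    db_tmp=$(mktemp "${db}.XXXXXX")
    temp_files="${temp_files} ${db_tmp}"
    # A body wget accepted can still fail to decompress; keep that on the
    # same error path instead of letting set -e abort the postinst.
    gunzip -c "$db_tmp_dir/$(basename "$GEOLOOKUPDB_URL")" > "$db_tmp" || db_error=1
  fi

  if [ $db_error -eq 1 ]; then
    echo "ERROR"
  else
    cp_mv "$db_tmp" "$db"
    echo "OK"
    need_restart=1
  fi
  if [ -n "$db_tmp" ] && [ -f "$db_tmp" ]; then rm -f "$db_tmp"; fi
  # … unchanged: removal of $db_tmp_dir, RET=$db_error …
```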
--- /dev/null
+#!/bin/sh
+
+set -e
+
+if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
+ . /usr/share/debconf/confmodule
+ db_purge
+fi
+
+exit 0
--- /dev/null
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ remove|deconfigure)
+
+ # Include CARNet functions.
+ . /usr/share/carnet-tools/functions.sh
+
+ PKG="mod-security-cn"
+ A2DIR="/etc/apache2"
+ CONFDIR="$A2DIR/conf.d"
+ MODSECCONF="$CONFDIR/mod-security-cn.conf"
+ need_restart=0
+
+ # Remove configuration file generated by this CARNet package.
+ if [ -f "$MODSECCONF" ]; then
+ if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$MODSECCONF"; then
+ cp_echo "CN: Removing configuration file ${MODSECCONF}."
+ rm -f $MODSECCONF
+ need_restart=1
+ fi
+ fi
+
+ # Restart Apache2 web server.
+ if [ $need_restart -eq 1 ]; then
+ if apache2ctl configtest 2>/dev/null; then
+
+ # Restart Apache2 web server.
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
+ invoke-rc.d apache2 restart || true
+ else
+ /etc/init.d/apache2 restart || true
+ fi
+ fi
+ else
+ # Something is broken.
+ cp_echo "CN: Your Apache2 configuration seem to be broken."
+ cp_echo "CN: Please, check the service configuration!"
+ fi
+ fi
+
+ # Mail root
+ cp_mail "$PKG"
+
+ echo
+ ;;
+ upgrade|failed-upgrade)
+ ;;
+ *)
+ echo "prerm called with unknown argument \$1'" >&2
+ exit 0
+ ;;
+esac
+
+exit 0
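Review bot: The fallback message on L426 prints the literal text `$1` instead of the argument, because the backslash escapes the dollar sign rather than the opening backtick; the postinst's equivalent on L144 has it right. Use ``echo "prerm called with unknown argument \`$1'" >&2``. Also `rm -f $MODSECCONF` on L394 should quote the variable as the surrounding `-f` test already does: `rm -f "$MODSECCONF"`.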
--- /dev/null
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# This file was originally written by Joey Hess and Craig Small.
+# As a special exception, when this file is copied by dh-make into a
+# dh-make output file, you may use that output file without restriction.
+# This special exception was added by Craig Small in version 0.37 of dh-make.
+
+#export DH_VERBOSE=1
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ touch configure-stamp
+
+build: build-stamp
+
+build-stamp: configure-stamp
+ dh_testdir
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+binary-indep: build install
+
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_install -X.svn
+# dh_installexamples
+# dh_install
+# dh_installmenu
+ dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman
+ dh_link
+# dh_strip
+ dh_compress
+ dh_fixperms
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
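Review bot: The whole packaging recipe (L468-497) sits under `binary-arch` while `binary-indep` on L466 is empty, yet the control file declares the package `Architecture: all` (L111); a build that invokes only the `binary-indep` target therefore produces no .deb, and only the combined `binary` target on L499 happens to work. Move the dh_* sequence under `binary-indep: build install` and leave `binary-arch: build install` empty. `dh_shlibdeps` on L494 can go with it, as an arch-independent package has no shared-library dependencies to compute.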
--- /dev/null
+Template: mod-security-cn/rbl
+Type: boolean
+Description: Zelite li aktivirati RBL?
+ ModSecurity moze provjeravati da li se adresa klijenta koji pristupa
+ Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List)
+ listi. U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
+ nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
+ preskace za adrese koje su iz HR domene. Ova funkcionalnost je
+ slicna onoj koju ima Postfix MTA.
+ .
+ RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr.
+ .
+ VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
+ dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
--- /dev/null
+## Begin - Generated by CARNet package mod-security-cn
+#
+# REMOVE this whole block if you DON'T WANT mod-security-cn
+# to edit your configuration file.
+#
+## End - Generated by CARNet package mod-security-cn
+
+<IfModule mod_security2.c>
+
+ # Basic configuration options
+ #
+ SecRuleEngine On
+ SecRequestBodyAccess On
+ SecResponseBodyAccess Off
+
+ # Handling of file uploads
+ #
+ SecUploadKeepFiles Off
+
+ # Debug log
+ #
+ SecDebugLog /var/log/apache2/modsec_debug.log
+ SecDebugLogLevel 0
+
+ # Serial audit log
+ #
+ SecAuditEngine RelevantOnly
+ SecAuditLogRelevantStatus ^5
+ SecAuditLogParts ABIFHZ
+ SecAuditLogType Serial
+ SecAuditLog /var/log/apache2/modsec_audit.log
+
+ # Maximum request body size we will
+ # accept for buffering
+ #
+ SecRequestBodyLimit 134217728
+
+ # Store up to 128 KB in memory
+ #
+ SecRequestBodyInMemoryLimit 131072
+
+ # Buffer response bodies of up to
+ # 512 KB in length
+ #
+ SecResponseBodyLimit 524288
+
+</IfModule>
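Review bot: `SecAuditLogRelevantStatus ^5` on L544 records audit entries only for 5xx responses, which silently couples this file to the `deny,status:500` used by rbl_lookup.conf (L583): changing that deny to the more usual 403 would drop every RBL block from the audit log with no warning. Add a comment above the directive stating the dependency, e.g. `# Only 5xx responses are audited; rule denials must use a 5xx status to appear in the audit log.`, or widen the pattern to `^(4|5)` if denials may ever return 4xx. The `SecRequestBodyLimit 134217728` on L552 likewise deserves a line saying why a 128 MB ceiling was chosen, since the accompanying comment only restates the directive.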
--- /dev/null
+<IfModule mod_security2.c>
+
+ # Defines the path to the geographical database file.
+ #
+ SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat
+ #SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat
+
+ # Skip RBL lookup for localhost.
+ #
+ SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:2,pass,nolog,t:none,skip:2"
+
+ # GeoLookup - skip RBL lookup for HR address.
+ #
+ SecRule REMOTE_ADDR "@geoLookup" "phase:2,chain,pass,nolog,t:none,skip:1"
+ SecRule GEO:COUNTRY_CODE "^HR$" "t:none"
+
+ # RBL lookup using xbl.dnsbl-sh.carnet.hr.
+ #
+ SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,log,deny,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
+
+</IfModule>
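Review bot: The "localhost" exemption on L574 matches only the literal `127.0.0.1`, so other loopback forms (the rest of 127/8, or `::1` if the server also listens on IPv6) fall through to the geo lookup and the RBL query despite the comment; either state that restriction in the comment or broaden the pattern, e.g. `SecRule REMOTE_ADDR "^(127\.\d+\.\d+\.\d+|::1)$" "phase:2,pass,nolog,t:none,skip:2"`. The `skip:2` on L574 and `skip:1` on L578 also depend on exactly one chain and one RBL rule following them, so inserting a rule between them later would silently change which rule the bypass lands on; a comment such as `# skip counts target the RBL rule below - update if rules are added in between` would protect that.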