From d88c1a9e47b7892de4eda2a2a3f2494681c70856 Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Fri, 29 May 2009 20:15:43 +0200 Subject: [PATCH] Dodatni upgrade paketa, izmjene u funkcionalnosti. Azurirane ModSecurity konfiguracijske datoteke: + mod-security-cn.conf + rbl_lookup.conf Bitne izmjene u funkcionalnosti unutar datoteka: + debian/postinst + debian/prerm Dodan sadrzaj u README.CARNet i debian/templates. --- debian/README.CARNet | 35 ++++++++++------ debian/config | 4 +- debian/control | 2 +- debian/postinst | 111 +++++++++++++++++++++++++++++--------------------- debian/prerm | 8 ++-- debian/templates | 7 ++-- mod-security-cn.conf | 4 +- rbl_lookup.conf | 4 +- 8 files changed, 102 insertions(+), 73 deletions(-) diff --git a/debian/README.CARNet b/debian/README.CARNet index b751faf..ecd0b5a 100644 --- a/debian/README.CARNet +++ b/debian/README.CARNet @@ -1,8 +1,8 @@ mod-security-cn --------------- -Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity -pakete. Povlaci za sobom instalaciju Debian paketa: +Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity. +Povlaci za sobom instalaciju Debian paketa: + mod-security-common + libapache-mod-security 
@@ -10,14 +10,21 @@ pakete. Povlaci za sobom instalaciju Debian paketa: MODSECURITY KONFIGURACIJA -ModSecurity konfiguracija nalazi se unutar datoteke: +ModSecurity konfiguracija nalazi se unutar direktorija +/etc/apache2/mod-security/, datoteke: - /etc/apache2/conf.d/mod-security-cn.conf + /etc/apache2/mod-security/mod-security-cn.conf + /etc/apache2/mod-security/rbl_lookup.conf -Nakon sto prepravite ModSecurity konfiguraciju, potrebno je -obaviti restart Apache2 web servera: +mod-security-cn.conf je glavna konfiguracijska datoteka za +ModSecurity, dok rbl_lookup.conf sadrzi samo konfiguraciju +specificnu za RBL. RBL konfiguracija bit ce ukljucena kroz glavnu +konfiguracijsku datoteku ovisno jeste li odlucili koristiti RBL +provjeru ili ne. - invoke-rc.d apache2 force-reload +Kako bi konfiguracija bila aktivna, unutar Apache2 direktorija +/etc/apache2/conf.d/ kreiran je simbolicki link na glavnu +konfiguracijsku datoteku mod-security-cn.conf. RBL (REALTIME BLACKHOLE LIST) 
@@ -26,20 +33,24 @@ ModSecurity moze provjeravati da li se adresa klijenta koji pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List) listi. +U slucaju da se adresa nalazi na RBL listi, sa doticne adrese +nece se moci pristupiti Vasem web posluzitelju. RBL provjera se +preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost +je slicna onoj koju ima Postfix MTA. + RBL posluzitelj koji se koristi za provjeru je: xbl.dnsbl-sh.carnet.hr Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je -dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, -te 82.132.0.0/17). +dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16). VAZNA NAPOMENA -Kako bi Vas Apache2 web server mogao normalno posluzivati -sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu -konfiguracijsku datoteku, osim ako znate sto cinite. +Kako bi Vas Apache2 web server mogao normalno posluzivati sadrzaj, +preporuca se da NE brisete i da ne uredjujete navedene +konfiguracijske datoteke, osim ako znate sto cinite. -- Dragan Dosen Thu, 28 May 2009 20:26:52 +0200 diff --git a/debian/config b/debian/config index 7782e4a..6416f6f 100644 --- a/debian/config +++ b/debian/config @@ -13,8 +13,8 @@ if [ "$1" != reconfigure ]; then fi A2DIR="/etc/apache2" -CONFDIR="$A2DIR/conf.d" -MODSECCONF="$CONFDIR/mod-security-cn.conf" +MODSECDIR="$A2DIR/mod-security" +MODSECCONF="$MODSECDIR/mod-security-cn.conf" # chk_conf_tag () diff --git a/debian/control b/debian/control index 072b1da..db7f069 100644 --- a/debian/control +++ b/debian/control 
@@ -7,7 +7,7 @@ Standards-Version: 3.7.2 Package: mod-security-cn Architecture: all -Pre-Depends: libapache-mod-security, mod-security-common +Pre-Depends: libapache-mod-security (>= 2.5.9-1~cn1), mod-security-common (>= 2.5.9-1~cn1) Depends: carnet-tools-cn (>= 2.8.1), ${misc:Depends} Description: Tighten web applications security for Apache (CARNet configuration) Mod_security is an Apache module whose purpose is to tighten the Web diff --git a/debian/postinst b/debian/postinst index 634d107..96bf5f7 100644 --- a/debian/postinst +++ b/debian/postinst @@ -28,12 +28,14 @@ esac PKG="mod-security-cn" A2DIR="/etc/apache2" +CONF="$A2DIR/apache2.conf" CONFDIR="$A2DIR/conf.d" -CONF="$CONFDIR/apache2.conf" A2MODEDIR="$A2DIR/mods-enabled" MODSECDIR="$A2DIR/mod-security" MODSECCONF="$MODSECDIR/mod-security-cn.conf" -MODSECTDIR="/usr/share/mod-security-cn" +MODSECRBL="$MODSECDIR/rbl_lookup.conf" +MODSECLNK="$CONFDIR/$(basename $MODSECCONF)" +MODSECTPL="/usr/share/mod-security-cn" temp_files= need_restart=0 @@ -78,31 +80,6 @@ chk_conf_tag () { fi } -# install_conf() -# -# Install specified ModSecurity configuration file. -# -install_conf () { - - local conftmpl conf - conftmpl="$MODSECTDIR/$1" - conf="$MODSECDIR/$1" - - if [ ! -e "$conf" ]; then - cp_echo "CN: Creating new configuration file $conf" - cp "$conftmpl" "$conf" - need_restart=1 - else - if ! cmp -s "$conf" "$conftmpl"; then - cp_echo "CN: Updating configuration file $conf" - cp "$conftmpl" "$conf" - need_restart=1 - else - cp_echo "CN: $conf already exists." 1>&2 - fi - fi -} - # Set trap for deleting all temp files. # 
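Review bot: `MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"` leaves the argument of the command substitution unquoted; `$(basename "$MODSECCONF")` is the safe form, and the same unquoted pattern recurs on the identically named line added to debian/prerm and in the `cp "$MODSECTPL/$(basename $MODSECCONF)" ...` calls of the later postinst hunk. Moving `CONF` to `$A2DIR/apache2.conf` corrects the old `conf.d/apache2.conf` value, but the new variables are undocumented: a line such as `# MODSECLNK: symlink in conf.d that activates $MODSECCONF; MODSECTPL: packaged templates` above the block would tell a reader why both CONFDIR and MODSECDIR are still needed.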
@@ -147,42 +124,82 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then mkdir -p $MODSECDIR/ fi - install_conf "mod-security-cn.conf" + out=$(mktemp $MODSECCONF.XXXXXX) + temp_files="${temp_files} ${out}" + cp "$MODSECTPL/$(basename $MODSECCONF)" "$out" db_get mod-security-cn/rbl || true if [ "$RET" = "true" ]; then - cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF" - # Add RBL configuration. - chk_conf_tag "$MODSECDIR/rbl_lookup.conf" + chk_conf_tag "$MODSECRBL" if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then - install_conf "rbl_lookup.conf" + + if [ $RET -eq 1 ]; then + cp_echo "CN: Creating new configuration file $MODSECRBL" + cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" + need_restart=1 + else + if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then + cp_echo "CN: Updating configuration file $MODSECRBL" + cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL" + need_restart=1 + fi + fi fi - else - cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF" + cp_check_and_sed '#RBLLOOKUP#' \ + "s,#RBLLOOKUP#,Include $MODSECRBL,g" \ + "$out" || true + + if [ -e "$MODSECCONF" ]; then + if ! cmp -s "$MODSECCONF" "$out"; then + cp_echo "CN: Updating configuration file $MODSECCONF" + mv -f "$out" "$MODSECCONF" + cp_echo "CN: Enabled ModSecurity RBL lookup." + need_restart=1 + fi + else + cp_echo "CN: Creating new configuration file $MODSECCONF" + mv "$out" "$MODSECCONF" + cp_echo "CN: Enabled ModSecurity RBL lookup." + need_restart=1 + fi + else # Remove RBL configuration. 
- out=$(mktemp $MODSECCONF.XXXXXX) - temp_files="${temp_files} ${out}" - sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \ - "$MODSECCONF" > "$out" - mv -f "$out" "$MODSECCONF" - if [ -f "$out" ]; then rm -f $out; fi - - chk_conf_tag "$MODSECDIR/rbl_lookup.conf" - if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then - rm -f "$MODSECDIR/rbl_lookup.conf" + cp_check_and_sed '#RBLLOOKUP#' \ + "s,#RBLLOOKUP#,# DISABLED,g" \ + "$out" || true + + if [ -e "$MODSECCONF" ]; then + if ! cmp -s "$MODSECCONF" "$out"; then + cp_echo "CN: Updating configuration file $MODSECCONF" + mv -f "$out" "$MODSECCONF" + cp_echo "CN: Disabled ModSecurity RBL lookup." + need_restart=1 + fi + else + cp_echo "CN: Creating new configuration file $MODSECCONF" + mv "$out" "$MODSECCONF" + cp_echo "CN: Disabled ModSecurity RBL lookup." + need_restart=1 fi - need_restart=1 + chk_conf_tag "$MODSECRBL" + if [ $RET -eq 0 ]; then + cp_echo "CN: Removing configuration file $MODSECRBL" + rm -f "$MODSECRBL" + need_restart=1 + fi fi + if [ -f "$out" ]; then rm -f $out; fi + # Enable ModSecurity configuration. - if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then + if [ ! -e "$MODSECLNK" ]; then cp_echo "CN: Enabling ModSecurity configuration." - ln -fs "$MODSECCONF" "$CONFDIR/." + ln -fs "$MODSECCONF" "$MODSECLNK" need_restart=1 fi fi diff --git a/debian/prerm b/debian/prerm index e9c9a13..d574e4e 100644 --- a/debian/prerm +++ b/debian/prerm @@ -36,6 +36,8 @@ case "$1" in CONFDIR="$A2DIR/conf.d" MODSECDIR="$A2DIR/mod-security" MODSECCONF="$MODSECDIR/mod-security-cn.conf" + MODSECRBL="$MODSECDIR/rbl_lookup.conf" + MODSECLNK="$CONFDIR/$(basename $MODSECCONF)" need_restart=0 
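Review bot: `out=$(mktemp $MODSECCONF.XXXXXX)` creates the temporary file with mode 0600 and `mv -f "$out" "$MODSECCONF"` preserves that mode, so after this change the main ModSecurity configuration is installed root-only-readable in both the create and the update paths, whereas `$MODSECRBL` is still installed with `cp` and receives the umask default; Apache starts as root so the server itself should keep working, but a `chmod 0644 "$out"` right after the `cp "$MODSECTPL/$(basename $MODSECCONF)" "$out"` line keeps both files consistent and readable by anything that parses the configuration unprivileged. Separately, both `cp_check_and_sed ... || true` calls hide a failed substitution: if the `#RBLLOOKUP#` token is missing from the template the file is still moved into place and `Enabled ModSecurity RBL lookup.` is printed although no `Include` was written, so dropping the `|| true` or checking the result with `grep -q '^Include' "$out"` before the `mv` would make the outcome match the message. The enclosing `if [ $RET -eq 0 ] || [ $RET -eq 1 ]` block starts before this hunk.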
@@ -43,15 +45,15 @@ case "$1" in # Disable ModSecurity configuration. chk_conf_tag "$MODSECCONF" if [ $RET -eq 0 ]; then - if [ -e "$CONFDIR/mod-security-cn.conf" ]; then + if [ -e "$MODSECLNK" ]; then cp_echo "CN: Disabling ModSecurity configuration." - rm -f "$CONFDIR/mod-security-cn.conf" + rm -f "$MODSECLNK" need_restart=1 fi fi # Remove configuration files generated by this CARNet package. - for file in "$MODSECCONF" "$MODSECDIR/rbl_lookup.conf"; do + for file in "$MODSECCONF" "$MODSECRBL"; do chk_conf_tag "$file" if [ $RET -eq 0 ]; then cp_echo "CN: Removing configuration file $file" diff --git a/debian/templates b/debian/templates index 14c3eb1..037b574 100644 --- a/debian/templates +++ b/debian/templates @@ -6,11 +6,10 @@ Description: Zelite li aktivirati RBL? Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List) listi. U slucaju da se adresa nalazi na RBL listi, sa doticne adrese nece se moci pristupiti Vasem web posluzitelju. RBL provjera se - preskace za adrese koje su iz HR domene. Ova funkcionalnost je - slicna onoj koju ima Postfix MTA. + preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost + je slicna onoj koju ima Postfix MTA. . RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr. . VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je - dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, te - 82.132.0.0/17). + dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16). diff --git a/mod-security-cn.conf b/mod-security-cn.conf index 8b3c8d2..2a151c9 100644 --- a/mod-security-cn.conf +++ b/mod-security-cn.conf @@ -44,7 +44,7 @@ # SecResponseBodyLimit 524288 - # RBL configuration - Include /etc/apache2/mod-security/rbl_lookup.conf + # RBL lookup configuration + #RBLLOOKUP# diff --git a/rbl_lookup.conf b/rbl_lookup.conf index 0497faa..ebca5a3 100644 --- a/rbl_lookup.conf +++ b/rbl_lookup.conf 
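Review bot: `if [ -e "$MODSECLNK" ]` follows the symlink, so a dangling link (its target `$MODSECCONF` already removed, for example on a repeated prerm run) is reported as absent and stays in conf.d, where Apache's directory include may then stumble over it; testing the link itself with `if [ -L "$MODSECLNK" ] || [ -e "$MODSECLNK" ]; then` removes it in both cases. The `case "$1" in` arm that contains this code starts before the hunk.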
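Review bot: `#RBLLOOKUP#` is a placeholder that debian/postinst rewrites to either an `Include` line or `# DISABLED`, but nothing in the shipped template says so; if this file is ever copied into place without that substitution, Apache reads the token as a comment and the RBL lookup is silently off. A comment on the preceding line such as `# RBL lookup configuration -- the token on the next line is replaced by debian/postinst; do not edit by hand` would make the intent visible in the installed file (the token itself must not appear in the comment, since the `sed ... g` in postinst would rewrite it there too).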
@@ -7,10 +7,10 @@ - # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17. + # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17 SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3})$" "phase:2,pass,nolog,t:none,skip:1" - # RBL lookup using xbl.dnsbl-sh.carnet.hr. + # RBL lookup using xbl.dnsbl-sh.carnet.hr SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'" -- 1.7.10.4
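Review bot: The skip rule and its comment still exempt 82.132.0.0/17 from the RBL lookup, while the README.CARNet and debian/templates hunks of this same commit drop that range from the networks described as CARNet's; if the range really left the CARNet network the `SecRule REMOTE_ADDR` exemption is now wider than what is documented, and if it did not, the user-facing text is wrong. Either the `|82\.132\.(...)\.\d{1,3}` alternative and the "and 82.132.0.0/17" text should go, or the range should be restored in README.CARNet and the template, so that the bypass list and its documentation agree.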