From eae9627db45a5346d7c6ee014dfa626848410e65 Mon Sep 17 00:00:00 2001 From: Dragan Dosen Date: Fri, 29 May 2009 14:31:09 +0200 Subject: [PATCH] Izbaceno koristenje geoLookup operatora. Koristi se samo RBL uz whitelistu za 161.53.0.0/16, 193.198.0.0/16 i 82.132.0.0/17. --- debian/README.CARNet | 17 ++++++- debian/changelog | 2 +- debian/control | 3 +- debian/dirs | 2 + debian/install | 2 +- debian/postinst | 119 ++++++++++++++++++++++--------------------------- debian/prerm | 53 ++++++++++++++++++---- debian/templates | 4 +- mod-security-cn.conf | 3 ++ rbl_lookup.conf | 16 +++++++ rules/rbl_lookup.conf | 21 --------- 11 files changed, 141 insertions(+), 101 deletions(-) create mode 100644 debian/dirs create mode 100644 rbl_lookup.conf delete mode 100644 rules/rbl_lookup.conf diff --git a/debian/README.CARNet b/debian/README.CARNet index a928cf2..b751faf 100644 --- a/debian/README.CARNet +++ b/debian/README.CARNet @@ -20,6 +20,21 @@ obaviti restart Apache2 web servera: invoke-rc.d apache2 force-reload +RBL (REALTIME BLACKHOLE LIST) + +ModSecurity moze provjeravati da li se adresa klijenta koji +pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole +List) listi. + +RBL posluzitelj koji se koristi za provjeru je: + + xbl.dnsbl-sh.carnet.hr + +Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je +dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, +te 82.132.0.0/17). + + VAZNA NAPOMENA Kako bi Vas Apache2 web server mogao normalno posluzivati @@ -27,4 +42,4 @@ sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu konfiguracijsku datoteku, osim ako znate sto cinite. - -- Dragan Dosen Sat, 24 Jan 2009 15:28:38 +0100 + -- Dragan Dosen Thu, 28 May 2009 20:26:52 +0200 diff --git a/debian/changelog b/debian/changelog index 068014e..5d08ca4 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -2,4 +2,4 @@ mod-security-cn (2.5.9-1) stable; urgency=low * Inicijalni paket za Debian lenny. - -- Dragan Dosen Mon, 15 Dec 2008 21:21:42 +0100 + -- Dragan Dosen Thu, 28 May 2009 20:26:52 +0200 diff --git a/debian/control b/debian/control index 6d55d4f..072b1da 100644 --- a/debian/control +++ b/debian/control @@ -8,8 +8,7 @@ Standards-Version: 3.7.2 Package: mod-security-cn Architecture: all Pre-Depends: libapache-mod-security, mod-security-common -Depends: wget, carnet-tools-cn (>= 2.8.1), ${misc:Depends} -Suggests: geoip-bin +Depends: carnet-tools-cn (>= 2.8.1), ${misc:Depends} Description: Tighten web applications security for Apache (CARNet configuration) Mod_security is an Apache module whose purpose is to tighten the Web application security. Effectively, it is an intrusion detection and prevention diff --git a/debian/dirs b/debian/dirs new file mode 100644 index 0000000..22498d5 --- /dev/null +++ b/debian/dirs @@ -0,0 +1,2 @@ +etc/apache2/mod-security +usr/share/mod-security-cn diff --git a/debian/install b/debian/install index 16ace88..7a9310b 100644 --- a/debian/install +++ b/debian/install @@ -1,2 +1,2 @@ mod-security-cn.conf usr/share/mod-security-cn -rules usr/share/mod-security-cn +rbl_lookup.conf usr/share/mod-security-cn diff --git a/debian/postinst b/debian/postinst index 2a84610..634d107 100644 --- a/debian/postinst +++ b/debian/postinst @@ -29,11 +29,11 @@ esac PKG="mod-security-cn" A2DIR="/etc/apache2" CONFDIR="$A2DIR/conf.d" +CONF="$CONFDIR/apache2.conf" A2MODEDIR="$A2DIR/mods-enabled" -MODSECCONF="$CONFDIR/mod-security-cn.conf" -MODSECCND="/usr/share/mod-security-cn" -GEOLOOKUPDB_URL="http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz" -GEOLOOKUPDB_DIR="/usr/share/GeoIP" +MODSECDIR="$A2DIR/mod-security" +MODSECCONF="$MODSECDIR/mod-security-cn.conf" +MODSECTDIR="/usr/share/mod-security-cn" temp_files= need_restart=0 
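Review bot: `CONF="$CONFDIR/apache2.conf"` expands to /etc/apache2/conf.d/apache2.conf, while the test it replaces in the later `@@ -127,7 +111,7 @@` hunk checked /etc/apache2/apache2.conf; unless a file of that name happens to sit in conf.d, `[ -e "$CONF" ]` is false and the mod-security and unique_id modules are never enabled. The definition should read `CONF="$A2DIR/apache2.conf"`. `$CONF` is consumed only in that later hunk, so this one-line fix covers both.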
@@ -78,45 +78,29 @@ chk_conf_tag () { fi } -# get_geolookupdb () +# install_conf() # -# Download GeoLookup database from maxmind.com -# Return: 0 - OK -# 1 - ERROR +# Install specified ModSecurity configuration file. # -get_geolookupdb () { +install_conf () { - local db db_tmp db_tmp_dir db_error + local conftmpl conf + conftmpl="$MODSECTDIR/$1" + conf="$MODSECDIR/$1" - db=$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz) - db_tmp_dir=$(mktemp -d /tmp/geolookupdb.tmp.XXXXXX) - temp_files="${temp_files} ${db_tmp_dir}" - db_error=0 - - echo -n "Attempting to download GeoLookup database for ModSecurity: " - - if [ ! -d "$GEOLOOKUPDB_DIR" ]; then - mkdir -p $GEOLOOKUPDB_DIR/ - fi - - /usr/bin/wget -o /dev/null -P $db_tmp_dir $GEOLOOKUPDB_URL || db_error=1 - - if [ $db_error -eq 1 ]; then - echo "ERROR" - else - db_tmp=$(mktemp ${db}.XXXXXX) - temp_files="${temp_files} ${db_tmp}" - gunzip -c $db_tmp_dir/$(basename $GEOLOOKUPDB_URL) > $db_tmp - cp_mv $db_tmp $db - - echo "OK" + if [ ! -e "$conf" ]; then + cp_echo "CN: Creating new configuration file $conf" + cp "$conftmpl" "$conf" need_restart=1 - if [ -f "$db_tmp" ]; then rm -f $db_tmp; fi + else + if ! cmp -s "$conf" "$conftmpl"; then + cp_echo "CN: Updating configuration file $conf" + cp "$conftmpl" "$conf" + need_restart=1 + else + cp_echo "CN: $conf already exists." 1>&2 + fi fi - - if [ -d "$db_tmp_dir" ]; then rm -rf $db_tmp_dir; fi - - RET=$db_error } @@ -127,7 +111,7 @@ trap cleanup 0 1 2 15 # Enable ModSecurity and unique_id Apache2 modules. # -if [ -e /etc/apache2/apache2.conf ]; then +if [ -e "$CONF" ]; then # Enable mod-security.load if [ ! -e "$A2MODEDIR/mod-security.load" ]; then @@ -138,8 +122,8 @@ if [ -e /etc/apache2/apache2.conf ]; then # Enable unique_id.load if [ ! -e "$A2MODEDIR/unique_id.load" ]; then - a2enmod unique_id >/dev/null || true cp_echo "CN: Enabling unique_id module for Apache2 web server." + a2enmod unique_id >/dev/null || true need_restart=1 fi fi 
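Review bot: `install_conf` copies the template over `$conf` whenever the two differ, so a locally edited /etc/apache2/mod-security/mod-security-cn.conf is silently replaced on every postinst run; the `@@ -153` hunk gates rbl_lookup.conf on `chk_conf_tag`, but nothing gates mod-security-cn.conf. With RBL disabled this also means the Include line is commented out by sed, the file then differs from the template, and every later run re-copies it and forces a restart. Add a guard before the `cmp` branch: `chk_conf_tag "$conf"` / `if [ $RET -eq 2 ]; then cp_echo "CN: $conf was modified locally, not updating." 1>&2; return; fi`. The plain `cp` onto the live file is also not atomic, unlike the mktemp-and-`cp_mv` sequence the removed code used; `install_conf` is fully contained in this hunk.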
@@ -153,51 +137,54 @@ if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then # Create /etc/apache2/conf.d/ directory if missing. if [ ! -d "$CONFDIR" ]; then - cp_echo "CN: Creating configuration directory $CONFDIR" + cp_echo "CN: Creating configuration directory $CONFDIR/" mkdir -p $CONFDIR/ fi - # Enable mod-security-cn.conf - if [ ! -e "$MODSECCONF" ]; then - cp_echo "CN: Enabling ModSecurity specific configuration." - need_restart=1 + # Create /etc/apache2/mod-security/ directory if missing. + if [ ! -d "$MODSECDIR" ]; then + cp_echo "CN: Creating ModSecurity configuration directory $MODSECDIR/" + mkdir -p $MODSECDIR/ fi - out=$(mktemp $MODSECCONF.XXXXXX) - temp_files="${temp_files} ${out}" - cp "$MODSECCND/mod-security-cn.conf" "$out" - - # GeoLookup database. - if [ -n "$2" ] || [ ! -e "$GEOLOOKUPDB_DIR/$(basename $GEOLOOKUPDB_URL .gz)" ]; then - - get_geolookupdb - if [ $RET -eq 1 ]; then - db_set mod-security-cn/rbl false || true - db_fset mod-security-cn/rbl seen true - fi - fi + install_conf "mod-security-cn.conf" db_get mod-security-cn/rbl || true if [ "$RET" = "true" ]; then + cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF" + # Add RBL configuration. - cp_echo "CN: Enabling RBL lookup in $MODSECCONF." - cat $MODSECCND/rbl_lookup.conf >> $out - need_restart=1 + chk_conf_tag "$MODSECDIR/rbl_lookup.conf" + if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then + install_conf "rbl_lookup.conf" + fi else + cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF" + # Remove RBL configuration. - cp_echo "CN: Disabling RBL lookup in $MODSECCONF." 
+ out=$(mktemp $MODSECCONF.XXXXXX) + temp_files="${temp_files} ${out}" + sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \ + "$MODSECCONF" > "$out" + mv -f "$out" "$MODSECCONF" + if [ -f "$out" ]; then rm -f $out; fi + + chk_conf_tag "$MODSECDIR/rbl_lookup.conf" + if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then + rm -f "$MODSECDIR/rbl_lookup.conf" + fi + need_restart=1 fi - # Update mod-security-cn.conf configuration file. - if ! cmp -s "$MODSECCONF" "$out"; then - cp_mv "$out" "$MODSECCONF" + # Enable ModSecurity configuration. + if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then + cp_echo "CN: Enabling ModSecurity configuration." + ln -fs "$MODSECCONF" "$CONFDIR/." need_restart=1 fi - - if [ -f "$out" ]; then rm -f $out; fi fi db_stop || true diff --git a/debian/prerm b/debian/prerm index aeef7d6..e9c9a13 100644 --- a/debian/prerm +++ b/debian/prerm @@ -2,6 +2,29 @@ set -e +# chk_conf_tag () +# +# Check if configuration file has CARNet package info lines. +# return: $RET => 0 - tagged +# 1 - file does not exists +# 2 - file exists, but it is not tagged +# +chk_conf_tag () { + + local conf_file + conf_file="$1" + RET=1 + + if [ -f "$conf_file" ]; then + if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$conf_file"; then + RET=0 + else + RET=2 + fi + fi +} + + case "$1" in remove|deconfigure) 
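Review bot: `mv -f "$out" "$MODSECCONF"` replaces the live configuration with the mktemp file, which is created with restrictive permissions (typically 0600), so the mode of the file Apache reads changes the first time RBL is disabled; the removed code went through `cp_mv` for exactly this step, and the following `if [ -f "$out" ]; then rm -f $out; fi` can never be true once the mv has succeeded. Use `cp_mv "$out" "$MODSECCONF"` and drop the dead `rm -f`, leaving cleanup to the `temp_files` trap. `need_restart=1` is also set unconditionally in the disable branch even when sed changed nothing, which forces a reload on every upgrade. The enclosing `if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then` starts before the hunk.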
@@ -9,17 +32,31 @@ case "$1" in . /usr/share/carnet-tools/functions.sh PKG="mod-security-cn" - A2DIR="/etc/apache2" + A2DIR="/etc/apache2" CONFDIR="$A2DIR/conf.d" - MODSECCONF="$CONFDIR/mod-security-cn.conf" + MODSECDIR="$A2DIR/mod-security" + MODSECCONF="$MODSECDIR/mod-security-cn.conf" + need_restart=0 - # Remove configuration file generated by this CARNet package. - if [ -f "$MODSECCONF" ]; then - if egrep -q "^## Begin - Generated by CARNet package mod-security-cn$" "$MODSECCONF"; then - cp_echo "CN: Removing configuration file ${MODSECCONF}." - rm -f $MODSECCONF - need_restart=1 + + # Disable ModSecurity configuration. + chk_conf_tag "$MODSECCONF" + if [ $RET -eq 0 ]; then + if [ -e "$CONFDIR/mod-security-cn.conf" ]; then + cp_echo "CN: Disabling ModSecurity configuration." + rm -f "$CONFDIR/mod-security-cn.conf" + need_restart=1 + fi + fi + + # Remove configuration files generated by this CARNet package. + for file in "$MODSECCONF" "$MODSECDIR/rbl_lookup.conf"; do + chk_conf_tag "$file" + if [ $RET -eq 0 ]; then + cp_echo "CN: Removing configuration file $file" + rm -f $file + need_restart=1 fi fi diff --git a/debian/templates b/debian/templates index 4c1e6f7..14c3eb1 100644 --- a/debian/templates +++ b/debian/templates @@ -1,5 +1,6 @@ Template: mod-security-cn/rbl Type: boolean +Default: true Description: Zelite li aktivirati RBL? ModSecurity moze provjeravati da li se adresa klijenta koji pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List) @@ -11,4 +12,5 @@ Description: Zelite li aktivirati RBL? RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr. . VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je - dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16). + dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, te + 82.132.0.0/17). diff --git a/mod-security-cn.conf b/mod-security-cn.conf index aaf03b6..8b3c8d2 100644 --- a/mod-security-cn.conf +++ b/mod-security-cn.conf 
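Review bot: The `for file in ...; do` loop opened in the new lines is never closed: the hunk ends with the two context `fi` lines inherited from the old nested ifs, so the first `fi` closes `if [ $RET -eq 0 ]` and the second has no matching `if`, and no `done` appears before it. As far as the hunk shows, sh will reject prerm with a syntax error on that `fi`, and the package can then neither be removed nor deconfigured. The second `fi` should become `done`. Quote the loop variable as well, `rm -f "$file"`, as the other paths in this hunk are.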
@@ -44,4 +44,7 @@ # SecResponseBodyLimit 524288 + # RBL configuration + Include /etc/apache2/mod-security/rbl_lookup.conf + diff --git a/rbl_lookup.conf b/rbl_lookup.conf new file mode 100644 index 0000000..0497faa --- /dev/null +++ b/rbl_lookup.conf @@ -0,0 +1,16 @@ +## Begin - Generated by CARNet package mod-security-cn +# +# REMOVE this whole block if you DON'T WANT mod-security-cn +# to edit your configuration file. +# +## End - Generated by CARNet package mod-security-cn + + + + # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17. + SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3})$" "phase:2,pass,nolog,t:none,skip:1" + + # RBL lookup using xbl.dnsbl-sh.carnet.hr. + SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'" + + diff --git a/rules/rbl_lookup.conf b/rules/rbl_lookup.conf deleted file mode 100644 index 6746643..0000000 --- a/rules/rbl_lookup.conf +++ /dev/null @@ -1,21 +0,0 @@ - - - # Defines the path to the geographical database file. - # - SecGeoLookupDb /usr/share/GeoIP/GeoIP.dat - #SecGeoLookupDb /usr/share/GeoIP/GeoLiteCity.dat - - # Skip RBL lookup for localhost. - # - SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:2,pass,nolog,t:none,skip:2" - - # GeoLookup - skip RBL lookup for HR address. - # - SecRule REMOTE_ADDR "@geoLookup" "phase:2,chain,pass,nolog,t:none,skip:1" - SecRule GEO:COUNTRY_CODE "^HR$" "t:none" - - # RBL lookup using xbl.dnsbl-sh.carnet.hr. - # - SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,log,deny,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'" - - -- 1.7.10.4
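Review bot: The whitelist rule relies on `skip:1` jumping over exactly the one rule that follows it, so a rule inserted between the two would re-enable RBL lookups for the exempted ranges without any error; a comment such as `# NOTE: keep this rule immediately before the @rbl rule - skip:1 counts rules, not lines.` would guard against that. The third-octet alternation `(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})` does cover 0-127 for 82.132.0.0/17, though the `{1}` quantifiers are no-ops and `\d{1,3}` accepts values above 255; both are harmless for a syntactically valid REMOTE_ADDR. Note also that behind a reverse proxy REMOTE_ADDR is the proxy's address, so both the exemption and the lookup would apply to the proxy rather than the client.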