Updated ModSecurity configuration files:
+ mod-security-cn.conf
+ rbl_lookup.conf
Significant changes in functionality within the files:
+ debian/postinst
+ debian/prerm
Added content to README.CARNet and debian/templates.
mod-security-cn
---------------
-Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity
-pakete. Povlaci za sobom instalaciju Debian paketa:
+Ovaj paket sadrzi dodatne CARNetove postavke za ModSecurity.
+Povlaci za sobom instalaciju Debian paketa:
+ mod-security-common
+ libapache-mod-security
MODSECURITY KONFIGURACIJA
-ModSecurity konfiguracija nalazi se unutar datoteke:
+ModSecurity konfiguracija nalazi se unutar direktorija
+/etc/apache2/mod-security/, datoteke:
- /etc/apache2/conf.d/mod-security-cn.conf
+ /etc/apache2/mod-security/mod-security-cn.conf
+ /etc/apache2/mod-security/rbl_lookup.conf
-Nakon sto prepravite ModSecurity konfiguraciju, potrebno je
-obaviti restart Apache2 web servera:
+mod-security-cn.conf je glavna konfiguracijska datoteka za
+ModSecurity, dok rbl_lookup.conf sadrzi samo konfiguraciju
+specificnu za RBL. RBL konfiguracija bit ce ukljucena kroz glavnu
+konfiguracijsku datoteku ovisno jeste li odlucili koristiti RBL
+provjeru ili ne.
- invoke-rc.d apache2 force-reload
+Kako bi konfiguracija bila aktivna, unutar Apache2 direktorija
+/etc/apache2/conf.d/ kreiran je simbolicki link na glavnu
+konfiguracijsku datoteku mod-security-cn.conf.
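Review bot: the `invoke-rc.d apache2 force-reload` instruction is dropped from this section without a replacement, so the README no longer tells an administrator how to activate a manual edit of mod-security-cn.conf or rbl_lookup.conf; keep a reload sentence after the new symlink paragraph. The paragraph also says the symlink in /etc/apache2/conf.d/ "is created" without saying by what; state that postinst creates it and prerm removes it, so nobody recreates it by hand and then loses it on package removal.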
RBL (REALTIME BLACKHOLE LIST)
pristupa Vasem web posluzitelju nalazi na RBL (Realtime Blackhole
List) listi.
+U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
+nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
+preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost
+je slicna onoj koju ima Postfix MTA.
+
RBL posluzitelj koji se koristi za provjeru je:
xbl.dnsbl-sh.carnet.hr
Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
-dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16,
-te 82.132.0.0/17).
+dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
-Kako bi Vas Apache2 web server mogao normalno posluzivati
-sadrzaj, preporuca se da NE brisete i da ne uredjujete navedenu
-konfiguracijsku datoteku, osim ako znate sto cinite.
+Kako bi Vas Apache2 web server mogao normalno posluzivati sadrzaj,
+preporuca se da NE brisete i da ne uredjujete navedene
+konfiguracijske datoteke, osim ako znate sto cinite.
-- Dragan Dosen <ddosen@ffzg.hr> Thu, 28 May 2009 20:26:52 +0200
-CONFDIR="$A2DIR/conf.d"
-MODSECCONF="$CONFDIR/mod-security-cn.conf"
+MODSECDIR="$A2DIR/mod-security"
+MODSECCONF="$MODSECDIR/mod-security-cn.conf"
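Review bot: CONFDIR is removed here while MODSECDIR and MODSECCONF are added; if anything later in this script still expands $CONFDIR (the postinst hunk in this same change builds MODSECLNK from "$CONFDIR/$(basename $MODSECCONF)"), it will expand to an empty string and produce a path directly under /. Grep the script for remaining uses before dropping the variable.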
Package: mod-security-cn
Architecture: all
-Pre-Depends: libapache-mod-security, mod-security-common
+Pre-Depends: libapache-mod-security (>= 2.5.9-1~cn1), mod-security-common (>= 2.5.9-1~cn1)
Depends: carnet-tools-cn (>= 2.8.1), ${misc:Depends}
Description: Tighten web applications security for Apache (CARNet configuration)
Mod_security is an Apache module whose purpose is to tighten the Web
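Review bot: the versioned pins (>= 2.5.9-1~cn1) on libapache-mod-security and mod-security-common tie this package to the CARNet build of ModSecurity 2.5, which is reasonable given the rbl_lookup.conf rules it ships, but Pre-Depends is only justified if those packages must be configured before this package's preinst runs; if they are only needed by postinst and the installed configuration, a versioned Depends gives the same guarantee without the unpack-ordering constraint that Pre-Depends imposes. Note the reason for Pre-Depends in the changelog either way.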
PKG="mod-security-cn"
A2DIR="/etc/apache2"
+CONF="$A2DIR/apache2.conf"
-CONF="$CONFDIR/apache2.conf"
A2MODEDIR="$A2DIR/mods-enabled"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
-MODSECTDIR="/usr/share/mod-security-cn"
+MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
+MODSECTPL="/usr/share/mod-security-cn"
temp_files=
need_restart=0
-# install_conf()
-#
-# Install specified ModSecurity configuration file.
-#
-install_conf () {
-
- local conftmpl conf
- conftmpl="$MODSECTDIR/$1"
- conf="$MODSECDIR/$1"
-
- if [ ! -e "$conf" ]; then
- cp_echo "CN: Creating new configuration file $conf"
- cp "$conftmpl" "$conf"
- need_restart=1
- else
- if ! cmp -s "$conf" "$conftmpl"; then
- cp_echo "CN: Updating configuration file $conf"
- cp "$conftmpl" "$conf"
- need_restart=1
- else
- cp_echo "CN: $conf already exists." 1>&2
- fi
- fi
-}
-
# Set trap for deleting all temp files.
#
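Review bot: MODSECLNK="$CONFDIR/$(basename $MODSECCONF)" depends on CONFDIR, which is not among the variables visible in this hunk, and another hunk in this change deletes the CONFDIR="$A2DIR/conf.d" definition; confirm postinst still defines it, otherwise the symlink is created as /mod-security-cn.conf. Quote the substitution as "$(basename "$MODSECCONF")" to match the quoting used elsewhere in the script. Dropping install_conf() also drops the shared create/update/"already exists" logic; the inline code that replaces it reimplements the same cmp/cp sequence for rbl_lookup.conf, so a single helper taking the file name would be easier to keep correct than two copies.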
- install_conf "mod-security-cn.conf"
+ out=$(mktemp $MODSECCONF.XXXXXX)
+ temp_files="${temp_files} ${out}"
+ cp "$MODSECTPL/$(basename $MODSECCONF)" "$out"
db_get mod-security-cn/rbl || true
if [ "$RET" = "true" ]; then
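Review bot: mktemp creates $out with mode 0600, `cp` onto that existing file keeps the destination mode, and the later `mv "$out" "$MODSECCONF"` keeps it too, so the generated mod-security-cn.conf becomes root-only where the old direct copy of the template produced 0644. Apache parses its configuration as root, so it still loads, but the file is now unreadable to non-root administrators and differs from the shipped template; add `chmod 0644 "$out"` before the mv. Also quote the template argument ("$MODSECCONF.XXXXXX") and stop if mktemp fails, since an empty $out makes every later cp, sed and mv operate on an empty path.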
- cp_echo "CN: Enabling ModSecurity RBL lookup in $MODSECCONF"
-
- chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
+ chk_conf_tag "$MODSECRBL"
if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- install_conf "rbl_lookup.conf"
+
+ if [ $RET -eq 1 ]; then
+ cp_echo "CN: Creating new configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ else
+ if ! cmp -s "$MODSECRBL" "$MODSECTPL/$(basename $MODSECRBL)"; then
+ cp_echo "CN: Updating configuration file $MODSECRBL"
+ cp "$MODSECTPL/$(basename $MODSECRBL)" "$MODSECRBL"
+ need_restart=1
+ fi
+ fi
- cp_echo "CN: Disabling ModSecurity RBL lookup in $MODSECCONF"
+ cp_check_and_sed '#RBLLOOKUP#' \
+ "s,#RBLLOOKUP#,Include $MODSECRBL,g" \
+ "$out" || true
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating new configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Enabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
# Remove RBL configuration.
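Review bot: in this enable branch the main configuration is replaced whenever it differs from the freshly generated copy (`if ! cmp -s "$MODSECCONF" "$out"; then` followed by `mv -f "$out" "$MODSECCONF"`) without the chk_conf_tag check that is applied to $MODSECRBL a few lines above and to $MODSECCONF in prerm; a locally edited mod-security-cn.conf is therefore silently overwritten on every upgrade. Either run chk_conf_tag "$MODSECCONF" first and skip the mv when the file carries no CARNet tag, or state in README that this file is regenerated unconditionally. Minor: when chk_conf_tag on $MODSECRBL returns neither 0 nor 1 the RBL file is left untouched with no message, which makes a stale rbl_lookup.conf hard to diagnose; a cp_echo in that case would help.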
- out=$(mktemp $MODSECCONF.XXXXXX)
- temp_files="${temp_files} ${out}"
- sed -r "s/^([[:space:]]*)(Include[[:space:]]+\/etc\/apache2\/mod-security\/rbl_lookup\.conf)$/\1#\2/I" \
- "$MODSECCONF" > "$out"
- mv -f "$out" "$MODSECCONF"
- if [ -f "$out" ]; then rm -f $out; fi
-
- chk_conf_tag "$MODSECDIR/rbl_lookup.conf"
- if [ $RET -eq 0 ] || [ $RET -eq 1 ]; then
- rm -f "$MODSECDIR/rbl_lookup.conf"
+ cp_check_and_sed '#RBLLOOKUP#' \
+ "s,#RBLLOOKUP#,# DISABLED,g" \
+ "$out" || true
+
+ if [ -e "$MODSECCONF" ]; then
+ if ! cmp -s "$MODSECCONF" "$out"; then
+ cp_echo "CN: Updating configuration file $MODSECCONF"
+ mv -f "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
+ fi
+ else
+ cp_echo "CN: Creating new configuration file $MODSECCONF"
+ mv "$out" "$MODSECCONF"
+ cp_echo "CN: Disabled ModSecurity RBL lookup."
+ need_restart=1
+ chk_conf_tag "$MODSECRBL"
+ if [ $RET -eq 0 ]; then
+ cp_echo "CN: Removing configuration file $MODSECRBL"
+ rm -f "$MODSECRBL"
+ need_restart=1
+ fi
+ if [ -f "$out" ]; then rm -f $out; fi
+
# Enable ModSecurity configuration.
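Review bot: the `chk_conf_tag "$MODSECRBL"` / `rm -f "$MODSECRBL"` block follows directly after the "Creating new configuration file $MODSECCONF" branch with no closing `fi` visible between them, so as written it runs only when mod-security-cn.conf is being created for the first time; on the usual upgrade path (file exists, RBL answered false) the old rbl_lookup.conf stays on disk, whereas the removed code deleted it unconditionally after the sed. Move the block after the `if [ -e "$MODSECCONF" ] ... fi` so the file is removed in both cases, and quote the cleanup as `rm -f "$out"`. The leftover file is inert while the main config says `# DISABLED`, but it is still picked up by anything that Includes it by path.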
- if [ ! -e "$CONFDIR/mod-security-cn.conf" ]; then
+ if [ ! -e "$MODSECLNK" ]; then
cp_echo "CN: Enabling ModSecurity configuration."
- ln -fs "$MODSECCONF" "$CONFDIR/."
+ ln -fs "$MODSECCONF" "$MODSECLNK"
CONFDIR="$A2DIR/conf.d"
MODSECDIR="$A2DIR/mod-security"
MODSECCONF="$MODSECDIR/mod-security-cn.conf"
+ MODSECRBL="$MODSECDIR/rbl_lookup.conf"
+ MODSECLNK="$CONFDIR/$(basename $MODSECCONF)"
# Disable ModSecurity configuration.
chk_conf_tag "$MODSECCONF"
if [ $RET -eq 0 ]; then
- if [ -e "$CONFDIR/mod-security-cn.conf" ]; then
+ if [ -e "$MODSECLNK" ]; then
cp_echo "CN: Disabling ModSecurity configuration."
- rm -f "$CONFDIR/mod-security-cn.conf"
need_restart=1
fi
fi
# Remove configuration files generated by this CARNet package.
- for file in "$MODSECCONF" "$MODSECDIR/rbl_lookup.conf"; do
+ for file in "$MODSECCONF" "$MODSECRBL"; do
chk_conf_tag "$file"
if [ $RET -eq 0 ]; then
cp_echo "CN: Removing configuration file $file"
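Review bot: the `rm -f "$CONFDIR/mod-security-cn.conf"` line is removed from the disable block with no replacement in this hunk, so after `if [ -e "$MODSECLNK" ]` the script only prints "Disabling ModSecurity configuration." and sets need_restart=1 while the symlink stays in conf.d; once the loop below removes $MODSECCONF that leaves a dangling symlink that the conf.d Include will try to read on the next reload. Add `rm -f "$MODSECLNK"` after the cp_echo. Removing $MODSECRBL through the same loop is correct, but because the loop only acts when chk_conf_tag returns 0, a locally modified rbl_lookup.conf is deliberately left behind; say so in README so the leftover file is not a surprise.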
Vasem web posluzitelju nalazi na RBL (Realtime Blackhole List)
listi. U slucaju da se adresa nalazi na RBL listi, sa doticne adrese
nece se moci pristupiti Vasem web posluzitelju. RBL provjera se
- preskace za adrese koje su iz HR domene. Ova funkcionalnost je
- slicna onoj koju ima Postfix MTA.
+ preskace za adrese koje su iz CARNetove mreze. Ova funkcionalnost
+ je slicna onoj koju ima Postfix MTA.
.
RBL posluzitelj koji se koristi za provjeru je xbl.dnsbl-sh.carnet.hr.
.
VAZNO: Zbog licencnih razloga pristup CARNetovom RBL posluzitelju je
- dopusten samo sa CARNetove mreze (161.53.0.0/16, 193.198.0.0/16, te
- 82.132.0.0/17).
+ dopusten samo sa CARNetove mreze (161.53.0.0/16 i 193.198.0.0/16).
#
SecResponseBodyLimit 524288
- # RBL configuration
- Include /etc/apache2/mod-security/rbl_lookup.conf
+ # RBL lookup configuration
+ #RBLLOOKUP#
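Review bot: #RBLLOOKUP# is a sed marker that postinst rewrites to either `Include /etc/apache2/mod-security/rbl_lookup.conf` or `# DISABLED`; because the marker is itself a valid Apache comment, a substitution that never runs leaves RBL silently disabled, and postinst hides that case with `cp_check_and_sed ... || true`. Put a one-line comment above the marker saying it is replaced by postinst and must not be removed, and consider having postinst report when the marker was not found so a broken template is noticed rather than shipped as a quiet no-op.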
<IfModule mod_security2.c>
- # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17.
+ # Skip RBL lookup for localhost, 161.53.0.0/16, 193.198.0.0/16 and 82.132.0.0/17
SecRule REMOTE_ADDR "^(127\.0\.0\.1|161\.53\.\d{1,3}\.\d{1,3}|193\.198\.\d{1,3}\.\d{1,3}|82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3})$" "phase:2,pass,nolog,t:none,skip:1"
- # RBL lookup using xbl.dnsbl-sh.carnet.hr.
+ # RBL lookup using xbl.dnsbl-sh.carnet.hr
SecRule REMOTE_ADDR "@rbl xbl.dnsbl-sh.carnet.hr" "phase:2,deny,log,status:500,t:none,msg:'RBL: xbl.dnsbl-sh.carnet.hr',severity:'1'"
</IfModule>
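Review bot: the only change to the skip rule is the dropped trailing period in its comment, while the README and debian/templates hunks in this same change remove 82.132.0.0/17 from the list of CARNet ranges; the regex still exempts 82\.132\.(\d{1,2}|10\d{1}|11\d{1}|12[0-7]{1})\.\d{1,3} (third octet 0 to 127) from the lookup, so documentation and behaviour now disagree. Either delete that alternative from the SecRule and its comment, or keep the range in the docs. The docs also say the check is skipped for CARNet addresses only, but the rule skips 127.0.0.1 as well; worth stating, since any reverse proxy or local tunnel that presents REMOTE_ADDR as 127.0.0.1 bypasses the RBL check for every client behind it.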