diff --git a/.cvsignore b/.cvsignore index e8205f1..2fed538 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1,3 @@ -modsecurity-apache_1.9.4.tar.gz +mod_security.conf +modsecurity-apache_2.1.0.tar.gz +modsecurity_localrules.conf diff --git a/mod_security.conf b/mod_security.conf index 44d4213..07aef9d 100644 --- a/mod_security.conf +++ b/mod_security.conf @@ -1,107 +1,43 @@ # Example configuration file for the mod_security Apache module -LoadModule security_module modules/mod_security.so +LoadFile /usr/lib/libxml2.so.2 - +# For users of x86_64 / ppc64 et. al machines +# LoadFile /usr/lib64/libxml2.so.2 - # Turn the filtering engine On or Off - SecFilterEngine On +LoadModule security2_module modules/mod_security2.so - # The audit engine works independently and - # can be turned On of Off on the per-server or - # on the per-directory basis - SecAuditEngine RelevantOnly + + # This is the ModSecurity Core Rules Set. + + # Basic configuration goes in here + Include modsecurity.d/modsecurity_crs_10_config.conf + + # Protocol violation and anomalies. + # These are disabled as there's a bug in REQUEST_FILENAME handling + # causing the "+" character to be incorrectly handled. + + # Include modsecurity.d/modsecurity_crs_20_protocol_violations.conf + # Include modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf + + # HTTP policy rules + + Include modsecurity.d/modsecurity_crs_30_http_policy.conf - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # Unicode encoding check - SecFilterCheckUnicodeEncoding On - - # Only allow bytes from this range - SecFilterForceByteRange 1 255 + # Here comes the Bad Stuff... + + Include modsecurity.d/modsecurity_crs_35_bad_robots.conf + Include modsecurity.d/modsecurity_crs_40_generic_attacks.conf + Include modsecurity.d/modsecurity_crs_45_trojans.conf + Include modsecurity.d/modsecurity_crs_50_outbound.conf - # Cookie format checks. - SecFilterCheckCookieFormat On - - # The name of the audit log file - SecAuditLog logs/audit_log + # Search engines and other crawlers. Only useful if you want to track + # Google / Yahoo et. al. + + # Include modsecurity.d/modsecurity_crs_55_marketing.conf + + # Put your local rules in here. + # The existing example is for the CVE-2007-1359 vulnerability - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # Default action set - SecFilterDefaultAction "deny,log,status:406" - - # Simple example filter - # SecFilter 111 - - # Prevent path traversal (..) attacks - # SecFilter "\.\./" - - # Weaker XSS protection but allows common HTML tags - # SecFilter "<( |\n)*script" - - # Prevent XSS atacks (HTML/Javascript injection) - # SecFilter "<(.|\n)+>" - - # Very crude filters to prevent SQL injection attacks - # SecFilter "delete[[:space:]]+from" - # SecFilter "insert[[:space:]]+into" - # SecFilter "select.+from" - - # Require HTTP_USER_AGENT and HTTP_HOST headers - SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" - - # Only accept request encodings we know how to handle - # we exclude GET requests from this because some (automated) - # clients supply "text/html" as Content-Type - SecFilterSelective REQUEST_METHOD "!^GET$" chain - SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded|^multipart/form-data)" - - # Require Content-Length to be provided with - # every POST request - SecFilterSelective REQUEST_METHOD "^POST$" chain - SecFilterSelective HTTP_Content-Length "^$" - - # Don't accept transfer encodings we know we don't handle - # (and you don't need it anyway) - SecFilterSelective HTTP_Transfer-Encoding "!^$" - - # Some common application-related rules from - # http://modsecrules.monkeydev.org/rules.php?safety=safe - - #Nuke Bookmarks XSS - SecFilterSelective THE_REQUEST "/modules\.php\?name=Bookmarks\&file=(del_cat\&catname|del_mark\&markname|edit_cat\&catname|edit_cat\&catcomment|marks\&catname|uploadbookmarks\&category)=(<[[:space:]]*script|(http|https|ftp)\:/)" - - #Nuke Bookmarks Marks.php SQL Injection Vulnerability - SecFilterSelective THE_REQUEST "modules\.php\?name=Bookmarks\&file=marks\&catname=.*\&category=.*/\*\*/(union|select|delete|insert)" - - #PHPNuke general XSS attempt - #/modules.php?name=News&file=article&sid=1&optionbox= - SecFilterSelective THE_REQUEST "/modules\.php\?*name=<[[:space:]]*script" - - # PHPNuke SQL injection attempt - SecFilterSelective THE_REQUEST "/modules\.php\?*name=Search*instory=" - - #phpnuke sql insertion - SecFilterSelective THE_REQUEST "/modules\.php*name=Forums.*file=viewtopic*/forum=.*\'/" - - # WEB-PHP phpbb quick-reply.php arbitrary command attempt - - SecFilterSelective THE_REQUEST "/quick-reply\.php" chain - SecFilter "phpbb_root_path=" - - #Topic Calendar Mod for phpBB Cross-Site Scripting Attack - SecFilterSelective THE_REQUEST "/calendar_scheduler\.php\?start=(<[[:space:]]*script|(http|https|ftp)\:/)" - - # phpMyAdmin: Safe - - #phpMyAdmin Export.PHP File Disclosure Vulnerability - SecFilterSelective SCRIPT_FILENAME "export\.php$" chain - SecFilterSelective ARG_what "\.\." - - #phpMyAdmin path vln - SecFilterSelective REQUEST_URI "/css/phpmyadmin\.css\.php\?GLOBALS\[cfg\]\[ThemePath\]=/etc" - + Include modsecurity.d/modsecurity_localrules.conf diff --git a/mod_security.spec b/mod_security.spec index fdd2571..f15af34 100644 --- a/mod_security.spec +++ b/mod_security.spec @@ -1,15 +1,16 @@ Summary: Security module for the Apache HTTP Server Name: mod_security -Version: 1.9.4 -Release: 2%{?dist} +Version: 2.1.0 +Release: 1%{?dist} License: GPL URL: http://www.modsecurity.org/ Group: System Environment/Daemons Source: http://www.modsecurity.org/download/modsecurity-apache_%{version}.tar.gz Source1: mod_security.conf +Source2: modsecurity_localrules.conf BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing) -BuildRequires: httpd-devel +Requires: libxml2 pcre httpd httpd-mmn = %([ -a %{_includedir}/httpd/.mmn ] && cat %{_includedir}/httpd/.mmn || echo missing) +BuildRequires: httpd-devel libxml2-devel pcre-devel %description ModSecurity is an open source intrusion detection and prevention engine @@ -18,28 +19,41 @@ as a powerful umbrella - shielding web applications from attacks. %prep -%setup -q -n modsecurity-apache_%{version} +%setup -n modsecurity-apache_%{version} %build -/usr/sbin/apxs -Wc,"%{optflags}" -c apache2/mod_security.c +make -C apache2 CFLAGS="%{optflags}" top_dir="%{_libdir}/httpd" %install rm -rf %{buildroot} -mkdir -p %{buildroot}%{_libdir}/httpd/modules/ -mkdir -p %{buildroot}/%{_sysconfdir}/httpd/conf.d/ -install -p apache2/.libs/mod_security.so %{buildroot}/%{_libdir}/httpd/modules/ -install -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/ +install -D -m644 apache2/.libs/mod_security2.so %{buildroot}/%{_libdir}/httpd/modules/mod_security2.so +install -D -m644 %{SOURCE1} %{buildroot}/%{_sysconfdir}/httpd/conf.d/mod_security.conf +install -d %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/ +cp -r rules/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/ +cp -r rules/blocking/*.conf %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/blocking/ +install -D -m644 %{SOURCE2} %{buildroot}/%{_sysconfdir}/httpd/modsecurity.d/modsecurity_localrules.conf %clean rm -rf %{buildroot} %files %defattr (-,root,root) -%doc CHANGES LICENSE INSTALL README httpd* util doc -%{_libdir}/httpd/modules/mod_security.so -%config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_security.conf +%doc CHANGES LICENSE README.* modsecurity* doc +%{_libdir}/httpd/modules/mod_security2.so +%config %{_sysconfdir}/httpd/conf.d/mod_security.conf +%dir %{_sysconfdir}/httpd/modsecurity.d +%dir %{_sysconfdir}/httpd/modsecurity.d/blocking +%config %{_sysconfdir}/httpd/modsecurity.d/*.conf +%config %{_sysconfdir}/httpd/modsecurity.d/blocking/*.conf + %changelog +* Tue Mar 13 2007 Michael Fleming 2.1.0-1 +- New major release - 2.1.0 +- Fix CVE-2007-1359 with a local rule courtesy of Ivan Ristic +- Addition of core ruleset +- (Build)Requires libxml2 and pcre added. + * Sun Sep 3 2006 Michael Fleming 1.9.4-2 - Rebuild - Fix minor longstanding braino in included sample configuration (bz #203972) diff --git a/sources b/sources index 2fb9383..4072767 100644 --- a/sources +++ b/sources @@ -1 +1,3 @@ -74d2317781bab619cd7b6b376b978107 modsecurity-apache_1.9.4.tar.gz +3ca79f6bb96deb57e5035c246ce3c8aa mod_security.conf +2e919766f2878c4ee46334816004dd15 modsecurity-apache_2.1.0.tar.gz +cbd1dbca89666a85fe9d703de26444c6 modsecurity_localrules.conf