2009-10-13(Tue) mod-security 2.5をupdate [長年日記]
■ [Debian]mod-security 2.5をupdate
2008年6月15日の日記で書いたように、Debian Officialではなくmod-security 2.5を使っていたけど、最近Debian squeeze(testing)にも「パッケージ: libapache-mod-security (2.5.10-1)」が出来たようなので、オフィシャルのパッケージでupgradeした。
#いままでは、libapache2-modがapache2用だったけど、libapache-modと言いながらapache2.2用になっているのは、apache1.3のDebianでのサポートが終わったからかな?
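#!/bin/sh
# Fetch the latest Atomic ModSecurity free rule archive into the local
# rules directory, unpack it, and restart Apache only when it changed.
#http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
#
# NOTE: the archive is fetched over plain HTTP and is not authenticated
# by this script; whatever it contains becomes live rule configuration
# that Apache loads on restart. If the vendor publishes a checksum or
# signature for the archive, verify it before the tar step.
set -eu

LAST=.last-update
TARFILE=modsec-2.5-free-latest.tar.gz
RULES_DIR=/usr/local/etc/modsecurity2
BASE_URL=http://downloads.prometheus-group.com/delayed/rules

# Abort if the rules directory is missing; without this check wget would
# download and tar would unpack into whatever the current directory is.
cd "$RULES_DIR" || exit 1

# -N: only download when the server copy is newer, and keep the server's
# mtime on the file; that mtime is what the -nt test below compares.
/usr/bin/wget -nv -N "$BASE_URL/$TARFILE" || exit 1

# Nothing to do when the marker is newer than the archive, i.e. the
# previous run already unpacked this version. On the first run the
# marker does not exist, so -nt is false and we fall through to unpack.
if [ "$LAST" -nt "$TARFILE" ]; then
  exit 0
fi

# A failed or partial unpack must not be followed by an Apache restart,
# and must not advance the marker, so the next run retries.
/bin/tar xvfz "$TARFILE" || exit 1
/usr/bin/touch "$LAST"
sudo /etc/init.d/apache2 restart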
[/usr/local/etc/modsecurity2/get.shより引用]
で定期的に取ってくるようにして、/etc/apache2/mods-available/mod-security.confとして
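# based on Quick Start. http://www.modsecurity.org/projects/rules/index.html
# /etc/apache2/mods-available/mod-security.conf, enabled with "a2enmod mod-security".
# ModSecurity evaluates rules in the order they are read, so the Include
# lines below are kept in the rule set's numeric order; do not reorder them.
#Include /usr/share/doc/mod-security2-common/examples/modsecurity.conf-minimal
# NOTE(review): SecRuleEngine is not set in this file, so the rules only take
# effect if it is enabled elsewhere (e.g. by the minimal conf commented out
# above) — confirm against the running configuration.
Include /usr/share/doc/mod-security-common/examples/rules/modsecurity_crs_*.conf
# Response bodies are not buffered or inspected. The 50_outbound rules included
# below look at the response body and are therefore effectively inert while this
# stays Off; switch to On (and bound it with SecResponseBodyLimit) if outbound
# detection (error-page / data leakage checks) is actually wanted.
SecResponseBodyAccess Off
#SecDefaultAction "phase:2,log,deny,status:406,t:lowercase,t:replaceNulls,t:compressWhitespace"
# Replaces the Server: header rather than hiding it; ModSecurity can only
# rewrite it when Apache's ServerTokens is set to Full.
SecServerSignature "NOYB2"
# Debug log disabled (level 0); the path is kept so it can be raised for troubleshooting.
SecDebugLogLevel 0
SecDebugLog /var/log/apache2/modsec_debug.log
# Was "off": with the audit engine disabled SecAuditLog below is never written
# and the "auditlog" action on the upload-scanner rule further down does nothing,
# so blocked requests left no record at all. RelevantOnly writes only
# transactions that triggered a rule or whose status matches
# SecAuditLogRelevantStatus, which keeps the volume low.
SecAuditEngine RelevantOnly
SecAuditLog /var/log/apache2/audit.log
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_20_protocol_violations.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_21_protocol_anomalies.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_23_request_limits.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_30_http_policy.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_35_bad_robots.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_40_generic_attacks.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_41_phpids_filters.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_41_xss_attacks.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_45_trojans.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_46_et_sql_injection.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_46_et_web_rules.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_47_common_exceptions.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_48_local_exceptions.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_49_enforcement.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_50_outbound.conf
Include /usr/share/doc/mod-security-common/examples/rules/base_rules/modsecurity_crs_60_correlation.conf
#ASCII only: Include /usr/share/doc/mod-security2-common/examples/rules/optional_rules/modsecurity_crs_20_protocol_violations.conf
Include /usr/share/doc/mod-security-common/examples/rules/optional_rules/modsecurity_crs_21_protocol_anomalies.conf
Include /usr/share/doc/mod-security-common/examples/rules/optional_rules/modsecurity_crs_40_generic_attacks.conf
Include /usr/share/doc/mod-security-common/examples/rules/optional_rules/modsecurity_crs_42_comment_spam.conf
Include /usr/share/doc/mod-security-common/examples/rules/optional_rules/modsecurity_crs_42_tight_security.conf
#Yahoo/MSN/Google Robot Block: Include /usr/share/doc/mod-security2-common/examples/rules/optional_rules/modsecurity_crs_55_marketing.conf
#Atomic ModSecurity Rules
# The files under /usr/local/etc/modsecurity2/modsec are unpacked from the
# downloaded Atomic archive by get.sh, so their contents change without any
# edit to this file; review diffs of that directory after each update.
#Binary? Include /usr/local/etc/modsecurity2/modsec/00_asl_rbl.conf
#/etc/asl Include /usr/local/etc/modsecurity2/modsec/00_asl_whitelist.conf
# Source addresses listed in whitelist.txt skip everything that follows:
# "allow" without an argument in phase 1 ends processing for the whole
# transaction, including the upload scanner below. REMOTE_ADDR is the TCP
# peer, so behind a reverse proxy this would match the proxy, not the client.
SecRule REMOTE_ADDR "@pmFromFile /usr/local/etc/modsecurity2/modsec/whitelist.txt" "nolog,phase:1,allow"
#empty Include /usr/local/etc/modsecurity2/modsec/00_asl_rbl.conf
#/usr/bin/modsec-clamscan.pl Include /usr/local/etc/modsecurity2/modsec/05_asl_scanner.conf
# Uploaded temp files are created world-readable, presumably so the external
# scanner invoked below can open them when it runs under another uid. A group-
# readable mode (0640) with a shared group would be tighter — verify which user
# modsec-clamscan.pl runs as before changing this.
SecUploadFileMode 0644
# Hands each uploaded file to the ClamAV wrapper; a positive result blocks the
# request with 403 and writes an audit record (requires SecAuditEngine above
# to be enabled, which is why it is no longer "off").
SecRule FILES_TMPNAMES "@inspectFile /usr/share/doc/mod-security-common/examples/rules/util/modsec-clamscan.pl" \
"id:351000,rev:1,severity:2,msg:'Atomicorp.com Upload Malware Scanner: Malicious File upload attempt detected and blocked',log,deny,auditlog,status:403,t:none"
Include /usr/local/etc/modsecurity2/modsec/10_asl_antimalware.conf
Include /usr/local/etc/modsecurity2/modsec/10_asl_rules.conf
Include /usr/local/etc/modsecurity2/modsec/11_asl_data_loss.conf
Include /usr/local/etc/modsecurity2/modsec/20_asl_useragents.conf
Include /usr/local/etc/modsecurity2/modsec/30_asl_antimalware.conf
Include /usr/local/etc/modsecurity2/modsec/30_asl_antispam.conf
Include /usr/local/etc/modsecurity2/modsec/30_asl_antispam_referrer.conf
Include /usr/local/etc/modsecurity2/modsec/40_asl_apache2-rules.conf
Include /usr/local/etc/modsecurity2/modsec/50_asl_rootkits.conf
Include /usr/local/etc/modsecurity2/modsec/60_asl_recons.conf
# Local exclusions and just-in-time patches last, so they can override the
# rules above.
Include /usr/local/etc/modsecurity2/modsec/99_asl_exclude.conf
Include /usr/local/etc/modsecurity2/modsec/99_asl_jitp.conf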
を準備して、# a2enmod mod-security で有効にして使えるようにした。