diff options
author | Chuck Short <zul@gentoo.org> | 2004-06-04 01:30:14 +0000 |
---|---|---|
committer | Chuck Short <zul@gentoo.org> | 2004-06-04 01:30:14 +0000 |
commit | fb6eec6c571fc65066c8bc97a5ffa0e582884458 (patch) | |
tree | 28733082b63f7901d6bd7357862de39e81e02464 | |
parent | DEPEND on wxGTK-2.4.2; closes #52769 (diff) | |
download | gentoo-2-fb6eec6c571fc65066c8bc97a5ffa0e582884458.tar.gz gentoo-2-fb6eec6c571fc65066c8bc97a5ffa0e582884458.tar.bz2 gentoo-2-fb6eec6c571fc65066c8bc97a5ffa0e582884458.zip |
Initial version, closes #32190.
-rw-r--r-- | net-www/mod_security/ChangeLog | 11 | ||||
-rw-r--r-- | net-www/mod_security/Manifest | 2 | ||||
-rw-r--r-- | net-www/mod_security/files/99_mod_security.conf | 123 | ||||
-rw-r--r-- | net-www/mod_security/files/digest-mod_security-1.7.6 | 1 | ||||
-rw-r--r-- | net-www/mod_security/files/mod_security.conf | 113 | ||||
-rw-r--r-- | net-www/mod_security/metadata.xml | 8 | ||||
-rw-r--r-- | net-www/mod_security/mod_security-1.7.6.ebuild | 36 |
7 files changed, 294 insertions, 0 deletions
diff --git a/net-www/mod_security/ChangeLog b/net-www/mod_security/ChangeLog new file mode 100644 index 000000000000..8875266c0889 --- /dev/null +++ b/net-www/mod_security/ChangeLog @@ -0,0 +1,11 @@ +# ChangeLog for net-www/mod_security +# Copyright 2000-2004 Gentoo Technologies, Inc.; Distributed under the GPL v2 +# $Header: /var/cvsroot/gentoo-x86/net-www/mod_security/ChangeLog,v 1.1 2004/06/04 01:30:14 zul Exp $ + +*mod_security-1.7.6 (03 Jun 2004) + + 03 Jun 2004; Chuck Short <zul@gentoo.org> metadata.xml, mod_security-1.7.6.ebuild, + files/99_mod_security.conf, files/mod_security.conf: + Initial version,e build written by dju` <dju @ elegiac.net>. + Closes #32190. + diff --git a/net-www/mod_security/Manifest b/net-www/mod_security/Manifest new file mode 100644 index 000000000000..c62e473ac575 --- /dev/null +++ b/net-www/mod_security/Manifest @@ -0,0 +1,2 @@ +MD5 7fbf85aa71902b2efb900e4c8f58cca5 mod_security-1.7.6.ebuild 1211 +MD5 93b283b1aef242964a12edd89989d103 files/digest-mod_security-1.7.6 70 diff --git a/net-www/mod_security/files/99_mod_security.conf b/net-www/mod_security/files/99_mod_security.conf new file mode 100644 index 000000000000..4b2cb1b36cc6 --- /dev/null +++ b/net-www/mod_security/files/99_mod_security.conf @@ -0,0 +1,123 @@ +<IfDefine SECURITY> + <IfModule !mod_security.c> + LoadModule security_module extramodules/mod_security.so + </IfModule> +</IfDefine> + +# Examples below are taken from the online documentation +# Refer to: +# http://www.modsecurity.org/documentation/quick-examples.html + +<IfModule mod_security.c> + + # Turn the filtering engine On or Off + SecFilterEngine On + + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # Only allow bytes from this range + SecFilterForceByteRange 32 126 + + # The audit engine works independently and + # can be turned On of Off on the per-server or + # on the per-directory basis. "On" will log everything, + # "DynamicOrRelevant" will log dynamic requests or violations, + # and "RelevantOnly" will only log policy violations + SecAuditEngine RelevantOnly + + # The name of the audit log file + SecAuditLog logs/audit_log + + SecFilterDebugLog logs/modsec_debug_log + SecFilterDebugLevel 0 + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # Action to take by default + SecFilterDefaultAction "deny,log,status:500" + + # Redirect user on filter match + SecFilter xxx redirect:http://www.webkreator.com + + # Execute the external script on filter match + SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl + + # Simple filter + SecFilter 111 + + # Only check the QUERY_STRING variable + SecFilterSelective QUERY_STRING 222 + + # Only check the body of the POST request + SecFilterSelective POST_PAYLOAD 333 + + # Only check arguments (will work for GET and POST) + SecFilterSelective ARGS 444 + + # Test filter + SecFilter "/cgi-bin/modsec-test.pl/keyword" + + # Another test filter, will be denied with 404 but not logged + # action supplied as a parameter overrides the default action + SecFilter 999 "deny,nolog,status:500" + + # Prevent OS specific keywords + SecFilter /etc/passwd + + # Prevent path traversal (..) attacks + SecFilter "\.\./" + + # Weaker XSS protection but allows common HTML tags + SecFilter "<[[:space:]]*script" + + # Prevent XSS atacks (HTML/Javascript injection) + SecFilter "<(.|\n)+>" + + # Very crude filters to prevent SQL injection attacks + SecFilter "delete[[:space:]]+from" + SecFilter "insert[[:space:]]+into" + SecFilter "select.+from" + + # Require HTTP_USER_AGENT and HTTP_HOST headers + SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" + + # Forbid file upload + SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data + + # Only watch argument p1 + SecFilterSelective "ARG_p1" 555 + + # Watch all arguments except p1 + SecFilterSelective "ARGS|!ARG_p2" 666 + + # Only allow our own test utility to send requests (or Mozilla) + SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)" + + # Do not allow variables with this name + SecFilterSelective ARGS_NAMES 777 + + # Do now allow this variable value (names are ok) + SecFilterSelective ARGS_VALUES 888 + + # Test for a POST variable parsing bug, see test #41 + SecFilterSelective ARG_p2 AAA + + # Stop spamming through FormMail + # note the exclamation mark at the beginning + # of the filter - only requests that match this regex will + # be allowed + <Location /cgi-bin/FormMail> + SecFilterSelective "ARG_recipient" "!@webkreator.com$" + </Location> + + # when allowing upload, only allow images + # note that this is not foolproof, a determined attacker + # could get around this + <Location /fileupload.php> + SecFilterInheritance Off + SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)" + </Location> + +</IfModule> diff --git a/net-www/mod_security/files/digest-mod_security-1.7.6 b/net-www/mod_security/files/digest-mod_security-1.7.6 new file mode 100644 index 000000000000..0fa61fbcdf47 --- /dev/null +++ b/net-www/mod_security/files/digest-mod_security-1.7.6 @@ -0,0 +1 @@ +MD5 2be3a3a4ac98a95580e5c01d2d5b3b88 mod_security-1.7.6.tar.gz 272864 diff --git a/net-www/mod_security/files/mod_security.conf b/net-www/mod_security/files/mod_security.conf new file mode 100644 index 000000000000..186eaf58b46f --- /dev/null +++ b/net-www/mod_security/files/mod_security.conf @@ -0,0 +1,113 @@ +<IfModule mod_security.c> + + # Turn the filtering engine On or Off + SecFilterEngine On + + # Make sure that URL encoding is valid + SecFilterCheckURLEncoding On + + # Only allow bytes from this range + SecFilterForceByteRange 32 126 + + # The audit engine works independently and + # can be turned On of Off on the per-server or + # on the per-directory basis. "On" will log everything, + # "DynamicOrRelevant" will log dynamic requests or violations, + # and "RelevantOnly" will only log policy violations + SecAuditEngine RelevantOnly + + # The name of the audit log file + SecAuditLog logs/audit_log + + SecFilterDebugLog logs/modsec_debug_log + SecFilterDebugLevel 0 + + # Should mod_security inspect POST payloads + SecFilterScanPOST On + + # Action to take by default + SecFilterDefaultAction "deny,log,status:500" + + # Redirect user on filter match + SecFilter xxx redirect:http://www.webkreator.com + + # Execute the external script on filter match + SecFilter yyy log,exec:/home/users/ivanr/apache/bin/report-attack.pl + + # Simple filter + SecFilter 111 + + # Only check the QUERY_STRING variable + SecFilterSelective QUERY_STRING 222 + + # Only check the body of the POST request + SecFilterSelective POST_PAYLOAD 333 + + # Only check arguments (will work for GET and POST) + SecFilterSelective ARGS 444 + + # Test filter + SecFilter "/cgi-bin/modsec-test.pl/keyword" + + # Another test filter, will be denied with 404 but not logged + # action supplied as a parameter overrides the default action + SecFilter 999 "deny,nolog,status:500" + + # Prevent OS specific keywords + SecFilter /etc/passwd + + # Prevent path traversal (..) attacks + SecFilter "\.\./" + + # Weaker XSS protection but allows common HTML tags + SecFilter "<[[:space:]]*script" + + # Prevent XSS atacks (HTML/Javascript injection) + SecFilter "<(.|\n)+>" + + # Very crude filters to prevent SQL injection attacks + SecFilter "delete[[:space:]]+from" + SecFilter "insert[[:space:]]+into" + SecFilter "select.+from" + + # Require HTTP_USER_AGENT and HTTP_HOST headers + SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$" + + # Forbid file upload + SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data + + # Only watch argument p1 + SecFilterSelective "ARG_p1" 555 + + # Watch all arguments except p1 + SecFilterSelective "ARGS|!ARG_p2" 666 + + # Only allow our own test utility to send requests (or Mozilla) + SecFilterSelective HTTP_USER_AGENT "!(mod_security|mozilla)" + + # Do not allow variables with this name + SecFilterSelective ARGS_NAMES 777 + + # Do now allow this variable value (names are ok) + SecFilterSelective ARGS_VALUES 888 + + # Test for a POST variable parsing bug, see test #41 + SecFilterSelective ARG_p2 AAA + + # Stop spamming through FormMail + # note the exclamation mark at the beginning + # of the filter - only requests that match this regex will + # be allowed + <Location /cgi-bin/FormMail> + SecFilterSelective "ARG_recipient" "!@webkreator.com$" + </Location> + + # when allowing upload, only allow images + # note that this is not foolproof, a determined attacker + # could get around this + <Location /fileupload.php> + SecFilterInheritance Off + SecFilterSelective POST_PAYLOAD "!image/(jpeg|bmp|gif)" + </Location> + +</IfModule> diff --git a/net-www/mod_security/metadata.xml b/net-www/mod_security/metadata.xml new file mode 100644 index 000000000000..bcaabdbbd0d3 --- /dev/null +++ b/net-www/mod_security/metadata.xml @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> +<herd>apache</herd> +<longdescription> +The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. +</longdescription> +</pkgmetadata> diff --git a/net-www/mod_security/mod_security-1.7.6.ebuild b/net-www/mod_security/mod_security-1.7.6.ebuild new file mode 100644 index 000000000000..f8439a25c3bf --- /dev/null +++ b/net-www/mod_security/mod_security-1.7.6.ebuild @@ -0,0 +1,36 @@ +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-www/mod_security/mod_security-1.7.6.ebuild,v 1.1 2004/06/04 01:30:14 zul Exp $ + +DESCRIPTION="Intrusion Detection System for apache" +HOMEPAGE="http://www.modsecurity.org" +SRC_URI="http://www.modsecurity.org/download/${P}.tar.gz" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~x86" +IUSE="apache2 doc" +DEPEND="apache2? ( =net-www/apache-2* ) + !apache2? ( =net-www/apache-1* )" + +src_compile() { + use apache2 || apxs -S LIBEXECDIR=${S} -ci ${S}/apache1/mod_security.c + use apache2 && apxs2 -S LIBEXECDIR=${S} -ci ${S}/apache2/mod_security.c +} + +src_install() { + use apache2 || exeinto /usr/lib/apache-extramodules/ + use apache2 && exeinto /usr/lib/apache2-extramodules/ + doexe ${S}/mod_security.so + dodoc CHANGES httpd.conf.example-full httpd.conf.example-minimal INSTALL LICENSE README + use doc && dodoc modsecurity-manual-1.7.4.pdf + + if use apache2; then + einfo "Installing a Apache2 config for mod_security (99_mod_security.conf)" + insinto /etc/apache2/conf/modules.d + doins ${FILESDIR}/99_mod_security.conf + else + einfo "Installing a Apache config for mod_security (mod_security.conf)" + insinto /etc/apache/conf/addon-modules + doins ${FILESDIR}/mod_security.conf + fi +} |