author | Adam Weinberger <adamw@FreeBSD.org> | 2015-04-24 21:19:39 +0000 |
---|---|---|
committer | Adam Weinberger <adamw@FreeBSD.org> | 2015-04-24 21:19:39 +0000 |
commit | a0d9e076d7a0b2bbfc8876b39e3afc1946b8ac17 (patch) | |
tree | 954e0668c34a500006694f69a6924462d8954ff8 /www/mod_security | |
parent | 924782e86910000ca0e44579e2cc0aac12117460 (diff) | |
download | freebsd-ports-a0d9e076d7a0b2bbfc8876b39e3afc1946b8ac17.zip |
Update to 2.9.0.
Changes:
- update ModSecurity to 2.9.0 (released Feb 12, 2015)
- add JSON parsing support via devel/yajl
- add support for loading remote configuration, which depends on ftp/curl
- add optional support for fuzzy hashes via security/ssdeep
- fix: use lua51 only, ModSecurity does not support lua 5.2 yet
- add FreeBSD specific README with installation and configuration hints
- pkg-message: refer users to README
- install recommended modsecurity.conf using .sample config file convention
- port skeleton cleanups
PR: 197833
Submitted by: maintainer (Walter Hop)
Diffstat (limited to 'www/mod_security')
-rw-r--r-- | www/mod_security/Makefile | 55 | ||||
-rw-r--r-- | www/mod_security/distinfo | 4 | ||||
-rw-r--r-- | www/mod_security/files/README.in | 83 | ||||
-rw-r--r-- | www/mod_security/files/pkg-message.in | 9 | ||||
-rw-r--r-- | www/mod_security/pkg-plist | 8 |
5 files changed, 135 insertions, 24 deletions
diff --git a/www/mod_security/Makefile b/www/mod_security/Makefile
index 6022095acf72..6928266b3461 100644
--- a/www/mod_security/Makefile
+++ b/www/mod_security/Makefile
@@ -1,12 +1,11 @@
 # $FreeBSD$
 PORTNAME= mod_security
-PORTVERSION= 2.7.7
-PORTREVISION= 3
+PORTVERSION= 2.9.0
 CATEGORIES= www security
 MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
-DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
+DISTNAME= ${PORTNAME:S/_//:S/2//}-${PORTVERSION}
 MAINTAINER= walter@lifeforms.nl
 COMMENT= Intrusion detection and prevention engine
@@ -14,49 +13,57 @@ COMMENT= Intrusion detection and prevention engine
 LICENSE= APACHE20
 LIB_DEPENDS+= libpcre.so:${PORTSDIR}/devel/pcre \
- libapr-1.so:${PORTSDIR}/devel/apr1
+ libapr-1.so:${PORTSDIR}/devel/apr1 \
+ libyajl.so:${PORTSDIR}/devel/yajl \
+ libcurl.so:${PORTSDIR}/ftp/curl
 USE_APACHE= 22+
 USE_GNOME= libxml2
 GNU_CONFIGURE= yes
-USES= perl5
+USES= perl5 pkgconfig shebangfix
+SHEBANG_FILES= tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in
+perl_OLD_CMD= @PERL@
-AP_GENPLIST= yes
-AP_INC= ${LOCALBASE}/include/libxml2
-AP_LIB= ${LOCALBASE}/lib
+AP_INC= ${LOCALBASE}/include/libxml2
+AP_LIB= ${LOCALBASE}/lib
 MODULENAME= mod_security2
 SRC_FILE= *.c
 PORTDOCS= *
 DOCSDIR= ${PREFIX}/share/doc/${MODULENAME}
-SUB_FILES+= mod_security2.conf
+SUB_FILES+= pkg-message
+SUB_FILES+= README
 SUB_LIST+= APACHEETCDIR="${APACHEETCDIR}"
+SUB_LIST+= APACHEMODDIR="${APACHEMODDIR}"
-PLIST_FILES= etc/modsecurity.conf-example \
- ${APACHEMODDIR}/mod_security2.so \
- bin/rules-updater.pl \
- lib/mod_security2.so
+PLIST_SUB+= APXS="${APXS}"
+PLIST_SUB+= APACHEMODDIR="${APACHEMODDIR}"
-OPTIONS_DEFINE= LUA MLOGC
+OPTIONS_DEFINE= DOCS FUZZYHASH LUA MLOGC
+OPTIONS_SUB= yes
 LUA_CONFIGURE_ON= --with-lua=${LOCALBASE}
 LUA_CONFIGURE_OFF+= --without-lua
-LUA_USES= lua
+LUA_USES= lua:51
 MLOGC_DESC= Build ModSecurity Log Collector
-MLOGC_CONFIGURE_ON= --with-curl=${LOCALBASE} --disable-errors
+MLOGC_CONFIGURE_ON= --disable-errors
 MLOGC_CONFIGURE_OFF= --disable-mlogc
-MLOGC_LIB_DEPENDS= libcurl.so:${PORTSDIR}/ftp/curl
-MLOGC_PLIST_FILES= bin/mlogc bin/mlogc-batch-load.pl
+
+FUZZYHASH_DESC= Allow matching contents using fuzzy hashes with ssdeep
+FUZZYHASH_CONFIGURE_ON= --with-ssdeep=${LOCALBASE}
+FUZZYHASH_CONFIGURE_OFF=--without-ssdeep
+FUZZYHASH_LIB_DEPENDS= libfuzzy.so:${PORTSDIR}/security/ssdeep
+
+ETCDIR= ${PREFIX}/etc/modsecurity
 # ap2x- prefix OPTIONSFILE fix
 OPTIONSFILE= ${PORT_DBDIR}/www_mod_security/options
-.include <bsd.port.options.mk>
 REINPLACE_ARGS= -i ""
 AP_EXTRAS+= -DWITH_LIBXML2
-CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE}
+CONFIGURE_ARGS+=--with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE}
 post-patch:
 @${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure
@@ -65,10 +72,14 @@ pre-install:
 @${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
 post-install:
+ @${MKDIR} ${STAGEDIR}${ETCDIR}
 ${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \
- ${STAGEDIR}${PREFIX}/etc/modsecurity.conf-example
+ ${STAGEDIR}${ETCDIR}/modsecurity.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/unicode.mapping \
+ ${STAGEDIR}${ETCDIR}/unicode.mapping
 @${MKDIR} ${STAGEDIR}${DOCSDIR}
- (cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR})
+ (cd ${WRKSRC} && ${COPYTREE_SHARE} doc ${STAGEDIR}${DOCSDIR})
+ ${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}
 .include <bsd.port.mk>
diff --git a/www/mod_security/distinfo b/www/mod_security/distinfo
index ae9b991bac4e..f71c858036d4 100644
--- a/www/mod_security/distinfo
+++ b/www/mod_security/distinfo
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.7.7.tar.gz) = 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b
-SIZE (modsecurity-apache_2.7.7.tar.gz) = 1003835
+SHA256 (modsecurity-2.9.0.tar.gz) = e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
+SIZE (modsecurity-2.9.0.tar.gz) = 4246467
diff --git a/www/mod_security/files/README.in b/www/mod_security/files/README.in
new file mode 100644
index 000000000000..db818871284d
--- /dev/null
+++ b/www/mod_security/files/README.in
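Review bot: `CONFIGURE_ARGS+=--with-apxs=${APXS} …` and `FUZZYHASH_CONFIGURE_OFF=--without-ssdeep` in the `@@ -14,49 +13,57 @@` hunk drop the separator whitespace that every other assignment in this Makefile uses, so they read as typos next to `FUZZYHASH_CONFIGURE_ON= --with-ssdeep=${LOCALBASE}` directly above. Lay them out like their neighbours: `FUZZYHASH_CONFIGURE_OFF= --without-ssdeep` and `CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE}`. Since `libcurl.so` moves from `MLOGC_LIB_DEPENDS` to the unconditional `LIB_DEPENDS` and `--with-curl` into `CONFIGURE_ARGS`, a one-line comment next to the curl entry, e.g. `# curl is needed for remote rule loading, not only for mlogc`, would stop a later maintainer from moving it back under the MLOGC option; the commit message states the reason but the Makefile does not.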
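Review bot: `${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}` and the `${COPYTREE_SHARE} doc` line in the `@@ -65,10 +72,14 @@` hunk run unconditionally, while the previous hunk adds `DOCS` to `OPTIONS_DEFINE` and `PORTDOCS= *` already makes everything under DOCSDIR conditional on that option. As far as I can tell, with DOCS off the README is staged but not packaged, and the new pkg-message.in still points users at `%%DOCSDIR%%/README`, so the pointer would dangle on such a build. Moving the `@${MKDIR} ${STAGEDIR}${DOCSDIR}`, `${COPYTREE_SHARE}` and README lines into a `post-install-DOCS-on:` target (the options framework's per-option target helper) keeps the stage consistent with the plist; alternatively install the README outside PORTDOCS so the pkg-message reference is always valid. The ETCDIR creation and the `modsecurity.conf.sample` / `unicode.mapping` installs in the same hunk look correct.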
@@ -0,0 +1,83 @@
+Configuring ModSecurity on FreeBSD
+----------------------------------
+
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+ Include etc/modsecurity/*.conf
+
+Getting the Core Rule Set
+-------------------------
+
+ModSecurity requires firewall rule definitions. Most people use the
+OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the
+OWASP CRS repository right now is to use Git. Let's make a directory
+for all our ModSecurity related stuff, and clone the CRS repository
+under it.
+
+ pkg install git
+ cd /usr/local/etc/modsecurity
+ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \
+ crs.conf
+
+To activate the CRS base rules, add the following to your httpd.conf:
+
+ Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf
+
+You can also add custom configuration and CRS exceptions here.
+For instance, you might want to disable rules that generate false
+positives. Example:
+
+ SecRuleRemoveById 960015
+
+Starting ModSecurity
+--------------------
+
+When the configuration is all set, simply restart Apache and confirm
+that ModSecurity is loaded by checking Apache's log file:
+
+ apachectl restart
+ tail /var/log/httpd-error.log
+
+Configuring blocking mode
+-------------------------
+
+Now that ModSecurity is active, try making a suspicious request to
+your web server, for instance browse to a URL:
+http://www.example.com/?foo=/etc/passwd. The CRS has a rule against
+this type of request. After browsing to the URL, you should now see
+the request logged in /var/log/modsec_audit.log.
+
+You'll notice that the request succeeds, and the response is sent to
+the browser normally. The reason is that ModSecurity runs in
+"DetectionOnly" mode by default, in order to prevent downtime from
+misconfiguration or heavy-handed blocking. You can enable blocking
+mode simply by editing modsecurity.conf and changing the following
+line:
+
+ SecRuleEngine On
+
+Again, restart Apache. Now, make the same suspicious request to your
+web server. You should now see a "403 Forbidden" error!
+
+In practice, it's probably best to keep SecRuleEngine DetectionOnly
+for some time, while your users exercise the web applications.
+Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see
+what is being blocked. If there are any false positives, you need to
+mitigate this by writing custom exceptions.
+
+Maintenance
+-----------
+
+An essential resource for working with ModSecurity is the ModSecurity
+Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and
+it's good to scan this book before you start writing custom rules and
+exceptions.
+
+You probably want to keep the CRS updated from time to time. You can
+do this with Git:
+
+ cd /usr/local/etc/modsecurity/owasp-modsecurity-crs
+ git pull
+ apachectl restart
diff --git a/www/mod_security/files/pkg-message.in b/www/mod_security/files/pkg-message.in
new file mode 100644
index 000000000000..b8ef75171f41
--- /dev/null
+++ b/www/mod_security/files/pkg-message.in
@@ -0,0 +1,9 @@
+
+You have installed ModSecurity.
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+ Include etc/modsecurity/*.conf
+
+Most users will use the signatures from the OWASP Core Rule Set (CRS).
+For configuration instructions, see %%DOCSDIR%%/README.
diff --git a/www/mod_security/pkg-plist b/www/mod_security/pkg-plist
new file mode 100644
index 000000000000..fb9385642d4f
--- /dev/null
+++ b/www/mod_security/pkg-plist
@@ -0,0 +1,8 @@
+bin/rules-updater.pl
+lib/mod_security2.so
+%%APACHEMODDIR%%/mod_security2.so
+@comment @exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so
+@sample %%ETCDIR%%/modsecurity.conf.sample
+%%ETCDIR%%/unicode.mapping
+%%MLOGC%%bin/mlogc
+%%MLOGC%%bin/mlogc-batch-load.pl
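Review bot: The `@comment @exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so` line is dead content: `@comment` neutralises it, so it neither runs nor tells a reader why it is there. As far as I recall, ModSecurity 2.x checks for mod_unique_id at startup and refuses to load without it, yet nothing on this install path mentions that module — not the plist, and not the `LoadModule security2_module` snippet in pkg-message.in; this commented-out @exec is the only trace of the requirement. Replace it with a plain comment that states the dependency, e.g. `@comment ModSecurity requires mod_unique_id: add LoadModule unique_id_module %%APACHEMODDIR%%/mod_unique_id.so to httpd.conf`, and add the same one-liner to pkg-message.in next to the LoadModule line. Not editing httpd.conf from a plist `@exec` is the right call, so the line should be documented or removed rather than re-enabled.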