Index: Makefile
===================================================================
--- Makefile (revision 379386)
+++ Makefile (working copy)
@@ -1,12 +1,11 @@
 # $FreeBSD$
 PORTNAME= mod_security
-PORTVERSION= 2.7.7
-PORTREVISION= 3
+PORTVERSION= 2.9.0
 CATEGORIES= www security
 MASTER_SITES= http://www.modsecurity.org/tarball/${PORTVERSION}/
 PKGNAMEPREFIX= ${APACHE_PKGNAMEPREFIX}
-DISTNAME= ${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
+DISTNAME= ${PORTNAME:S/_//:S/2//}-${PORTVERSION}
 MAINTAINER= walter@lifeforms.nl
 COMMENT= Intrusion detection and prevention engine
@@ -14,14 +13,17 @@
 LICENSE= APACHE20
 LIB_DEPENDS+= libpcre.so:${PORTSDIR}/devel/pcre \
- libapr-1.so:${PORTSDIR}/devel/apr1
+ libapr-1.so:${PORTSDIR}/devel/apr1 \
+ libyajl.so:${PORTSDIR}/devel/yajl \
+ libcurl.so:${PORTSDIR}/ftp/curl
 USE_APACHE= 22+
 USE_GNOME= libxml2
 GNU_CONFIGURE= yes
-USES= perl5
+USES= perl5 shebangfix pkgconfig
+SHEBANG_FILES=tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in
+perl_OLD_CMD =@PERL@
-AP_GENPLIST= yes
 AP_INC= ${LOCALBASE}/include/libxml2
 AP_LIB= ${LOCALBASE}/lib
 MODULENAME= mod_security2
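Review bot: libcurl becomes a hard dependency of every build at `+ libcurl.so:${PORTSDIR}/ftp/curl`, while the MLOGC option (whose `MLOGC_LIB_DEPENDS` on curl is dropped in the next hunk) is still the only user-visible feature that names it, and nothing in the Makefile says why curl is now required even with MLOGC off. Presumably the 2.9.0 core links curl itself — the third hunk also passes `--with-curl=${LOCALBASE}` unconditionally — so a comment above the LIB_DEPENDS block would spare the next maintainer the archaeology: `# libyajl and libcurl are needed by the 2.9.x core itself, not only by mlogc`. The `+SHEBANG_FILES=` / `+perl_OLD_CMD =@PERL@` pair is the right fix for the `@PERL@` placeholder shebangs (shebangfix runs in the patch stage, before configure substitutes them), but the stray space before `=` breaks the alignment of the surrounding assignments; `perl_OLD_CMD= @PERL@` reads as the others do.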
@@ -30,26 +32,32 @@
 PORTDOCS= *
 DOCSDIR= ${PREFIX}/share/doc/${MODULENAME}
-SUB_FILES+= mod_security2.conf
+SUB_FILES+= pkg-message
+SUB_FILES+= README
 SUB_LIST+= APACHEETCDIR="${APACHEETCDIR}"
+SUB_LIST+= APACHEMODDIR="${APACHEMODDIR}"
-PLIST_FILES= etc/modsecurity.conf-example \
- ${APACHEMODDIR}/mod_security2.so \
- bin/rules-updater.pl \
- lib/mod_security2.so
+PLIST_SUB+= APXS="${APXS}"
+PLIST_SUB+= APACHEMODDIR="${APACHEMODDIR}"
-OPTIONS_DEFINE= LUA MLOGC
+OPTIONS_DEFINE= LUA MLOGC FUZZYHASH
+OPTIONS_SUB=yes
 LUA_CONFIGURE_ON= --with-lua=${LOCALBASE}
 LUA_CONFIGURE_OFF+= --without-lua
-LUA_USES= lua
+LUA_USES= lua:51
 MLOGC_DESC= Build ModSecurity Log Collector
-MLOGC_CONFIGURE_ON= --with-curl=${LOCALBASE} --disable-errors
+MLOGC_CONFIGURE_ON= --disable-errors
 MLOGC_CONFIGURE_OFF= --disable-mlogc
-MLOGC_LIB_DEPENDS= libcurl.so:${PORTSDIR}/ftp/curl
-MLOGC_PLIST_FILES= bin/mlogc bin/mlogc-batch-load.pl
+FUZZYHASH_DESC= Allow matching contents using fuzzy hashes with ssdeep
+FUZZYHASH_CONFIGURE_ON= --with-ssdeep=${LOCALBASE}
+FUZZYHASH_CONFIGURE_OFF= --without-ssdeep
+FUZZYHASH_LIB_DEPENDS= libfuzzy.so:${PORTSDIR}/security/ssdeep
+
+ETCDIR=etc/modsecurity
+
 # ap2x- prefix OPTIONSFILE fix
 OPTIONSFILE= ${PORT_DBDIR}/www_mod_security/options
 .include
@@ -56,7 +64,7 @@
 REINPLACE_ARGS= -i ""
 AP_EXTRAS+= -DWITH_LIBXML2
-CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE}
+CONFIGURE_ARGS+= --with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE}
 post-patch:
 @${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure
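Review bot: `+ETCDIR=etc/modsecurity` overrides the framework's ETCDIR with a PREFIX-relative value, whereas bsd.port.mk (if I recall correctly) defines it as the absolute `${PREFIX}/etc/${PORTNAME}` and derives the relative `%%ETCDIR%%` plist substitution from that itself; as a result the post-install recipe in the last Makefile hunk has to spell `${STAGEDIR}${PREFIX}/${ETCDIR}`, and any framework code that expects an absolute ETCDIR now sees a relative one. `ETCDIR= ${PREFIX}/etc/modsecurity` together with `${STAGEDIR}${ETCDIR}` in the recipes satisfies both the plist and the framework. `+LUA_USES= lua:51` pins one Lua version without saying why; if the reason is the `lua5.1` string that the post-patch sed rewrites in configure (third hunk), a comment such as `# configure only probes for lua5.1; see post-patch` would record it.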
@@ -65,10 +73,14 @@
 @${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
 post-install:
+ @${MKDIR} ${STAGEDIR}${PREFIX}/${ETCDIR}
 ${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \
- ${STAGEDIR}${PREFIX}/etc/modsecurity.conf-example
+ ${STAGEDIR}${PREFIX}/${ETCDIR}/modsecurity.conf.sample
+ ${INSTALL_DATA} ${WRKSRC}/unicode.mapping \
+ ${STAGEDIR}${PREFIX}/${ETCDIR}/unicode.mapping
 @${MKDIR} ${STAGEDIR}${DOCSDIR}
 (cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR})
+ ${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/
 .include
Index: distinfo
===================================================================
--- distinfo (revision 379386)
+++ distinfo (working copy)
@@ -1,2 +1,2 @@
-SHA256 (modsecurity-apache_2.7.7.tar.gz) = 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b
-SIZE (modsecurity-apache_2.7.7.tar.gz) = 1003835
+SHA256 (modsecurity-2.9.0.tar.gz) = e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
+SIZE (modsecurity-2.9.0.tar.gz) = 4246467
Index: files/README.in
===================================================================
--- files/README.in (revision 0)
+++ files/README.in (working copy)
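Review bot: `+ ${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/` installs the new README unconditionally, but `PORTDOCS= *` (second hunk) puts everything under DOCSDIR behind the DOCS option, so a build with DOCS off stages a file that is missing from the plist, and the pkg-message added in this change points users to `%%DOCSDIR%%/README` even when that file was never installed. The pre-existing COPYTREE_SHARE line has the same shape, so the port may already rely on DOCS being on, but the README is now the setup instructions rather than upstream documentation. Either guard the three doc lines with `.if ${PORT_OPTIONS:MDOCS}` … `.endif` (and let pkg-message say the README is only installed with DOCS), or install the README outside DOCSDIR with its own plist entry so the pointer is always valid. The first context line, `@${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}`, belongs to a target that starts before this hunk.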
@@ -0,0 +1,83 @@
+Configuring ModSecurity on FreeBSD
+----------------------------------
+
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+ Include etc/modsecurity/*.conf
+
+Getting the Core Rule Set
+-------------------------
+
+ModSecurity requires firewall rule definitions. Most people use the
+OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the
+OWASP CRS repository right now is to use Git. Let's make a directory
+for all our ModSecurity related stuff, and clone the CRS repository
+under it.
+
+ pkg install git
+ cd /usr/local/etc/modsecurity
+ git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+ cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \
+ crs.conf
+
+To activate the CRS base rules, add the following to your httpd.conf:
+
+ Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf
+
+You can also add custom configuration and CRS exceptions here.
+For instance, you might want to disable rules that generate false
+positives. Example:
+
+ SecRuleRemoveById 960015
+
+Starting ModSecurity
+--------------------
+
+When the configuration is all set, simply restart Apache and confirm
+that ModSecurity is loaded by checking Apache's log file:
+
+ apachectl restart
+ tail /var/log/httpd-error.log
+
+Configuring blocking mode
+-------------------------
+
+Now that ModSecurity is active, try making a suspicious request to
+your web server, for instance browse to a URL:
+http://www.example.com/?foo=/etc/passwd. The CRS has a rule against
+this type of request. After browsing to the URL, you should now see
+the request logged in /var/log/modsec_audit.log.
+
+You'll notice that the request succeeds, and the response is sent to
+the browser normally. The reason is that ModSecurity runs in
+"DetectionOnly" mode by default, in order to prevent downtime from
+misconfiguration or heavy-handed blocking. You can enable blocking
+mode simply by editing modsecurity.conf and changing the following
+line:
+
+ SecRuleEngine On
+
+Again, restart Apache. Now, make the same suspicious request to your
+web server. You should now see a "403 Forbidden" error!
+
+In practice, it's probably best to keep SecRuleEngine DetectionOnly
+for some time, while your users exercise the web applications.
+Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see
+what is being blocked. If there are any false positives, you need to
+mitigate this by writing custom exceptions.
+
+Maintenance
+-----------
+
+An essential resource for working with ModSecurity is the ModSecurity
+Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and
+it's good to scan this book before you start writing custom rules and
+exceptions.
+
+You probably want to keep the CRS updated from time to time. You can
+do this with Git:
+
+ cd /usr/local/etc/modsecurity/owasp-modsecurity-crs
+ git pull
+ apachectl restart
Property changes on: files/README.in
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: files/pkg-message.in
===================================================================
--- files/pkg-message.in (revision 0)
+++ files/pkg-message.in (working copy)
@@ -0,0 +1,9 @@
+
+You have installed ModSecurity.
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+ LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+ Include etc/modsecurity/*.conf
+
+Most users will use the signatures from the OWASP Core Rule Set (CRS).
+For configuration instructions, see %%DOCSDIR%%/README.
Property changes on: files/pkg-message.in
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: pkg-plist
===================================================================
--- pkg-plist (revision 0)
+++ pkg-plist (working copy)
@@ -0,0 +1,11 @@
+bin/rules-updater.pl
+lib/mod_security2.so
+%%APACHEMODDIR%%/mod_security2.so
+@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so
+@unexec if cmp -s %D/etc/modsecurity/modsecurity.conf.sample %D/etc/modsecurity/modsecurity.conf; then rm -f %D/etc/modsecurity/modsecurity.conf; fi
+%%ETCDIR%%/modsecurity.conf.sample
+@exec if [ ! -f %D/etc/modsecurity/modsecurity.conf ] ; then cp -p %D/%F %B/modsecurity.conf; fi
+%%ETCDIR%%/unicode.mapping
+@dirrmtry %%ETCDIR%%
+%%MLOGC%%bin/mlogc
+%%MLOGC%%bin/mlogc-batch-load.pl
Property changes on: pkg-plist
___________________________________________________________________
Added: fbsd:nokeywords
## -0,0 +1 ##
+yes
\ No newline at end of property
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
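Review bot: `+@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so` rewrites the administrator's httpd.conf at package-install time (apxs `-a` inserts — or, as far as I recall, un-comments — an active `LoadModule unique_id_module` line) and has no `@unexec` counterpart, so deleting the package leaves the directive behind and a reinstall can silently re-enable a module the admin had deliberately commented out. mod_security2 itself is not auto-activated — the pkg-message in this change asks the user to add its LoadModule by hand — so documenting `LoadModule unique_id_module %%APACHEMODDIR%%/mod_unique_id.so` in pkg-message and README next to the security2_module line, and dropping the @exec, is the consistent approach; if automatic activation is really wanted, `-A` adds the line commented out and a matching `@unexec` should remove it again. The `@unexec if cmp -s …` / `@exec if [ ! -f …]` pair hardcodes `%D/etc/modsecurity` while the neighbouring entries use `%%ETCDIR%%`; the framework's `@sample %%ETCDIR%%/modsecurity.conf.sample` keyword expresses the same copy-on-install/remove-if-unmodified logic in one line and keeps the path in one place.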