

(-)Makefile (-18 / +30 lines)
Lines 1-12 Link Here
1
# $FreeBSD$
1
# $FreeBSD$
2
2
3
PORTNAME=	mod_security
3
PORTNAME=	mod_security
4
PORTVERSION=	2.7.7
4
PORTVERSION=	2.9.0
5
PORTREVISION=	3
6
CATEGORIES=	www security
5
CATEGORIES=	www security
7
MASTER_SITES=	http://www.modsecurity.org/tarball/${PORTVERSION}/
6
MASTER_SITES=	http://www.modsecurity.org/tarball/${PORTVERSION}/
8
PKGNAMEPREFIX=	${APACHE_PKGNAMEPREFIX}
7
PKGNAMEPREFIX=	${APACHE_PKGNAMEPREFIX}
9
DISTNAME=	${PORTNAME:S/_//:S/2//}-apache_${PORTVERSION}
8
DISTNAME=	${PORTNAME:S/_//:S/2//}-${PORTVERSION}
10
9
11
MAINTAINER=	walter@lifeforms.nl
10
MAINTAINER=	walter@lifeforms.nl
12
COMMENT=	Intrusion detection and prevention engine
11
COMMENT=	Intrusion detection and prevention engine
Lines 14-27 Link Here
14
LICENSE=	APACHE20
13
LICENSE=	APACHE20
15
14
16
LIB_DEPENDS+=	libpcre.so:${PORTSDIR}/devel/pcre \
15
LIB_DEPENDS+=	libpcre.so:${PORTSDIR}/devel/pcre \
17
		libapr-1.so:${PORTSDIR}/devel/apr1
16
		libapr-1.so:${PORTSDIR}/devel/apr1 \
17
		libyajl.so:${PORTSDIR}/devel/yajl \
18
		libcurl.so:${PORTSDIR}/ftp/curl
18
19
19
USE_APACHE=	22+
20
USE_APACHE=	22+
20
USE_GNOME=	libxml2
21
USE_GNOME=	libxml2
21
GNU_CONFIGURE=	yes
22
GNU_CONFIGURE=	yes
22
USES=		perl5
23
USES=           perl5 shebangfix pkgconfig
24
SHEBANG_FILES=tools/rules-updater.pl.in mlogc/mlogc-batch-load.pl.in
25
perl_OLD_CMD =@PERL@
23
26
24
AP_GENPLIST=	yes
25
AP_INC=	${LOCALBASE}/include/libxml2
27
AP_INC=	${LOCALBASE}/include/libxml2
26
AP_LIB=	${LOCALBASE}/lib
28
AP_LIB=	${LOCALBASE}/lib
27
MODULENAME=	mod_security2
29
MODULENAME=	mod_security2
Lines 30-55 Link Here
30
PORTDOCS=	*
32
PORTDOCS=	*
31
DOCSDIR=	${PREFIX}/share/doc/${MODULENAME}
33
DOCSDIR=	${PREFIX}/share/doc/${MODULENAME}
32
34
33
SUB_FILES+=	mod_security2.conf
35
SUB_FILES+= pkg-message
36
SUB_FILES+= README
34
SUB_LIST+=	APACHEETCDIR="${APACHEETCDIR}"
37
SUB_LIST+=	APACHEETCDIR="${APACHEETCDIR}"
38
SUB_LIST+=	APACHEMODDIR="${APACHEMODDIR}"
35
39
36
PLIST_FILES=	etc/modsecurity.conf-example \
40
PLIST_SUB+=	APXS="${APXS}"
37
		${APACHEMODDIR}/mod_security2.so \
41
PLIST_SUB+=	APACHEMODDIR="${APACHEMODDIR}"
38
		bin/rules-updater.pl \
39
		lib/mod_security2.so
40
42
41
OPTIONS_DEFINE=	LUA MLOGC
43
OPTIONS_DEFINE=	LUA MLOGC FUZZYHASH
44
OPTIONS_SUB=yes
42
45
43
LUA_CONFIGURE_ON=	--with-lua=${LOCALBASE}
46
LUA_CONFIGURE_ON=	--with-lua=${LOCALBASE}
44
LUA_CONFIGURE_OFF+=	--without-lua
47
LUA_CONFIGURE_OFF+=	--without-lua
45
LUA_USES=		lua
48
LUA_USES=		lua:51
46
49
47
MLOGC_DESC=		Build ModSecurity Log Collector
50
MLOGC_DESC=		Build ModSecurity Log Collector
48
MLOGC_CONFIGURE_ON=	--with-curl=${LOCALBASE} --disable-errors
51
MLOGC_CONFIGURE_ON=	--disable-errors
49
MLOGC_CONFIGURE_OFF=	--disable-mlogc
52
MLOGC_CONFIGURE_OFF=	--disable-mlogc
50
MLOGC_LIB_DEPENDS=	libcurl.so:${PORTSDIR}/ftp/curl
51
MLOGC_PLIST_FILES=	bin/mlogc bin/mlogc-batch-load.pl
52
53
54
FUZZYHASH_DESC=	Allow matching contents using fuzzy hashes with ssdeep
55
FUZZYHASH_CONFIGURE_ON=		--with-ssdeep=${LOCALBASE}
56
FUZZYHASH_CONFIGURE_OFF=	--without-ssdeep
57
FUZZYHASH_LIB_DEPENDS=		libfuzzy.so:${PORTSDIR}/security/ssdeep
58
59
ETCDIR=etc/modsecurity
60
53
# ap2x- prefix OPTIONSFILE fix
61
# ap2x- prefix OPTIONSFILE fix
54
OPTIONSFILE=	${PORT_DBDIR}/www_mod_security/options
62
OPTIONSFILE=	${PORT_DBDIR}/www_mod_security/options
55
.include <bsd.port.options.mk>
63
.include <bsd.port.options.mk>
Lines 56-62 Link Here
56
64
57
REINPLACE_ARGS=	-i ""
65
REINPLACE_ARGS=	-i ""
58
AP_EXTRAS+=	-DWITH_LIBXML2
66
AP_EXTRAS+=	-DWITH_LIBXML2
59
CONFIGURE_ARGS+=	--with-apxs=${APXS} --with-pcre=${LOCALBASE}
67
CONFIGURE_ARGS+=	--with-apxs=${APXS} --with-pcre=${LOCALBASE} --with-yajl=${LOCALBASE} --with-curl=${LOCALBASE}
60
68
61
post-patch:
69
post-patch:
62
	@${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure
70
	@${REINPLACE_CMD} -e "s/lua5.1/lua-${LUA_VER}/g" ${WRKSRC}/configure
Lines 65-74 Link Here
65
	@${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
73
	@${MKDIR} ${STAGEDIR}${PREFIX}/${APACHEMODDIR}
66
74
67
post-install:
75
post-install:
76
	@${MKDIR} ${STAGEDIR}${PREFIX}/${ETCDIR}
68
	${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \
77
	${INSTALL_DATA} ${WRKSRC}/modsecurity.conf-recommended \
69
		${STAGEDIR}${PREFIX}/etc/modsecurity.conf-example
78
		${STAGEDIR}${PREFIX}/${ETCDIR}/modsecurity.conf.sample
79
	${INSTALL_DATA} ${WRKSRC}/unicode.mapping \
80
		${STAGEDIR}${PREFIX}/${ETCDIR}/unicode.mapping
70
81
71
	@${MKDIR} ${STAGEDIR}${DOCSDIR}
82
	@${MKDIR} ${STAGEDIR}${DOCSDIR}
72
	(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR})
83
	(cd ${WRKSRC} && ${COPYTREE_SHARE} "doc" ${STAGEDIR}${DOCSDIR})
84
	${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/
73
85
74
.include <bsd.port.mk>
86
.include <bsd.port.mk>
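Review bot: In the post-install hunk the README is copied into DOCSDIR (`${INSTALL_DATA} ${WRKDIR}/README ${STAGEDIR}${DOCSDIR}/`), a directory that `PORTDOCS= *` ties to the DOCS option, yet the new pkg-message unconditionally sends users to `%%DOCSDIR%%/README`; with DOCS switched off the message advertises a file that is not packaged and, if I read the framework right, stage-qa may report the staged copy as an orphan. Either move the doc copying into a `post-install-DOCS-on:` target and keep the README in a location not gated by DOCS, or list it explicitly in pkg-plist so it is always installed. Separately, `LIB_DEPENDS+= libcurl.so` and `--with-curl=${LOCALBASE}` are now unconditional where they used to be MLOGC-only; if the 2.9.0 module itself links libcurl (for remote rule loading), a one-line comment such as `# libcurl is used by the module itself since 2.9, not only by mlogc` would stop a later maintainer from moving it back under the option. The new `USES=` line is padded with spaces rather than the tab used everywhere else in this file.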
(-)distinfo (-2 / +2 lines)
Lines 1-2 Link Here
1
SHA256 (modsecurity-apache_2.7.7.tar.gz) = 11e05cfa6b363c2844c6412a40ff16f0021e302152b38870fd1f2f44b204379b
1
SHA256 (modsecurity-2.9.0.tar.gz) = e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
2
SIZE (modsecurity-apache_2.7.7.tar.gz) = 1003835
2
SIZE (modsecurity-2.9.0.tar.gz) = 4246467
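--- a/files/README.in
+++ b/files/README.in
@@ -0,0 +1,83 @@
+Configuring ModSecurity on FreeBSD
+----------------------------------
+
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+  LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+  Include etc/modsecurity/*.conf
+
+Getting the Core Rule Set
+-------------------------
+
+ModSecurity requires firewall rule definitions. Most people use the
+OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the
+OWASP CRS repository right now is to use Git. Let's make a directory
+for all our ModSecurity related stuff, and clone the CRS repository
+under it.
+
+  pkg install git
+  cd /usr/local/etc/modsecurity
+  git clone https://github.com/SpiderLabs/owasp-modsecurity-crs
+  cp owasp-modsecurity-crs/modsecurity_crs_10_setup.conf.example \
+    crs.conf
+
+To activate the CRS base rules, add the following to your httpd.conf:
+
+  Include etc/modsecurity/owasp-modsecurity-crs/base_rules/*.conf
+
+You can also add custom configuration and CRS exceptions here.
+For instance, you might want to disable rules that generate false
+positives. Example:
+
+  SecRuleRemoveById 960015
+
+Starting ModSecurity
+--------------------
+
+When the configuration is all set, simply restart Apache and confirm
+that ModSecurity is loaded by checking Apache's log file:
+
+  apachectl restart
+  tail /var/log/httpd-error.log
+
+Configuring blocking mode
+-------------------------
+
+Now that ModSecurity is active, try making a suspicious request to
+your web server, for instance browse to a URL:
+http://www.example.com/?foo=/etc/passwd. The CRS has a rule against
+this type of request. After browsing to the URL, you should now see
+the request logged in /var/log/modsec_audit.log.
+
+You'll notice that the request succeeds, and the response is sent to
+the browser normally. The reason is that ModSecurity runs in
+"DetectionOnly" mode by default, in order to prevent downtime from
+misconfiguration or heavy-handed blocking. You can enable blocking
+mode simply by editing modsecurity.conf and changing the following
+line:
+
+  SecRuleEngine On
+
+Again, restart Apache. Now, make the same suspicious request to your
+web server. You should now see a "403 Forbidden" error!
+
+In practice, it's probably best to keep SecRuleEngine DetectionOnly
+for some time, while your users exercise the web applications.
+Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see
+what is being blocked. If there are any false positives, you need to
+mitigate this by writing custom exceptions.
+
+Maintenance
+-----------
+
+An essential resource for working with ModSecurity is the ModSecurity
+Handbook by Ivan Ristic. ModSecurity exposes quite some internals, and
+it's good to scan this book before you start writing custom rules and
+exceptions.
+
+You probably want to keep the CRS updated from time to time. You can
+do this with Git:
+
+  cd /usr/local/etc/modsecurity/owasp-modsecurity-crs
+  git pull
+  apachectl restart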
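--- a/files/pkg-message.in
+++ b/files/pkg-message.in
@@ -0,0 +1,9 @@
+
+You have installed ModSecurity.
+To enable ModSecurity in Apache, add the following to your httpd.conf:
+
+  LoadModule security2_module %%APACHEMODDIR%%/mod_security2.so
+  Include etc/modsecurity/*.conf
+
+Most users will use the signatures from the OWASP Core Rule Set (CRS).
+For configuration instructions, see %%DOCSDIR%%/README.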
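--- a/pkg-plist
+++ b/pkg-plist
@@ -0,0 +1,11 @@
+bin/rules-updater.pl
+lib/mod_security2.so
+%%APACHEMODDIR%%/mod_security2.so
+@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so
+@unexec if cmp -s %D/etc/modsecurity/modsecurity.conf.sample %D/etc/modsecurity/modsecurity.conf; then rm -f %D/etc/modsecurity/modsecurity.conf; fi
+%%ETCDIR%%/modsecurity.conf.sample
+@exec if [ ! -f %D/etc/modsecurity/modsecurity.conf ] ; then cp -p %D/%F %B/modsecurity.conf; fi
+%%ETCDIR%%/unicode.mapping
+@dirrmtry %%ETCDIR%%
+%%MLOGC%%bin/mlogc
+%%MLOGC%%bin/mlogc-batch-load.pl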
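Review bot: `@exec %%APXS%% -e -n unique_id -a %%APACHEMODDIR%%/mod_unique_id.so` (plist line 4) rewrites the administrator's httpd.conf at package install time to activate mod_unique_id, but there is no matching `@unexec`, so deinstalling the port leaves the LoadModule line behind and every reinstall or upgrade silently re-applies it. Since the README already has the admin add `LoadModule security2_module` by hand, the least surprising fix is to drop the activation and tell them in pkg-message to enable unique_id_module alongside it; if the automatic edit is kept, pair it with an `@unexec` that disables the module again (`apxs -e -A`) and say so in pkg-message. The `@unexec`/file/`@exec` triple around `modsecurity.conf.sample` (lines 5-7) reimplements what the `@sample` plist keyword already does; if the target ports tree has it, `@sample %%ETCDIR%%/modsecurity.conf.sample` replaces all three lines and removes hand-written shell from the plist.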
