Hardening di un web server Apache: differenze tra le versioni

Riga 429: Riga 429:
<pre>
<pre>
# nano /etc/apache2/modsecurity-crs/gotroot_update.sh
# nano /etc/apache2/modsecurity-crs/gotroot_update.sh
</pre>
con contenuto:
<pre>
#!/bin/sh
# Autoupdater for modsec rulesets.
#
# This script will attempt to update your rulefiles, and restart apache.
# If it apache does not start after changing rules, it will roll back to
# the old ruleset and restart apache again.
#
# Version: $Id: modsec.sh,v 1.1 2005/06/29 18:07:53 olei Exp $
# URL: http://cs.evilnetwork.org/cycro
# Copyright 2005, All Rights Reserved
APACHESTART="/usr/sbin/apache2ctl start"
MODSECPATH="/etc/apache2/modsecurity-crs/gotroot_rules"
APACHEPID="/var/run/apache2.pid"
##########################################################################
######### you probably don't need to change anything below here ##########
##########################################################################
# urls
BLACKLIST="http://www.gotroot.com/downloads/ftp/mod_security/blacklist.conf"
RULES="http://www.gotroot.com/downloads/ftp/mod_security/rules.conf"
APACHE2="http://www.gotroot.com/downloads/ftp/mod_security/apache2-rules.conf"
# internal
PID=`cat ${APACHEPID}`
UPDATED=0
echo -n "Changing PWD: "
cd ${MODSECPATH}
echo `pwd`
# blacklist
echo -n "Updating blacklist.conf: "
/usr/bin/wget -t 30 -O blacklist.conf.1 -q ${BLACKLIST}
if [ `md5sum blacklist.conf | cut -d " " -f1` != `md5sum blacklist.conf.1 | cut -d " " -f1` ] ; then
/bin/mv blacklist.conf blacklist.conf.bak
/bin/mv blacklist.conf.1 blacklist.conf
UPDATED=`expr $UPDATED + 1`
echo "ok."
else
echo "allready up to date."
/bin/rm -f blacklist.conf.1
fi
# rules
echo -n "Updating rules.conf: "
/usr/bin/wget -t 30 -O rules.conf.1 -q ${RULES}
if [ `md5sum rules.conf | cut -d " " -f1` != `md5sum rules.conf.1 | cut -d " " -f1` ] ; then
/bin/mv rules.conf rules.conf.bak
/bin/mv rules.conf.1 rules.conf
UPDATED=`expr $UPDATED + 1`
echo "ok."
else
echo "allready up to date."
/bin/rm -f rules.conf.1
fi
# apache2 rules
echo -n "Updating apache2-rules.conf: "
/usr/bin/wget -t 30 -O apache2-rules.conf.1 -q ${APACHE2}
if [ `md5sum apache2-rules.conf | cut -d " " -f1` != `md5sum apache2-rules.conf.1 | cut -d " " -f1` ] ; then
/bin/mv apache2-rules.conf apache2-rules.conf.bak
/bin/mv apache2-rules.conf.1 apache2-rules.conf
UPDATED=`expr $UPDATED + 1`
echo "ok."
else
echo "allready up to date."
/bin/rm -f apache2-rules.conf.1
fi
# try restart
if [ "$UPDATED" -gt "0" ]; then
echo -n "Restarting apache: "
/bin/kill -HUP ${PID} 2>/dev/null
# did it work?
if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
echo "ok."
exit 0
fi
echo "error. Apache not running."
# blacklist
echo -n "Rolling back blacklist.conf: "
/bin/mv blacklist.conf blacklist.conf.new
/bin/mv blacklist.conf.bak blacklist.conf
echo "ok."
# rules
echo -n "Rolling back rules.conf: "
/bin/mv rules.conf rules.conf.new
/bin/mv rules.conf.bak rules.conf
echo "ok."
# apache2 rules
echo -n "Rolling back apache2-rules.conf: "
/bin/mv apache2-rules.conf apache2-rules.conf.new
/bin/mv apache2-rules.conf.bak apache2-rules.conf
echo "ok."
# try starting httpd again
`${APACHESTART}`
PID=`cat ${APACHEPID}`
# did that fix the problem?
if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
echo "That did the trick."
exit 0
fi
echo "Fatal: Apache still not running! Run apache2ctl -t to find the error."
exit 999
fi
</pre>
</pre>
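Review bot: The fetch at `/usr/bin/wget -t 30 -O blacklist.conf.1 -q ${BLACKLIST}` (and the identical rules.conf and apache2-rules.conf steps) never checks wget's exit status or that the result is non-empty, so a failed download leaves an empty or partial `.1` file whose md5 differs from the current ruleset and is then moved into place; Apache reloads an empty include without complaint on the following `kill -HUP`, so the rollback path never fires and the rules are silently dropped. The md5 comparison only detects change, not authenticity, and all three URLs are plain `http://`, so whatever the transport delivers becomes live ModSecurity configuration — gate the swap on a successful, non-empty download, and prefer an https source or a publisher checksum/signature check before the `mv`. Two smaller points in the same listing: `cd ${MODSECPATH}` is unchecked, so a missing directory makes every later `mv`/`wget` operate in the caller's working directory (`cd "${MODSECPATH}" || exit 1`), and `exit 999` is truncated to 231 by the shell, so a caller testing for that code will not match. This assumes the lines printed once are the new revision's content; the page shows no side markers.
```sh
# blacklist
echo -n "Updating blacklist.conf: "
if /usr/bin/wget -t 30 -O blacklist.conf.1 -q "${BLACKLIST}" && [ -s blacklist.conf.1 ]; then
  if [ "`md5sum blacklist.conf | cut -d " " -f1`" != "`md5sum blacklist.conf.1 | cut -d " " -f1`" ] ; then
    /bin/mv blacklist.conf blacklist.conf.bak
    /bin/mv blacklist.conf.1 blacklist.conf
    UPDATED=`expr $UPDATED + 1`
    echo "ok."
  else
    echo "allready up to date."
    /bin/rm -f blacklist.conf.1
  fi
else
  echo "download failed, keeping current file."
  /bin/rm -f blacklist.conf.1
fi
# ... unchanged: same guarded pattern applied to rules.conf and apache2-rules.conf ...
```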