modsecurity: fix in Stretchv0.26.14

author: nachoparker <nacho@ownyourbits.com> 2017-09-06 20:00:20 +0300
committer: nachoparker <nacho@ownyourbits.com> 2017-09-06 20:00:20 +0300
commit: 21832c1c0662ff11ea316dbc5c5c52f1c9fb248b (patch)
tree: 72bc89937f013a2f036bcee54e0fd9ba8f411dfd
parent: b5f037ef42fa433a49f7a9f5745bb720ad095cff (diff)
3 files changed, 21 insertions, 28 deletions
diff --git a/etc/nextcloudpi-config.d/modsecurity.sh b/etc/nextcloudpi-config.d/modsecurity.sh
index aa1e9c69..1610bf18 100644
--- a/etc/nextcloudpi-config.d/modsecurity.sh
+++ b/etc/nextcloudpi-config.d/modsecurity.sh
@@ -16,6 +16,7 @@
 
 ACTIVE_=no
 NCDIR=/var/www/nextcloud/
+NCPWB=/var/www/ncp-web/
 DESCRIPTION="Web Application Firewall for extra security (experimental)"
 
 install()
@@ -24,7 +25,11 @@ install()
   apt-get install -y --no-install-recommends libapache2-mod-security2 modsecurity-crs
   a2dismod security2
 
-  #FIXME - after migration to Stretch is done
+  cat >> /etc/modsecurity/crs/crs-setup.conf <<'EOF'
+
+  # NextCloudPi: allow PROPFIND for webDAV
+  SecAction "id:900200, phase:1, nolog, pass, t:none, setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND'"
+EOF
 
   # CONFIGURE
   cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
@@ -32,25 +37,6 @@ install()
   sed -i 's|SecTmpDir .*|SecTmpDir   /var/cache/modsecurity/|' /etc/modsecurity/modsecurity.conf
   sed -i 's|SecDataDir .*|SecDataDir /var/cache/modsecurity/|' /etc/modsecurity/modsecurity.conf
 
-  cp /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/modsecurity_crs_10_setup.conf
-  patch /etc/modsecurity/modsecurity_crs_10_setup.conf <<<'66,67c66
-< SecDefaultAction "phase:1,deny,log"
-< SecDefaultAction "phase:2,deny,log"
----
-> SecDefaultAction "phase:2,pass,log"
-152c151
-< #SecAction \
----
-> SecAction \
-278c277
-<   setvar:'\''tx.allowed_methods=GET HEAD POST OPTIONS'\'', \
----
->   setvar:'\''tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND'\'', \
-280c279
-<   setvar:'\''tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1'\'', \
----
->   setvar:'\''tx.allowed_http_versions=HTTP/1.1 HTTP/2.0'\'', \'
-
   cat >> /etc/apache2/apache2.conf <<EOF
 <IfModule mod_security2.c>
   SecServerSignature " "
@@ -74,15 +60,15 @@ configure()
 <Directory $NCDIR>
   # VIDEOS
   SecRuleRemoveById 958291             # Range Header Checks
-  SecRuleRemoveById 981203             # Correlated Attack Attempt
+  SecRuleRemoveById 980120             # Correlated Attack Attempt
 
   # PDF
-  SecRuleRemoveById 950109             # Check URL encodings
+  SecRuleRemoveById 920230             # Check URL encodings
 
   # ADMIN (webdav)
   SecRuleRemoveById 960024             # Repeatative Non-Word Chars (heuristic)
   SecRuleRemoveById 981173             # SQL Injection Character Anomaly Usage
-  SecRuleRemoveById 981204             # Correlated Attack Attempt
+  SecRuleRemoveById 980130             # Correlated Attack Attempt
   SecRuleRemoveById 981243             # PHPIDS - Converted SQLI Filters
   SecRuleRemoveById 981245             # PHPIDS - Converted SQLI Filters
   SecRuleRemoveById 981246             # PHPIDS - Converted SQLI Filters
@@ -102,18 +88,23 @@ configure()
   SecRequestBodyNoFilesLimit 5242880
 
   # GENERAL
-  SecRuleRemoveById 960017             # Host header is a numeric IP address
+  SecRuleRemoveById 920350             # Host header is a numeric IP address
 
   # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
   #SecRuleRemoveById 981220 900046 981407
-  #SecRuleRemoveById 981222 981405 981185 981184
+  #SecRuleRemoveById 981222 981405 981185 949160
 
 </Directory>
+<Directory $NCPWB>
+  # GENERAL
+  SecRuleRemoveById 920350             # Host header is a numeric IP address
+</Directory>
 EOF
 
   [[ $ACTIVE_ == "yes" ]] && local STATE=On || local STATE=Off
   sed -i "s|SecRuleEngine .*|SecRuleEngine $STATE|" /etc/modsecurity/modsecurity.conf
-  [[ $ACTIVE_ == "yes" ]] && a2enmod security2 || a2dismod security2
+  [[ $ACTIVE_ == "yes" ]] && echo "Enabling module security2" || echo "Disabling module security2"
+  [[ $ACTIVE_ == "yes" ]] && a2enmod security2 &>/dev/null || a2dismod security2 &>/dev/null
 
   # delayed in bg so it does not kill the connection, and we get AJAX response
   ( sleep 2 && systemctl restart apache2 ) &>/dev/null & 
diff --git a/nextcloudpi.sh b/nextcloudpi.sh
index f724b88c..ca5f0356 100644
--- a/nextcloudpi.sh
+++ b/nextcloudpi.sh
@@ -135,8 +135,6 @@ EOF
   sed -i "s|^;\?upload_tmp_dir =.*$|upload_tmp_dir = $UPLOADTMPDIR|" /etc/php/7.0/fpm/php.ini
   sed -i "s|^;\?sys_temp_dir =.*$|sys_temp_dir = $UPLOADTMPDIR|"     /etc/php/7.0/fpm/php.ini
 
-  touch /usr/local/etc/nextcloudpi-config.d/modsecurity.sh # TODO fix after migration to Stretch is done
-
   # update to latest version from github as part of the build process
   wget https://raw.githubusercontent.com/nextcloud/nextcloudpi/master/bin/ncp-update -O /usr/local/bin/ncp-update
   chmod a+x /usr/local/bin/ncp-update
diff --git a/update.sh b/update.sh
index ddfcbd31..3a8bc178 100755
--- a/update.sh
+++ b/update.sh
@@ -16,6 +16,10 @@ source /usr/local/etc/library.sh
 AMFILE=/usr/local/etc/nextcloudpi-config.d/nc-automount.sh
 grep -q inotify-tools $AMFILE || rm $AMFILE
 
+# fix modsecurity, reinstall if its old verion
+MSFILE=/usr/local/etc/nextcloudpi-config.d/modsecurity.sh
+grep -q "NextCloudPi:" $MSFILE  || rm $MSFILE
+
 # copy all files in bin and etc
 for file in bin/* etc/*; do
   [ -f "$file" ] || continue;
author	nachoparker <nacho@ownyourbits.com>	2017-09-06 20:00:20 +0300
committer	nachoparker <nacho@ownyourbits.com>	2017-09-06 20:00:20 +0300
commit	21832c1c0662ff11ea316dbc5c5c52f1c9fb248b (patch)
tree	72bc89937f013a2f036bcee54e0fd9ba8f411dfd
parent	b5f037ef42fa433a49f7a9f5745bb720ad095cff (diff)