Welcome to mirror list, hosted at ThFree Co, Russian Federation.

modsecurity.sh « nextcloudpi-config.d « etc - github.com/nextcloud/nextcloudpi.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/etc/nextcloudpi-config.d/modsecurity.sh
blob: 37a1b8ea9ac287825eefbd2fbabce7c2180385eb (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123

#!/bin/bash

# modsecurity WAF installation on Raspbian 
# Tested with 2017-03-02-raspbian-jessie-lite.img
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
# Usage:
# 
#   ./installer.sh modsecurity.sh <IP> (<img>)
#
# See installer.sh instructions for details
#
# More at ownyourbits.com
#

ACTIVE_=no
NCDIR_=/var/www/nextcloud/
DESCRIPTION="Web Application Firewall for extra security (experimental)"

install()
{
  apt-get update
  apt-get install -y --no-install-recommends libapache2-mod-security2 modsecurity-crs

  # COPY RULES
  cd /usr/share/modsecurity-crs/base_rules/
  for ruleFile in * ; do sudo ln -s /usr/share/modsecurity-crs/base_rules/$ruleFile /etc/modsecurity/$ruleFile ; done
  cd /usr/share/modsecurity-crs/optional_rules/
  for ruleFile in * ; do sudo ln -s /usr/share/modsecurity-crs/optional_rules/$ruleFile /etc/modsecurity/$ruleFile ; done
  rm /etc/modsecurity/modsecurity_crs_16_session_hijacking.conf # https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/e2fbef4ce89fed0c4dd338002b9a090dd2f6491d

  # CONFIGURE
  cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
  sed -i "s|SecRuleEngine .*|SecRuleEngine Off|"               /etc/modsecurity/modsecurity.conf
  sed -i 's|SecTmpDir .*|SecTmpDir   /var/cache/modsecurity/|' /etc/modsecurity/modsecurity.conf
  sed -i 's|SecDataDir .*|SecDataDir /var/cache/modsecurity/|' /etc/modsecurity/modsecurity.conf

  cp /usr/share/modsecurity-crs/modsecurity_crs_10_setup.conf /etc/modsecurity/modsecurity_crs_10_setup.conf
  patch /etc/modsecurity/modsecurity_crs_10_setup.conf <<<'66,67c66
< SecDefaultAction "phase:1,deny,log"
< SecDefaultAction "phase:2,deny,log"
---
> SecDefaultAction "phase:2,pass,log"
152c151
< #SecAction \
---
> SecAction \
278c277
<   setvar:'\''tx.allowed_methods=GET HEAD POST OPTIONS'\'', \
---
>   setvar:'\''tx.allowed_methods=GET HEAD POST OPTIONS PROPFIND'\'', \
280c279
<   setvar:'\''tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1'\'', \
---
>   setvar:'\''tx.allowed_http_versions=HTTP/1.1 HTTP/2.0'\'', \'

cat >> /etc/modsecurity/modsecurity_crs_99_whitelist.conf <<EOF
<Directory $NCDIR_>
  # VIDEOS
  SecRuleRemoveById 958291             # Range Header Checks
  SecRuleRemoveById 981203             # Correlated Attack Attempt

  # PDF
  SecRuleRemoveById 950109             # Check URL encodings

  # ADMIN (webdav)
  SecRuleRemoveById 960024             # Repeatative Non-Word Chars (heuristic)
  SecRuleRemoveById 981173             # SQL Injection Character Anomaly Usage
  SecRuleRemoveById 981204             # Correlated Attack Attempt
  SecRuleRemoveById 981243             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981245             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981246             # PHPIDS - Converted SQLI Filters
  SecRuleRemoveById 981318             # String Termination/Statement Ending Injection Testing
  SecRuleRemoveById 973332             # XSS Filters from IE
  SecRuleRemoveById 973338             # XSS Filters - Category 3
  SecRuleRemoveById 981143             # CSRF Protections ( TODO edit LocationMatch filter )

  # COMING BACK FROM OLD SESSION
  SecRuleRemoveById 970903             # Microsoft Office document properties leakage
</Directory>
EOF
  cat >> /etc/apache2/apache2.conf <<EOF
<IfModule mod_security2.c>
  SecServerSignature " "
</IfModule>
EOF
}

configure() 
{ 
  [[ $ACTIVE_ == "yes" ]] && local STATE=On || local STATE=Off
  sed -i "s|SecRuleEngine .*|SecRuleEngine $STATE|" /etc/modsecurity/modsecurity.conf
  service apache2 restart
}

cleanup()
{
  apt-get autoremove -y
  apt-get clean
  rm /var/lib/apt/lists/* -r
  rm -f /home/pi/.bash_history
  systemctl disable ssh
}

# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA  02111-1307  USA
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-30 00:13:45 +0300