Ikke's Blog


Dec 2
gotroot.com mod_security rules update script

Lately I've been working on the new webserver machine for VTK. Today I configured mod_security for Apache2, partly using the rules available on gotroot.com.
The site provides a little script to update the rules automatically (from a cronjob or something similar), but when I started using it I didn't like it for several reasons.
So I decided to rewrite it to suit my needs. You can find my enhanced version here.

The machine now also runs PHP4 and PHP5 side by side thanks to this great documentation (and the Gentoo PHP herd developers, obviously): PHP4 as an Apache module (because this is the "default", so it must run as efficiently as possible), and PHP5 through the CGI interface for all .php5 files.
We can't make "the big switch" to a PHP5-only server because of our bloody phpBB forum, which is not PHP5 compatible. And as the forum is one of the biggest PHP consumers on the server, I don't want to run PHP4 as CGI with only the forum using it.

[edit]
I enhanced the script a little more, here's a diff:

--- update_mod_security_rules.sh        2005-12-02 14:46:02.000000000 +0100
+++ update_rules_v2.sh  2005-12-04 14:34:33.000000000 +0100
@@ -15,6 +15,7 @@
 APACHESTART="/etc/init.d/apache2 restart"
 MODSECPATH="/etc/modsecurity"
 APACHEPID="/var/run/apache2.pid"
+APACHECTL="/usr/sbin/apache2ctl"

 #Modules
 #If you want the "exclude" rules, they should be the first entry in the list
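Review bot: APACHECTL is introduced here while APACHESTART (the `/etc/init.d/apache2 restart` line just above it) stays defined, although the restart further down now goes through `${APACHECTL} graceful`; either remove APACHESTART or add a comment saying which of the two is actually used, so someone editing this variable block does not adjust the wrong one. It would also be worth checking the hardcoded path before relying on it, e.g. `[ -x "${APACHECTL}" ] || { echo "${APACHECTL} not found"; exit 1; }`.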
@@ -59,10 +60,21 @@

 echo "Make sure you got \"Include ${MODSECPATH}/all.conf\" somewhere in your Apache config"

+${APACHECTL} configtest > /dev/null 2>&1
+if [ ! "x$?" = "x0" ]; then
+        echo
+        echo "There's something wrong in Apache's configuration:"
+        echo
+        ${APACHECTL} configtest
+        echo
+        echo "Exiting, not restarting Apache"
+        exit 1
+fi
+
 # try restart
 if [ "$UPDATED" -gt "0" ]; then
         echo -n "Restarting apache: "
-        /bin/kill -HUP ${PID} 2>/dev/null
+        ${APACHECTL} graceful
         # did it work?
         if `/bin/kill -CHLD ${PID} >/dev/null 2>&1`; then
                 echo "ok."
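Review bot: the exit status of `${APACHECTL} graceful` is discarded; the only success test that follows is the pre-existing `kill -CHLD ${PID}` probe, which shows that the parent process still exists, not that the graceful restart succeeded. Capture the status directly, e.g. `if ! ${APACHECTL} graceful; then echo "failed"; exit 1; fi`, and drop the backticks around the kill probe: they execute the command's output as a command and only work because that output is empty. The same applies to the new configtest guard, where `if [ ! "x$?" = "x0" ]; then` can simply be `if ! ${APACHECTL} configtest >/dev/null 2>&1; then`.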

The script
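The check-then-reload pattern from the diff, written as a stand-alone shell function (an added example, not the blog's script or the gotroot.com one): the config test, the reload command and the pid file are parameters, the reload's exit status is checked, and liveness is probed with `kill -0` instead of the script's `kill -CHLD`. It assumes POSIX sh and a reload that keeps the parent pid, which is the case for `apache2ctl graceful`.

```shell
#!/bin/sh
# Added example (not the blog's script): validate the configuration first,
# only then reload, then verify the server is still alive.
# Assumptions: POSIX sh; the reload keeps the parent pid (apache2ctl graceful
# does); liveness is probed with "kill -0" rather than "kill -CHLD".
#
# safe_reload CONFIGTEST_CMD RELOAD_CMD PIDFILE
# Return codes: 0 reloaded and alive, 1 config test failed (server untouched),
# 2 reload command failed, 3 no running server found after the reload.
safe_reload() {
    configtest_cmd="$1"
    reload_cmd="$2"
    pidfile="$3"

    # Refuse to touch a running server if the new configuration does not parse.
    if ! $configtest_cmd >/dev/null 2>&1; then
        echo "configuration test failed, not reloading:" >&2
        $configtest_cmd >&2   # run it again so the diagnostics are shown
        return 1
    fi

    # Perform the reload and do not throw its exit status away.
    if ! $reload_cmd >/dev/null 2>&1; then
        echo "reload command failed" >&2
        return 2
    fi

    # Re-read the pid file after the reload and probe the process.
    # kill -0 also fails with EPERM for another user's process; the script
    # this mirrors runs as root, where that cannot happen.
    pid=$(cat "$pidfile" 2>/dev/null)
    if [ -z "$pid" ] || ! kill -0 "$pid" >/dev/null 2>&1; then
        echo "no running server found after reload (pidfile: $pidfile)" >&2
        return 3
    fi
    echo "reloaded, server pid $pid alive"
    return 0
}

# For the setup in the post this would be called as:
#   safe_reload "/usr/sbin/apache2ctl configtest" \
#               "/usr/sbin/apache2ctl graceful" /var/run/apache2.pid
```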
