# ASL cpanel easyapache hook Template: /var/asl/data/templates/template-cpanel-apache-hook

#!/bin/sh
#
# Version: 2.0

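# Download command: -S prints the server response headers, -T 10 sets a
# 10 second timeout, -N only re-fetches when the remote copy is newer.
# It is expanded unquoted later on purpose, so the options split into words.
GET="/usr/bin/wget -S -T 10 -N"
SERVER="updates.atomicorp.com"
# Hardware platform as reported by uname; not referenced again in the
# visible part of this script.
ARCH=$(uname -i)
MODSEC="mod_security-latest.src.rpm"
MODEVA="mod_evasive-latest.src.rpm"
MODSED="mod_sed-latest.src.rpm"
# Timestamp used to name the backups of directories that get moved aside.
DATE=$(date +%Y%m%d-%H%M%S)
TYPE=default

# Optional first argument overrides the build type. The value "module"
# restricts the run to mod_security only. The argument is quoted so a value
# with spaces or a leading dash cannot break the test.
if [ -n "${1:-}" ]; then
	TYPE=$1
fi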

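# Load the ASL settings. CONFIGURED, RESTART_APACHE and DEBUG are read further
# down and never assigned in this script, so they presumably come from here.
# The file is executed as shell code with this hook's privileges, so it must
# be owned by root and not writable by anyone else.
source /etc/asl/config


# Work from a private directory. Stop if it cannot be created or entered:
# otherwise the downloads below would land in, and the rpm installs would read
# from, whatever directory the hook happened to be started in.
mkdir -p /root/atomic || exit 1

cd /root/atomic/ || exit 1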

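# Pick the control panel layout. The flags are cleared first so a value
# inherited from the environment or from /etc/asl/config cannot select the
# wrong build branch later; only the directory checks below decide.
# DirectAdmin is checked first, so it wins when both directories exist.
CPANEL=
DIRECTADMIN=
if [ -d /usr/local/directadmin ]; then
	DIRECTADMIN=1
	HTTPD=/usr/sbin/httpd
	APXS=/usr/sbin/apxs
	HTTP_CONF="/etc/httpd/conf/httpd.conf"
elif [ -d /usr/local/cpanel ]; then
	CPANEL=1
	HTTPD=/usr/local/apache/bin/httpd
	APXS=/usr/bin/apxs
	HTTP_CONF="/usr/local/apache/conf/httpd.conf"
else
	# Neither panel is present: nothing to do. The status is the one the bare
	# "exit" used to inherit from the failed directory test, now explicit.
	exit 1
fi

# The build needs the Apache binary both to detect the version and as the
# target of the modules; give up early when it is missing.
if [ ! -f "$HTTPD" ]; then
	echo "Error: Apache not detected at $HTTPD. Installation cannot continue"
	exit 1
fi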

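# Version
#APACHE_VERSION=`$HTTPD -v |grep Apache |sed 's/\.//g' |awk -F/ '{print $2}' | cut -c1-2`
# Classify the server as 2.2 or as "2.4 and later". The pattern is anchored on
# the "/" that precedes the version and the dots are escaped, so only a real
# 2.2.x version string matches; the unescaped dot used to accept any
# character in that position.
# Anything not recognised as 2.2, including a failed "$HTTPD -v", is treated
# as 2.4.
if "$HTTPD" -v | grep -q "Server version.*/2\.2\."; then
	APACHE_VERSION=22
else
	APACHE_VERSION=24
fi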



# Requires: libraries and headers the module builds link against.
# Each package is queried first and only handed to yum when rpm does not know
# it. --disableexcludes=all lets yum see packages that an exclude= line in the
# yum configuration would otherwise hide. A failed install is not fatal here;
# the build steps further down stop the script if something is really missing.
for pkg in pcre pcre-devel expat-devel ssdeep-devel yajl-devel atomic-yajl-yajl-devel lua-devel; do
	rpm --quiet -q "$pkg" || yum --disableexcludes=all -y install "$pkg"
done


# %setup
# Fetch the source RPMs into the current directory. mod_security is always
# needed; mod_evasive is skipped for TYPE=module, and mod_sed is additionally
# limited to Apache older than 2.4. The first failed download ends the script.
# An older guard that skipped the mod_security download when the file already
# existed is disabled; the -N in $GET leaves an up-to-date local copy alone.
#
# NOTE(review): the URLs are plain http:// and nothing in this script checks a
# signature or checksum before the packages are installed and compiled with
# this hook's privileges. Prefer an https:// URL if the server offers one, and
# verify the files (for example "rpm -K" against an imported vendor key)
# before they are used.
WANTED="$MODSEC"
if [ "$TYPE" != "module" ]; then
	WANTED="$WANTED $MODEVA"
	if [ $APACHE_VERSION -lt 24 ]; then
		WANTED="$WANTED $MODSED"
	fi
fi

# $GET and $WANTED stay unquoted on purpose: both rely on word splitting.
for SRPM in $WANTED; do
	$GET http://$SERVER/channels/rules/installers/cpanel/$SRPM || exit 1
done

# Remove a pcre.h sitting in Apache's own include directory. Presumably a
# stale copy that would shadow the PCRE headers selected with --with-pcre
# during configure; confirm before relying on that reading.
[ -f /usr/local/apache/include/pcre.h ] && rm -f /usr/local/apache/include/pcre.h

# Compiler and linker settings for the builds below. The -rpath entries in CC
# are recorded inside the built module as run-time library search paths, so
# those directories must not be writable by unprivileged users.
CC="gcc -Wl,-rpath,/opt/atomic/atomic-yajl/root/usr/lib,-rpath,/opt/atomic/atomic-yajl/root/usr/lib64,-rpath,/opt/curlssl/lib"
LDFLAGS="-L/opt/atomic/atomic-yajl/root/usr/lib -L/opt/atomic/atomic-yajl/root/usr/lib64 -L/lib "
CFLAGS="-I/opt/atomic/atomic-yajl/root/usr/include"
PKG_CONFIG_PATH="/opt/atomic/atomic-yajl/root/usr/lib/pkgconfig:/opt/atomic/atomic-yajl/root/usr/lib64/pkgconfig:/usr/lib/pkgconfig/:/usr/lib64/pkgconfig/"
export CC LDFLAGS CFLAGS PKG_CONFIG_PATH

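# Unpack the downloaded source RPMs into the rpmbuild tree. Releases 6 and 7
# use /root/rpmbuild as topdir, everything else falls back to /usr/src/redhat.
# Old mod* build directories are cleared first so the later "cd ...mod*" globs
# only see the freshly prepared trees.
# mod_sed is installed only for Apache older than 2.4 in BOTH branches: that is
# the only case in which it was downloaded above and is built below. The
# fallback branch used to install it unconditionally, which either failed on a
# missing file or picked up a stale copy left by an earlier run.
if grep -Eq "(release 6|release 7)" /etc/redhat-release; then
	BUILDROOT=/root/rpmbuild/
	rm -rf "$BUILDROOT"/BUILD/mod*
	rpm -Uvh --define "%_topdir /root/rpmbuild" "$MODSEC" || exit 1
	if [ "$TYPE" != "module" ]; then
		rpm -Uvh --define "%_topdir /root/rpmbuild" "$MODEVA" || exit 1
		if [ "$APACHE_VERSION" -lt 24 ]; then
			rpm -Uvh --define "%_topdir /root/rpmbuild" "$MODSED" || exit 1
		fi
	fi
else
	BUILDROOT=/usr/src/redhat/
	rm -rf "$BUILDROOT"/BUILD/mod*
	# NOTE(review): --nomd5 relaxes rpm's digest checking. Together with the
	# plain-http download this branch installs the packages with no integrity
	# check at all; confirm the option is still required on these releases.
	rpm -Uvh --nomd5 "$MODSEC" || exit 1
	if [ "$TYPE" != "module" ]; then
		rpm -Uvh --nomd5 "$MODEVA" || exit 1
		if [ "$APACHE_VERSION" -lt 24 ]; then
			rpm -Uvh --nomd5 "$MODSED" || exit 1
		fi
	fi
fi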

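# rpmbuild is needed for the %prep runs below; install it when absent.
if [ ! -f /usr/bin/rpmbuild ]; then
	yum -y --disableexcludes=all --skip-broken install rpm-build
fi

# Run only the %prep stage (-bp): unpack and patch the mod_security sources
# under $BUILDROOT/BUILD. --nodeps skips rpmbuild's build-dependency check.
rpmbuild -bp "$BUILDROOT"/SPECS/mod_security-art.spec --define "%_topdir $BUILDROOT" --nodeps || exit 1

# Enter the unpacked tree; the glob stays outside the quotes so it expands.
# Stop when the directory is missing or ambiguous, otherwise configure and
# make would run in the previous working directory.
cd "$BUILDROOT"/BUILD/modsecurity* || exit 1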


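# cpanel
# %build
# Configure mod_security for the detected panel. --disable-mlogc leaves out the
# mlogc log collector. The cPanel build additionally enables yajl, ssdeep, the
# Lua cache and PCRE JIT and points at the libraries under /opt and
# /usr/local/apache.
# NOTE(review): both PCRE match limits are switched off at build time in both
# branches. Runaway regex matching then has to be bounded in the runtime
# configuration (SecPcreMatchLimit, SecPcreMatchLimitRecursion); confirm the
# deployed rules set them.
if [ -n "$CPANEL" ]; then
	./configure \
		--disable-mlogc \
		--enable-pcre-match-limit=no \
		--enable-pcre-match-limit-recursion=no \
		--enable-pcre-study \
		--enable-pcre-jit \
		--with-yajl \
		--with-ssdeep \
		--enable-lua-cache \
		--with-pcre=/opt/pcre \
		--with-libxml=/opt/xml2 \
		--with-curl=/opt/curlssl \
		--with-apr=/usr/local/apache/ \
		--with-apu=/usr/local/apache/ || exit 1


elif [ -n "$DIRECTADMIN" ]; then
	# A failed configure is fatal here too, matching the cPanel branch; it used
	# to fall through to make.
	./configure \
		--disable-mlogc \
		--enable-pcre-match-limit=no \
		--enable-pcre-match-limit-recursion=no \
		--enable-pcre-study \
		--with-pcre=/usr || exit 1
fi


# %build
# $DEBUG is not set in this script (presumably it comes from /etc/asl/config).
# It is left unquoted on purpose so an empty value disappears and several
# make arguments split into separate words.
make $DEBUG || exit 1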


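# cPanel only: prepare the ASL data directories and make the stock
# /etc/httpd and /var/log/httpd paths point at cPanel's Apache tree.
if [ -n "$CPANEL" ]; then
	DIRS="msa audit suspicious"
	for i in $DIRS; do
		mkdir -p "/var/asl/data/$i"
		# user:group is the supported separator; the "user.group" form is
		# deprecated and ambiguous when a name contains a dot.
		chown nobody:nobody "/var/asl/data/$i"
		# Full access for owner and group, no read/search for others.
		# NOTE(review): an existing other-write bit is not cleared by this;
		# consider o-rwx if these directories hold audit data.
		chmod ug+rwx,o-rx "/var/asl/data/$i"
	done

	# Ensure symlink is correct. A real directory is moved aside first; if that
	# fails the script stops, because ln would otherwise create the link
	# inside the old directory instead of replacing it.
	if [ ! -h /etc/httpd ]; then
		if [ -d /etc/httpd ]; then
			mv /etc/httpd "/etc/httpd-atomic-bak-$DATE" || exit 1
		fi

		ln -sf /usr/local/apache /etc/httpd
	fi

	# Check logging path: same treatment for the log directory.
	if [ ! -h /var/log/httpd ]; then
		if [ -d /var/log/httpd ]; then
			mv /var/log/httpd "/var/log/httpd-atomic-bak-$DATE" || exit 1
		fi

		ln -sf /usr/local/apache/logs /var/log/httpd
	fi

fi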

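# Update Config
# Make "Include /etc/httpd/conf.d/*.conf" the first line of the main Apache
# config: blank out existing Include lines that mention conf.d, assemble the
# new file in the work directory, then copy it over the live one.
# Every step has to succeed before the next runs, so a failed read or a full
# disk cannot replace httpd.conf with a truncated file.
# NOTE(review): no backup of the live config is kept and nothing validates the
# result (for example "apachectl configtest") before Apache is restarted at
# the end of this script.
perl -p -i -e "s[^Include.*conf.d.*][]g" "$HTTP_CONF" || exit 1
echo "Include /etc/httpd/conf.d/*.conf" > /root/atomic/httpd.conf || exit 1
cat "$HTTP_CONF" >> /root/atomic/httpd.conf || exit 1
cp /root/atomic/httpd.conf "$HTTP_CONF" || exit 1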



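# %install
# Install the freshly built mod_security module. The old file is removed first
# rather than overwritten, and a failed install stops the script, as it
# already does for mod_evasive and mod_sed.
mkdir -p /etc/httpd/modules || exit 1
rm -f /etc/httpd/modules/mod_security2.so
install -m755 apache2/.libs/mod_security2.so /etc/httpd/modules/mod_security2.so || exit 1

# %files
# Directories for the rule files and for the conf.d fragments pulled in by
# the Include line in the main config. mkdir -p is a no-op when they exist.
mkdir -p /etc/httpd/modsecurity.d

mkdir -p /etc/httpd/conf.d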

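# Everything below is skipped for TYPE=module: the extra modules and the
# post-install checks, including the Apache restart.
if [ "$TYPE" != "module" ]; then

	# mod_evasive
	# %prep only (-bp), then build the single source file with apxs.
	rpmbuild -bp "$BUILDROOT"/SPECS/mod_evasive-art.spec --define "%_topdir $BUILDROOT" --nodeps || exit 1

	# Stop if the unpacked tree is missing, so sed and apxs never run in the
	# mod_security directory by accident.
	cd "$BUILDROOT"/BUILD/mod_evasive* || exit 1

	if [ "$APACHE_VERSION" -gt 22 ]; then
		# Apache 2.4 renamed the connection's remote_ip field to client_ip.
		# One global substitution covers every use, including the
		# "connection->remote_ip" case that a separate first pass used to
		# handle.
		sed -i 's/remote_ip/client_ip/g' mod_evasive20.c || exit 1
	fi

	"$APXS" -Wc -c mod_evasive20.c || exit 1

	# Create the modules directory when it is missing. The old check for it
	# was nested inside "the module file already exists" and so could never
	# fire.
	mkdir -p /etc/httpd/modules || exit 1
	rm -f /etc/httpd/modules/mod_evasive20.so
	install -m755 .libs/mod_evasive20.so /etc/httpd/modules/mod_evasive20.so || exit 1

	# mod_sed
	# Built only for Apache older than 2.4.
	if [ "$APACHE_VERSION" -lt 24 ]; then
		rpmbuild -bp "$BUILDROOT"/SPECS/mod_sed-art.spec --define "%_topdir $BUILDROOT" --nodeps || exit 1

		cd "$BUILDROOT"/BUILD/mod_sed* || exit 1

		"$APXS" -c mod_sed.c regexp.c sed0.c sed1.c || exit 1

		rm -f /etc/httpd/modules/mod_sed.so
		install -m755 .libs/mod_sed.so /etc/httpd/modules/mod_sed.so || exit 1
	fi



	# %post
	# CONFIGURED and RESTART_APACHE are not set in this script (presumably
	# they come from /etc/asl/config). "=" is the POSIX string comparison;
	# "==" inside [ ] only works in bash.
	if [ "$CONFIGURED" = "yes" ]; then
		if [ -f /var/asl/bin/asl ]; then
			# Let the asl tool run its WAF and mod_evasive checks.
			/var/asl/bin/asl -m waf_check -f
			/var/asl/bin/asl -m mod_evasive_check -f
		else
			# No asl binary: run aum instead, then restart Apache as
			# configured. Any other RESTART_APACHE value leaves Apache alone.
			/var/asl/bin/aum -u
			if [ "$RESTART_APACHE" = "yes" ]; then
				/usr/sbin/apachectl restart
			elif [ "$RESTART_APACHE" = "graceful" ]; then
				/usr/sbin/apachectl graceful
			fi
		fi
	fi

fi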
