%define apache_version 2.0.53 Summary: Apache Security Tools Name: apache-tools Version: 1.0.1 Release: 1mdk License: GPL Group: System/Servers URL: http://www.apachesecurity.net/ Source0: http://www.apachesecurity.net/download/apache_tools-%{version}.tar.bz2 Source1: apache-tools-index.html.bz2 BuildRequires: apache2-devel Requires: rrdtool Requires: iptables Requires: apache2-conf Requires: apache2-common Requires: apache2-modules BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot %description o apache-monitor.pl - monitors mod_status output and stores web server activity in a RRD file. o apache-monitor-graph.pl - creates pretty graphs from a RRD file populated by the previous script (you can find an example here). o apache-protect - monitors mod_status output to detect a DoS attack, then uses the blacklist tool to cut the offending IP address at the firewall. o error_log_ai.pl - implementation of the Artificial Ignorance concept (devised by Marcus J. Ranum) for the Apache error log. o blacklist - uses iptables to create a temporarily blacklist. o blacklist-webclient.c - a C program that can be marked suid root, and called from a non-root script to blacklist IP addresses. o logscan.pl - easy-to-use log analysis script, supports field names and regular expressions (will support anti-evasion techniques in the future). o mod_globalerror.c - Apache 2 module that allows the server to have per-virtual host error logs *and* have one file where all errors are duplicated (useful for server monitoring). %package -n apache2-mod_globalerror Summary: Produces an independent global error log Version: %{apache_version}_%{version} Group: System/Servers PreReq: apache2-conf PreReq: apache2-common PreReq: apache2-modules %description -n apache2-mod_globalerror This Apache 2.x module will produce an independent, global, error log. This is very handy to allow for server monitoring (using Swatch, for example) in situations where independent, per-virtual host, logs are used. After adding the module to the configuration, use the GlobalErrorLog directive to specify the file where the log should go to (piped logging is supported) and the GlobalErrorLogLevel directive to specify the log level. %prep %setup -q -n apache_tools bzcat %{SOURCE1} > apache-tools-index.html %build gcc %{optflags} blacklist-webclient.c -o blacklist-webclient %{_sbindir}/apxs2 -c mod_globalerror.c %install [ "%{buildroot}" != "/" ] && rm -rf %{buildroot} install -d %{buildroot}%{_var}/www/cgi-bin install -d %{buildroot}%{_bindir} install -d %{buildroot}/sbin install -d %{buildroot}%{_sysconfdir}/httpd/conf.d install -d %{buildroot}%{_sysconfdir}/httpd/webapps.d install -d %{buildroot}%{_sysconfdir}/cron.hourly install -d %{buildroot}%{_localstatedir}/apache-monitor install -d %{buildroot}%{_var}/www/html/admin/apache-monitor install -d %{buildroot}%{_libdir}/apache2-extramodules install -m0755 blacklist-webclient %{buildroot}%{_var}/www/cgi-bin/blacklist.cgi install -m0755 apache-monitor %{buildroot}%{_bindir}/ install -m0755 apache-monitor-graph %{buildroot}%{_bindir}/ install -m0755 apache-protect %{buildroot}%{_bindir}/ install -m0755 error_log_ai %{buildroot}%{_bindir}/ install -m0755 logscan %{buildroot}%{_bindir}/ install -m0755 blacklist %{buildroot}/sbin/ install -m0644 apache-tools-index.html %{buildroot}%{_var}/www/html/admin/apache-monitor/index.html install -m0755 .libs/mod_globalerror.so %{buildroot}%{_libdir}/apache2-extramodules/ cat << EOF > %{buildroot}%{_sysconfdir}/httpd/conf.d/mod_globalerror.conf <IfDefine HAVE_GLOBALERROR> <IfModule !mod_globalerror.c> LoadModule globalerror_module extramodules/mod_globalerror.so </IfModule> </IfDefine> <IfModule mod_globalerror.c> GlobalErrorLog logs/globalerror_log GlobalErrorLogLevel debug </IfModule> EOF cat << EOF > %{buildroot}%{_sysconfdir}/httpd/webapps.d/apache-tools.conf <Directory %{_var}/www/html/admin/apache-monitor/> Order allow,deny Allow from 127.0.0.1 </Directory> EOF cat << EOF > %{buildroot}%{_sysconfdir}/httpd/webapps.d/blacklist.conf <Location /cgi-bin/blacklist.cgi> Order allow,deny Allow from 127.0.0.1 </Location> EOF cat << EOF > %{buildroot}%{_sysconfdir}/cron.hourly/apache-tools #!/bin/bash # GPL, Fri Feb 18 2005 Oden Eriksson <oeriksson@mandrakesoft.com> # Simple script to utilize apache-tools, serves as an example. # It requires mod_status and "ExtendedStatus On". # Edit these files (and the file you are reading) to suit your needs: # %{_sysconfdir}/httpd/webapps.d/apache-tools.conf # %{_var}/www/html/admin/apache-monitor/index.html # poll stats %{_bindir}/apache-monitor %{_localstatedir}/apache-monitor/localhost http://127.0.0.1/server-status/ # make stats %{_bindir}/apache-monitor-graph %{_localstatedir}/apache-monitor/localhost %{_var}/www/html/admin/apache-monitor/ 3600 EOF %post %{_initrddir}/httpd restart %postun %{_initrddir}/httpd restart %post -n apache2-mod_globalerror %{_initrddir}/httpd restart %postun -n apache2-mod_globalerror %{_initrddir}/httpd restart %clean [ "%{buildroot}" != "/" ] && rm -rf %{buildroot} %files %defattr(-,root,root) %doc README LICENSE CHANGES %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/webapps.d/apache-tools.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/webapps.d/blacklist.conf %attr(0755,root,root) %config(noreplace) %{_sysconfdir}/cron.hourly/apache-tools %attr(0755,root,root) %{_bindir}/apache-monitor %attr(0755,root,root) %{_bindir}/apache-monitor-graph %attr(0755,root,root) %{_bindir}/apache-protect %attr(0755,root,root) %{_bindir}/error_log_ai %attr(0755,root,root) %{_bindir}/logscan %attr(0755,root,root) /sbin/blacklist %attr(4755,root,root) %{_var}/www/cgi-bin/blacklist.cgi %attr(0755,root,root) %dir %{_var}/www/html/admin/apache-monitor %attr(0755,root,root) %dir %{_localstatedir}/apache-monitor %attr(0644,root,root) %{_var}/www/html/admin/apache-monitor/index.html %files -n apache2-mod_globalerror %defattr(-,root,root) %doc README LICENSE CHANGES %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/mod_globalerror.conf %attr(0755,root,root) %{_libdir}/apache2-extramodules/mod_globalerror.so %changelog * Fri Feb 18 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 1.0.1-1mdk - added S1 and some cron stuff * Fri Feb 11 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 1.0-1mdk - the version was really 1.0 (@sf) * Fri Feb 11 2005 Oden Eriksson <oeriksson@mandrakesoft.com> 0.0-1mdk - initial Mandrakelinux package