Tuesday, May 17, 2022

[Research] Installing ModSecurity 3.x (libModSecurity) (CentOS Stream 9)

[Research] Installing ModSecurity 3.x (libModSecurity) (CentOS Stream 9 Linux)

2022-05-17

For an introduction, see this post:

[Research] ModSecurity 2.x and libModSecurity 3.x - Web Application Firewall (WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html

CentOS 9 does not ship ModSecurity 3 in its default repositories; only ModSecurity 2.9.3 is available:

[user1@localhost ~]$ yum list | grep mod | grep ecurity
mod_security.x86_64         2.9.3-12.el9	appstream     
mod_security-mlogc.x86_64	2.9.3-12.el9    appstream     
mod_security_crs.noarch     3.3.0-3.el9     appstream     
[user1@localhost ~]$ 



This installation follows
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x

Refer to the "CentOS 7 Minimal - libModSecurity" section:

yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
yum install https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
make
make install

Actual test run

****************************************

Installing with root privileges is recommended; to switch to root:

sudo passwd root

su

Otherwise, creating the directory during git clone will fail.

****************************************

yum install problem:

錯誤:找不到符合項目: yajl-devel GeoIP-devel

Solution: ignore it for now, since these packages are not required; they are optional.

****************************************

sh build.sh problem:

build.sh: 列 6: libtoolize:指令找不到
build.sh: 列 7: autoreconf:指令找不到
build.sh: 列 8: autoheader:指令找不到
build.sh: 列 9: automake:指令找不到
build.sh: 列 10: autoconf:指令找不到

Solution:

yum install -y epel-release
yum -y install libtool autoconf

On CentOS the package that actually provides libtoolize is named libtool, and it can only be installed after epel-release has been added.

****************************************

./configure problem:

checking whether the C++ compiler works... no

Solution:

yum  -y install gcc-c++

yum -y install libtool automake autoconf   # libtoolize, autoreconf and autoheader are not package names; they are provided by libtool and autoconf

****************************************

./configure problem:

checking for libcurl config script... no

configure: *** curl library not found.

checking for libxml2 config script... no

configure: *** libxml2 library not found.

checking for libpcre config script... no

configure: *** pcre library not found.

configure: error: pcre library is required

Solution:

yum -y install libcurl libcurl-devel libxml2 libxml2-devel pcre pcre-devel

****************************************

./configure problem:

ModSecurity - v3.0.6-51-g76c0c864 for Linux
 
 Mandatory dependencies
   + libInjection                                  ....v3.0.6-51-g76c0c864  
   + SecLang tests                                 ....76c0c864
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....not found
   + LibCURL                                       ....found v7.76.1 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....not found
   + LMDB                                          ....not found
   + LibXML2                                       ....found v2.9.13
      -lxml2 -lz -llzma -lm, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....not found
   + LUA                                           ....not found
   + PCRE2                                          ....not found
 
 Other Options
   + Test Utilities                                ....disabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled
 
[root@localhost ModSecurity]# 


Solution: the optional dependencies can be ignored for now.

****************************************

bison problem:

yum install https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm

Since yum has already installed bison, this line is no longer run.

****************************************

The modified procedure is as follows:


sudo passwd root
su
yum install -y epel-release
yum -y install git-core libtool autoconf gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre pcre-devel libcurl libcurl-devel libxml2 libxml2-devel
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure

make
make install
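The procedure above was assembled one failed run at a time; the following pre-flight script is an added example (not part of the original post or of the ModSecurity project) that maps every command build.sh invokes, and every header ./configure refused to proceed without, to the CentOS package that provides it, and prints a single dnf line. Header paths and package names are the CentOS Stream 9 ones; a missing command whose package is not listed is assumed to come from a package of the same name.

```shell
#!/bin/sh
# Pre-flight check for the libModSecurity build on CentOS Stream 9 (added
# example, not part of the original post or the ModSecurity project). It maps
# each command build.sh invokes, and each header ./configure probes, to the
# CentOS package providing it, so one dnf call fixes everything reported above.
# The autotools commands are not named like their packages: libtoolize comes
# from "libtool", autoreconf and autoheader from "autoconf", g++ from "gcc-c++".
# Any other command is assumed to come from a package of the same name.
package_for_tool() {
    case "$1" in
        libtoolize)                     echo libtool ;;
        autoreconf|autoheader|autoconf) echo autoconf ;;
        automake)                       echo automake ;;
        g++)                            echo gcc-c++ ;;
        git)                            echo git-core ;;
        *)                              echo "$1" ;;
    esac
}

# Packages for the commands in "$@" that are not on PATH, one per line and
# de-duplicated (autoreconf and autoheader both need autoconf); status 1 if any.
missing_tool_packages() {
    pkgs=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 && continue
        pkgs="$pkgs $(package_for_tool "$tool")"
    done
    [ -n "$pkgs" ] && printf '%s\n' $pkgs | sort -u
    [ -z "$pkgs" ]
}

# Same for development headers, given as header-path:package pairs.
missing_devel_packages() {
    pkgs=""
    for pair in "$@"; do
        [ -f "${pair%%:*}" ] && continue
        pkgs="$pkgs ${pair#*:}"
    done
    [ -n "$pkgs" ] && printf '%s\n' $pkgs | sort -u
    [ -z "$pkgs" ]
}

# The commands build.sh reported missing plus the libraries ./configure
# refused to proceed without (header paths as on CentOS Stream 9).
BUILD_TOOLS="libtoolize autoreconf autoheader automake autoconf g++ flex bison git make"
DEVEL_HEADERS='/usr/include/pcre.h:pcre-devel
/usr/include/libxml2/libxml/parser.h:libxml2-devel
/usr/include/curl/curl.h:libcurl-devel'
# A ready-to-run install line, or nothing if the box is already set up.
install_command() {
    missing="$(missing_tool_packages $BUILD_TOOLS || :; missing_devel_packages $DEVEL_HEADERS || :)"
    [ -z "$missing" ] || echo "dnf install -y" $missing
}
```

Run `install_command` before `sh build.sh`; it prints nothing once every tool and header is present.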

Output of the final successful make install:

[root@localhost ModSecurity]# make install
Making install in others
make[1]: 進入目錄「/opt/ModSecurity/others」
make[2]: 進入目錄「/opt/ModSecurity/others」
make[2]: 對「install-exec-am」無需做任何事。
make[2]: 對「install-data-am」無需做任何事。
make[2]: 離開目錄「/opt/ModSecurity/others」
make[1]: 離開目錄「/opt/ModSecurity/others」
Making install in src
make[1]: 進入目錄「/opt/ModSecurity/src」
make[2]: 進入目錄「/opt/ModSecurity/src」
make[3]: 進入目錄「/opt/ModSecurity/src」
 /usr/bin/mkdir -p '/usr/local/modsecurity/lib'
 /bin/sh ../libtool   --mode=install /usr/bin/install -c   libmodsecurity.la '/usr/local/modsecurity/lib'
libtool: install: /usr/bin/install -c .libs/libmodsecurity.so.3.0.6 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.6
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.6 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.6 libmodsecurity.so.3; }; })
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.6 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.6 libmodsecurity.so; }; })
libtool: install: /usr/bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
libtool: install: /usr/bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
libtool: finish: PATH="/root/.local/bin:/root/bin:/home/user1/.local/bin:/home/user1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin" ldconfig -n /usr/local/modsecurity/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/modsecurity/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the 'LD_RUN_PATH' environment variable
     during linking
   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to '/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
 /usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
 /usr/bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
 /usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
 /usr/bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
 /usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
 /usr/bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable_translation_proxy.h ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_marker.h ../headers/modsecurity/rule_unconditional.h ../headers/modsecurity/rule_with_actions.h ../headers/modsecurity/rule_with_operator.h ../headers/modsecurity/rules.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_phases.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
make[3]: 離開目錄「/opt/ModSecurity/src」
make[2]: 離開目錄「/opt/ModSecurity/src」
make[1]: 離開目錄「/opt/ModSecurity/src」
Making install in doc
make[1]: 進入目錄「/opt/ModSecurity/doc」
make[2]: 進入目錄「/opt/ModSecurity/doc」
make[2]: 對「install-exec-am」無需做任何事。
make[2]: 對「install-data-am」無需做任何事。
make[2]: 離開目錄「/opt/ModSecurity/doc」
make[1]: 離開目錄「/opt/ModSecurity/doc」
Making install in tools
make[1]: 進入目錄「/opt/ModSecurity/tools」
Making install in rules-check
make[2]: 進入目錄「/opt/ModSecurity/tools/rules-check」
make[3]: 進入目錄「/opt/ModSecurity/tools/rules-check」
 /usr/bin/mkdir -p '/usr/local/modsecurity/bin'
  /bin/sh ../../libtool   --mode=install /usr/bin/install -c modsec-rules-check '/usr/local/modsecurity/bin'
libtool: install: /usr/bin/install -c .libs/modsec-rules-check /usr/local/modsecurity/bin/modsec-rules-check
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/tools/rules-check」
make[2]: 離開目錄「/opt/ModSecurity/tools/rules-check」
make[2]: 進入目錄「/opt/ModSecurity/tools」
make[3]: 進入目錄「/opt/ModSecurity/tools」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/tools」
make[2]: 離開目錄「/opt/ModSecurity/tools」
make[1]: 離開目錄「/opt/ModSecurity/tools」
Making install in examples
make[1]: 進入目錄「/opt/ModSecurity/examples」
Making install in multiprocess_c
make[2]: 進入目錄「/opt/ModSecurity/examples/multiprocess_c」
make[3]: 進入目錄「/opt/ModSecurity/examples/multiprocess_c」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/multiprocess_c」
make[2]: 離開目錄「/opt/ModSecurity/examples/multiprocess_c」
Making install in reading_logs_with_offset
make[2]: 進入目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[3]: 進入目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[2]: 離開目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
Making install in reading_logs_via_rule_message
make[2]: 進入目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[3]: 進入目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[2]: 離開目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
Making install in simple_example_using_c
make[2]: 進入目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[3]: 進入目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[2]: 離開目錄「/opt/ModSecurity/examples/simple_example_using_c」
Making install in using_bodies_in_chunks
make[2]: 進入目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[3]: 進入目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[2]: 離開目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[2]: 進入目錄「/opt/ModSecurity/examples」
make[3]: 進入目錄「/opt/ModSecurity/examples」
make[3]: 對「install-exec-am」無需做任何事。
 /usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
 /usr/bin/install -c -m 644 reading_logs_via_rule_message/reading_logs_via_rule_message.h '/usr/local/modsecurity/include/modsecurity'
make[3]: 離開目錄「/opt/ModSecurity/examples」
make[2]: 離開目錄「/opt/ModSecurity/examples」
make[1]: 離開目錄「/opt/ModSecurity/examples」
make[1]: 進入目錄「/opt/ModSecurity」
make[2]: 進入目錄「/opt/ModSecurity」
make[2]: 對「install-exec-am」無需做任何事。
 /usr/bin/mkdir -p '/usr/local/modsecurity/lib/pkgconfig'
 /usr/bin/install -c -m 644 modsecurity.pc '/usr/local/modsecurity/lib/pkgconfig'
make[2]: 離開目錄「/opt/ModSecurity」
make[1]: 離開目錄「/opt/ModSecurity」
[root@localhost ModSecurity]# 



[root@localhost ModSecurity]# pwd
/opt/ModSecurity

[root@localhost ModSecurity]# ls /usr/local/modsecurity/lib
libmodsecurity.a   libmodsecurity.so    libmodsecurity.so.3.0.6  
libmodsecurity.la  libmodsecurity.so.3  pkgconfig
[root@localhost ModSecurity]# 

ModSecurity 3.x (libModSecurity) installation is complete.

********************************************************************************

Installing the nginx connector

# ensure env vars are set
export MODSECURITY_INC="/opt/ModSecurity/headers/"
export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/"
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx  
wget http://nginx.org/download/nginx-1.9.2.tar.gz
tar -xvzf nginx-1.9.2.tar.gz
cd /opt/nginx-1.9.2
/bin/cp -f /usr/sbin/nginx /usr/sbin/nginx_original_bkp
./configure --add-module=/opt/ModSecurity-nginx 
make
make install

****************************************

nginx has a newer version, 1.9.9, so switch to:

wget http://nginx.org/download/nginx-1.9.9.tar.gz
tar -xvzf nginx-1.9.9.tar.gz
cd /opt/nginx-1.9.9

make fails with the following error:

src/core/ngx_murmurhash.c: 在函式 「ngx_murmur_hash2」 中:
src/core/ngx_murmurhash.c:37:11: 錯誤:this statement may fall through [-Werror=implicit-fallthrough=]   
   37 |         h ^= data[2] << 16;
      |         ~~^~~~~~~~~~~~~~~~
src/core/ngx_murmurhash.c:38:5: 附註:here
   38 |     case 2:
      |     ^~~~
src/core/ngx_murmurhash.c:39:11: 錯誤:this statement may fall through [-Werror=implicit-fallthrough=]
   39 |         h ^= data[1] << 8;
      |         ~~^~~~~~~~~~~~~~~
src/core/ngx_murmurhash.c:40:5: 附註:here
   40 |     case 1:
      |     ^~~~
cc1:視所有警告為錯誤
make[1]: *** [objs/Makefile:462:objs/src/core/ngx_murmurhash.o] 錯誤 1
make[1]: 離開目錄「/opt/nginx-1.9.9」
make: *** [Makefile:8:build] 錯誤 2
[root@localhost nginx-1.9.9]# 



Switched back to 1.9.2:

cd /opt/
wget http://nginx.org/download/nginx-1.9.2.tar.gz
tar -xvzf nginx-1.9.2.tar.gz
cd /opt/nginx-1.9.2

In the end make still fails; this is left for further investigation.
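The fallthrough error shown above comes from the compiler, not from the connector: nginx builds with -W -Wall -Werror, and from GCC 7 on -W enables -Wimplicit-fallthrough, which the 2015-era switch in ngx_murmurhash.c was never annotated for. The script below is an added example (not from the original post or the nginx/ModSecurity projects) that builds the connector with the post's paths and nginx version while switching off only that one warning via nginx's --with-cc-opt; whether a modern toolchain trips anything else in an nginx 1.9.x tree is not something this post settles.

```shell
#!/bin/sh
# Added example, not from the original post: configure the nginx connector
# build so that GCC's fallthrough check does not abort it.
# nginx's auto/cc/gcc compiles with -W -Wall -Werror; from GCC 7 on, -W turns on
# -Wimplicit-fallthrough, and older nginx sources such as ngx_murmurhash.c carry
# no "fall through" comments, so the switch shown above becomes a hard error.
# --with-cc-opt appends to CFLAGS, so only that one warning is switched off
# rather than disabling -Werror for the whole build.
# Assumptions: the paths and nginx version are the ones used in the post.
NGINX_VERSION="${NGINX_VERSION:-1.9.2}"
MODSEC_NGINX_SRC="${MODSEC_NGINX_SRC:-/opt/ModSecurity-nginx}"

gcc_major() { gcc -dumpversion 2>/dev/null | cut -d. -f1; }

# Extra C compiler options for the given GCC major version (empty before 7).
cc_opt_for_gcc() {
    if [ "${1:-0}" -ge 7 ]; then echo "-Wno-implicit-fallthrough"; fi
}

# The configure line for /opt/nginx-$NGINX_VERSION, given a GCC major version.
nginx_configure_command() {
    opt="$(cc_opt_for_gcc "$1")"
    printf './configure --add-module=%s' "$MODSEC_NGINX_SRC"
    [ -n "$opt" ] && printf " --with-cc-opt='%s'" "$opt"
    printf '\n'
}

# The post's connector procedure, with the configure line chosen above.
build_connector() {
    export MODSECURITY_INC="/opt/ModSecurity/headers/"
    export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/"
    cd /opt/ || return 1
    [ -d ModSecurity-nginx ] || git clone https://github.com/SpiderLabs/ModSecurity-nginx
    wget "http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz"
    tar -xzf "nginx-$NGINX_VERSION.tar.gz"
    cd "/opt/nginx-$NGINX_VERSION" || return 1
    eval "$(nginx_configure_command "$(gcc_major)")" && make
}
```

Call `build_connector` as root after libModSecurity has been installed; `nginx_configure_command "$(gcc_major)"` alone prints the configure line so it can be checked before running it.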

