[Research] Installing ModSecurity 3.x (libModSecurity) on CentOS Stream 9 Linux
2022-05-17
For an introduction, see this post:
[Research] ModSecurity 2.x and libModSecurity 3.x - Web Application Firewall (WAF)
https://shaurong.blogspot.com/2022/05/modsecurity-2x-libmodsecurity-3x-waf.html
CentOS 9 does not offer ModSecurity 3 in its default repositories; only ModSecurity 2.9.3 is available.
[user1@localhost ~]$ yum list | grep mod | grep ecurity
mod_security.x86_64 2.9.3-12.el9 appstream
mod_security-mlogc.x86_64 2.9.3-12.el9 appstream
mod_security_crs.noarch 3.3.0-3.el9 appstream
[user1@localhost ~]$
This installation follows:
https://github.com/SpiderLabs/ModSecurity/wiki/Compilation-recipes-for-v3.x
See the "Centos 7 Minimal - libModSecurity" section:
yum install gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre-devel
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
yum install https://archives.fedoraproject.org/pub/archive/fedora/linux/updates/23/x86_64/b/bison-3.0.4-3.fc23.x86_64.rpm
make
make install
Hands-on test
****************************************
Installing as root is recommended. To switch to root:
sudo passwd root
su
Otherwise git clone fails when it tries to create the directory.
****************************************
yum install problem:
錯誤:找不到符合項目: yajl-devel GeoIP-devel
Fix: ignore it for now, because some of the packages are optional rather than required.
****************************************
sh build.sh problem:
build.sh: 列 6: libtoolize:指令找不到
build.sh: 列 7: autoreconf:指令找不到
build.sh: 列 8: autoheader:指令找不到
build.sh: 列 9: automake:指令找不到
build.sh: 列 10: autoconf:指令找不到
Fix:
yum install -y epel-release
yum -y install libtool autoconf
On CentOS, libtoolize is provided by the package named libtool, which can only be installed after epel-release.
****************************************
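./configure problem:
checking whether the C++ compiler works... no
Fix:
yum -y install gcc-c++
# libtoolize, autoreconf and autoheader are commands, not package names;
# they ship in the libtool and autoconf packages
yum -y install libtool automake autoconf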
****************************************
./configure problem:
checking for libcurl config script... no
configure: *** curl library not found.
checking for libxml2 config script... no
configure: *** libxml2 library not found.
checking for libpcre config script... no
configure: *** pcre library not found.
configure: error: pcre library is required
Fix:
yum -y install libcurl libcurl-devel libxml2 libxml2-devel pcre pcre-devel
ModSecurity - v3.0.6-51-g76c0c864 for Linux

 Mandatory dependencies
   + libInjection ....v3.0.6-51-g76c0c864
   + SecLang tests ....76c0c864

 Optional dependencies
   + GeoIP/MaxMind ....not found
   + LibCURL ....found v7.76.1
      -lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL ....not found
   + LMDB ....not found
   + LibXML2 ....found v2.9.13
      -lxml2 -lz -llzma -lm, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP ....not found
   + LUA ....not found
   + PCRE2 ....not found

 Other Options
   + Test Utilities ....disabled
   + SecDebugLog ....enabled
   + afl fuzzer ....disabled
   + library examples ....enabled
   + Building parser ....disabled
   + Treating pm operations as critical section ....disabled

[root@localhost ModSecurity]#
Fix: the optional dependencies can be ignored for now.
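Added example (not part of the original post or of the ModSecurity project): a small shell check that reads the configure summary above and lists the optional dependencies reported as "not found", so a WAF build does not silently ship without a feature the rules depend on; YAJL, for instance, is what libModSecurity uses to parse JSON request bodies. The helper names missing_optional and require_deps and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: list optional libModSecurity dependencies that the
# ./configure summary reports as "not found", and gate a build on them.

# Constructed sample, copied from the "Optional dependencies" part of the
# summary shown above.
SAMPLE_SUMMARY=' Optional dependencies
   + GeoIP/MaxMind ....not found
   + LibCURL ....found v7.76.1
      -lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL ....not found
   + LMDB ....not found
   + LibXML2 ....found v2.9.13
      -lxml2 -lz -llzma -lm, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP ....not found
   + LUA ....not found
   + PCRE2 ....not found
 Other Options
   + Test Utilities ....disabled'

# missing_optional (hypothetical helper): read a configure summary on stdin
# and print each optional dependency marked "not found", one per line.
missing_optional() {
    awk '
        /Optional dependencies/ { in_opt = 1; next }
        /Other Options/         { in_opt = 0 }
        in_opt && /^[ \t]*\+ / && /\.\.\.\.not found[ \t]*$/ {
            sub(/^[ \t]*\+[ \t]*/, "")
            sub(/[ \t]*\.\.\.\.not found[ \t]*$/, "")
            print
        }'
}

# require_deps (hypothetical helper): return 1 if any dependency named in
# "$@" is missing from the summary on stdin.
require_deps() {
    missing=$(missing_optional)
    rc=0
    for dep in "$@"; do
        if printf '%s\n' "$missing" | grep -qxF -- "$dep"; then
            echo "required dependency not built in: $dep" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; on a real build, pipe in saved ./configure output.
printf '%s\n' "$SAMPLE_SUMMARY" | missing_optional
```

Which dependencies to pass to require_deps depends on the rules you plan to load.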
The revised procedure is as follows:
sudo passwd root
su
yum install -y epel-release
# --skip-broken: yajl-devel and GeoIP-devel were not found (see above); skip them instead of aborting
yum -y install --skip-broken git-core libtool autoconf gcc-c++ flex bison yajl yajl-devel curl-devel curl GeoIP-devel doxygen zlib-devel pcre pcre-devel libcurl libcurl-devel libxml2 libxml2-devel
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity
cd ModSecurity
git checkout -b v3/master origin/v3/master
sh build.sh
git submodule init
git submodule update
./configure
make
make install
Output of the final, successful make install:
[root@localhost ModSecurity]# make install
Making install in others
make[1]: 進入目錄「/opt/ModSecurity/others」
make[2]: 進入目錄「/opt/ModSecurity/others」
make[2]: 對「install-exec-am」無需做任何事。
make[2]: 對「install-data-am」無需做任何事。
make[2]: 離開目錄「/opt/ModSecurity/others」
make[1]: 離開目錄「/opt/ModSecurity/others」
Making install in src
make[1]: 進入目錄「/opt/ModSecurity/src」
make[2]: 進入目錄「/opt/ModSecurity/src」
make[3]: 進入目錄「/opt/ModSecurity/src」
/usr/bin/mkdir -p '/usr/local/modsecurity/lib'
/bin/sh ../libtool --mode=install /usr/bin/install -c libmodsecurity.la '/usr/local/modsecurity/lib'
libtool: install: /usr/bin/install -c .libs/libmodsecurity.so.3.0.6 /usr/local/modsecurity/lib/libmodsecurity.so.3.0.6
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.6 libmodsecurity.so.3 || { rm -f libmodsecurity.so.3 && ln -s libmodsecurity.so.3.0.6 libmodsecurity.so.3; }; })
libtool: install: (cd /usr/local/modsecurity/lib && { ln -s -f libmodsecurity.so.3.0.6 libmodsecurity.so || { rm -f libmodsecurity.so && ln -s libmodsecurity.so.3.0.6 libmodsecurity.so; }; })
libtool: install: /usr/bin/install -c .libs/libmodsecurity.lai /usr/local/modsecurity/lib/libmodsecurity.la
libtool: install: /usr/bin/install -c .libs/libmodsecurity.a /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: chmod 644 /usr/local/modsecurity/lib/libmodsecurity.a
libtool: install: ranlib /usr/local/modsecurity/lib/libmodsecurity.a
libtool: finish: PATH="/root/.local/bin:/root/bin:/home/user1/.local/bin:/home/user1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/sbin" ldconfig -n /usr/local/modsecurity/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/modsecurity/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the 'LD_RUN_PATH' environment variable
     during linking
   - use the '-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to '/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
/usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/actions/'
/usr/bin/install -c -m 644 ../headers/modsecurity/actions/action.h '/usr/local/modsecurity/include/modsecurity/actions/'
/usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity/collection/'
/usr/bin/install -c -m 644 ../headers/modsecurity/collection/collection.h ../headers/modsecurity/collection/collections.h '/usr/local/modsecurity/include/modsecurity/collection/'
/usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
/usr/bin/install -c -m 644 ../headers/modsecurity/anchored_set_variable_translation_proxy.h ../headers/modsecurity/anchored_set_variable.h ../headers/modsecurity/anchored_variable.h ../headers/modsecurity/audit_log.h ../headers/modsecurity/debug_log.h ../headers/modsecurity/intervention.h ../headers/modsecurity/modsecurity.h ../headers/modsecurity/rule.h ../headers/modsecurity/rule_marker.h ../headers/modsecurity/rule_unconditional.h ../headers/modsecurity/rule_with_actions.h ../headers/modsecurity/rule_with_operator.h ../headers/modsecurity/rules.h ../headers/modsecurity/rule_message.h ../headers/modsecurity/rules_set.h ../headers/modsecurity/rules_set_phases.h ../headers/modsecurity/rules_set_properties.h ../headers/modsecurity/rules_exceptions.h ../headers/modsecurity/transaction.h ../headers/modsecurity/variable_origin.h ../headers/modsecurity/variable_value.h '/usr/local/modsecurity/include/modsecurity'
make[3]: 離開目錄「/opt/ModSecurity/src」
make[2]: 離開目錄「/opt/ModSecurity/src」
make[1]: 離開目錄「/opt/ModSecurity/src」
Making install in doc
make[1]: 進入目錄「/opt/ModSecurity/doc」
make[2]: 進入目錄「/opt/ModSecurity/doc」
make[2]: 對「install-exec-am」無需做任何事。
make[2]: 對「install-data-am」無需做任何事。
make[2]: 離開目錄「/opt/ModSecurity/doc」
make[1]: 離開目錄「/opt/ModSecurity/doc」
Making install in tools
make[1]: 進入目錄「/opt/ModSecurity/tools」
Making install in rules-check
make[2]: 進入目錄「/opt/ModSecurity/tools/rules-check」
make[3]: 進入目錄「/opt/ModSecurity/tools/rules-check」
/usr/bin/mkdir -p '/usr/local/modsecurity/bin'
/bin/sh ../../libtool --mode=install /usr/bin/install -c modsec-rules-check '/usr/local/modsecurity/bin'
libtool: install: /usr/bin/install -c .libs/modsec-rules-check /usr/local/modsecurity/bin/modsec-rules-check
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/tools/rules-check」
make[2]: 離開目錄「/opt/ModSecurity/tools/rules-check」
make[2]: 進入目錄「/opt/ModSecurity/tools」
make[3]: 進入目錄「/opt/ModSecurity/tools」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/tools」
make[2]: 離開目錄「/opt/ModSecurity/tools」
make[1]: 離開目錄「/opt/ModSecurity/tools」
Making install in examples
make[1]: 進入目錄「/opt/ModSecurity/examples」
Making install in multiprocess_c
make[2]: 進入目錄「/opt/ModSecurity/examples/multiprocess_c」
make[3]: 進入目錄「/opt/ModSecurity/examples/multiprocess_c」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/multiprocess_c」
make[2]: 離開目錄「/opt/ModSecurity/examples/multiprocess_c」
Making install in reading_logs_with_offset
make[2]: 進入目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[3]: 進入目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
make[2]: 離開目錄「/opt/ModSecurity/examples/reading_logs_with_offset」
Making install in reading_logs_via_rule_message
make[2]: 進入目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[3]: 進入目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
make[2]: 離開目錄「/opt/ModSecurity/examples/reading_logs_via_rule_message」
Making install in simple_example_using_c
make[2]: 進入目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[3]: 進入目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/simple_example_using_c」
make[2]: 離開目錄「/opt/ModSecurity/examples/simple_example_using_c」
Making install in using_bodies_in_chunks
make[2]: 進入目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[3]: 進入目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[3]: 對「install-exec-am」無需做任何事。
make[3]: 對「install-data-am」無需做任何事。
make[3]: 離開目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[2]: 離開目錄「/opt/ModSecurity/examples/using_bodies_in_chunks」
make[2]: 進入目錄「/opt/ModSecurity/examples」
make[3]: 進入目錄「/opt/ModSecurity/examples」
make[3]: 對「install-exec-am」無需做任何事。
/usr/bin/mkdir -p '/usr/local/modsecurity/include/modsecurity'
/usr/bin/install -c -m 644 reading_logs_via_rule_message/reading_logs_via_rule_message.h '/usr/local/modsecurity/include/modsecurity'
make[3]: 離開目錄「/opt/ModSecurity/examples」
make[2]: 離開目錄「/opt/ModSecurity/examples」
make[1]: 離開目錄「/opt/ModSecurity/examples」
make[1]: 進入目錄「/opt/ModSecurity」
make[2]: 進入目錄「/opt/ModSecurity」
make[2]: 對「install-exec-am」無需做任何事。
/usr/bin/mkdir -p '/usr/local/modsecurity/lib/pkgconfig'
/usr/bin/install -c -m 644 modsecurity.pc '/usr/local/modsecurity/lib/pkgconfig'
make[2]: 離開目錄「/opt/ModSecurity」
make[1]: 離開目錄「/opt/ModSecurity」
[root@localhost ModSecurity]#
[root@localhost ModSecurity]# pwd
/opt/ModSecurity
[root@localhost ModSecurity]# ls /usr/local/modsecurity/lib
libmodsecurity.a   libmodsecurity.so    libmodsecurity.so.3.0.6
libmodsecurity.la  libmodsecurity.so.3  pkgconfig
[root@localhost ModSecurity]#
The ModSecurity 3.x (libModSecurity) installation is complete.
********************************************************************************
Installing the nginx connector
# ensure env vars are set
export MODSECURITY_INC="/opt/ModSecurity/headers/"
export MODSECURITY_LIB="/opt/ModSecurity/src/.libs/"
cd /opt/
git clone https://github.com/SpiderLabs/ModSecurity-nginx
wget http://nginx.org/download/nginx-1.9.2.tar.gz
tar -xvzf nginx-1.9.2.tar.gz
cd /opt/nginx-1.9.2
/bin/cp -f /usr/sbin/nginx /usr/sbin/nginx_original_bkp
./configure --add-module=/opt/ModSecurity-nginx
make
make install
****************************************
nginx has a newer version, 1.9.9, so switch to:
wget http://nginx.org/download/nginx-1.9.9.tar.gz
tar -xvzf nginx-1.9.9.tar.gz
cd /opt/nginx-1.9.9
make fails with the following error:
src/core/ngx_murmurhash.c: 在函式 「ngx_murmur_hash2」 中:
src/core/ngx_murmurhash.c:37:11: 錯誤:this statement may fall through [-Werror=implicit-fallthrough=]
   37 |         h ^= data[2] << 16;
      |         ~~^~~~~~~~~~~~~~~~
src/core/ngx_murmurhash.c:38:5: 附註:here
   38 |     case 2:
      |     ^~~~
src/core/ngx_murmurhash.c:39:11: 錯誤:this statement may fall through [-Werror=implicit-fallthrough=]
   39 |         h ^= data[1] << 8;
      |         ~~^~~~~~~~~~~~~~~
src/core/ngx_murmurhash.c:40:5: 附註:here
   40 |     case 1:
      |     ^~~~
cc1:視所有警告為錯誤
make[1]: *** [objs/Makefile:462:objs/src/core/ngx_murmurhash.o] 錯誤 1
make[1]: 離開目錄「/opt/nginx-1.9.9」
make: *** [Makefile:8:build] 錯誤 2
[root@localhost nginx-1.9.9]#
Switching back to 1.9.2:
cd /opt/
wget http://nginx.org/download/nginx-1.9.2.tar.gz
tar -xvzf nginx-1.9.2.tar.gz
cd /opt/nginx-1.9.2
In the end make still fails; this needs further investigation.
(To be investigated)