[LAMP]——mod_security和mod_evasive模块的安装

Posted Jelly_lyj

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了[LAMP]——mod_security和mod_evasive模块的安装相关的知识,希望对你有一定的参考价值。

系统版本:Red Hat 6

httpd版本:httpd-2.4.20

tar包:modsecurity-apache_2.5.9.tar.gz   mod_evasive_1.10.1.tar.gz

关于apxs:http://itlab.idcquan.com/linux/manual/ApacheManual/programs/apxs.html

 

mod_evasive模块的安装

# tar xf mod_evasive_1.10.1.tar.gz
# cd mod_evasive
# ls
CHANGELOG      mod_evasive20.c   mod_evasive20.o    mod_evasiveNSAPI.c
LICENSE        mod_evasive20.la  mod_evasive20.slo  README
Makefile.tmpl  mod_evasive20.lo  mod_evasive.c      test.pl

# apxs -i -a -c mod_evasive20.c 
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wformat-security -fno-strict-aliasing  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -pthread -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1   -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
mod_evasive20.c: 在函数‘create_hit_list’中:
mod_evasive20.c:118: 警告:在有返回值的函数中未发现 return 语句
mod_evasive20.c: 在函数‘access_checker’中:
mod_evasive20.c:212: 警告:隐式声明函数‘getpid’
mod_evasive20.c:212: 警告:格式‘%ld’需要类型‘long int’,但实参 3 的类型为‘int’
mod_evasive20.c:229: 警告:忽略声明有 warn_unused_result 属性的‘system’的返回值
mod_evasive20.c: 在函数‘destroy_hit_list’中:
mod_evasive20.c:301: 警告:在有返回值的函数中未发现 return 语句
/usr/lib/apr-1/build/libtool --silent --mode=link gcc -o mod_evasive20.la  -rpath /usr/lib/httpd/modules -module -avoid-version    mod_evasive20.lo
/usr/lib/httpd/build/instdso.sh SH_LIBTOOL=\'/usr/lib/apr-1/build/libtool\' mod_evasive20.la /usr/lib/httpd/modules
/usr/lib/apr-1/build/libtool --mode=install cp mod_evasive20.la /usr/lib/httpd/modules/
libtool: install: cp .libs/mod_evasive20.so /usr/lib/httpd/modules/mod_evasive20.so
libtool: install: cp .libs/mod_evasive20.lai /usr/lib/httpd/modules/mod_evasive20.la
libtool: install: cp .libs/mod_evasive20.a /usr/lib/httpd/modules/mod_evasive20.a
libtool: install: chmod 644 /usr/lib/httpd/modules/mod_evasive20.a
libtool: install: ranlib /usr/lib/httpd/modules/mod_evasive20.a
libtool: finish: PATH="/usr/lib/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/inotify/bin:/root/bin:/sbin" ldconfig -n /usr/lib/httpd/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/httpd/modules   ------>#被安装到了这里

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR\'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH\' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH\' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR\' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf\'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/lib/httpd/modules/mod_evasive20.so

之后,配置文件中可以看到这样一行(因为是apxs方法加载的模块所以会自动生成)

# vim /usr/local/httpd/conf/httpd.conf
  LoadModule evasive20_module   modules/mod_evasive20.so

 

补充

1. 如果遇到这样的错误:

# /usr/local/httpd/bin/apxs -i -a -c mod_evasive20.c
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic   -DLINUX -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -O2 -pg -pthread -I/usr/local/httpd/include  -I/usr/local/apr/include/apr-1   -I/usr/local/apr-util/include/apr-1  -I/usr/local/apr-iconv/include/apr-1 -I/usr/local/apr-iconv/include  -c -o mod_evasive20.lo mod_evasive20.c && touch mod_evasive20.slo
mod_evasive20.c: In function \'access_checker\':
mod_evasive20.c:142: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:146: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:158: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:165: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:180: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:187: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:208: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:212: warning: implicit declaration of function \'getpid\'
mod_evasive20.c:215: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:221: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:222: error: \'conn_rec\' has no member named \'remote_ip\'
mod_evasive20.c:228: error: \'conn_rec\' has no member named \'remote_ip\'
apxs:Error: Command failed with rc=65536

解决方法是把对应行的“remote”改成“client”

 

2.apxs选项说明:
      -c 执行编译操作
      -i 安装操作,安装一个或多个动态共享对象到服务器的modules目录
      -a 自动增加一个LoadModule行到httpd.conf文件,以激活此模块,若此行存在则启用之
      -A 与-a类似,但是它增加的LoadModule行前有井号前缀(#)
      -e 需要执行编辑操作,可与-a和-A选项配合使用,与-i操作类似,修改httpd.conf文件,但并不安装此模块

 

mod_security模块的安装

# tar xf modsecurity-apache_2.5.9.tar.gz
# ls
apache2  doc      modsecurity.conf-minimal         README.TXT  tools
CHANGES  LICENSE  MODSECURITY_LICENSING_EXCEPTION  rules
# cd apache2/

# apxs -i -a -c mod_security2.c 
/usr/lib/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wformat-security -fno-strict-aliasing  -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -pthread -I/usr/include/httpd  -I/usr/include/apr-1   -I/usr/include/apr-1   -c -o mod_security2.lo mod_security2.c && touch mod_security2.slo
在包含自 modsecurity.h:38 的文件中,
                 从 mod_security2.c:24:
msc_pcre.h:24:18: 错误:pcre.h:没有那个文件或目录
在包含自 modsecurity.h:40 的文件中,
                 从 mod_security2.c:24:
msc_xml.h:25:31: 错误:libxml/xmlschemas.h:没有那个文件或目录
msc_xml.h:26:26: 错误:libxml/xpath.h:没有那个文件或目录
In file included from modsecurity.h:40,
                 from mod_security2.c:24:

 ===>报错

# yum install libxml*
# ./configure --with-apxs=/usr/local/httpd/bin/apxs --with-httpd-src=/usr/local/httpd/ --with-pcre=/usr/local/pcre/ --with-apr=/usr/local/apr/bin/apr-1-config  --with-libxml=/usr/     ------>通过编译安装的方法

# make ; make install
make: *** [mod_security2.la] 错误 1
/usr/local/apr/build-1/libtool --silent --mode=compile gcc -std=gnu99 -prefer-pic   -DLINUX -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -O2 -pg -pthread -I/usr/local/httpd/include  -I/usr/local/apr/include/apr-1   -I/usr/local/apr-util/include/apr-1  -I/usr/local/apr-iconv/include/apr-1 -I/usr/local/apr-iconv/include -O2 -g -Wall -I/usr/local/httpd/include -I/usr/local/httpd/include -I. -I/usr/local/apr/include/apr-1 -I/usr/local/apr-util/include/apr-1 -I/usr/local/apr-iconv/include/apr-1 -I/usr/local/apr-iconv/include -I/usr/local/pcre/include -I/usr/local/httpd//srclib/pcre -I/usr/local/pcre/include -I/usr/include/libxml2  -c -o mod_security2.lo mod_security2.c && touch mod_security2.slo
mod_security2.c: In function \'create_tx_context\':
mod_security2.c:345: error: \'conn_rec\' has no member named \'remote_ip\'
mod_security2.c:346: error: \'conn_rec\' has no member named \'remote_addr\'    ------>#报错的地方
mod_security2.c: In function \'register_hooks\':
mod_security2.c:1118: warning: passing argument 1 of \'ap_hook_error_log\' from incompatible pointer type
/usr/local/httpd/include/http_core.h:948: note: expected \'void (*)(const struct ap_errorlog_info *, const char *)\' but argument is of type \'void (*)(const char *, int,  int,  apr_status_t,  const struct server_rec *, const struct request_rec *, struct apr_pool_t *, const char *)\'
apxs:Error: Command failed with rc=65536

 ===>报错

# vim mod_security2.c

把原来的“remote“改成了client:

         

===>后面还出现过一次类似这样的错误,也是同样的方法解决:

        

然后安装成功:

Libraries have been installed in:
   /usr/local/httpd/modules    ------>#安装到了这里

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR\'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH\' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH\' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR\' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf\'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /usr/local/httpd/modules/mod_security2.so

===>在启动服务的时候报错:

# ./apachectl start
httpd: Syntax error on line 169 of /usr/local/httpd/conf/httpd.conf: Cannot load modules/mod_security2.so into server: /usr/local/httpd/modules/mod_security2.so: undefined symbol: unixd_set_global_mutex_perms

169行的内容是这样的:LoadModule security2_module  modules/mod_security2.so
未解决......

以上是关于[LAMP]——mod_security和mod_evasive模块的安装的主要内容,如果未能解决你的问题,请参考以下文章

如何在 .htaccess 文件中禁用 mod_security?

在Apache 上,有个非常重要的安全模块Mod_Security,下面那些是这个模块具备的功能

在防御 DDOS 时,Apache2 mod_evasive vs mod_security 与 OWASP crs?

Apache mod_secure,禁用包含“1---”的cookie规则

在 Amazon Elastic Beanstalk(Apache、EC2)上安装 Mod_security

是否可以安装 Apache mod_security Amazon Elastic Beanstalk