Fixing the Apache httpOnly cookie leak vulnerability
Apache configuration (httpd.conf):
ErrorDocument 400 " 您访问的页面不存在! "
Enable the security module (httpd.conf):
Load the module:
LoadModule security_module modules/mod_security.so
Include conf/mod_security.conf
Disable the TRACE method to prevent XSS cross-site attacks (medium risk) (httpd.conf):
TraceEnable off
Disallow embedding in iframes (httpd.conf):
Load the module:
LoadModule headers_module modules/mod_headers.so
Header always append X-Frame-Options SAMEORIGIN
(1) append X-Frame-Options: DENY --- the page may not be displayed in a frame at all, not even when embedded by a page on the same domain.
(2) append X-Frame-Options: SAMEORIGIN --- the page may be displayed in a frame only by pages on the same domain.
(3) append X-Frame-Options: ALLOW-FROM https://example.com/ --- the page may be displayed in a frame only by the specified origin.
Hide the Apache version number (httpd.conf):
ServerTokens Prod
ServerSignature Off
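As an added example (not part of the original post), the following Python script checks a raw HTTP response for the settings configured above: ServerTokens Prod, the X-Frame-Options header (including the merged-value case that "Header append" can produce when the application already sets the header), TraceEnable off, and the HttpOnly cookie flag the title refers to. Both responses are constructed samples, not captures from a real server.

```python
import re
# Constructed sample responses to a TRACE request (not captured from a real server).
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (Unix)\r\n"
    "X-Frame-Options: DENY, SAMEORIGIN\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Content-Type: message/http\r\n\r\n"
)
HARDENED = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, [(lower_name, value), ...]), keeping duplicate headers."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    headers = []
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(raw, method="GET"):
    """Return finding codes for the httpd settings discussed above."""
    status, headers = parse_response(raw)
    def values(name):
        return [v for k, v in headers if k == name]
    findings = []
    # ServerTokens Prod reduces the Server header to the bare product name "Apache".
    if any(re.search(r"apache/\d", v, re.I) for v in values("server")):
        findings.append("server-version-leak")
    # 'Header append' merges with any value the application already set; browsers do
    # not accept conflicting X-Frame-Options values, and ALLOW-FROM is no longer honoured.
    xfo = {v.strip().upper() for h in values("x-frame-options") for v in h.split(",")}
    if not xfo:
        findings.append("xfo-missing")
    elif len(xfo) > 1 or not xfo <= {"DENY", "SAMEORIGIN"}:
        findings.append("xfo-invalid:" + ",".join(sorted(xfo)))
    # TraceEnable off makes httpd answer TRACE with 405 instead of echoing the request.
    if method == "TRACE" and status == 200:
        findings.append("trace-enabled")
    # Cookies without HttpOnly are readable by script even without TRACE.
    for cookie in values("set-cookie"):
        if "httponly" not in {a.strip().lower() for a in cookie.split(";")[1:]}:
            findings.append("cookie-no-httponly:" + cookie.split("=", 1)[0])
    return findings
```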
References:
Enhancing web security with mod_security
http://blog.csdn.net/jiangxinyu/article/details/1473411
See also:
mod_security.conf file
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:502"
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#SecUploadDir /tmp
SecUploadKeepFiles Off
SecAuditEngine RelevantOnly
SecAuditLog logs/mod_sec.log
#SQL INJECT
SecFilter "delete[[:space:]]+from"
SecFilter "drop+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "union.+from"
#SecFilter "'"
SecFilter "and\++"
SecFilter "( |\n)*function"
SecFilter /etc/*passwd
SecFilter /bin/*sh
SecFilter "/././"
SecFilter "\.\./"
#SecFilter "<( |\n)*script"
#SecFilter "<( |\n)*object"
SecFilter "<( |\n)*input"
#SecFilter "( |\n)*script"
SecFilter "<(.|\n)*iframe"
SecFilter "<(.|\n)*IFRAME"
SecFilter "<(.|\n)*img"
SecFilter "<(.|\n)*IMG"
#SecFilter "<(.|\n)+>"
SecFilter "(.|\n)<src*>"
#SecFilter "<(.|\n)*"
SecFilter "(.|\n)*</input"
SecFilter "(.|\n)[[:space:]]*scr\x69pt"
SecFilter "<(.|\n)+>"
SecFilter "<"
SecFilter ">"
#SecFilter "<[[:space:]]*script"
SecFilter "<[[:space:]]*alert"
###new filters
SecFilter "alert\(.+"
SecFilter %27--+
SecFilter %27%27\|
SecFilter "'--+"
SecFilter "''\|+"
SecFilter %22%2B+
SecFilter %2B*%2B*+
SecFilter ".\+.\+"
SecFilter "alert+"
#SecFilter %22alert+
httpd-mpm.conf tuning
Tune the following section:
StartServers 20
MinSpareServers 50
MaxSpareServers 100
ServerLimit 2000
MaxClients 2000
MaxRequestsPerChild 10000