Apache version: Apache 2.2.3, install directory /usr/local/apache2
Vulnerability 1: the scanner reported that the TRACE method is enabled on the target server
Add TraceEnable off at the end of /usr/local/apache2/conf/httpd.conf
Restart Apache:
cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start
Scan again: the vulnerability is gone
========================================================
Vulnerability 2: the scanner reported that the target host may be vulnerable to a slow HTTP denial-of-service attack
The fix found via a Baidu search:
Limit the maximum time the web server allows for receiving the HTTP headers. Add the following configuration in /usr/local/apache2/conf/httpd.conf:
RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500
Restart Apache:
cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start
Scan again: the vulnerability is still there.
It seems the configuration did not take effect: reqtimeout_module has to be loaded first, otherwise the directive inside its conditional block never applies.
Add LoadModule reqtimeout_module modules/mod_reqtimeout.so to the conf file above
The restart fails with an error: the module cannot be found.
Go into the modules directory
cd /usr/local/apache2/modules
mod_reqtimeout.so really is not there
So the next step is to add this module. There are two ways:
1. Reinstall Apache, including the module at install time
2. Do not reinstall; add only the required new module
With the machine currently running in production, the second option is the obvious choice. The process is as follows:
Loading a new module without reinstalling Apache:
Go to the root directory and check the version
[root@localhost /]# httpd -V
Server version: Apache/2.2.3
Server built: Apr 9 2010 15:05:43
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
Find the directory containing the module's source code
[root@localhost /]# find . -name "mod_reqtimeout*"
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html.en
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dep
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.mak
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dsp
That is ./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c
[root@localhost /]# cd ./app/httpd-2.2.25/modules/filters
[root@localhost filters]#
Compile into a .o file (/usr/local/apache2/bin is Apache's bin directory)
[root@localhost filters]# /usr/local/apache2/bin/apxs -c mod_reqtimeout.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache2//include -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_reqtimeout.lo mod_reqtimeout.c && touch mod_reqtimeout.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_reqtimeout.la -rpath /usr/local/apache2//modules -module -avoid-version mod_reqtimeout.lo
Link into a .so library
[root@localhost filters]# gcc -shared -o mod_reqtimeout.so mod_reqtimeout.o
Install
[root@localhost filters]# /usr/local/apache2/bin/apxs -i -A -n mod_reqtimeout mod_reqtimeout.so
/usr/local/apache2//build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_reqtimeout.so /usr/local/apache2//modules
/usr/lib64/apr-1/build/libtool --mode=install cp mod_reqtimeout.so /usr/local/apache2//modules/
cp mod_reqtimeout.so /usr/local/apache2//modules/mod_reqtimeout.so
Warning! dlname not found in /usr/local/apache2//modules/mod_reqtimeout.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/apache2//modules/mod_reqtimeout.so
[preparing module `mod_reqtimeout' in /usr/local/apache2//conf/httpd.conf]
[root@localhost filters]# ls -rlt /usr/local/apache2//modules/mod_reqtimeout.so
-rwxr-xr-x 1 root root 16279 02-18 21:05 /usr/local/apache2//modules/mod_reqtimeout.so
[root@localhost filters]# cd /usr/local/apache2//conf
[root@localhost conf]# diff httpd.conf httpd.conf.bak
434d433
< #LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
[root@localhost conf]# vi httpd.conf
Change the line apxs inserted (commented out, and with a module identifier built from the -n argument rather than the module's real name)
#LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
to
LoadModule reqtimeout_module modules/mod_reqtimeout.so
Then add
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Restart Apache, scan again, and the vulnerability is gone
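As an added example (not part of the original post), the shell script below audits an httpd.conf for the end state the post arrives at: a TraceEnable off line, an active LoadModule reqtimeout_module line, and a RequestReadTimeout directive. It runs offline on two constructed sample configs: one modelled on the intermediate state where the directive sits inside an <IfModule reqtimeout_module> block while the LoadModule line is still the commented-out, mis-named one that apxs -A wrote (an assumed layout), and one with the final configuration. The sample file contents and the function names are mine; the script only inspects the text of a single file and does not follow Include directives, so the rescan the post describes remains the real confirmation.

```shell
#!/bin/sh
# Added example, not from the original post: audit an httpd.conf for the two
# fixes the post applies. Works on the text of one file only; Include files
# are not expanded (assumption: everything relevant is in this file).

# Return 0 if file $1 has an active (uncommented) line matching ERE $2.
# Apache directive names are case-insensitive, hence grep -i.
has_active_directive() {
    grep -Eiq "^[[:space:]]*$2" "$1"
}

# Print the name of every failed check, one per line. Always exits 0 so it
# can be used inside command substitution under set -e.
failed_checks() {
    conf=$1
    # TraceEnable defaults to on in Apache 2.2, so it must be set explicitly.
    has_active_directive "$conf" 'TraceEnable[[:space:]]+off([[:space:]]|$)' \
        || echo "TraceEnable"
    # The identifier must be exactly reqtimeout_module; a commented-out line
    # or the apxs-generated mod_reqtimeout_module leaves the module unloaded.
    has_active_directive "$conf" 'LoadModule[[:space:]]+reqtimeout_module[[:space:]]' \
        || echo "reqtimeout_module"
    # Without a header timeout, slow-header requests hold a worker forever.
    has_active_directive "$conf" 'RequestReadTimeout[[:space:]]+header=[0-9]+' \
        || echo "RequestReadTimeout"
    return 0
}

# Human-readable audit: returns 0 when every check passes, 1 otherwise.
audit_httpd_conf() {
    failures=$(failed_checks "$1")
    if [ -z "$failures" ]; then
        echo "OK: $1 disables TRACE and bounds slow-header requests"
        return 0
    fi
    printf 'FAIL: %s is missing:' "$1"
    for f in $failures; do printf ' %s' "$f"; done
    printf '\n'
    return 1
}

# Constructed sample: the intermediate state from the post. The directive is
# present but inside an IfModule block, and the LoadModule line apxs -A
# inserted is still commented out and mis-named, so nothing takes effect.
write_before_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule dir_module modules/mod_dir.so
#LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
<IfModule reqtimeout_module>
    RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

# Constructed sample: the final state from the post.
write_after_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule dir_module modules/mod_dir.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
TraceEnable off
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

# Stand-alone demo: write both samples to a temp dir and audit them.
tmp=$(mktemp -d)
write_before_conf "$tmp/before.conf"
write_after_conf "$tmp/after.conf"
for f in "$tmp/before.conf" "$tmp/after.conf"; do
    audit_httpd_conf "$f" || :
done
rm -rf "$tmp"
```

Run it against the real file with audit_httpd_conf /usr/local/apache2/conf/httpd.conf after editing; a non-zero exit means one of the three settings is absent or still commented out. Pair it with apachectl configtest, which catches the case where RequestReadTimeout appears outside an IfModule block before the module is loaded.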