NSFOCUS (绿盟科技) Linux vulnerability scan: fixing the Apache findings

Apache version: Apache 2.2.3, install directory /usr/local/apache2

Vulnerability 1: the target server has the TRACE method enabled

Append TraceEnable off to the end of /usr/local/apache2/conf/httpd.conf.

Restart Apache:

cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start

Re-scan: the finding is gone.

========================================================

Vulnerability 2: the target host may be vulnerable to a slow HTTP denial-of-service attack

Solution found via Baidu:

Limit the maximum time the web server allows for receiving the HTTP request headers, by adding the following to /usr/local/apache2/conf/httpd.conf (header=5-40,MinRate=500 gives a client 5 seconds to send its headers, extended by 1 second for every 500 bytes received, up to 40 seconds; body=20,MinRate=500 does the same for the request body starting from 20 seconds):

RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500

Restart Apache:

cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start

Re-scan: the finding is still there.

Apparently the configuration did not take effect: reqtimeout_module has to be loaded first, otherwise the conditional block the directive sits in is never entered.

Add LoadModule reqtimeout_module modules/mod_reqtimeout.so to the same conf file.

The restart now fails with an error: the module cannot be found.

Go to the modules directory:

cd /usr/local/apache2/modules

Indeed, there is no mod_reqtimeout.so (mod_reqtimeout only entered Apache in 2.2.15, so a 2.2.3 build never shipped it).

So the module has to be added, and there are two ways to do that:

1. Reinstall Apache and include the module in the build.

2. Keep the existing install and add only the new module.

Since the machine is in production, the second option is the obvious choice. The procedure follows.

How to load a new module without reinstalling Apache:

Go to the root directory and check the version. The line that matters is Server's Module Magic Number: a module built from a different source tree will only load if its major MMN matches the running binary. Note also that HTTPD_ROOT="/etc/httpd" in the output below is the layout of a distribution package rather than of /usr/local/apache2, so make sure the httpd being queried (a bare httpd is whichever comes first in PATH) is the one that actually serves traffic; /usr/local/apache2/bin/httpd -V removes the doubt.

[root@localhost /]# httpd -V
Server version: Apache/2.2.3
Server built: Apr 9 2010 15:05:43
Server's Module Magic Number: 20051115:3
Server loaded: APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/usr/sbin/suexec"
-D DEFAULT_PIDLOG="run/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

Search for the directory holding the module's source code:

[root@localhost /]# find . -name "mod_reqtimeout*"
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html.en
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dep
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.mak
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dsp

The file we need is ./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c. The source tree is 2.2.25 while the running server is 2.2.3; that works only because every 2.2.x release shares the major Module Magic Number 20051115 shown by httpd -V above.

[root@localhost /]# cd ./app/httpd-2.2.25/modules/filters
[root@localhost filters]#

Compile it into an object file (apxs lives in /usr/local/apache2/bin, the Apache install directory):

[root@localhost filters]# /usr/local/apache2/bin/apxs -c mod_reqtimeout.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache2//include -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_reqtimeout.lo mod_reqtimeout.c && touch mod_reqtimeout.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_reqtimeout.la -rpath /usr/local/apache2//modules -module -avoid-version mod_reqtimeout.lo

Link it into a shared library (apxs -c already produced mod_reqtimeout.la through libtool; this step links the mod_reqtimeout.o that libtool left behind into a plain .so):

[root@localhost filters]# gcc -shared -o mod_reqtimeout.so mod_reqtimeout.o

Install it (-i copies the .so into modules/, -A appends a commented-out LoadModule line to httpd.conf, and -n mod_reqtimeout is the name that line is built from):

[root@localhost filters]# /usr/local/apache2/bin/apxs -i -A -n mod_reqtimeout mod_reqtimeout.so
/usr/local/apache2//build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_reqtimeout.so /usr/local/apache2//modules
/usr/lib64/apr-1/build/libtool --mode=install cp mod_reqtimeout.so /usr/local/apache2//modules/
cp mod_reqtimeout.so /usr/local/apache2//modules/mod_reqtimeout.so
Warning! dlname not found in /usr/local/apache2//modules/mod_reqtimeout.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/apache2//modules/mod_reqtimeout.so
[preparing module `mod_reqtimeout' in /usr/local/apache2//conf/httpd.conf]
[root@localhost filters]# ls -rlt /usr/local/apache2//modules/mod_reqtimeout.so
-rwxr-xr-x 1 root root 16279 02-18 21:05 /usr/local/apache2//modules/mod_reqtimeout.so
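The build-and-install steps above, scripted with the compatibility check the post does by eye. This is an added example, not code from the original post: APACHE, SRC and MODULE default to the paths the post uses and are assumptions you override in the environment; it relies on apxs -c -i -a (compile, install, add an active LoadModule line) and on httpd -t / httpd -M, which exist in 2.2. Without -n, apxs derives the module identifier from the file name with the leading mod_ stripped, so the LoadModule line it writes is already the correct reqtimeout_module.

```shell
#!/bin/sh
# Added example (not from the original post): add one module to an existing
# Apache install without rebuilding it, refusing to proceed when the source
# tree's Module Magic Number does not match the running binary.
# Usage: sh add_module.sh run   (build, install, verify)
#        sh add_module.sh       (demo the MMN parsing on constructed input)
APACHE=${APACHE:-/usr/local/apache2}     # assumption: install dir from the post
SRC=${SRC:-/app/httpd-2.2.25}           # assumption: source tree from the post
MODULE=${MODULE:-reqtimeout}            # builds mod_$MODULE.c, expects ${MODULE}_module

# Major part of a Module Magic Number such as "20051115:3". A module built
# from another source tree loads only if this part matches the running
# binary; all 2.2.x releases share 20051115, which is why 2.2.25 sources
# could serve a 2.2.3 server in the post.
mmn_major() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Extract the MMN from `httpd -V` output read on stdin.
mmn_from_httpd_v() {
    sed -n 's/^Server.*Module Magic Number:[[:space:]]*//p' | head -n 1
}

# MMN major a source tree was written for (include/ap_mmn.h).
mmn_major_from_source() {
    sed -n 's/^#define MODULE_MAGIC_NUMBER_MAJOR[[:space:]]*\([0-9]*\).*/\1/p' \
        "$1/include/ap_mmn.h" | head -n 1
}

# True when both values are present and their major parts agree.
mmn_compatible() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$(mmn_major "$1")" = "$(mmn_major "$2")" ]
}

build_and_install() {
    running=$("$APACHE/bin/httpd" -V | mmn_from_httpd_v)
    source=$(mmn_major_from_source "$SRC")
    if ! mmn_compatible "$running" "$source"; then
        echo "refusing to build: running MMN $running, source MMN major $source" >&2
        return 1
    fi
    cd "$SRC/modules/filters" || return 1
    # -c compiles and links through libtool, -i installs into modules/, -a
    # appends an active LoadModule line (use -A for a commented-out one, as
    # the post did). No -n: apxs then names the module reqtimeout_module.
    "$APACHE/bin/apxs" -c -i -a "mod_$MODULE.c" || return 1
    "$APACHE/bin/httpd" -t || return 1      # syntax check before any restart
    "$APACHE/bin/httpd" -M 2>&1 | grep -q "${MODULE}_module" || return 1
    echo "${MODULE}_module is loaded; restart httpd to apply it"
}

if [ "${1:-}" = "run" ]; then
    build_and_install
else
    # Constructed excerpt of httpd -V output, matching the post.
    demo='Server version: Apache/2.2.3
Server'\''s Module Magic Number: 20051115:3'
    mmn=$(printf '%s\n' "$demo" | mmn_from_httpd_v)
    echo "running MMN $mmn, major $(mmn_major "$mmn")"
fi
```

The script still leaves the restart to you, so the LoadModule line can be reviewed first; the MMN refusal is the check that would have stopped a mismatched 2.4 source tree from producing a module that httpd rejects at startup.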

[root@localhost filters]# cd /usr/local/apache2//conf
[root@localhost conf]# diff httpd.conf httpd.conf.bak
434d433
< #LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so

The only difference from the backup is the line apxs -A appended. Its module identifier is wrong, though: because of -n mod_reqtimeout, apxs named it mod_reqtimeout_module, but the structure exported by mod_reqtimeout.so is reqtimeout_module (apxs would have derived that itself from the file name, from which it strips the leading mod_, had -n been omitted). So edit the file:

[root@localhost conf]# vi httpd.conf

and change
#LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
to
LoadModule reqtimeout_module modules/mod_reqtimeout.so

then add
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

Restart Apache and re-scan: the finding is gone.
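A post-remediation audit for both findings (the TRACE method and the slow-HTTP timeout), written as an added example rather than taken from the post. It reads an httpd.conf and checks what the scanner cannot see: that TraceEnable off is the effective value, that mod_reqtimeout is loaded under the identifier it really exports, and that the LoadModule line comes before RequestReadTimeout, which is the ordering mistake the post ran into. The sample config it runs on with no arguments is constructed here; the probe_trace function assumes curl and a reachable server and is not invoked automatically.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf for the
# two NSFOCUS findings. Run with no argument to exercise it on a constructed
# sample; pass a path such as /usr/local/apache2/conf/httpd.conf otherwise.

# Value of the last uncommented occurrence of a directive; httpd keeps the
# last one it reads. Prints nothing when the directive is not set.
effective_directive() {
    # $1 = conf file, $2 = directive name (case-insensitive, as in httpd)
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
        sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//'
}

# Line number of the first uncommented line matching an extended regex.
first_line_of() {
    # $1 = conf file, $2 = regex
    grep -nE "$2" "$1" | head -n 1 | cut -d: -f1
}

# Finding 1: TRACE is on by default, so an absent directive is a failure.
check_trace_disabled() {
    val=$(effective_directive "$1" TraceEnable | tr '[:upper:]' '[:lower:]')
    [ "$val" = "off" ]
}

# Finding 2: the module must be loaded as reqtimeout_module and that line
# must precede RequestReadTimeout. httpd reads the file top to bottom: an
# <IfModule reqtimeout_module> block seen before the LoadModule is skipped,
# and a bare RequestReadTimeout before it is rejected as an unknown command.
check_reqtimeout() {
    load=$(first_line_of "$1" '^[[:space:]]*LoadModule[[:space:]]+reqtimeout_module[[:space:]]')
    rrt=$(first_line_of "$1" '^[[:space:]]*RequestReadTimeout[[:space:]]')
    [ -n "$load" ] && [ -n "$rrt" ] && [ "$load" -lt "$rrt" ]
}

# Live confirmation of finding 1: with TraceEnable off, httpd answers TRACE
# with 405 Method Not Allowed. Needs curl and a running server (assumption).
probe_trace() {
    # $1 = base URL, e.g. http://127.0.0.1/
    code=$(curl -s -o /dev/null --max-time 5 -X TRACE -w '%{http_code}' "$1")
    printf 'TRACE %s -> HTTP %s\n' "$1" "$code"
    [ "$code" = "405" ]
}

# Report on one config file; exit status 0 only if both findings are fixed.
audit() {
    rc=0
    if check_trace_disabled "$1"; then
        echo "OK   TraceEnable off"
    else
        echo "FAIL TraceEnable is not off"; rc=1
    fi
    if check_reqtimeout "$1"; then
        echo "OK   reqtimeout_module loaded before RequestReadTimeout"
    else
        echo "FAIL mod_reqtimeout not loaded, or loaded after RequestReadTimeout"; rc=1
    fi
    # The identifier apxs -A -n mod_reqtimeout wrote in the post.
    if grep -qE '^[[:space:]]*LoadModule[[:space:]]+mod_reqtimeout_module' "$1"; then
        echo "HINT LoadModule uses mod_reqtimeout_module; the .so exports reqtimeout_module"
    fi
    return $rc
}

# Constructed sample config reflecting the state the post ends in.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule reqtimeout_module modules/mod_reqtimeout.so
TraceEnable off
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
EOF
}

if [ $# -eq 0 ]; then
    sample=$(mktemp); write_sample_conf "$sample"; audit "$sample"; rm -f "$sample"
else
    audit "$1"
fi
```

Run it against the real httpd.conf after every edit and before the restart; the ordering check reproduces the first failed attempt in the post (RequestReadTimeout inside a conditional block that was evaluated before the module existed), and probe_trace gives an answer that does not depend on waiting for the next scheduled scan.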
