Apache安全加固--修復(fù)SSL/TLS弱密碼漏洞（中危）和禁用TRACE/TRACK方法（高危）

先看看掃描到的漏洞截圖

下面是詳細(xì)的操作解決方案（以下的配置經(jīng)過了多次的修改才將漏洞真正修復(fù)完畢）：

安全配置一：

[root@liulingli html]# find / -name .htaccess

/var/www/html/wp-content/cache/autoptimize/.htaccess

vim /var/www/html/wp-content/cache/autoptimize/.htaccess

添加如下5行

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REQUEST_METHOD}^(TRACE|TRACK)

RewriteRule .*-[F]

</ifModule>

重啟httpd服務(wù)

[root@liulingli html]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

安全配置二：

echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf

sysctl -p

安全配置三：

vim /etc/httpd/conf.d/ssl.conf

原來的配置

#   SSL Protocol support:

# List the enable protocol levels with which clients will be able to

# connect.  Disable SSLv2 access by default:

SSLProtocol all -SSLv2

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

修改成以下配置：

SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!MD5:!DSS:!RC4

并且添加以下三行

RewriteEngine on

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)

RewriteRule .* - [F]

</VirtualHost>

service httpd restart

注意}后面有空格，否則無法重啟httpd服務(wù)

再次對網(wǎng)站進(jìn)行掃描，發(fā)現(xiàn)高危和中危漏洞警報(bào)都已經(jīng)消除。

經(jīng)過了10次修改和掃描，才最終解決。