Handling Linux-related security vulnerability findings
Posted by Luxf0
I. Preface
Recently the customer ran a vulnerability scanner against every host in the network environment and it turned up a long list of findings. The best remediation is of course to upgrade the affected system components to their latest versions.
However, the software stack depends on a number of third-party open-source components, the versions shipped by the operating system's official repositories are relatively old, and upgrading that many components in production at once is too disruptive. At the same time, the customer's deployment sits on an internal network, so the baseline risk is comparatively low.
Taking these factors together, the following approaches were used to mitigate the flagged findings instead of upgrading:
- change the service port number
- change the software version number or banner information
- block unrelated external access with the firewall
II. Handling common findings
1. FTP service
1.1 Finding details
- Name: FTP server version information can be obtained (CVE-1999-0614)
- Remedy: the scanner recommends the following measure to reduce the threat: modify the source code or the configuration file to change the default banner.
1.2 Detection
Connect to port 21 of the host with telnet; the FTP software version (vsftpd 3.0.3) is disclosed in the greeting:
[root@node111 ~]# telnet 172.16.21.61 21
Trying 172.16.21.61...
Connected to 172.16.21.61.
Escape character is '^]'.
220 (vsFTPd 3.0.3)
1.3 Remediation
There are two options:
- If the FTP service is not needed, stop and disable vsftpd; a telnet connection then times out.
systemctl stop vsftpd
systemctl disable vsftpd
- If the FTP service is needed, change the vsftpd banner so that telnet can no longer read the software version.
Note: the configuration file path differs between distributions (it may be /etc/vsftpd.conf or /etc/vsftpd/vsftpd.conf).
echo "ftpd_banner=this is vsftpd" >> /etc/vsftpd.conf
systemctl restart vsftpd
2. NFS service
2.1 Finding details
- Name: target host leaks information via showmount -e (CVE-1999-0554)
- Description: "showmount -e" can be run against the target host, which discloses a large amount of sensitive information such as the directory structure. Worse, if access control is lax, an attacker may be able to access the data on the target host directly.
- Remedy: the scanner recommends the following measures to reduce the threat: restrict the IP addresses and users that can retrieve the NFS export list; unless absolutely necessary, disable the NFS and MOUNTD services.
2.2 Detection
Run showmount -e <nfs-server-ip> from any client; the NFS export list is returned:
root@node111:~# showmount -e 172.16.21.62
Export list for 172.16.21.62:
/cephfuse/test5 *
2.3 Remediation
By default the NFS server applies no restriction at all: any host can run "showmount -e" against it.
When a client IP connects, Linux (TCP wrappers) first checks whether /etc/hosts.allow permits it; if so, the connection is accepted immediately. If not, it then checks whether /etc/hosts.deny forbids it; if so, the connection is refused (a connection matched by neither file is accepted).
The relationship between the two files is therefore: /etc/hosts.allow takes precedence over /etc/hosts.deny.
The service_name must be the same as the program name under /etc/rc.d/init.d/*.
- 1. Edit /etc/hosts.deny so that no client is allowed to reach the rpcbind service by default:
echo "rpcbind:ALL:deny" >> /etc/hosts.deny
- 2. Edit /etc/hosts.allow and add the client IP addresses that are allowed to reach rpcbind.
Note: once this is in place, whitelisted clients can still run showmount -e <nfs-server-ip> normally, while clients outside the whitelist are refused.
echo "rpcbind:172.16.21.62,172.16.21.86:allow" >> /etc/hosts.allow
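The following is an added example, not part of the original post: a small simulator of the lookup order described above (hosts.allow first, then hosts.deny, accept if neither matches), so the effect of the two echo commands can be checked before the real files are touched. It writes constructed copies of the two files into a temporary directory, and its matcher is deliberately simplified to exact daemon names, exact IPv4 addresses and the keyword ALL (real TCP wrappers also understand wildcards, network/mask pairs and host names). Two caveats the post does not spell out: hosts.allow and hosts.deny only govern daemons linked against libwrap, and hiding the export list from rpcbind does not by itself restrict who may mount; that still comes from the client list in /etc/exports.

```shell
#!/bin/sh
# Added example, not from the post: simulate TCP wrappers' decision order.
# Rule lines have the form   daemon_list : client_list [: action]
# Matching is simplified (exact names, exact IPv4 addresses, ALL).

# True if comma-separated list $2 contains $1 or the keyword ALL.
in_list() {
    item=$1
    saved_ifs=$IFS
    IFS=,
    for entry in $2; do
        if [ "$entry" = ALL ] || [ "$entry" = "$item" ]; then
            IFS=$saved_ifs
            return 0
        fi
    done
    IFS=$saved_ifs
    return 1
}

# True if daemon $1 connecting from client $2 matches a rule in file $3.
wrap_file_matches() {
    daemon=$1; client=$2; file=$3
    [ -r "$file" ] || return 1
    while IFS=: read -r dlist clist _action; do
        dlist=$(printf '%s' "$dlist" | tr -d ' \t')
        clist=$(printf '%s' "$clist" | tr -d ' \t')
        case $dlist in ''|'#'*) continue ;; esac     # skip blank and comment lines
        if in_list "$daemon" "$dlist" && in_list "$client" "$clist"; then
            return 0
        fi
    done < "$file"
    return 1
}

# Print allow or deny for daemon $1 and client $2, using allow file $3 and deny file $4.
tcpwrap_decision() {
    if wrap_file_matches "$1" "$2" "$3"; then
        echo allow      # listed in hosts.allow: accepted, hosts.deny is never consulted
    elif wrap_file_matches "$1" "$2" "$4"; then
        echo deny       # not explicitly allowed and matched in hosts.deny
    else
        echo allow      # matched by neither file: accepted by default
    fi
}

# Constructed copies of the two files as the echo commands above would leave them.
DEMO_DIR=$(mktemp -d)
printf 'rpcbind:ALL:deny\n' > "$DEMO_DIR/hosts.deny"
printf 'rpcbind:172.16.21.62,172.16.21.86:allow\n' > "$DEMO_DIR/hosts.allow"

for client in 172.16.21.62 172.16.21.99; do
    printf 'rpcbind from %-14s -> %s\n' "$client" \
        "$(tcpwrap_decision rpcbind "$client" "$DEMO_DIR/hosts.allow" "$DEMO_DIR/hosts.deny")"
done
```

Point the last two arguments at the real /etc/hosts.allow and /etc/hosts.deny to see how the host would answer a given client, bearing the simplified matcher in mind.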
3. nginx service
3.1 Finding details
- Name: remote WWW service information can be obtained over HTTP (CVE-1999-0633)
- Description: this plugin detects the remote HTTP server's information. That may let an attacker learn the remote system type in preparation for further attacks.
3.2 Detection
Run curl -i <server-ip> from any client; the nginx version (nginx/1.10.3 (Ubuntu)) is returned in the Server header:
[root@node111 ~]# curl -i 172.16.21.62
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
3.3 Remediation
Hide the nginx version by setting server_tokens off. The sed command below inserts the directive at line 29 of this particular nginx.conf, which falls inside its http block; check the line number against your own file, or add the directive to the http block by hand.
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
sed -i '29i server_tokens off;' /etc/nginx/nginx.conf
systemctl restart nginx
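The following is an added example, not part of the original post, covering the FTP remediation in 1.3 and the nginx remediation in 3.3 together: a self-check that re-reads the banners the scanner flagged and reports whether a dotted version number is still visible after the change. The records it runs over are constructed samples in the shapes shown in 1.2 and 3.2 (a vsftpd 220 greeting and an nginx Server header), before and after remediation; the probe_* functions are assumed helpers, not exercised here, for running the same check against a live host with curl.

```shell
#!/bin/sh
# Added example, not from the post: post-hardening banner self-check.

# True (exit 0) when the banner still carries something like 3.0.3 or 1.10.3.
leaks_version() {
    printf '%s\n' "$1" | grep -Eq '[0-9]+\.[0-9]+(\.[0-9]+)*'
}

# Print the first dotted version found in the banner, or "none".
banner_version() {
    ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)*' | head -n 1)
    if [ -n "$ver" ]; then printf '%s\n' "$ver"; else printf 'none\n'; fi
}

# Live probes (assumed helpers, not run here): curl's verbose FTP output shows
# the 220 greeting; -I fetches only the HTTP headers.
probe_ftp_banner() {          # usage: probe_ftp_banner HOST
    curl -s -v --max-time 5 "ftp://$1/" 2>&1 | grep '^< 220' | sed 's/^< //'
}
probe_http_server_header() {  # usage: probe_http_server_header HOST
    curl -s -I --max-time 5 "http://$1/" | grep -i '^Server:'
}

# Constructed "label|banner" records: the two findings before and after fixing.
sample_banners() {
    cat <<'EOF'
ftp-before|220 (vsFTPd 3.0.3)
ftp-after|220 this is vsftpd
nginx-before|Server: nginx/1.10.3 (Ubuntu)
nginx-after|Server: nginx
EOF
}

# Report each record read from stdin as LEAK or ok.
audit_banners() {
    while IFS='|' read -r label banner; do
        if leaks_version "$banner"; then
            printf 'LEAK  %-13s %s  (version %s)\n' "$label" "$banner" "$(banner_version "$banner")"
        else
            printf 'ok    %-13s %s\n' "$label" "$banner"
        fi
    done
}

# Count the records read from stdin that still leak a version.
count_leaks() {
    n=0
    while IFS='|' read -r label banner; do
        leaks_version "$banner" && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

sample_banners | audit_banners
echo "records still leaking a version: $(sample_banners | count_leaks)"
```

To check a real host, feed the output of the probe helpers into audit_banners in the same "label|banner" form. Note that server_tokens off still announces "nginx" and the vsftpd banner still names the product; only the version string disappears, which is all the scanner asked for.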
4. ICMP
4.1 Finding details
- Name: ICMP timestamp request/response (CVE-1999-0524)
- Description: the remote host answers ICMP_TIMESTAMP queries with its current system time. This may let an attacker defeat protocols whose authentication depends on time.
- Remedy: filter incoming ICMP timestamp (type 13) packets and outgoing ICMP timestamp reply packets at your firewall.
- Returned data:
  originate timestamp: 00000000
  receive timestamp: 01da0ff0
  transmit timestamp: 01da0ff0
4.2 Detection
- Build the timestamp program on the client (it is located at ./unp/program/icmp/icmptime/timestamp):
git clone https://gitee.com/ivan_allen/unp.git
cd unp/program
yum install lksctp-tools-devel.x86_64 -y
make
- Run ./timestamp <server-ip> on the client; the server answers the ICMP timestamp request:
[root@node134 icmptime]# ./timestamp 172.16.21.62
orig = 19375242, recv = 20757775, send = 20757775, rtt = 0 ms, diff = 1382533 ms, from 172.16.21.62
4.3 Remediation
- Enable the firewall and filter incoming ICMP timestamp (type 13) packets and outgoing ICMP timestamp reply packets:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --reload
- Inspect the resulting iptables rules:
root@node63:~# iptables -L -n
Chain INPUT_direct (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 /* deny ICMP timestamp */
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 14 /* deny ICMP timestamp */
- Inspect the rules added through firewalld:
root@node63:~# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment 'deny ICMP timestamp' -j DROP
ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment 'deny ICMP timestamp' -j DROP
5. Traceroute
5.1 Finding details
- Name: Traceroute probing allowed
- Description: this plugin uses Traceroute probes to obtain the route between the scanner and the remote host. An attacker can use the same information to learn the target network's topology.
- Remedy: block ICMP packets of type echo-reply (type 0), time-exceeded (type 11) and destination-unreachable (type 3) in the firewall's outbound rules.
- Returned data:
  Traceroute Lists::
  4.21.1.72
5.2 Remediation
- Enable the firewall and block echo-reply (type 0), time-exceeded (type 11) and destination-unreachable (type 3) ICMP packets in the outbound rules. The rule actually applied below drops only type 11, on the INPUT chain:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP
firewall-cmd --reload
- Inspect the resulting iptables rules:
root@node63:~# iptables -L -n
Chain INPUT_direct (1 references)
target prot opt source destination
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 11 /* deny traceroute */
- Inspect the rules added through firewalld:
root@node63:~# firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment 'deny traceroute' -j DROP
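The following is an added example, not part of the original post, serving both 4.3 and 5.2: a check that reads an `iptables -L -n` listing and reports which of the ICMP types the scanner asked about have no DROP rule. The listing below is a constructed sample in the same format as the output shown above, containing the three rules the post adds (types 13, 14 and 11); run against it, the check confirms the timestamp rules and shows that the traceroute remedy's types 0 and 3 were not added.

```shell
#!/bin/sh
# Added example, not from the post: verify DROP rules for given ICMP types
# in an `iptables -L -n` dump read from stdin.

# Constructed sample listing in the format printed by `iptables -L -n`.
sample_rules() {
    cat <<'EOF'
Chain INPUT_direct (1 references)
target     prot opt source               destination
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 13 /* deny ICMP timestamp */
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 14 /* deny ICMP timestamp */
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11 /* deny traceroute */
EOF
}

# Usage: icmp_type_dropped TYPE < dump ; true if a DROP rule matches icmptype TYPE.
# The trailing group keeps "icmptype 1" from matching "icmptype 13".
icmp_type_dropped() {
    grep -E "^DROP[[:space:]]+icmp[[:space:]].*icmptype[[:space:]]+$1([[:space:]]|$)" >/dev/null
}

# Usage: missing_icmp_drops TYPE... < dump ; prints the types with no DROP rule.
missing_icmp_drops() {
    dump=$(cat)          # whole listing from stdin
    missing=''
    for t in "$@"; do
        printf '%s\n' "$dump" | icmp_type_dropped "$t" || missing="$missing $t"
    done
    printf '%s\n' "${missing# }"
}

# Scanner's timestamp remedy (types 13 and 14) and traceroute remedy (0, 3, 11).
echo "timestamp types missing a DROP rule:  '$(sample_rules | missing_icmp_drops 13 14)'"
echo "traceroute types missing a DROP rule: '$(sample_rules | missing_icmp_drops 0 3 11)'"
```

On the host itself, replace sample_rules with `iptables -L INPUT_direct -n`; an empty result means every requested type is covered. Dropping echo-reply (type 0) and destination-unreachable (type 3) on INPUT has side effects on the host's own outbound ping and path-MTU handling, which is presumably why the post stops at type 11.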
Linux Services and Security Management, Week 9 Assignment (Linux micro-credential)
1. Describe the complete processing of one HTTP request.
(1) Establish or handle the connection: accept or reject the request;
(2) Receive the request: the process of receiving, from a host on the network, a request message for one specific resource;
(3) Process the request: parse the request message to obtain the requested resource, the request method and related information;
(4) Access the resource: fetch the resource named in the request message;
(5) Build the response message;
(6) Send the response message;
(7) Log the request.
2. Which processing models does httpd support, and which environments is each suited to?
MPM: Multi-Processing Modules
(1) prefork: multi-process model, each process serves one request;
one master process: spawns and reaps child processes; creates the listening socket; accepts requests and dispatches each to a child for processing;
n child processes: each child handles one request;
working model: a number of idle processes are pre-spawned and kept waiting to serve user requests, bounded by a maximum and a minimum number of idle processes;
Characteristics and suitable environment: each worker process serves one user request, and even with no requests pending several idle processes are pre-spawned, so the server does not have to create a process on the fly when a request arrives; this shortens process creation time and improves connection efficiency. However, due to a characteristic of Linux, the number of worker processes is capped at 1024, and beyond that server performance drops sharply, so the maximum number of concurrent connections for the prefork model is 1024. Because each worker process is relatively independent, one crashing has no noticeable effect on the others. The model is therefore stable and reliable, suited to users with moderate concurrency who value stability.
(2) worker: multi-process, multi-threaded model, each thread serves one user request;
one master process: spawns child processes; creates the listening socket; accepts requests and dispatches them to a child for processing;
several child processes: each spawns several threads;
each thread: serves a user request;
concurrent responses: m*n
m: number of child processes
n: maximum number of threads each child can create;
Characteristics and suitable environment: because Linux has no native threads and its processes are already lightweight, differing little from threads, the worker model performs about the same as prefork on Linux in practice.
(3) event: event-driven, multi-process model, each process serves multiple requests;
one master process: spawns child processes; creates the listening socket; accepts requests and dispatches them to a child for processing;
child processes: serve multiple requests directly through an event-driven mechanism;
concurrent responses: m*n
m: number of child processes
n: number of client requests each child can serve;
httpd-2.2 (CentOS 6): event is still an experimental model;
httpd-2.4 (CentOS 7): event can be used in production;
Characteristics and suitable environment: event's concurrency is similar to worker's, likewise reaching m*n. Since each event child serves many connections, a great deal of CPU context-switching time is saved and the Linux limit of 1024 processes no longer applies, so event is the most efficient of the three models; it can break the 10K barrier (10,000 concurrent connections) and is especially suited to very large systems.
3. Compile and install a LAMP environment from source (hosting WordPress), documenting the installation, configuration and testing in detail.
Lab environment: CentOS 7.2 (192.168.1.11) + httpd-2.4.9 + mariadb-5.5.57 + php-5.4.26 + wordpress-4.8.1
1. Install the development package groups
[root@localhost ~]# yum groupinstall -y "Development Tools" "Server Platform Development"
2. Install the development packages
[root@localhost ~]# yum install -y openssl-devel pcre-devel
3. Compile and install httpd-2.4.9 (httpd 2.4 depends on apr and apr-util 1.4 or later, so build those two packages first)
(1) Compile and install apr-1.5.0
[root@localhost ~]# tar xf apr-1.5.0.tar.bz2
[root@localhost ~]# cd apr-1.5.0/
[root@localhost apr-1.5.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.5.0]# make && make install
(2) Compile and install apr-util-1.5.3
[root@localhost ~]# tar xf apr-util-1.5.3.tar.bz2
[root@localhost ~]# cd apr-util-1.5.3/
[root@localhost apr-util-1.5.3]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.5.3]# make && make install
(3) Compile and install httpd-2.4.9
[root@localhost ~]# tar xf httpd-2.4.9.tar.bz2
[root@localhost ~]# cd httpd-2.4.9/
[root@localhost httpd-2.4.9]# ./configure --prefix=/usr/local/apache24 --sysconfdir=/etc/httpd24 --enable-so --enable-ssl --enable-cgi --enable-rewrite --enable-zlib --with-pcre --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-modules=most --enable-mpms-shared=all --with-mpm=prefork
[root@localhost httpd-2.4.9]# make && make install
(4) Add the bin directory of the newly built httpd24 to PATH and re-read the profile script
[root@localhost ~]# vim /etc/profile.d/httpd24.sh
export PATH=/usr/local/apache24/bin:$PATH
[root@localhost ~]# . /etc/profile.d/httpd24.sh
(5) Link the httpd header directory into the system include path as /usr/include/apache24
[root@localhost ~]# ln -sv /usr/local/apache24/include/ /usr/include/apache24
‘/usr/include/apache24’ -> ‘/usr/local/apache24/include/’
(6) Start the freshly built httpd with the bundled apachectl, check the port and fetch the default test page
[root@localhost ~]# apachectl start
[root@localhost ~]# ss -tnl | grep :80
LISTEN 0 128 :::80 :::*
[root@localhost ~]# curl http://192.168.1.11
<html><body><h1>It works!</h1></body></html>
4. Install mariadb-5.5.57 (from the generic Linux binary tarball)
(1) Prepare the data directory /mydata/data
[root@localhost ~]# mkdir -pv /mydata/data
(2) Create the mysql user and change the ownership of the data directory
[root@localhost ~]# id mysql
id: mysql: no such user
[root@localhost ~]# useradd -r mysql
[root@localhost ~]# id mysql
uid=988(mysql) gid=983(mysql) groups=983(mysql)
[root@localhost ~]# chown -R mysql.mysql /mydata/data/
[root@localhost ~]# ls -ld /mydata/data/
drwxr-xr-x. 2 mysql mysql 6 Sep 23 16:44 /mydata/data/
(3) Unpack and initialize mariadb-5.5.57
[root@localhost ~]# tar xf mariadb-5.5.57-linux-systemd-x86_64.tar.gz -C /usr/local/
[root@localhost ~]# cd /usr/local/
[root@localhost local]# ln -sv mariadb-5.5.57-linux-systemd-x86_64/ mysql
‘mysql’ -> ‘mariadb-5.5.57-linux-systemd-x86_64/’
[root@localhost local]# cd mysql/
[root@localhost mysql]# chown -R root.mysql ./*
[root@localhost mysql]# scripts/mysql_install_db --user=mysql --datadir=/mydata/data
[root@localhost mysql]# ls /mydata/data/
aria_log.00000001 aria_log_control mysql performance_schema test
(4) Provide a configuration file for mysql
[root@localhost mysql]# cp support-files/my-large.cnf /etc/my.cnf
cp: overwrite ‘/etc/my.cnf’? y
[root@localhost mysql]# vim /etc/my.cnf
Add the following three options under [mysqld]:
datadir = /mydata/data
innodb_file_per_table = ON
skip_name_resolve = ON
(5) Provide a SysV service for mysql
[root@localhost mysql]# cp support-files/mysql.server /etc/rc.d/init.d/mysqld
[root@localhost mysql]# chkconfig --add mysqld
(6) Add the bin directory of the newly installed mysql to PATH and re-read the profile script
[root@localhost mysql]# vim /etc/profile.d/mysql.sh
export PATH=/usr/local/mysql/bin:$PATH
[root@localhost mysql]# . /etc/profile.d/mysql.sh
(7) Link the mysql header directory into the system include path as /usr/include/mysql
[root@localhost ~]# ln -sv /usr/local/mysql/include /usr/include/mysql
‘/usr/include/mysql’ -> ‘/usr/local/mysql/include’
(8) Add the mysql library directory to the dynamic linker's search path
[root@localhost ~]# vim /etc/ld.so.conf.d/mysql.conf
/usr/local/mysql/lib
[root@localhost ~]# ldconfig -v
[root@localhost ~]# ldconfig -p | grep mysql
libmysqld.so.18 (libc6,x86-64) => /usr/local/mysql/lib/libmysqld.so.18
libmysqld.so (libc6,x86-64) => /usr/local/mysql/lib/libmysqld.so
libmysqlclient.so.18 (libc6,x86-64) => /usr/lib64/mysql/libmysqlclient.so.18
libmysqlclient.so.18 (libc6,x86-64) => /usr/local/mysql/lib/libmysqlclient.so.18
libmysqlclient.so (libc6,x86-64) => /usr/local/mysql/lib/libmysqlclient.so
(9) Start the mysqld service and check that port 3306 is listening
[root@localhost ~]# service mysqld start
[root@localhost ~]# ss -tnl | grep 3306
LISTEN 0 50 *:3306 *:*
5. Compile and install php-5.4.26
(1) Install the packages needed to build php
[root@localhost ~]# yum install -y libxml2-devel libmcrypt-devel bzip2-devel
(2) Compile and install php-5.4.26
[root@localhost ~]# tar xf php-5.4.26.tar.bz2
[root@localhost ~]# cd php-5.4.26/
[root@localhost php-5.4.26]# ./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-png-dir --with-jpeg-dir --with-freetype-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --with-apxs2=/usr/local/apache24/bin/apxs --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
[root@localhost php-5.4.26]# make && make install
(3) Provide a configuration file for php, edit the httpd configuration so that it handles php, and provide a php test page
[root@localhost php-5.4.26]# cp php.ini-production /etc/php.ini
[root@localhost php-5.4.26]# vim /etc/httpd24/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php index.html
[root@localhost php-5.4.26]# vim /usr/local/apache24/htdocs/index.php
<h1>phptest</h1>
<?php
phpinfo();
?>
(4) Restart httpd and check that the php test page loads
[root@localhost php-5.4.26]# apachectl restart
6. Install and configure wordpress-4.8.1
(1) Download wordpress-4.8.1 and extract it into /usr/local/apache24/htdocs
[root@localhost ~]# wget https://cn.wordpress.org/wordpress-4.8.1-zh_CN.tar.gz
[root@localhost ~]# tar xf wordpress-4.8.1-zh_CN.tar.gz -C /usr/local/apache24/htdocs/
[root@localhost ~]# chown -R root.root /usr/local/apache24/htdocs/wordpress/
[root@localhost ~]# cd /usr/local/apache24/htdocs/wordpress/
(2) Provide the php configuration file for wordpress, create the wpdb database and grant the required privileges
[root@localhost wordpress]# cp wp-config-sample.php wp-config.php
[root@localhost wordpress]# vim wp-config.php
define('DB_NAME', 'wpdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'wppassword');
[root@localhost ~]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.5.57-MariaDB MariaDB Server
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database wpdb;
Query OK, 1 row affected (0.08 sec)
MariaDB [(none)]> grant all on wpdb.* to 'wpuser'@'localhost' identified by 'wppassword';
Query OK, 0 rows affected (0.05 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.04 sec)
MariaDB [(none)]> exit
Bye
(3) Open http://192.168.1.11/wordpress/ in a web browser, set the username and password for the registered user, and complete the WordPress installation.
4. Set up an httpd server (built from source) with the following requirements:
Provide two name-based virtual hosts:
(a) www1.stuX.com, document root /web/vhosts/www1; error log /var/log/httpd/www1.err, access log /var/log/httpd/www1.access;
(b) www2.stuX.com, document root /web/vhosts/www2; error log /var/log/httpd/www2.err, access log /var/log/httpd/www2.access;
(c) create a home page index.html for each virtual host whose content is the corresponding host name;
(d) expose httpd status information at www1.stuX.com/server-status, accessible only with a username and password (status:status);
1. For building httpd, see question 3
2. Edit the httpd configuration file: comment out DocumentRoot and enable the vhosts include
[root@localhost ~]# vim /etc/httpd24/httpd.conf
#DocumentRoot "/usr/local/apache24/htdocs"
Include /etc/httpd24/extra/httpd-vhosts.conf
3. Create the document root and log directories for both virtual hosts and provide their index.html files
[root@localhost ~]# mkdir -pv /web/vhosts/www{1,2}
[root@localhost ~]# mkdir /var/log/httpd/
[root@localhost ~]# echo www1.stu110.com > /web/vhosts/www1/index.html
[root@localhost ~]# echo www2.stu110.com > /web/vhosts/www2/index.html
4. Edit the vhosts configuration file: create the two name-based virtual hosts, set their log files and configure server-status
[root@localhost ~]# vim /etc/httpd24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www1"
    ServerName www1.stu110.com
    ErrorLog "/var/log/httpd/www1.err"
    CustomLog "/var/log/httpd/www1.access" common
    <Directory "/web/vhosts/www1">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    <Location /server-status>
        SetHandler server-status
        AuthType Basic
        AuthName "Server Status"
        AuthUserFile "/etc/httpd24/.htpasswd"
        Require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stu110.com
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
5. Generate the password file used by the server-status authentication
[root@localhost ~]# htpasswd -c -m /etc/httpd24/.htpasswd status
New password:
Re-type new password:
Adding password for user status
6. Edit the hosts file and add the host records
[root@localhost ~]# vim /etc/hosts
192.168.1.11 www1.stu100.com
192.168.1.11 www2.stu100.com
7. Check the configuration file, restart httpd and test
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# apachectl restart
[root@localhost ~]# curl www1.stu100.com
www1.stu110.com
[root@localhost ~]# curl www2.stu100.com
www2.stu110.com
5. Provide HTTPS for the second virtual host from question 4, so that users can access the site securely over https;
(1) certificate-based authentication is required; the certificate must use country (CN), state (HA), city (ZZ) and organization (MageEdu);
(2) set the department to Ops, the host name to www2.stuX.com and the e-mail to [email protected];
1. Create a private CA, then sign and issue the certificate
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.................................................................................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stu110.com
Email Address []:[email protected]
[root@localhost CA]# cd /etc/httpd24/
[root@localhost httpd24]# mkdir ssl
[root@localhost httpd24]# cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
...................................+++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www2.stu110.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# openssl ca -in /etc/httpd24/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 23 14:02:30 2017 GMT
            Not After : Sep 23 14:02:30 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HA
            organizationName          = MageEdu
            organizationalUnitName    = Ops
            commonName                = www2.stu110.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F1:62:C9:95:0C:45:BA:BC:83:D7:41:54:F1:5C:93:7B:25:BB:6A:FB
            X509v3 Authority Key Identifier:
                keyid:D0:5E:8F:AD:FC:62:2C:0E:46:78:C0:A7:7E:EC:95:7A:80:00:D9:3D
Certificate is to be certified until Sep 23 14:02:30 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# cp /etc/pki/CA/certs/httpd.crt /etc/httpd24/ssl/
[root@localhost ssl]# ls
httpd.crt httpd.csr httpd.key
2. Install the ssl module, remove the www2.stu110.com definition from httpd-vhosts, enable the ssl module in the main configuration file and configure ssl for www2.stu110.com
[root@localhost ~]# yum install -y mod_ssl
[root@localhost ~]# vim /etc/httpd24/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include /etc/httpd24/extra/httpd-ssl.conf
[root@localhost ~]# vim /etc/httpd24/extra/httpd-ssl.conf
Listen 443
SSLPassPhraseDialog builtin
<VirtualHost *:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stu110.com:443
    ErrorLog "/var/log/httpd/www2.err"
    CustomLog "/var/log/httpd/www2.access" common
    SSLEngine on
    SSLCertificateFile /etc/httpd24/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd24/ssl/httpd.key
    <Directory "/web/vhosts/www2">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
3. Check the configuration file, restart httpd and test
[root@localhost ~]# httpd -t
Syntax OK
[root@localhost ~]# apachectl restart
Open https://www2.stu100.com/ in a web browser
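The following is an added example, not part of the assignment answer above: the same private-CA procedure done non-interactively (-subj instead of the prompts) and finished with an openssl verify check, so it can be scripted and tested. Two things differ from the answer by design and are assumptions of this example: the server certificate gets a subjectAltName, which browsers now require for host-name matching, and signing uses `openssl x509 -req -CA` into a throwaway directory instead of `openssl ca` and the /etc/pki/CA database. The CA gets its own CN rather than reusing the server's, and the e-mail address is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the assignment: non-interactive private CA, server
# certificate with SAN, and chain verification. All paths are temporary.

WORK=$(mktemp -d)
SUBJ_BASE="/C=CN/ST=HA/L=ZZ/O=MageEdu/OU=Ops"
HOST=www2.stu110.com
MAIL="admin@example.invalid"      # constructed placeholder e-mail

# CA key and self-signed CA certificate (RSA 2048, SHA-256, 365 days).
make_ca() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -key "$WORK/cakey.pem" -days 365 \
        -subj "$SUBJ_BASE/CN=MageEdu Private CA" -out "$WORK/cacert.pem"
}

# Server key and CSR, then sign with the CA, adding a SAN and CA:FALSE.
make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -key "$WORK/httpd.key" \
        -subj "$SUBJ_BASE/CN=$HOST/emailAddress=$MAIL" -out "$WORK/httpd.csr"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -sha256 -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/san.ext" -out "$WORK/httpd.crt" 2>/dev/null
}

# Prints OK when httpd.crt chains to the CA (what a client with the CA installed checks).
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/httpd.crt" | sed 's/.*: //'
}

# Subject CN of the issued certificate.
cert_cn() {
    openssl x509 -in "$WORK/httpd.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# DNS names in the SAN extension of the issued certificate.
cert_san() {
    openssl x509 -in "$WORK/httpd.crt" -noout -text | sed -n 's/.*DNS:\([^, ]*\).*/\1/p'
}

make_ca >/dev/null 2>&1
make_server_cert >/dev/null 2>&1
echo "chain: $(verify_chain)  CN: $(cert_cn)  SAN: $(cert_san)"
```

Copy httpd.crt and httpd.key into /etc/httpd24/ssl/ to use them with the SSLCertificateFile and SSLCertificateKeyFile directives above; clients still need cacert.pem installed as a trusted root, exactly as with the interactive procedure.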
6. In a LAMP stack, show in detail how httpd can be served by php both compiled as an httpd module and running as a standalone php-fpm daemon.
Lab environment: CentOS 7.2 (192.168.1.11) + httpd-2.4.9 + mariadb-5.5.57 + php-5.4.26
1. For building httpd and mariadb, see question 3
2. Install the packages needed to build php
[root@localhost ~]# yum install -y libxml2-devel libmcrypt-devel bzip2-devel
3. Download and unpack php-5.4.26
[root@localhost ~]# tar xf php-5.4.26.tar.bz2
[root@localhost ~]# cd php-5.4.26/
4. php compiled as an httpd module
(1) The --with-apxs2=/usr/local/apache24/bin/apxs option builds php as an httpd module
[root@localhost php-5.4.26]# ./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-png-dir --with-jpeg-dir --with-freetype-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --with-apxs2=/usr/local/apache24/bin/apxs --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
[root@localhost php-5.4.26]# make && make install
(2) Provide a configuration file for php, edit the httpd configuration so that it handles php, and provide a php test page
[root@localhost php-5.4.26]# cp php.ini-production /etc/php.ini
[root@localhost php-5.4.26]# vim /etc/httpd24/httpd.conf
Add the php file types:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php index.html
[root@localhost php-5.4.26]# vim /usr/local/apache24/htdocs/index.php
<h1>phptest</h1>
<?php
phpinfo();
?>
(3) Restart httpd and check that the php test page loads
[root@localhost php-5.4.26]# apachectl restart
5. php running as a standalone php-fpm daemon serving httpd
(1) The --enable-fpm option builds php-fpm so that php runs as a standalone daemon serving httpd
[root@localhost php-5.4.26]# ./configure --prefix=/usr/local/php --with-mysql=/usr/local/mysql --with-openssl --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-mbstring --with-png-dir --with-jpeg-dir --with-freetype-dir --with-zlib --with-libxml-dir=/usr --enable-xml --enable-sockets --enable-fpm --with-mcrypt --with-config-file-path=/etc --with-config-file-scan-dir=/etc/php.d --with-bz2
[root@localhost php-5.4.26]# make && make install
(2) Provide the configuration files for php-fpm
[root@localhost php-5.4.26]# cp php.ini-production /etc/php.ini
[root@localhost php-5.4.26]# cp /usr/local/php/etc/php-fpm.conf.default /usr/local/php/etc/php-fpm.conf
(3) Provide a SysV service for php-fpm
[root@localhost php-5.4.26]# cp sapi/fpm/init.d.php-fpm /etc/rc.d/init.d/php-fpm
[root@localhost php-5.4.26]# chmod +x /etc/rc.d/init.d/php-fpm
[root@localhost php-5.4.26]# chkconfig --add php-fpm
[root@localhost php-5.4.26]# service php-fpm start
Starting php-fpm done
[root@localhost php-5.4.26]# netstat -antup | grep php-fpm
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 35116/php-fpm: mast
(4) Edit the httpd configuration to enable the proxy modules for php-fpm and provide a php test page
[root@localhost php-5.4.26]# vim /etc/httpd24/httpd.conf
Uncomment the following two lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
Add the php file types and route php files to fpm:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.php index.html
ProxyRequests Off
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/usr/local/apache24/htdocs/$1
[root@localhost php-5.4.26]# vim /usr/local/apache24/htdocs/index.php
<h1>phpfpmtest</h1>
<?php
phpinfo();
?>
(5) Restart httpd and check that the php test page loads
[root@localhost php-5.4.26]# apachectl restart