Fixing security vulnerabilities by upgrading
Time: 2019-05-20 22:57 Source: 潇湘夜雨 Author: 华嵩阳
How vulnerability scanning works:
Vulnerability scanning is built on port scanning. Analysis of attacker behaviour and of the vulnerabilities collected so far shows that the great majority target one specific port, so vulnerability scanning follows the same approach as port scanning. A scanner checks whether a target host is vulnerable in two ways. First, once the port scan has revealed the open ports and the network services running on them, this information is matched against the vulnerability database shipped with the network vulnerability scanner to see whether any known vulnerability matches. Second, the scanner simulates an attacker's techniques and performs an offensive vulnerability scan of the target system; if the simulated attack succeeds, the target system has the vulnerability.
How to fix vulnerabilities:
1. Upgrade to the release in which the vulnerability is fixed, or directly to the latest stable release (the newest release may be less stable, but any upgrade affects stability).
2. Change the default port and hide the service version number and similar information; this makes scanning and attacks harder.
3. Uninstall or stop unnecessary services; for example, the Apache service is installed by default.
4. Enable the firewall for basic protection.
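As an added example that is not part of the original article, the Python script below applies the version-matching principle described above to the version banners the tools in this article print (version.sh, openssl version, sshd -V), using the fixed-in versions the article names as thresholds (Tomcat 6.0.53, 7.0.93 and 8.5.38 per release series, OpenSSL 1.0.2k, OpenSSH 7.5); the banner patterns and threshold table are constructed here and stand in for a scanner's vulnerability database.

```python
import re

# Lowest fixed versions this article names: Tomcat per release series,
# OpenSSL and OpenSSH globally ("*"). Constructed table, not a real database.
FIXED_VERSIONS = {
    "tomcat": {"6.0": "6.0.53", "7.0": "7.0.93", "8.5": "8.5.38"},
    "openssl": {"*": "1.0.2k"},
    "openssh": {"*": "7.5"},
}

# Version strings as printed by version.sh, "openssl version" and "sshd -V".
BANNER_PATTERNS = {
    "tomcat": re.compile(r"Apache Tomcat/(\d[\w.]*)"),
    "openssl": re.compile(r"OpenSSL (\d[\w.]*)"),
    "openssh": re.compile(r"OpenSSH_(\d[\w.]*)"),
}


def parse_version(text):
    """'1.0.2k' -> ((0, 1), (0, 0), (0, 2), (1, 'k')): numbers compare
    numerically, a letter patch level sorts after the bare number, and an
    int never meets a str in the same slot (which would raise TypeError)."""
    parts = re.findall(r"\d+|[A-Za-z]+", text)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def fixed_version_for(product, version):
    """Threshold per release series (Tomcat) or global ('*'); None if unknown."""
    table = FIXED_VERSIONS[product]
    series = ".".join(version.split(".")[:2])
    return table.get(series, table.get("*"))


def check_banner(banner):
    """One finding per product recognised in the banner line; 'vulnerable' is
    True/False, or None when no threshold is known for that release series."""
    findings = []
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if not match:
            continue
        version = match.group(1)
        fixed = fixed_version_for(product, version)
        vulnerable = None if fixed is None else parse_version(version) < parse_version(fixed)
        findings.append({"product": product, "version": version,
                         "fixed": fixed, "vulnerable": vulnerable})
    return findings
```

Running check_banner over each line of the version output before and after an upgrade shows whether method 1 actually took effect; a result of None means the series is missing from the table, not that the service is safe.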
1. Fixing Tomcat vulnerabilities
Upgrade method: upgrade to the latest release of the same Tomcat release series
Latest release per series: 7.0.93, 8.5.38, 6.0.53
Upgrade steps:
#Check the current version
[root@ipv6-1-22 ~]# /usr/local/Tomcat/bin/version.sh
Using CATALINA_BASE: /usr/local/Tomcat
Using CATALINA_HOME: /usr/local/Tomcat
Using CATALINA_TMPDIR: /usr/local/Tomcat/temp
Using JRE_HOME: /opt/jdk1.8.0_131
Using CLASSPATH: /usr/local/Tomcat/bin/bootstrap.jar:/usr/local/Tomcat/bin/tomcat-juli.jar
Using CATALINA_PID: /var/run/tomcat.pid
Server version: Apache Tomcat/8.5.34
Server built: Sep 4 2018 22:28:22 UTC
Server number: 8.5.34.0
OS Name: Linux
OS Version: 2.6.32-358.el6.x86_64
Architecture: amd64
JVM Version: 1.8.0_131-b11
JVM Vendor: Oracle Corporation
#Download the new Tomcat 8 release
[root@ipv6-1-22 Downloads]# wget http://mirrors.tuna.tsinghua.edu.cn/apache/tomcat/tomcat-8/v8.5.38/bin/apache-tomcat-8.5.38.tar.gz
[root@ipv6-1-22 Downloads]# tar -zxf apache-tomcat-8.5.38.tar.gz
[root@ipv6-1-22 local]# Tomcat/bin/catalina.sh stop
[root@ipv6-1-22 Downloads]# mv apache-tomcat-8.5.38 /usr/local/
#Copy the configuration file from the old version
[root@ipv6-1-22 local]# cp -r Tomcat/conf/server.xml apache-tomcat-8.5.38/conf/
cp: overwrite `apache-tomcat-8.5.38/conf/server.xml'? y
[root@ipv6-1-22 local]# apache-tomcat-8.5.38/bin/catalina.sh start
Using CATALINA_BASE: /usr/local/apache-tomcat-8.5.38
Using CATALINA_HOME: /usr/local/apache-tomcat-8.5.38
Using CATALINA_TMPDIR: /usr/local/apache-tomcat-8.5.38/temp
Using JRE_HOME: /opt/jdk1.8.0_131
Using CLASSPATH: /usr/local/apache-tomcat-8.5.38/bin/bootstrap.jar:/usr/local/apache-tomcat-8.5.38/bin/tomcat-juli.jar
Tomcat started.
[root@ipv6-1-22 local]# ps -ef|grep java
root 16627 16626 48 15:09 pts/3 00:00:05 /opt/jdk1.8.0_131/bin/java -Djava.util.logging.config.file=/usr/local/apache-tomcat-8.5.38/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Dignore.endorsed.dirs= -classpath /usr/local/apache-tomcat-8.5.38/bin/bootstrap.jar:/usr/local/apache-tomcat-8.5.38/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/apache-tomcat-8.5.38 -Dcatalina.home=/usr/local/apache-tomcat-8.5.38 -Djava.io.tmpdir=/usr/local/apache-tomcat-8.5.38/temp org.apache.catalina.startup.Bootstrap start
#Once the new version has started and the service has been tested, replace the installation path of the original version.
2. Fixing OpenSSL vulnerabilities
Fix: upgrade to 1.0.2k or later
#Check the current version
[root@ipv6-1-25 bin]# openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Thu Feb 21 23:42:57 UTC 2013
platform: linux-x86_64
#Download the new version
http://distfiles.macports.org/openssl/openssl-1.0.2q.tar.gz
tar -zxf openssl-1.0.2q.tar.gz
cd openssl-1.0.2q
#Compile and install
./config --prefix=/usr/local/openssl
./config -t
make
make install
Note: the configuration check may report missing dependencies; install the packages named in the message.
#Check the new version
[root@ipv6-1-25 openssl-1.0.2q]# /usr/local/openssl/bin/openssl version -a
OpenSSL 1.0.2q 20 Nov 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"
[root@ipv6-1-25 openssl-1.0.2q]# ldd /usr/local/openssl/bin/openssl
linux-vdso.so.1 => (0x00007fffe47ff000)
libdl.so.2 => /lib64/libdl.so.2 (0x0000003690c00000)
libc.so.6 => /lib64/libc.so.6 (0x0000003691000000)
/lib64/ld-linux-x86-64.so.2 (0x0000003690800000)
#Back up the original binary
[root@ipv6-1-25 openssl-1.0.2q]# mv /usr/bin/openssl /usr/bin/openssl2
#Create a symlink to the new version so it replaces the old one
[root@ipv6-1-25 openssl-1.0.2q]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@ipv6-1-25 openssl-1.0.2q]# openssl version -a
OpenSSL 1.0.2q 20 Nov 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"
3. Fixing OpenSSH vulnerabilities
Fix: upgrade to 7.5 or later
Fix steps:
#Install the telnet server (this step can be skipped)
Note: during the SSH upgrade, remote SSH connections may stop working; telnet then still allows logging in to the server.
[root@ipv6-1-25 Downloads]# rpm -ivh telnet-server-0.17-47.el6_3.1.x86_64.rpm
warning: telnet-server-0.17-47.el6_3.1.x86_64.rpm: Header V3 RSA/SHA1 Signature, key ID c105b9de: NOKEY
Preparing... ########################################### [100%]
package telnet-server-1:0.17-47.el6_3.1.x86_64 is already installed
#Enable the telnet service
vim /etc/xinetd.d/telnet
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
}
[root@ipv6-1-25 ~]# service xinetd status
xinetd (pid 14627) is running...
#Restarting xinetd is enough to start the telnet service
[root@ipv6-1-25 ~]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
#Back up the original configuration files
[root@ipv6-1-25 Downloads]# cp -r /etc/ssh/ ./
#Download and unpack the new OpenSSH release
http://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
[root@ipv6-1-25 Downloads]# tar -zxf openssh-7.9p1.tar.gz
[root@ipv6-1-25 Downloads]# ls
openssh-7.9p1 openssh-7.9p1.tar.gz openssl-1.0.2q openssl-1.0.2q.tar.gz telnet-server-0.17-47.el6_3.1.x86_64.rpm
[root@ipv6-1-25 Downloads]# cd openssh-7.9p1
#Compile and install
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardening
[root@ipv6-1-25 openssh-7.9p1]# make && make install
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 82: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 84: Unsupported option GSSAPICleanupCredentials
#Replace the sshd init script
[root@ipv6-1-25 openssh-7.9p1]# cp -r contrib/redhat/sshd.init /etc/init.d/sshd
cp: overwrite `/etc/init.d/sshd'? y
[root@ipv6-1-25 openssh-7.9p1]# chmod +x /etc/init.d/sshd
#Allow root login (after the OpenSSH upgrade, root login is disabled by default)
Open /etc/ssh/sshd_config with vi and set PermitRootLogin to yes
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
#Restart the SSH service
[root@ipv6-1-25 openssh-7.9p1]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd:/etc/ssh/sshd_config line 82: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 84: Unsupported option GSSAPICleanupCredentials
[ OK ]
#The start above printed warnings; adjusting the configuration file clears them
[root@ipv6-1-25 openssh-7.9p1]# sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
[root@ipv6-1-25 openssh-7.9p1]# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
[root@ipv6-1-25 openssh-7.9p1]# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
[root@ipv6-1-25 openssh-7.9p1]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
#Check the version
[root@ipv6-1-25 ~]# sshd -V
unknown option -- V
OpenSSH_7.9p1, OpenSSL 1.0.2q 20 Nov 2018
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
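The three sed commands above disable exactly the two options sshd -t rejected. As an added example, not from the original article, the Python code below generalises that step: it parses the "Unsupported option" diagnostics sshd -t prints, comments out only the reported lines of sshd_config, and checks that the directive on each line matches the diagnostic; the sample configuration and diagnostics are constructed.

```python
import re

# Diagnostic sshd -t prints for an option the new build does not know, e.g.
#   /etc/ssh/sshd_config line 82: Unsupported option GSSAPIAuthentication
UNSUPPORTED = re.compile(r"line (?P<line>\d+): Unsupported option (?P<opt>\S+)")

# Constructed sample sshd_config and sshd -t output (not from a real host).
SAMPLE_CONFIG = """Port 22
Protocol 2
PermitRootLogin yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
"""
SAMPLE_DIAG = """/etc/ssh/sshd_config line 4: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 5: Unsupported option GSSAPICleanupCredentials
"""


def unsupported_lines(diagnostics):
    """Map line number -> option name for each 'Unsupported option' diagnostic."""
    found = {}
    for raw in diagnostics.splitlines():
        m = UNSUPPORTED.search(raw)
        if m:
            found[int(m.group("line"))] = m.group("opt")
    return found


def comment_out_unsupported(config_text, diagnostics):
    """Comment out exactly the lines sshd -t rejected. The directive on the
    line must match the diagnostic (sshd_config keywords are case-insensitive),
    so a stale line number never disables an unrelated option.
    Returns (new_config_text, sorted line numbers changed)."""
    lines = config_text.splitlines()
    changed = []
    for number, option in unsupported_lines(diagnostics).items():
        idx = number - 1
        words = lines[idx].split() if 0 <= idx < len(lines) else []
        if words and words[0].lower() == option.lower():
            lines[idx] = "#" + lines[idx]
            changed.append(number)
    return "\n".join(lines) + "\n", sorted(changed)
```

Write the returned text back to /etc/ssh/sshd_config after backing it up, then run sshd -t again before service sshd restart so the restart never trips over a rejected directive.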
4. Fixing memcached vulnerabilities
On 31 October 2016 (local time), Cisco's Talos team published three integer overflow vulnerabilities in the Memcached server on its website http://www.talosintelligence.com. CVE-2016-8704 is in the function process_bin_append_prepend, CVE-2016-8705 in process_bin_update, and CVE-2016-8706 in process_bin_sasl_auth. All three can lead to a heap overflow and thus allow remote code execution.
[root@ipv6-1-22 ~]# service memcached stop
Stopping memcached: [ OK ]
[root@ipv6-1-22 ~]# wget http://rpmfind.net/linux/remi/enterprise/6/remi/x86_64/memcached-1.5.12-1.el6.remi.x86_64.rpm
--2019-03-04 14:41:42-- http://rpmfind.net/linux/remi/enterprise/6/remi/x86_64/memcached-1.5.12-1.el6.remi.x86_64.rpm
Resolving rpmfind.net... 195.220.108.108
Connecting to rpmfind.net|195.220.108.108|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 134608 (131K) [application/x-rpm]
Saving to: “memcached-1.5.12-1.el6.remi.x86_64.rpm”
100%[==============================================================================>] 134,608 143K/s in 0.9s
2019-03-04 14:41:44 (143 KB/s) - “memcached-1.5.12-1.el6.remi.x86_64.rpm” saved [134608/134608]
[root@ipv6-1-22 ~]# ls
anaconda-ks.cfg Documents install.log memcached-1.5.12-1.el6.remi.x86_64.rpm Pictures Templates
Desktop Downloads install.log.syslog Music Public Videos
[root@ipv6-1-22 ~]# rpm -Uvh memcached-1.5.12-1.el6.remi.x86_64.rpm
[root@ipv6-1-22 ~]# service memcached start
Starting memcached: [ OK ]
[root@ipv6-1-22 ~]# netstat -tnlp|grep memcached
tcp 0 0 0.0.0.0:11211 0.0.0.0:* LISTEN 15100/memcached
tcp 0 0 :::11211 :::* LISTEN 15100/memcached
5. Fixing MySQL vulnerabilities by upgrading
[root@ipv6-1-25 Downloads]# ls
mysql-5.6.43-linux-glibc2.12-x86_64.tar.gz openssl-1.0.2q telnet-server-0.17-47.el6_3.1.x86_64.rpm
[root@ipv6-1-25 Downloads]# cd mysql-5.6.43-linux-glibc2.12-x86_64
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]# ls
bin COPYING data docs include lib man mysql-test README scripts share sql-bench support-files
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]# cp -r docs include lib man mysql-test README scripts share sql-bench support-files bin /usr/local/mysql/
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]#
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]# ldconfig -v
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]# chown -R mysql.mysql /usr/local/mysql
[root@ipv6-1-25 mysql-5.6.43-linux-glibc2.12-x86_64]# ls -lh /usr/local/mysql
total 176K
drwxr-xr-x. 2 mysql mysql 4.0K Jan 7 2017 bin
-rw-r--r--. 1 mysql mysql 18K Jan 7 2017 COPYING
drwxr-xr-x. 6 mysql mysql 4.0K Mar 19 20:42 data
drwxr-xr-x. 2 mysql mysql 4.0K Jan 7 2017 docs
drwxr-xr-x. 3 mysql mysql 4.0K Jan 7 2017 include
-rw-r--r--. 1 mysql mysql 103K Jan 7 2017 INSTALL-BINARY
drwxr-xr-x. 3 mysql mysql 4.0K Mar 19 21:03 lib
drwxr-xr-x. 4 mysql mysql 4.0K Jan 7 2017 man
-rw-r--r--. 1 mysql mysql 1.1K Jan 7 2017 my.cnf
drwxr-xr-x. 10 mysql mysql 4.0K Mar 19 21:03 mysql-test
-rw-r--r--. 1 mysql mysql 2.5K Mar 19 21:03 README
drwxr-xr-x. 2 mysql mysql 4.0K Jan 7 2017 scripts
drwxr-xr-x. 28 mysql mysql 4.0K Jan 7 2017 share
drwxr-xr-x. 4 mysql mysql 4.0K Jan 7 2017 sql-bench
drwxr-xr-x. 2 mysql mysql 4.0K Jan 7 2017 support-files
service mysql start
[root@ipv6-1-25 mysql]# /usr/local/mysql/bin/mysql_upgrade -u root -pUcap7890&*()
Enter password:
Looking for 'mysql' as: /usr/local/mysql/bin/mysql
Looking for 'mysqlcheck' as: /usr/local/mysql/bin/mysqlcheck
Running 'mysqlcheck with default connection arguments
Warning: Using a password on the command line interface can be insecure.
Running 'mysqlcheck with default connection arguments
Warning: Using a password on the command line interface can be insecure.
Running 'mysql_fix_privilege_tables'...
Warning: Using a password on the command line interface can be insecure.
Running 'mysqlcheck with default connection arguments
Warning: Using a password on the command line interface can be insecure.
Running 'mysqlcheck with default connection arguments
Warning: Using a password on the command line interface can be insecure.
OK