1. Fix SSH-related vulnerabilities
Vulnerability list:
OpenSSH do_setup_env function privilege escalation vulnerability (CVE-2015-8325)
OpenSSH auth_password function denial-of-service vulnerability (CVE-2016-6515)
OpenSSH sshd mm_answer_pam_free_ctx use-after-free vulnerability (CVE-2015-6564)
OpenSSH MaxAuthTries limit bypass vulnerability (CVE-2015-5600)
OpenSSH security vulnerability (CVE-2016-1908)
OpenSSH remote code execution vulnerability (CVE-2016-10009)
OpenSSH security restriction bypass vulnerability (CVE-2016-10012)
OpenSSH 'schnorr.c' remote memory corruption vulnerability (CVE-2014-1692)
OpenSSH J-PAKE authorization issue vulnerability (CVE-2010-4478)
Upgrade plan:
This assumes the yum repository configuration has already been updated.
Current state:
# cat /etc/redhat-release
CentOS release 6.7 (Final)
# rpm -qa | grep openssh
openssh-server-5.3p1-123.el6_9.x86_64
openssh-5.3p1-123.el6_9.x86_64
openssh-clients-5.3p1-123.el6_9.x86_64
Run the update directly:
yum update -y openssh
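Added example, not from the original post: on CentOS 6 yum update leaves the package at 5.3p1 because Red Hat backports fixes without changing the upstream version, so a scanner keyed on the version banner may keep reporting these CVEs. The script checks each CVE id from the list above against the package changelog (rpm -q --changelog openssh on a real host); the changelog text embedded here is constructed.

```sh
#!/bin/sh
# Added example, not from the original post. On CentOS 6 the package keeps the
# "5.3p1" version after "yum update" because Red Hat backports fixes, so a
# scanner keyed on the version banner may keep reporting the CVEs above.
# Check the package changelog for each CVE id instead.

# CVE ids from the scanner list above (whitespace separated).
SSH_CVES='CVE-2015-8325 CVE-2016-6515 CVE-2015-6564 CVE-2015-5600 CVE-2016-1908
CVE-2016-10009 CVE-2016-10012 CVE-2014-1692 CVE-2010-4478'

# Print each CVE id in "$2..." that the changelog text "$1" does not mention.
# Returns 0 when every id is mentioned, 1 otherwise.
cves_not_in_changelog() {
  changelog=$1; shift
  rc=0
  for cve in "$@"; do
    if ! printf '%s\n' "$changelog" | grep -qiwF -- "$cve"; then
      printf '%s\n' "$cve"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed changelog excerpt (not a real package changelog) so this runs
# offline; on a host feed it the output of: rpm -q --changelog openssh
SAMPLE_CHANGELOG='* Mon Jan 01 2018 Example Packager <packager@example.invalid> - 5.3p1-123
- backport fix for CVE-2016-6515
- backport fix for CVE-2015-8325
- backport fix for CVE-2015-5600'

# Stand-alone run: report which of the listed CVEs the changelog does not name.
main() {
  # $SSH_CVES is deliberately unquoted so it splits into one argument per id.
  if cves_not_in_changelog "$SAMPLE_CHANGELOG" $SSH_CVES; then
    echo 'every listed CVE is named in the changelog'
  else
    echo 'the ids above are not named in the changelog: confirm them another way'
  fi
}
main
```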
2. Fix MySQL-related vulnerabilities
Vulnerability list:
MySQL remote code execution and privilege escalation vulnerability (CVE-2016-6662)
Oracle MySQL Client component arbitrary code execution vulnerability (CVE-2016-0546)
Oracle MySQL Server: Pluggable Authentication subcomponent security vulnerability (CVE-2016-0639)
Oracle MySQL Server security vulnerability (CVE-2018-2696)
Oracle MySQL Server component security vulnerability (CVE-2018-2562)
Oracle MySQL Server component security vulnerability (CVE-2018-2612)
Oracle MySQL Server component security vulnerability (CVE-2018-2647)
Oracle MySQL Server remote security vulnerability (CVE-2017-3599)
Oracle MySQL security vulnerability (CVE-2016-0705)
There are two fix procedures, one for each way MySQL was installed:
2.1. Installed from RPM packages (mysql-5.7.18-1.el7.x86_64.rpm-bundle.tar)
Download a newer MySQL package bundle, mysql-5.7.26.
Update in place (the service does not need to be stopped):
yum update -y mysql-community-*.rpm
2.2. Installed from a tarball (mysql-5.7.26-linux-glibc2.12-x86_64.tar.gz)
tar -zxf mysql-5.7.26-linux-glibc2.12-x86_64.tar.gz -C /usr/local
Stop the running service:
service mysql stop
Then back up the existing installation:
cd /usr/local
mv mysql mysql-5.7.17
Switch to the new version:
mv mysql-5.7.26-linux-glibc2.12-x86_64 mysql
Start the service:
service mysql start
Troubleshooting:
Problem 1: application queries fail with:
Caused by: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Expression #2 of SELECT list is not in GROUP BY clause and contains nonaggregated column 'c.PRODUCT_LINE' which is not functionally dependent on columns in GROUP BY clause; this is incompatible with sql_mode=only_full_group_by
mysql> select @@sql_mode;
+-------------------------------------------------------------------------------------------------------------------------------------------+
| @@sql_mode |
+-------------------------------------------------------------------------------------------------------------------------------------------+
| ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION |
Edit my.cnf and, under [mysqld], set:
sql_mode=STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Then reload the configuration so the change takes effect.
Problem 2:
2019-06-03T02:16:18.169901Z 2 [ERROR] Invalid (old?) table or database name 'lost+found'
2019-06-03T02:16:18.169942Z 2 [ERROR] Invalid (old?) table or database name 'mysql-5.6.28-linux-glibc2.5-x86_64
Edit the configuration:
ignore-db-dir=lost+found
ignore-db-dir=mysql-5.6.28-linux-glibc2.5-x86_64
Then reload the configuration so the change takes effect.
Problem 3: [Warning] IP address 'xxx.xxx.xxx.xxx' could not be resolved: Name or service not known
Edit the configuration:
skip-name-resolve
Then reload the configuration so the change takes effect.
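The three fixes above each add directives under [mysqld] in my.cnf. As an added example (not from the original post), the script below strips ONLY_FULL_GROUP_BY out of the value reported by select @@sql_mode instead of retyping the list, and adds each directive only once so it can be re-run; the my.cnf it writes is a constructed sample. Rewriting the offending GROUP BY query is the alternative that keeps the stricter mode.

```sh
#!/bin/sh
# Added example, not from the original post: apply the [mysqld] changes from
# problems 1-3 to a my.cnf without hand-editing, in a way that is safe to re-run.

# Print a comma-separated sql_mode list with one flag removed, wherever it sits.
drop_sql_mode_flag() {  # $1 = current sql_mode value, $2 = flag to drop
  printf '%s\n' "$1" | tr ',' '\n' | grep -vxF -- "$2" | paste -sd, -
}

# Add a line under [mysqld] unless an identical line is already in that section;
# creates the section at the end of the file if it does not exist.
mycnf_add() {  # $1 = my.cnf path, $2 = line to ensure
  awk -v line="$2" '
    insec && $0 == line      { done = 1 }
    /^\[/ && insec && !done  { print line; done = 1 }   # leaving [mysqld]: append here
    /^\[/                    { insec = ($0 == "[mysqld]") }
    { print }
    END { if (!done) { if (!insec) print "[mysqld]"; print line } }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Replace (or create) the sql_mode assignment inside [mysqld] only.
mycnf_set_sql_mode() {  # $1 = my.cnf path, $2 = new sql_mode value
  sed '/^\[mysqld\]/,/^\[/{/^sql_mode[ =]/d;}' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  mycnf_add "$1" "sql_mode=$2"
}

# Apply all three fixes. $2 is the value shown by "select @@sql_mode" on the server.
apply_mysql_fixes() {  # $1 = my.cnf path, $2 = current sql_mode value
  mycnf_set_sql_mode "$1" "$(drop_sql_mode_flag "$2" ONLY_FULL_GROUP_BY)"
  mycnf_add "$1" 'ignore-db-dir=lost+found'
  mycnf_add "$1" 'ignore-db-dir=mysql-5.6.28-linux-glibc2.5-x86_64'
  mycnf_add "$1" 'skip-name-resolve'
}

# Constructed sample my.cnf (not a real server's file) so the script runs offline.
write_sample_cnf() {  # $1 = path to write
  printf '%s\n' '[client]' 'port=3306' '' '[mysqld]' 'datadir=/usr/local/mysql/data' \
    'sql_mode=ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION' \
    '' '[mysqldump]' 'quick' > "$1"
}
```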
3. Fix NTP-related vulnerabilities
Vulnerability list:
NTP CRYPTO_ASSOC memory leak denial-of-service vulnerability (CVE-2015-7701)
NTPD PRNG weak encryption vulnerability (CVE-2014-9294)
NTPD PRNG invalid entropy vulnerability (CVE-2014-9293)
ntpd security vulnerability (CVE-2016-1548)
ntpd denial-of-service vulnerability (CVE-2016-2516)
NTPD stack buffer overflow vulnerability (CVE-2014-9295)
NTP Kiss-o'-Death denial-of-service vulnerability (CVE-2015-7705)
NTP ntpd code injection vulnerability (CVE-2014-9751)
NTP ntpd buffer overflow vulnerability (CVE-2015-7853)
NTP NULL pointer dereference denial-of-service vulnerability (CVE-2016-9311)
NTP resource exhaustion denial-of-service vulnerability (CVE-2016-9310)
NTP security vulnerability (CVE-2016-2516)
NTP authentication bypass vulnerability (CVE-2015-7871)
Update:
Stop the service:
service ntpd stop
Install the build prerequisites:
yum install gcc gcc-c++ openssl-devel libstdc++* libcap* -y
Back up:
cp /etc/ntp.conf /etc/ntp.conf.bak
cp /etc/init.d/ntpd /etc/init.d/ntpd.bak
cp /etc/sysconfig/ntpd /etc/sysconfig/ntpd.bak
cp /etc/sysconfig/ntpdate /etc/sysconfig/ntpdate.bak
Build and install from source:
mkdir /data/usr/src
tar -zxf ntp-4.2.8p12.tar.gz -C /data/usr/src
cd /data/usr/src/ntp-4.2.8p12
./configure --prefix=/data/usr/ntpd --bindir=/usr/sbin --enable-all-clocks --enable-parse-clocks --docdir=/usr/share/doc/ntp-4.2.8p12
make && make install
Start the service:
cp /etc/ntp.conf.bak /etc/ntp.conf
/usr/sbin/ntpd -c /etc/ntp.conf
Start at boot:
echo '/usr/sbin/ntpd -c /etc/ntp.conf' >> /etc/rc.d/rc.local
4. Fix HTTP-related vulnerabilities
Vulnerability list:
Apache HTTP Server ap_get_basic_auth_pw authentication bypass vulnerability (CVE-2017-3167)
Apache HTTP Server mod_mime buffer overflow vulnerability (CVE-2017-7679)
Apache HTTP Server mod_ssl NULL pointer dereference vulnerability (CVE-2017-3169)
Current environment:
CentOS release 6.9 (Final)
rpm -qa | grep httpd
httpd-2.2.15-69.el6.centos.x86_64
httpd-tools-2.2.15-69.el6.centos.x86_64
Current configuration:
Listen 8080
User http
Group http
DocumentRoot "/"
<Directory />
Options FollowSymLinks
AllowOverride None
Header set Access-Control-Allow-Origin *
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Update:
Stop the service:
service httpd stop
Back up:
mv /etc/httpd /etc/httpd_bak
Build and install from source:
tar -zxf apr-1.6.5.tar.gz -C /data/usr/src
cd /data/usr/src/apr-1.6.5
./configure --prefix=/data/usr/apr
make && make install
tar -zxf apr-util-1.6.1.tar.gz -C /data/usr/src
cd /data/usr/src/apr-util-1.6.1/
./configure --prefix=/data/usr/apr-util --with-apr=/data/usr/apr
make && make install
tar -zxf httpd-2.4.39.tar.gz -C /data/usr/src
cd /data/usr/src/httpd-2.4.39/
./configure --prefix=/data/usr/httpd --sysconfdir=/etc/httpd --with-apr=/data/usr/apr --with-apr-util=/data/usr/apr-util
make && make install
Change the configuration (adjust it to the actual environment):
vi /etc/httpd/httpd.conf
Listen 8080
User http
Group http
ServerName localhost:8080
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/"
<Directory "/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
Header set Access-Control-Allow-Origin *
</Directory>
Start the service and verify:
cd /data/usr/httpd/bin
./apachectl start
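The two <Directory> blocks in the updated configuration above both cover "/": the second block's Require all granted replaces the first block's Require all denied for the same path, and with DocumentRoot "/" that publishes the whole filesystem. As an added example (not from the original post), this script reads an httpd 2.4 configuration and reports the effective access for each <Directory> path, using the updated configuration above as its sample input; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: report the effective 2.4-style
# access of every <Directory> block so a grant on "/" is caught before the
# server is started and the grant can be narrowed to the real web root.

# Read httpd.conf on stdin; print "<path><TAB><granted|denied|unset>" for every
# <Directory> block, in file order (paths containing spaces are not handled).
directory_access() {
  awk '
    tolower($1) == "<directory" { path = $2; sub(/>$/, "", path); gsub(/"/, "", path); state = "unset"; next }
    tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+granted/ { state = "granted" }
    tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+denied/  { state = "denied" }
    tolower($1) == "</directory>" { printf "%s\t%s\n", path, state }
  '
}

# Effective access for one path: when several blocks name the same path the
# later one wins, so the last state seen for that path is what httpd applies.
effective_access() {  # $1 = directory path; stdin = httpd.conf text
  directory_access | awk -F'\t' -v p="$1" '$1 == p { s = $2 } END { if (s == "") s = "unset"; print s }'
}

# The updated configuration from the post, reproduced here as the sample input.
NEW_CONF='Listen 8080
User http
Group http
ServerName localhost:8080
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/"
<Directory "/">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
Header set Access-Control-Allow-Origin *
</Directory>'

# Stand-alone run: list every block, then the effective result for "/".
main() {
  printf '%s\n' "$NEW_CONF" | directory_access
  printf 'effective access for /: %s\n' "$(printf '%s\n' "$NEW_CONF" | effective_access /)"
}
main
```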
5. Fix WebLogic-related vulnerabilities
Reference for patching WebLogic:
https://blog.csdn.net/maple_fix/article/details/80351527
Vulnerability list:
Oracle Fusion Middleware Oracle WebLogic Server component arbitrary code execution vulnerability (CVE-2016-0572)
Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-3505)
Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-5531)
Oracle Fusion Middleware Oracle WebLogic Server component remote security vulnerability (CVE-2016-5535)
Oracle Fusion Middleware WebLogic Server security vulnerability (CVE-2016-3586)
Oracle Fusion Middleware WebLogic Server component information disclosure vulnerability (CVE-2016-0577)
Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2017-5645)
Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2018-2893)
Oracle Fusion Middleware WebLogic Server component security vulnerability (CVE-2018-2935)
Oracle Fusion Middleware WebLogic Server component remote security vulnerability (CVE-2016-0573)
Oracle Fusion Middleware WebLogic Server component remote security vulnerability (CVE-2016-0574)
Oracle Fusion Middleware WebLogic Server remote security vulnerability (CVE-2016-0638)
Oracle WebLogic Server WLS Security component security vulnerability (CVE-2017-10271)
Oracle WebLogic Server WLS Security component security vulnerability (CVE-2017-10271) [active-probe detection]
Oracle WebLogic Server WLS component security vulnerability (CVE-2018-2893) [active-probe detection]
Oracle WebLogic Server arbitrary code execution vulnerability (CVE-2014-2470)
Oracle WebLogic Server deserialization vulnerability (CVE-2018-2628)
Oracle WebLogic Server deserialization vulnerability (CVE-2018-2628) [active-probe detection]
Oracle WebLogic Server security vulnerability (CVE-2013-2186)
Oracle WebLogic Server security vulnerability (CVE-2017-3248)
Oracle WebLogic Server remote security vulnerability (CVE-2017-3506)
Oracle WebLogic Server remote security vulnerability (CVE-2017-5638) (cpuapr2017-3236618)
WebLogic Commons Collections component deserialization vulnerability (CVE-2015-4852) [active-probe detection]
Environment:
OS: CentOS 6.9
JDK 1.7
Dual core, 4 GB RAM
Upgrade:
Check the WebLogic installation details:
cd /wls/wls81/Oracle/Middleware/utils/bsu
$ sh bsu.sh -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /wls/wls81/Oracle/Middleware
ProductHome: /wls/wls81/Oracle/Middleware/wlserver_10.3
PatchSystemDir: /wls/wls81/Oracle/Middleware/utils/bsu
PatchDir: /wls/wls81/Oracle/Middleware/patch_wls1036
Profile: Default
DownloadDir: /wls/wls81/Oracle/Middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
Stop the service and back up:
$ cd /wls/wls81/Oracle/Middleware/user_projects/domains/base_domain/bin
$ sh stopWebLogic.sh
$ cd /wls
$ cp -r wls81 wls81_bak
$ cd wls81/Oracle/Middleware/utils/bsu/cache_dir
$ wget xxxx/patch/p29204678_1036_Generic.tgz
$ wget xxxx/patch/p29694149_10360190416_Generic.tgz
These patch URLs point at the company intranet; other download sources can be found online.
Apply patch U5I2:
$ tar -zxf p29204678_1036_Generic.tgz
$ ll
總用量 338412
-rw-r----- 1 wls81 wls 101161413 5月 30 17:16 p29204678_1036_Generic.tgz
-rw-r----- 1 wls81 wls 15777418 5月 30 17:16 p29694149_10360190416_Generic.tgz
-rw-r----- 1 wls81 wls 136403408 2月 4 04:30 patch-catalog_26516.xml
-rw-r----- 1 wls81 wls 61197 4月 15 17:56 README.txt
-rw-r----- 1 wls81 wls 93124490 2月 4 04:30 U5I2.jar
$ cd ..
$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=U5I2 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3
If the step above fails with the error "java.lang.OutOfMemoryError: GC overhead limit exceeded", increase the memory settings:
$ vi bsu.sh
MEM_ARGS="-Xms256m -Xmx512m"
"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*
change to:
MEM_ARGS="-Xms2048m -Xmx3072m"
"$JAVA_HOME/bin/java" ${MEM_ARGS} -jar patch-client.jar $*
Run it again:
$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=U5I2 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3
檢查衝突........
未檢測到衝突
正在安裝補丁程序 ID: U5I2..
結果: 成功
Check the installation details again:
$ sh bsu.sh -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3 -status=applied -verbose -view
ProductName: WebLogic Server
ProductVersion: 10.3 MP6
Components: WebLogic Server/Core Application Server,WebLogic Server/Admi
nistration Console,WebLogic Server/Configuration Wizard and
Upgrade Framework,WebLogic Server/Web 2.0 HTTP Pub-Sub Serve
r,WebLogic Server/WebLogic SCA,WebLogic Server/WebLogic JDBC
Drivers,WebLogic Server/Third Party JDBC Drivers,WebLogic S
erver/WebLogic Server Clients,WebLogic Server/WebLogic Web S
erver Plugins,WebLogic Server/UDDI and Xquery Support,WebLog
ic Server/Evaluation Database,WebLogic Server/Workshop Code
Completion Support
BEAHome: /wls/wls81/Oracle/Middleware
ProductHome: /wls/wls81/Oracle/Middleware/wlserver_10.3
PatchSystemDir: /wls/wls81/Oracle/Middleware/utils/bsu
PatchDir: /wls/wls81/Oracle/Middleware/patch_wls1036
Profile: Default
DownloadDir: /wls/wls81/Oracle/Middleware/utils/bsu/cache_dir
JavaVersion: 1.6.0_29
JavaVendor: Sun
Patch ID: U5I2
PatchContainer: U5I2.jar
Checksum: 1091735558
Severity: optional
Category: General
CR/BUG: 29204678
Restart: true
Description: WLS PATCH SET UPDATE 10.3.6.0.190416
WLS PATCH SET UPDATE 10
.3.6.0.190416
Apply patch 6JJ4:
$ cd cache_dir/
$ tar -zxf p29694149_10360190416_Generic.tgz
$ cd ..
$ ./bsu.sh -install -patch_download_dir=/wls/wls81/Oracle/Middleware/utils/bsu/cache_dir -patchlist=6JJ4 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3
To remove a patch:
./bsu.sh -remove -patchlist=6JJ4 -prod_dir=/wls/wls81/Oracle/Middleware/wlserver_10.3
6. Redis-related
Vulnerability list:
Redis unauthenticated access vulnerability [active-probe detection]
6.1. Master/replica
On the master node, edit the configuration file and add (choose your own password):
requirepass Redis2019!
On the replica node, edit the configuration file and add:
requirepass Redis2019!
masterauth Redis2019!
Restart the master and replica services.
6.2. Cluster
The node IPs are (for example):
192.168.121.121
192.168.121.122
192.168.121.123
redis-cli -h 192.168.121.121 -c -p 7001
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
redis-cli -h 192.168.121.121 -c -p 7002
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
redis-cli -h 192.168.121.122 -c -p 7001
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
redis-cli -h 192.168.121.122 -c -p 7002
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
redis-cli -h 192.168.121.123 -c -p 7001
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
redis-cli -h 192.168.121.123 -c -p 7002
config set masterauth Redis2019!
config set requirepass Redis2019!
config rewrite
The master/replica setup can of course use this method as well; just run the corresponding commands.
Problem:
After fixing the vulnerability with the method above, running redis-trib.rb check fails with:
Sorry, can't connect to node
Solution:
Edit the configuration file client.rb:
find / -name "client.rb"
vi /usr/local/ruby/lib/ruby/gems/2.5.0/gems/redis-4.0.1/lib/redis/client.rb
:password => nil
change to:
:password => "Redis2019!"
For a single node, only the following line needs to be added:
requirepass Redis2019!
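The six redis-cli sessions above repeat the same three commands per node. As an added example (not part of the original post), the script below loops over the node list instead, reads the password from the REDIS_PASS environment variable so it does not end up in shell history or ps output, and then checks that each node answers an unauthenticated PING with NOAUTH; REDIS_CLI, REDIS_NODES and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: apply requirepass/masterauth to
# every cluster node in a loop, then confirm each node refuses unauthenticated
# commands. The password is read from $REDIS_PASS (no spaces) rather than typed
# on the command line.

# Node list assumed from the example addresses above, one "host port" per line.
REDIS_NODES='192.168.121.121 7001
192.168.121.121 7002
192.168.121.122 7001
192.168.121.122 7002
192.168.121.123 7001
192.168.121.123 7002'

# Command used to reach the nodes; overridable so it can be stubbed in tests.
REDIS_CLI=${REDIS_CLI:-redis-cli}

# Send the three CONFIG commands from the post to one node over stdin.
secure_node() {  # $1 = host, $2 = port; password in $REDIS_PASS
  printf 'CONFIG SET masterauth %s\nCONFIG SET requirepass %s\nCONFIG REWRITE\n' \
    "$REDIS_PASS" "$REDIS_PASS" | "$REDIS_CLI" -h "$1" -p "$2" -c
}

# Apply secure_node to every node in $REDIS_NODES.
secure_cluster() {
  printf '%s\n' "$REDIS_NODES" | while read -r host port; do
    secure_node "$host" "$port"
  done
}

# Return 0 when an unauthenticated PING is refused with NOAUTH, 1 otherwise.
node_requires_auth() {  # $1 = host, $2 = port
  case "$("$REDIS_CLI" -h "$1" -p "$2" ping 2>&1)" in
    *NOAUTH*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the nodes that still answer without a password; returns 0 if none do.
nodes_still_open() {
  open=$(printf '%s\n' "$REDIS_NODES" | while read -r host port; do
    node_requires_auth "$host" "$port" || printf '%s:%s\n' "$host" "$port"
  done)
  [ -n "$open" ] && printf '%s\n' "$open"
  [ -z "$open" ]
}
```

Run secure_cluster with REDIS_PASS exported, then nodes_still_open; any node it prints is still reachable without a password.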
7. nginx-related
Vulnerability list:
nginx resolver use-after-free vulnerability (CVE-2016-0746)
nginx security vulnerability (CVE-2018-16843)
Before the fix:
# rpm -qa | grep nginx
nginx-mod-stream-1.12.2-2.el7.x86_64
nginx-mod-http-perl-1.12.2-2.el7.x86_64
nginx-mod-mail-1.12.2-2.el7.x86_64
nginx-mod-http-image-filter-1.12.2-2.el7.x86_64
nginx-mod-http-geoip-1.12.2-2.el7.x86_64
nginx-all-modules-1.12.2-2.el7.noarch
nginx-mod-http-xslt-filter-1.12.2-2.el7.x86_64
nginx-filesystem-1.12.2-2.el7.noarch
nginx-1.12.2-2.el7.x86_64
To fix, upgrade to a newer version wherever possible.
First check the user and group the nginx service runs as.
Use nginx -V to view the compile-time configure parameters.
Update:
Install the dependencies:
yum install gcc gcc-c++ autoconf automake
yum install pcre pcre-devel
yum install openssl openssl-devel
yum install zlib-devel
yum install perl-devel perl-ExtUtils-Embed
Build and install from source:
tar -zxf nginx-1.14.2.tar.gz -C /data/usr/src
cd /data/usr/src/nginx-1.14.2/
./configure --user=nginx --group=nginx --prefix=/data/usr/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_gzip_static_module
make && make install
Edit the configuration file /data/usr/nginx/conf/nginx.conf to match the actual environment.
chown -R nginx:nginx /data/usr/nginx
Stop the old service:
systemctl stop nginx.service
Start the new service:
cd /data/usr/nginx/sbin
./nginx -t
./nginx
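The post says to check the run user and the nginx -V configure parameters before rebuilding; the ./configure line above keeps only three --with modules, while the package list shows that stream, perl, image-filter, geoip and xslt modules were installed. As an added example (not from the original post), this script parses nginx -V output, extracts the --user value, and lists the --with/--add flags of the old build that the planned ./configure line would drop; the nginx -V text it embeds is constructed, not the real CentOS package's output.

```sh
#!/bin/sh
# Added example, not from the original post: recover the run user and module
# flags of the packaged build from "nginx -V" and list the modules the planned
# ./configure line would silently drop.

# Extract the configure argument string from "nginx -V 2>&1" text on stdin.
configure_args() {
  sed -n 's/^configure arguments: //p'
}

# One --with-*/--add-* flag per line, sorted, from a configure argument string.
module_flags() {  # $1 = configure argument string
  printf '%s\n' "$1" | tr ' ' '\n' | grep -E '^--(with|add)-' | LC_ALL=C sort
}

# Value of --user= in a configure argument string (empty if the default applies).
build_user() {  # $1 = configure argument string
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^--user=//p'
}

# Flags present in the old build ($1) but missing from the planned one ($2).
missing_flags() {
  module_flags "$1" | while read -r flag; do
    module_flags "$2" | grep -qxF -- "$flag" || printf '%s\n' "$flag"
  done
}

# Constructed "nginx -V" output standing in for the packaged 1.12.2 build
# (not the real package's flags); on a host use: nginx -V 2>&1
OLD_V='nginx version: nginx/1.12.2
built by gcc 4.8.5 (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_stub_status_module --with-stream=dynamic --with-http_perl_module=dynamic --with-http_geoip_module=dynamic'

# The ./configure line used in the update above.
NEW_ARGS='--user=nginx --group=nginx --prefix=/data/usr/nginx --with-http_stub_status_module --without-http-cache --with-http_ssl_module --with-http_gzip_static_module'

# Stand-alone run: show the old run user and the flags the new build would lose.
main() {
  old_args=$(printf '%s\n' "$OLD_V" | configure_args)
  printf 'old build runs as: %s\n' "$(build_user "$old_args")"
  printf 'modules dropped by the new configure line:\n'
  missing_flags "$old_args" "$NEW_ARGS"
}
main
```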