apache漏洞修复（绿盟科技漏洞）

apache版本：Apache 2.2.3，安装目录 /usr/local/apache2

漏洞1：检测到目标服务器启用了TRACE方法

在/usr/local/apache2/conf/httpd.conf 末尾添加 TraceEnable off 
重启apache: 
cd /usr/local/apache2/bin/ 
./apachectl stop 
./apachectl start 
再扫描漏洞消失

======================================================== 
漏洞2：检测到目标主机可能存在缓慢的http拒绝服务攻击

百度到解决办法： 
限制web服务器的HTTP头部传输的最大许可时间，在/usr/local/apache2/conf/httpd.conf中添加如下配置：

RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500 

重启apache: 
cd /usr/local/apache2/bin/ 
./apachectl stop 
./apachectl start

再扫描，漏洞依然存在。 
看来配置没生效，应该要先加载reqtimeout_module，才能进入中的条件 。 
在上述conf文件中添加 LoadModule reqtimeout_module modules/mod_reqtimeout.so 
重启报错。找不到该模块。

进入 modules 目录 
cd /usr/local/apache2/modules 
确实找不到mod_reqtimeout.so

那么接下来就是要添加这个模块，方法有两种： 
1. 重新安装apache，将该模块安装时加进去 
2. 不重新安装，只添加所需新模块

在目前生产机运行的情况下，果断选择第二种，过程如下：

apache不重新安装的情况下，加载新模块方法： 
进入根目录，查看版本 
[root@localhost /]# httpd -V 
Server version: Apache/2.2.3 
Server built: Apr 9 2010 15:05:43 
Server’s Module Magic Number: 20051115:3 
Server loaded: APR 1.2.7, APR-Util 1.2.7 
Compiled using: APR 1.2.7, APR-Util 1.2.7 
Architecture: 64-bit 
Server MPM: Prefork 
threaded: no 
forked: yes (variable process count) 
*Server compiled with…. 
-D APACHE_MPM_DIR=”server/mpm/prefork” 
-D APR_HAS_SENDFILE 
-D APR_HAS_MMAP 
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) 
-D APR_USE_SYSVSEM_SERIALIZE 
-D APR_USE_PTHREAD_SERIALIZE 
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT 
-D APR_HAS_OTHER_CHILD 
-D AP_HAVE_RELIABLE_PIPED_LOGS 
-D DYNAMIC_MODULE_LIMIT=128 
-D HTTPD_ROOT=”/etc/httpd” 
-D SUEXEC_BIN=”/usr/sbin/suexec” 
-D DEFAULT_PIDLOG=”run/httpd.pid” 
-D DEFAULT_SCOREBOARD=”logs/apache_runtime_status” 
-D DEFAULT_LOCKFILE=”logs/accept.lock” 
-D DEFAULT_ERRORLOG=”logs/error_log” 
-D AP_TYPES_CONFIG_FILE=”conf/mime.types” 
-D SERVER_CONFIG_FILE=”conf/httpd.conf” 
搜索模块对应源代码所在目录 
[root@localhost /]# find . -name “mod_reqtimeout*” 
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html.en 
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html 
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c 
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dep 
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.mak 
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dsp

即为 ./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c

[root@localhost /]# cd ./app/httpd-2.2.25/modules/filters 
[root@localhost filters]# 
编译成.o文件 （/usr/local/apache2/bin apache的目录） 
[root@localhost filters]# /usr/local/apache2/bin/apxs -c mod_reqtimeout.c 
/usr/lib64/apr-1/build/libtool –silent –mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache2//include -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_reqtimeout.lo mod_reqtimeout.c && touch mod_reqtimeout.slo 
/usr/lib64/apr-1/build/libtool –silent –mode=link gcc -o mod_reqtimeout.la -rpath /usr/local/apache2//modules -module -avoid-version mod_reqtimeout.lo 
链接成so库 
[root@localhost filters]# gcc -shared -o mod_reqtimeout.so mod_reqtimeout.o 
安装 
[root@localhost filters]# /usr/local/apache2/bin/apxs -i -A -n mod_reqtimeout mod_reqtimeout.so
/usr/local/apache2//build/instdso.sh SH_LIBTOOL=’/usr/lib64/apr-1/build/libtool’ mod_reqtimeout.so /usr/local/apache2//modules 
/usr/lib64/apr-1/build/libtool –mode=install cp mod_reqtimeout.so /usr/local/apache2//modules/
cp mod_reqtimeout.so /usr/local/apache2//modules/mod_reqtimeout.so 
Warning! dlname not found in /usr/local/apache2//modules/mod_reqtimeout.so. 
Assuming installing a .so rather than a libtool archive. 
chmod 755 /usr/local/apache2//modules/mod_reqtimeout.so 
[preparing module `mod_reqtimeout’ in /usr/local/apache2//conf/httpd.conf] 
[root@localhost filters]# ls -rlt /usr/local/apache2//modules/mod_reqtimeout.so 
-rwxr-xr-x 1 root root 16279 02-18 21:05 /usr/local/apache2//modules/mod_reqtimeout.so 
[root@localhost filters]# cd /usr/local/apache2//conf 
[root@localhost conf]# diff httpd.conf httpd.conf.bak 
434d433 
< #LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so 
[root@localhost conf]# vi httpd.conf 
将 #LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so 
改为 
LoadModule reqtimeout_module modules/mod_reqtimeout.so 
再添加 

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 

重启apache，再扫描，漏洞没有了