Nessusをパスするメモ(2018.5.3)作成中

公開サーバを作るためには、Nessusをパスする必要がある。設定忘れを防ぐためにメモを残す。CentOS7でyum updateで維持された環境を想定しています。

  • 85582 – Web Application Potentially Vulnerable to Clickjacking
    • /etc/httpd/conf/httpd.conf
      • Header always append X-Frame-Options SAMEORIGIN
      • 参考 https://developer.mozilla.org/ja/docs/Web/HTTP/X-Frame-Options
  • 11213 – HTTP TRACE / TRACK Methods Allowed [-/+]
    • /etc/httpd/conf/httpd.conf
      • TraceEnable offをどこか(最終行)に追加
      • 参考 https://qiita.com/tukiyo3/items/2eefc998d2adaf17794a
  • 40984 – Browsable Web Directories [-/+]
    • /etc/httpd/conf/httpd.conf or
    • /etc/httpd/conf.d/vhost.conf
      • Options Indexesを除ける
      • 例 Options Indexes FollowSymLinks=>Options FollowSymLinks
  • 42873 – SSL Medium Strength Cipher Suites Supported [-/+]
  • 65821 – SSL RC4 Cipher Suites Supported (Bar Mitzvah) [-/+] 
    • /etc/httpd/conf.d/vhost.conf
      • SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!DH
    • /etc/dovecot/conf.d/10-ssl.conf
      • ssl_cipher_list = HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!DH
  • 46803 – PHP expose_php Information Disclosure [-/+]
    • /etc/php.ini
      • expose_php = off  ※default設定を変更
  • 58751 – SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST) [-/+]
    • /etc/httpd/conf.d/vhost.conf
      • SSLProtocol -all +TLSv1.1 +TLSv1.2
  • 70658 – SSH Server CBC Mode Ciphers Enabled
  • 90317 – SSH Weak Algorithms Supported  
    • /etc/ssh/sshd_config
      • Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@opens
        sh.com,chacha20-poly1305@openssh.com
  • 88098 – Apache Server ETag Header Information Disclosure
    • /etc/httpd/httpd_conf
      • FileETag None を追記
  • 10539 – DNS Server Recursive Query Cache Poisoning Weakness
  • 12217 – DNS Server Cache Snooping Remote Information Disclosure
  • 35450 – DNS Server Spoofed Request Amplification DDoS
  • 161948 – Apache 2.4.x < 2.4.54 Multiple Vulnerabilities
    • https://kojihub.stream.centos.org/koji/buildinfo?buildID=27763
  • 170113 – Apache 2.4.x < 2.4.55 Multiple Vulnerabilities
    • https://kojihub.stream.centos.org/koji/buildinfo?buildID=27763

公開サーバを作るためには、Nessusをパスする必要がある。設定忘れを防ぐためにメモを残す。Windows Server 2012環境を想定していますWindows Server 2012 SSL

  • 参考
    • https://garafu.blogspot.jp/2014/03/windows-servier-2012.html
    • http://mizunolab.sist.ac.jp/2017/04/windows-server-2012-r2upki.html
    • https://www.sidorenko.io/post/2014/02/secure-ssl-configuration-for-apache-postfix-dovecot/
  •