Notes on passing Nessus (2018.5.3), work in progress
To build a public-facing server, it has to pass a Nessus scan. I am leaving these notes so that no setting gets forgotten. They assume a CentOS 7 environment kept up to date with yum update.
- 85582 – Web Application Potentially Vulnerable to Clickjacking
  - /etc/httpd/conf/httpd.conf
  - Header always append X-Frame-Options SAMEORIGIN
  - Reference: https://developer.mozilla.org/ja/docs/Web/HTTP/X-Frame-Options
- 11213 – HTTP TRACE / TRACK Methods Allowed
  - /etc/httpd/conf/httpd.conf
  - Add TraceEnable off somewhere in the file (e.g. as the last line)
  - Reference: https://qiita.com/tukiyo3/items/2eefc998d2adaf17794a
- 40984 – Browsable Web Directories
  - /etc/httpd/conf/httpd.conf or
  - /etc/httpd/conf.d/vhost.conf
  - Remove Indexes from the Options directive
  - Example: Options Indexes FollowSymLinks => Options FollowSymLinks
- 42873 – SSL Medium Strength Cipher Suites Supported
- 65821 – SSL RC4 Cipher Suites Supported (Bar Mitzvah)
  - /etc/httpd/conf.d/vhost.conf
  - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!DH
  - /etc/dovecot/conf.d/10-ssl.conf
  - ssl_cipher_list = HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!DH
- 46803 – PHP expose_php Information Disclosure
  - /etc/php.ini
  - expose_php = off (note: this changes the default setting)
- 58751 – SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability (BEAST)
  - /etc/httpd/conf.d/vhost.conf
  - SSLProtocol -all +TLSv1.1 +TLSv1.2
- 70658 – SSH Server CBC Mode Ciphers Enabled
- 90317 – SSH Weak Algorithms Supported
  - /etc/ssh/sshd_config
  - Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
- 88098 – Apache Server ETag Header Information Disclosure
  - /etc/httpd/conf/httpd.conf
  - Add FileETag None
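As an added check that is not part of the original memo, the bash function below audits Apache config files for the httpd items listed above (85582, 11213, 40984, 88098, 58751 and 42873/65821) and reports each setting that is still missing or weak; the file paths are passed as arguments and the function name is my own.

```bash
#!/bin/bash
# Added audit helper (not part of the original memo): checks Apache config
# files for the httpd hardening items listed in the notes and prints each
# one that is missing or still weak. Returns the number of findings (0 = ok).
# Usage: audit_httpd_conf /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/vhost.conf

audit_httpd_conf() {
    # Merge all given files and drop comment lines, since a directive may
    # live in either httpd.conf or vhost.conf.
    local conf findings=0
    conf=$(cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#')

    # 85582 Clickjacking: an X-Frame-Options header must be emitted.
    if ! printf '%s\n' "$conf" | grep -Eiq 'Header[[:space:]]+always[[:space:]]+(append|set)[[:space:]]+X-Frame-Options'; then
        echo "85582: add 'Header always append X-Frame-Options SAMEORIGIN'"; findings=$((findings + 1))
    fi
    # 11213 TRACE/TRACK: TraceEnable off must be set.
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+off'; then
        echo "11213: add 'TraceEnable off'"; findings=$((findings + 1))
    fi
    # 40984 Browsable directories: any Options line that still enables Indexes
    # ('Indexes' or '+Indexes'; '-Indexes' is fine).
    if printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*Options[[:space:]]' | grep -Eiq '(^|[[:space:]+])Indexes'; then
        echo "40984: remove 'Indexes' from Options"; findings=$((findings + 1))
    fi
    # 88098 ETag inode leak: FileETag None must be set.
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*FileETag[[:space:]]+None'; then
        echo "88098: add 'FileETag None'"; findings=$((findings + 1))
    fi
    # 58751 BEAST: SSLProtocol must disable everything, then enable only TLS 1.1/1.2.
    if ! printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*SSLProtocol[[:space:]]+-all([[:space:]]+[+]TLSv1[.][12])+[[:space:]]*$'; then
        echo "58751: set 'SSLProtocol -all +TLSv1.1 +TLSv1.2'"; findings=$((findings + 1))
    fi
    # 42873 / 65821: the cipher string must exclude both RC4 and 3DES.
    if ! printf '%s\n' "$conf" | grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' | grep '!RC4' | grep -q '!3DES'; then
        echo "42873/65821: add '!3DES:!RC4' to SSLCipherSuite"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Run directly: audit the files named on the command line.
if [ "$#" -gt 0 ]; then
    audit_httpd_conf "$@"
fi
```

The exit status equals the number of findings, so the function can gate a deployment script before the real Nessus scan runs.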
- 10539 – DNS Server Recursive Query Cache Poisoning Weakness
- 12217 – DNS Server Cache Snooping Remote Information Disclosure
- 35450 – DNS Server Spoofed Request Amplification DDoS
- 161948 – Apache 2.4.x < 2.4.54 Multiple Vulnerabilities
  - https://kojihub.stream.centos.org/koji/buildinfo?buildID=27763
- 170113 – Apache 2.4.x < 2.4.55 Multiple Vulnerabilities
  - https://kojihub.stream.centos.org/koji/buildinfo?buildID=27763
To build a public-facing server, it has to pass a Nessus scan. I am leaving these notes so that no setting gets forgotten. They assume a Windows Server 2012 environment.
Windows Server 2012 SSL
- References
  - https://garafu.blogspot.jp/2014/03/windows-servier-2012.html
  - http://mizunolab.sist.ac.jp/2017/04/windows-server-2012-r2upki.html
  - https://www.sidorenko.io/post/2014/02/secure-ssl-configuration-for-apache-postfix-dovecot/