Apache security hardening: fixing the weak SSL/TLS cipher vulnerability (medium) and disabling the TRACE/TRACK methods (high)

First, the scanner's screenshots of the findings (images not preserved): the TRACE/TRACK methods finding (high) and the weak SSL/TLS ciphers finding (medium).

Below is the detailed fix. The configuration went through several revisions before the scanner finally reported both vulnerabilities as resolved.

Security configuration 1: block TRACE/TRACK with mod_rewrite in .htaccess

[root@liulingli html]# find / -name .htaccess

/var/www/html/wp-content/cache/autoptimize/.htaccess

vim /var/www/html/wp-content/cache/autoptimize/.htaccess

Add the following five lines. Note that a .htaccess file only governs requests under its own directory, here the Autoptimize plugin cache, so this rule alone does not block TRACE for the whole site; the server-level rule in security configuration 3 does that, and Apache 2.0.55 and later also provide the single directive TraceEnable off in httpd.conf. RewriteEngine in a .htaccess file also requires AllowOverride to include FileInfo for that directory.

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>

The space between %{REQUEST_METHOD} and ^(TRACE|TRACK) and the spaces around the "-" in the RewriteRule are required; without them the directives have the wrong number of arguments and every request under this directory answers 500 Internal Server Error instead of 403 for TRACE.

Restart httpd:

[root@liulingli html]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

Security configuration 2: disable TCP timestamps

echo "net.ipv4.tcp_timestamps = 0" >> /etc/sysctl.conf

sysctl -p

This is the usual remediation for the low-severity TCP timestamps finding (remote uptime estimation) and is unrelated to the two findings in the title. Turning timestamps off also disables PAWS (protection against wrapped sequence numbers) and timestamp-based RTT measurement, which matters on busy high-bandwidth links, so weigh that against the disclosure. Confirm the new value with sysctl net.ipv4.tcp_timestamps.

Security configuration 3: restrict SSL/TLS protocols and ciphers in ssl.conf

vim /etc/httpd/conf.d/ssl.conf

Original configuration:

#   SSL Protocol support:

# List the enable protocol levels with which clients will be able to

# connect.  Disable SSLv2 access by default:

SSLProtocol all -SSLv2

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

Change it to the following:

SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLHonorCipherOrder on

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!MD5:!DSS:!RC4

SSLHonorCipherOrder on makes the server's order win, so the ECDHE GCM suites listed first are chosen whenever the client supports them. The two RC4 suites still named in the string (ECDHE-RSA-RC4-SHA and RC4-SHA) are cancelled by the trailing !RC4, so RC4 is not offered even though it appears in the list. Note that all -SSLv2 -SSLv3 still leaves TLS 1.0 and TLS 1.1 enabled; current scanners flag those as well, and on a build that supports it SSLProtocol -all +TLSv1.2 (plus +TLSv1.3 where available) is the stricter setting.

Also add the following three lines inside the HTTPS <VirtualHost> block of ssl.conf, just before its closing </VirtualHost>. mod_rewrite must be loaded. Unlike the .htaccess rule in security configuration 1, this covers every HTTPS request whatever directory it targets; if the scanner also flagged TRACE on port 80, put the same three lines in that virtual host too, or set TraceEnable off globally instead.

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>

service httpd restart

Note the space after } in the RewriteCond line, between %{REQUEST_METHOD} and ^(TRACE|TRACK). Without it RewriteCond receives a single argument, the configuration fails its syntax check and httpd will not restart; apachectl configtest reports this before a restart is attempted. Before re-running the scanner, curl -k -i -X TRACE https://<host>/ should now return 403 Forbidden, and nmap --script ssl-enum-ciphers -p 443 <host> should list neither SSLv3 nor any RC4 suite.
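As an added example (not code from the original post or from Apache), the following Python script applies the checks above offline to the before and after configurations: it expands SSLProtocol the way Apache does, checks SSLHonorCipherOrder, accepts either TraceEnable off or the post's RewriteCond/RewriteRule pair for TRACE, and resolves the SSLCipherSuite string through the local OpenSSL (Python's ssl module), which is how the trailing !RC4 can be seen to cancel the RC4 entries. It goes a little beyond the post by also flagging TLS 1.0 and 1.1. KNOWN_PROTOCOLS is an assumption about what "all" expands to on the audited build, and the three snippets are constructed from the post's configurations plus a TLS 1.2-only variant. Because the local OpenSSL does the resolving, a modern build that no longer ships RC4 will report no RC4 suite even for the original string: what a scanner sees depends on the server's OpenSSL, not on the cipher string alone.

```python
"""Offline audit of the Apache directives this post edits.

Added example, not code from the original post or from Apache. It parses
SSLProtocol, SSLHonorCipherOrder, SSLCipherSuite, TraceEnable and the
TRACE/TRACK RewriteCond/RewriteRule pair from a config snippet, then asks the
local OpenSSL (through Python's ssl module) which suites the SSLCipherSuite
string really selects. KNOWN_PROTOCOLS is an assumption about what "all"
expands to on the build being audited; adjust it to your httpd/OpenSSL version.
"""
import re
import ssl

# Assumed expansion of "SSLProtocol all" for the build under audit.
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_SUITE_MARKERS = ("RC4", "MD5", "NULL", "EXP", "DES-CBC3")
_PROTO_BY_LOWER = {p.lower(): p for p in KNOWN_PROTOCOLS}
# The post's rewrite pair: RewriteCond on the method, then an unconditional 403.
_TRACE_REWRITE = re.compile(
    r"RewriteCond\s+%\{REQUEST_METHOD\}\s+\^\(TRACE\|TRACK\)\s+RewriteRule\s+\.\*\s+-\s+\[F\]")

# Constructed snippets: the post's original ssl.conf, its fixed version, and a stricter one.
BEFORE_CONF = """
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
"""
AFTER_CIPHERS = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
                 "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:"
                 "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:"
                 "!aNULL:!MD5:!DSS:!RC4")
AFTER_CONF = f"""
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite {AFTER_CIPHERS}
RewriteEngine on
RewriteCond %{{REQUEST_METHOD}} ^(TRACE|TRACK)
RewriteRule .* - [F]
"""
STRICT_CONF = f"""
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite {AFTER_CIPHERS}
TraceEnable off
"""


def directive(conf, name):
    """Argument string of the last uncommented `name` directive, or None if absent."""
    value = None
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and parts[0].lower() == name.lower():
            value = parts[1].strip() if len(parts) > 1 else ""
    return value


def enabled_protocols(ssl_protocol):
    """Expand an SSLProtocol value such as 'all -SSLv2 -SSLv3' or '-all +TLSv1.2'.

    Apache semantics: '+' adds, '-' removes, a bare name adds, 'all' is every protocol.
    A missing directive is treated as 'all' (assumption; newer httpd defaults differ).
    """
    enabled = set()
    for tok in (ssl_protocol or "all").split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = (KNOWN_PROTOCOLS if name.lower() == "all"
                 else [_PROTO_BY_LOWER.get(name.lower(), name)])
        if op == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return [p for p in KNOWN_PROTOCOLS if p in enabled]


def effective_ciphers(cipher_suite):
    """TLS <= 1.2 suites the local OpenSSL actually selects for an SSLCipherSuite string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_suite)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(conf):
    """Findings for a snippet; an empty list means it passes every check here."""
    findings = [f"weak protocol enabled: {p}"
                for p in enabled_protocols(directive(conf, "SSLProtocol")) if p in WEAK_PROTOCOLS]
    if (directive(conf, "SSLHonorCipherOrder") or "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on: the client picks the suite")
    suite = directive(conf, "SSLCipherSuite")
    if suite:
        findings += [f"weak cipher suite offered: {n}" for n in effective_ciphers(suite)
                     if any(m in n for m in WEAK_SUITE_MARKERS)]
    # TRACE is on by default; accept either TraceEnable off or the post's rewrite pair.
    trace_off = (directive(conf, "TraceEnable") or "on").lower() == "off"
    if not trace_off and not _TRACE_REWRITE.search(conf):
        findings.append("TRACE enabled: no 'TraceEnable off' and no TRACE/TRACK rewrite rule")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF), ("tls1.2 only", STRICT_CONF)):
        print(f"{label}: {audit(conf) or 'clean'}")
```

Running it prints the findings for each snippet: the original configuration is flagged for SSLv3, TLS 1.0/1.1, client-chosen cipher order and TRACE; the post's fix clears SSLv3, RC4 and TRACE but still shows TLS 1.0 and 1.1; the TLS 1.2-only variant is clean. To audit a real server, pass the contents of ssl.conf (and httpd.conf for TraceEnable) to audit() instead of the constructed snippets.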

Re-scanning the site shows that both the high and the medium findings are gone. (Re-scan screenshots not preserved.)

It took ten rounds of edits and re-scans to reach this result.
