Apache version: Apache 2.2.3, installation directory /usr/local/apache2
Vulnerability 1: the scan found that the TRACE method is enabled on the target server.
Fix: add TraceEnable off at the end of /usr/local/apache2/conf/httpd.conf.
Restart Apache:
cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start
Scan again: the vulnerability is gone.
========================================================
Vulnerability 2: the scan reports that the target host may be susceptible to slow HTTP denial-of-service attacks.
The fix found by searching Baidu:
Limit the maximum time the web server allows for the transfer of HTTP headers by adding the following configuration to /usr/local/apache2/conf/httpd.conf:
RequestReadTimeout header=5-40,MinRate=500 body=20,MinRate=500
Restart Apache:
cd /usr/local/apache2/bin/
./apachectl stop
./apachectl start
Scan again: the vulnerability is still there.
It looks like the configuration did not take effect: reqtimeout_module has to be loaded first so that the conditional block containing the directive is entered.
Add LoadModule reqtimeout_module modules/mod_reqtimeout.so to the httpd.conf file above.
Restarting gives an error: the module could not be found.
Go into the modules directory:
cd /usr/local/apache2/modules
There is no mod_reqtimeout.so in it.
There are two ways to add this module:
1. Reinstall Apache and include the module in the installation
2. Do not reinstall; add only the required new module
Since this is a running production machine, the second option was chosen without hesitation. The process is as follows:
Loading a new module without reinstalling Apache:
Go to the root directory and check the version and build settings:
[root@localhost /]# httpd -V
Server version: Apache/2.2.3
Server built:   Apr 9 2010 15:05:43
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
Then find the directory that holds the module's source code:
[root@localhost /]# find . -name "mod_reqtimeout*"
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html.en
./app/httpd-2.2.25/docs/manual/mod/mod_reqtimeout.html
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dep
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.mak
./app/httpd-2.2.25/modules/filters/mod_reqtimeout.dsp
So the source file is ./app/httpd-2.2.25/modules/filters/mod_reqtimeout.c
[root@localhost /]# cd ./app/httpd-2.2.25/modules/filters
[root@localhost filters]#
Compile it to a .o file (apxs lives in the Apache bin directory, /usr/local/apache2/bin):
[root@localhost filters]# /usr/local/apache2/bin/apxs -c mod_reqtimeout.c
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -pthread -I/usr/local/apache2//include -I/usr/include/apr-1 -I/usr/include/apr-1 -c -o mod_reqtimeout.lo mod_reqtimeout.c && touch mod_reqtimeout.slo
/usr/lib64/apr-1/build/libtool --silent --mode=link gcc -o mod_reqtimeout.la -rpath /usr/local/apache2//modules -module -avoid-version mod_reqtimeout.lo
Link it into a shared library:
[root@localhost filters]# gcc -shared -o mod_reqtimeout.so mod_reqtimeout.o
Install it (apxs -A copies the module into the modules directory and adds a commented-out LoadModule line to httpd.conf):
[root@localhost filters]# /usr/local/apache2/bin/apxs -i -A -n mod_reqtimeout mod_reqtimeout.so
/usr/local/apache2//build/instdso.sh SH_LIBTOOL='/usr/lib64/apr-1/build/libtool' mod_reqtimeout.so /usr/local/apache2//modules
/usr/lib64/apr-1/build/libtool --mode=install cp mod_reqtimeout.so /usr/local/apache2//modules/
cp mod_reqtimeout.so /usr/local/apache2//modules/mod_reqtimeout.so
Warning!  dlname not found in /usr/local/apache2//modules/mod_reqtimeout.so.
Assuming installing a .so rather than a libtool archive.
chmod 755 /usr/local/apache2//modules/mod_reqtimeout.so
[preparing module `mod_reqtimeout' in /usr/local/apache2//conf/httpd.conf]
[root@localhost filters]# ls -rlt /usr/local/apache2//modules/mod_reqtimeout.so
-rwxr-xr-x 1 root root 16279 02-18 21:05 /usr/local/apache2//modules/mod_reqtimeout.so
[root@localhost filters]# cd /usr/local/apache2//conf
[root@localhost conf]# diff httpd.conf httpd.conf.bak
434d433
< #LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
[root@localhost conf]# vi httpd.conf
Change the line
#LoadModule mod_reqtimeout_module modules/mod_reqtimeout.so
to
LoadModule reqtimeout_module modules/mod_reqtimeout.so
(the line apxs inserts is commented out and uses the wrong module identifier; the module registers itself as reqtimeout_module) and add
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
Restart Apache and scan again: the vulnerability is gone.
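As an added example, not code from the original post, here is a small Python audit of an httpd.conf that covers both findings above and the exact failure mode hit halfway through: a RequestReadTimeout directive placed inside an <IfModule reqtimeout_module> block is silently skipped while the LoadModule line is still commented out, so the scanner keeps reporting the slow HTTP DoS finding. It goes slightly beyond the post in also understanding the <IfModule mod_reqtimeout.c> spelling and negated (!) conditions. The two sample configuration strings, the Audit class and all function names are assumptions constructed for this demonstration; trace_disabled() is a live check that assumes a reachable host and is not run offline.

```python
"""Audit an httpd.conf for the two findings above (added example, not the post's code).

Checks that TraceEnable off is effective, that reqtimeout_module is really
loaded (an uncommented LoadModule line), and that RequestReadTimeout is not
ignored because it sits in an <IfModule> block whose module is not loaded.
"""
import http.client
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the state after apxs -A, with the LoadModule line still
# commented out, so Apache skips the whole IfModule block below it.
SAMPLE_CONF_BROKEN = """\
LoadModule alias_module modules/mod_alias.so
#LoadModule reqtimeout_module modules/mod_reqtimeout.so
TraceEnable off
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
"""
# Constructed sample: the same file after uncommenting the LoadModule line.
SAMPLE_CONF_FIXED = SAMPLE_CONF_BROKEN.replace(
    "#LoadModule reqtimeout_module", "LoadModule reqtimeout_module")


@dataclass
class Audit:                                  # hypothetical result type
    loaded_modules: set = field(default_factory=set)
    trace_off: bool = False
    read_timeout: Optional[dict] = None       # parsed only when the directive is effective
    skipped_directives: list = field(default_factory=list)


def parse_read_timeout(value: str) -> dict:
    """Parse 'header=20-40,MinRate=500 body=20,MinRate=500' into integer limits."""
    result = {}
    for part in value.split():
        name, _, spec = part.partition("=")
        timeout, _, rate = spec.partition(",")
        lo, _, hi = timeout.partition("-")
        entry = {"initial": int(lo), "max": int(hi) if hi else int(lo)}
        if rate:                              # 'MinRate=500' -> 500 bytes/second
            entry["minrate"] = int(rate.split("=", 1)[1])
        result[name.lower()] = entry
    return result


def module_ident(name: str) -> str:
    """Map the '<IfModule mod_reqtimeout.c>' spelling onto the LoadModule identifier."""
    if name.startswith("mod_") and name.endswith(".c"):
        return name[4:-2] + "_module"
    return name


def audit_conf(text: str) -> Audit:
    a = Audit()
    lines = [line.strip() for line in text.splitlines()]
    # Pass 1: modules that are really loaded; a leading '#' is a comment.
    for s in lines:
        m = re.match(r"LoadModule\s+(\S+)", s, re.I)
        if m:
            a.loaded_modules.add(m.group(1))
    # Pass 2: walk the directives with a stack of IfModule conditions;
    # Apache ignores everything inside a block whose condition is false.
    stack = []
    for s in lines:
        if not s or s.startswith("#"):
            continue
        m = re.match(r"<IfModule\s+(!?)(\S+?)\s*>", s, re.I)
        if m:
            loaded = module_ident(m.group(2)) in a.loaded_modules
            stack.append((not loaded) if m.group(1) == "!" else loaded)
            continue
        if re.match(r"</IfModule\s*>", s, re.I):
            if stack:
                stack.pop()
            continue
        if not all(stack):                    # inside an inactive block
            a.skipped_directives.append(s)
            continue
        if re.match(r"TraceEnable\s+off\b", s, re.I):
            a.trace_off = True
        m = re.match(r"RequestReadTimeout\s+(.+)", s, re.I)
        if m:
            a.read_timeout = parse_read_timeout(m.group(1))
    return a


def findings(text: str) -> list:
    """Return the problems a scanner would still flag for this configuration."""
    a = audit_conf(text)
    issues = []
    if not a.trace_off:
        issues.append("TraceEnable off missing: the TRACE method is still enabled")
    if "reqtimeout_module" not in a.loaded_modules:
        issues.append("reqtimeout_module not loaded: LoadModule line missing or commented out")
    if a.read_timeout is None:
        if any(d.lower().startswith("requestreadtimeout") for d in a.skipped_directives):
            issues.append("RequestReadTimeout sits in an inactive <IfModule> block and is ignored")
        else:
            issues.append("RequestReadTimeout missing: slow HTTP DoS mitigation not configured")
    return issues


def trace_disabled(host: str, port: int = 80) -> bool:
    """Live check for vulnerability 1: with TraceEnable off, Apache answers TRACE with 405."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("TRACE", "/", headers={"Host": host})
        return conn.getresponse().status == 405
    finally:
        conn.close()


if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_CONF_BROKEN), ("fixed", SAMPLE_CONF_FIXED)):
        print(label, findings(conf) or "no findings")
```

Run against the broken sample it reports two issues (module not loaded, RequestReadTimeout ignored), against the fixed sample none; pointing it at the real /usr/local/apache2/conf/httpd.conf before restarting would have caught the commented LoadModule line without a second scan.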