Security Vulnerability Remediation Solutions

Source: Internet
Author: User
Tags: ftp, login, snmp, ssh, server, apache, tomcat

Note: all of the following actions must be confirmed against the actual environment before they are carried out.
1. OpenSSH-related vulnerabilities
Solution:

Upgrade OpenSSH to the latest version (currently 5.9). First download openssh-5.9p1.tar.gz from the official site (http://www.openssh.com/portable.html#http).

Upload the OpenSSH tarball to the server and check the version before upgrading (all of the following is done as root):

shell> ssh -V # shows the detailed version numbers of OpenSSL and OpenSSH

Install OpenSSH:

shell> tar xvf openssh-5.9p1.tar.gz

shell> cd openssh-5.9p1

shell> sed -i -E 's/_5.9//' version.h # removes the version number from the banner that sshd/ssh report

Check whether the dependency packages are installed:

shell> rpm -qa | grep zlib # if zlib and zlib-devel are listed, continue; otherwise install them first and then continue.

shell> ./configure --sysconfdir=/etc/ssh

shell> make && make install

Configure the service:

shell> /bin/cp /usr/local/sbin/sshd /etc/init.d/sshd

shell> mkdir /root/ssh_bak # create a backup directory

shell> mv /etc/ssh/* /root/ssh_bak/ # move the old configuration to the backup directory

shell> /bin/cp /usr/local/etc/* /etc/ssh/

shell> sed -e '[email protected]/usr/bin/ssh-keygen.*@#@' /etc/init.d/sshd

shell> /etc/init.d/sshd restart

shell> ssh -V # if OpenSSHp1 is reported (the version number was removed from the banner by the sed edit to version.h above), the OpenSSH upgrade succeeded.



2. /robots.txt file exists on the remote web server
Solution:

The file can simply be deleted (see http://zh.wikipedia.org/wiki/Robots.txt).



3. ICMP timestamp request response vulnerability
Solution:

shell> echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

shell> echo 'echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all' >> /etc/rc.local

Windows Server 2008 Reference: Http://hi.baidu.com/%BA%D3%C4%CF%CD%F8%C2%B7/blog/item/91076a62831cdb4aebf8f807.html

Windows Server 2003 Reference: http://zhidao.baidu.com/question/41992099
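The two commands above set the flag for the running kernel and append the same command to /etc/rc.local so that it survives a reboot. As an added example (not part of the original post), the following POSIX shell functions do the same thing idempotently, so that running the script again does not append a duplicate line to rc.local each time. The file paths are parameters (an assumption made here so the functions can be exercised against scratch files); in real use they are /proc/sys/net/ipv4/icmp_echo_ignore_all and /etc/rc.local.

```shell
#!/bin/sh
# Added example: persist the ICMP setting from item 3 without creating
# duplicate rc.local lines. Paths are parameters so the functions can be
# run against scratch files; real use:
#   ignore_icmp_echo /proc/sys/net/ipv4/icmp_echo_ignore_all /etc/rc.local

# Append LINE to FILE only if FILE does not already contain it as a
# whole line (fixed-string, exact match). Creates FILE if missing.
append_once() {
    file="$1"; line="$2"
    [ -f "$file" ] || : > "$file"
    grep -Fqx -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Print the current value of a /proc/sys style flag file (0 or 1).
read_flag() {
    tr -d '[:space:]' < "$1"
}

# Set the flag in the running kernel and persist the same command in
# the rc.local-style file given as the second argument.
ignore_icmp_echo() {
    flag="$1"; rc="$2"
    echo 1 > "$flag"
    append_once "$rc" "echo 1 > $flag"
}

# Stand-alone run against constructed scratch files (not the live
# /proc and /etc paths): the second call must change nothing.
demo_dir=$(mktemp -d)
printf '0\n' > "$demo_dir/icmp_echo_ignore_all"
printf '#!/bin/sh\n' > "$demo_dir/rc.local"
ignore_icmp_echo "$demo_dir/icmp_echo_ignore_all" "$demo_dir/rc.local"
ignore_icmp_echo "$demo_dir/icmp_echo_ignore_all" "$demo_dir/rc.local"
echo "flag=$(read_flag "$demo_dir/icmp_echo_ignore_all")"
cat "$demo_dir/rc.local"
rm -rf "$demo_dir"
```

One caveat worth checking after applying this item: icmp_echo_ignore_all makes the kernel ignore ICMP echo requests (type 8), which also stops ping from working; the finding reported by the scanner concerns ICMP timestamp requests (type 13), which are usually filtered with a host or network firewall rule (for example an iptables rule matching `-p icmp --icmp-type timestamp-request`). Re-run the scan after the change to confirm the finding is actually cleared.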



4. Apache Tomcat-related vulnerabilities
Solution:

According to the security vendor's advisory (http://www.ocert.org/advisories/ocert-2011-003.html), the affected Tomcat versions are:

<= 5.5.34, <= 6.0.34, <= 7.0.22. The Tomcat versions without the vulnerability are: 5.5.35, >= 6.0.35, >= 7.0.23.

Go to http://tomcat.apache.org/index.html and download the corresponding Tomcat version: for example, if you are using Tomcat 5.5.34, download Tomcat 5.5.35;

if you are using Tomcat 6.0.34, download Tomcat 6.0.35, and so on.

4.1 Apache Tomcat sendfile request security restriction bypass and denial-of-service vulnerability: this vulnerability is also fixed by the version upgrade described above. For details, see the official explanation:

http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.35 and http://secunia.com/advisories/45232/



5. SNMP service has a readable password
Solution:

Follow the procedure given in the vulnerability scan results; if there is any difficulty, ask colleagues on the system team.



6. RPC-related vulnerabilities
Solution:

(Confirm with the project group that NFS is not used before carrying this out.)

shell> /etc/init.d/portmap stop && chkconfig portmap off

shell> /etc/init.d/rpcidmapd stop && chkconfig rpcidmapd off

shell> /etc/init.d/nfslock stop && chkconfig nfslock off
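The parenthetical instruction to confirm that NFS is not in use is the important part of this item: portmap is needed by NFS clients and servers, so stopping it on a host that exports or mounts NFS shares breaks them. As an added example (not part of the original post), the following POSIX shell functions check the two usual indicators, a non-empty /etc/exports and an nfs/nfs4 entry in /proc/mounts, and print the stop commands only when neither is found. The paths are parameters (an assumption made here) so the check can run against constructed copies; the stand-alone run at the bottom uses scratch files rather than the live system.

```shell
#!/bin/sh
# Added example for item 6: decide whether the RPC services may be
# stopped by checking for NFS use first. Real use:
#   rpc_stop_plan /etc/exports /proc/mounts

# True (0) if the exports file lists at least one non-comment,
# non-blank line, i.e. this host is an NFS server.
has_exports() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# True (0) if any mounted filesystem is nfs or nfs4 (third field of
# /proc/mounts), i.e. this host is an NFS client.
has_nfs_mounts() {
    [ -r "$1" ] && awk '$3 == "nfs" || $3 == "nfs4" { found = 1 } END { exit !found }' "$1"
}

# True (0) if either indicator is present.
nfs_in_use() {
    has_exports "$1" || has_nfs_mounts "$2"
}

# Print the stop commands from item 6 when NFS is not in use; print a
# warning and return 1 otherwise. Nothing is stopped by this function.
rpc_stop_plan() {
    if nfs_in_use "$1" "$2"; then
        echo "NFS in use: keep portmap/rpcidmapd/nfslock running and record the reason in the report"
        return 1
    fi
    for svc in portmap rpcidmapd nfslock; do
        echo "/etc/init.d/$svc stop && chkconfig $svc off"
    done
}

# Stand-alone run against constructed scratch files, not the live system.
demo_dir=$(mktemp -d)
printf '# no exports configured\n\n' > "$demo_dir/exports"
printf '/dev/sda1 / ext4 rw 0 0\n' > "$demo_dir/mounts"
rpc_stop_plan "$demo_dir/exports" "$demo_dir/mounts"
rm -rf "$demo_dir"
```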



7. Use of the SMTP/EXPN command to guess user names on the target host
Solution: pending confirmation.



8. Oracle database server "create any directory" privilege escalation vulnerability
Solution: none for the moment.



9. SNMP service can be accessed via SNMPv1
Solution: pending confirmation.



10. Apache HTTP Server-related vulnerabilities
Solution:

Upgrade to Apache HTTP Server 2.2.22 or above. For details see Http://mail-archives.apache.org/mod_mbox/httpd-announce/201201.mbox/browser

That page lists the security vulnerabilities fixed in 2.2.22. Official download: http://www.apache.org/dyn/closer.cgi

10.1 Apache::Status and Apache2::Status module cross-site scripting vulnerability

Http://mail-archives.apache.org/mod_mbox/perl-advocacy/200904.mbox/%[email protected]%3e

10.2 Apache server incomplete HTTP request denial-of-service vulnerability [exact scan]:

Change the value of TimeOut in httpd.conf to 30 seconds.
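Editing httpd.conf by hand is easy to get wrong on a file that already contains a TimeOut line (Apache takes the last occurrence of the directive, so simply appending a second one makes the result depend on ordering). As an added example (not part of the original post), the following POSIX shell functions set the directive to the requested value, replacing an existing one in place and appending only when none exists, and read back the effective value. The configuration path is a parameter (an assumption made here); the stand-alone run below uses a constructed scratch copy with the Apache 2.2 default of TimeOut 300 rather than the real httpd.conf.

```shell
#!/bin/sh
# Added example for item 10.2: set TimeOut in an httpd.conf-style file.
# Real use: set_httpd_timeout /etc/httpd/conf/httpd.conf 30

# Rewrite the first TimeOut directive, drop later duplicates, and append
# one when the file has none. Commented-out lines (#TimeOut ...) are left
# alone because their first field is "#TimeOut", not "TimeOut".
set_httpd_timeout() {
    conf="$1"; secs="${2:-30}"
    case "$secs" in
        ''|*[!0-9]*) echo "TimeOut must be a whole number of seconds" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    awk -v secs="$secs" '
        tolower($1) == "timeout" { if (!done) { print "TimeOut " secs; done = 1 }; next }
        { print }
        END { if (!done) print "TimeOut " secs }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the effective TimeOut value (last directive wins), or an empty
# line when the file has none.
get_httpd_timeout() {
    awk 'tolower($1) == "timeout" { v = $2 } END { print v }' "$1"
}

# Stand-alone run on a constructed scratch copy, not the real httpd.conf.
demo_conf=$(mktemp)
printf 'ServerRoot "/etc/httpd"\nTimeout 300\nKeepAlive On\n' > "$demo_conf"
set_httpd_timeout "$demo_conf" 30
echo "effective TimeOut: $(get_httpd_timeout "$demo_conf")"
rm -f "$demo_conf"
```

After changing the directive, restart or reload httpd so the new value takes effect, and keep the original file in the backup directory so the change can be reverted if legitimate slow clients start failing.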



11. The remote WWW service supports the TRACE request
Solution: see item 10.



12. Oracle tnslsnr has no password set
Solution:

The scan report already gives the detailed steps; alternatively the DBA completes this.



13. The remote FTP service has a guessable user name and password that allow login
Solution:

Check the password complexity of the accounts, for example whether passwords such as 123456 are in use; if a simple password is found, confirm it and then change it.



14. Target host showmount -e information disclosure
Solution:

Verify whether an NFS service is running; if it is, confirm and shut it down. If shutting it down would affect the business, state the reason clearly in the remediation report (but never allow NFS access from the external network).



15. The remote rlogin service is detected running
Solution:

If the system is AIX, state the reason clearly in the remediation report (but do not allow logins from the external network).



16. The ident service is running on the remote host
Solution:

Detailed steps are already in the vulnerability scan report.



17. The remote rsh service is detected running
Solution:

If the system is AIX, state the reason clearly in the remediation report (but do not allow logins from the external network).



18. The remote rexec service is detected running
Solution:

Detailed steps are already in the vulnerability scan report.



19. An open remote proxy server is available
Solution: pending confirmation.



20. The remote web host has a directory traversal vulnerability
Solution: pending confirmation.



21. Remote host allows anonymous FTP login
Solution:

Modify the configuration file so that anonymous login is not allowed. Because there are many types of FTP server, consult colleagues on the system team for the specific steps.



22. FTP server version information can be obtained
No remediation (it would require modifying the source code and recompiling).



23. Remote SSH server allows use of the low-version SSH protocol
Solution:

Follow the steps in the vulnerability scan report, or refer to item 1 and upgrade OpenSSH directly (highly recommended).



24. The remote XDMCP service is detected running
Solution:

Shut down the XDMCP service.



PHP-related vulnerability solutions:

According to Http://www.venustech.com.cn/NewsInfo/124/6459.Html, the affected versions are:

PHP 5.2 <= 5.2.13

PHP 5.3 <= 5.3.2

The best approach at present is to upgrade the PHP version. The latest official stable release is PHP 5.3.10; the highest 5.2.x release is PHP 5.2.17.
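Several items on this page (OpenSSH 5.9 in item 1, Tomcat 5.5.35 / 6.0.35 / 7.0.23 in item 4, Apache HTTP Server 2.2.22 in item 10, and the PHP ranges just above) reduce to the same question: is the installed version below the fixed one? A plain string comparison gets this wrong ("5.9" sorts after "5.10"), so the following POSIX shell functions, an added example that is not part of the original post, compare versions field by field and encode the ranges stated on this page. The ssh -V parsing assumes the stock OpenSSH banner format (OpenSSH_X.Yp1, OpenSSL ...); after the banner-stripping sed step in item 1 the banner no longer carries a version number, so run that check before upgrading. Branches the page does not list return 2 ("not covered") rather than being reported as safe.

```shell
#!/bin/sh
# Added example: numeric version-range checks for the upgrade targets
# stated on this page. Not part of the original post.

# Reduce a version to its leading dotted-numeric part:
# "5.9p1" -> "5.9", "7.0.22-beta" -> "7.0.22".
ver_num() {
    printf '%s' "$1" | sed 's/[^0-9.].*//'
}

# ver_cmp A B prints lt, eq or gt as A <, =, > B, comparing each dotted
# field numerically; missing trailing fields count as 0 (6.0 == 6.0.0).
ver_cmp() {
    a=$(ver_num "$1"); b=$(ver_num "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# ver_le A B: true (0) when A <= B.
ver_le() {
    case $(ver_cmp "$1" "$2") in lt|eq) return 0 ;; *) return 1 ;; esac
}

# Item 1: extract the version from `ssh -V` output such as
# "OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010" (constructed sample).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# True (0) when the banner parses and the version is below 5.9.
openssh_needs_upgrade() {
    v=$(openssh_version "$1")
    [ -n "$v" ] && [ "$(ver_cmp "$v" 5.9)" = lt ]
}

# Item 4: last vulnerable release per Tomcat branch.
# Returns 0 = vulnerable, 1 = fixed, 2 = branch not listed on this page.
tomcat_vulnerable() {
    case "$1" in
        5.5.*) ver_le "$1" 5.5.34 ;;
        6.0.*) ver_le "$1" 6.0.34 ;;
        7.0.*) ver_le "$1" 7.0.22 ;;
        *) return 2 ;;
    esac
}

# PHP section: affected ranges 5.2 <= 5.2.13 and 5.3 <= 5.3.2.
php_vulnerable() {
    case "$1" in
        5.2.*) ver_le "$1" 5.2.13 ;;
        5.3.*) ver_le "$1" 5.3.2 ;;
        *) return 2 ;;
    esac
}

# Item 10: anything below 2.2.22 needs the upgrade.
httpd_needs_upgrade() {
    [ "$(ver_cmp "$1" 2.2.22)" = lt ]
}

# Stand-alone run: report on the locally installed ssh client, if any.
if command -v ssh >/dev/null 2>&1; then
    if openssh_needs_upgrade "$(ssh -V 2>&1)"; then
        echo "OpenSSH below 5.9: upgrade per item 1"
    else
        echo "OpenSSH at or above 5.9 (or banner without a version number)"
    fi
fi
```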

Reprinted from: http://blog.163.com/hlz_2599/blog/static/14237847420126911747599/
