I. Slow HTTP Denial of Service Attack
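This is what is commonly called a DDoS attack, and there are several ways to mitigate it.
- Method 1: on Apache, install the mod_antiloris module.
1. Download the file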
cd /usr/local/src
wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2
tar -xvjf mod_antiloris-0.4.tar.bz2
cd mod_antiloris-*
apxs -a -i -c mod_antiloris.c
2. Restart Apache
service httpd restart
3. Check that mod_antiloris is loaded
httpd -M | grep antiloris
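- Method 2: change the firewall rules
# Drop connections to port 80 once a single source address (/32) has more than 20 open; the IPv4 mask range is 0-32
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP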
II. RC4 cipher suites detected, SSL weak ciphers
Add the following settings to the conf file:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# Compression is disabled by default on my distribution (CentOS 6)
# SSLCompression off
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
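To confirm that this cipher string really excludes RC4 and export-grade (FREAK) suites, the following added example (not part of the original post) expands it with Python's `ssl` module and flags weak suites by name. The function names are my own, and the result reflects the OpenSSL build linked into Python, which may differ from the one Apache uses.

```python
import ssl

# Cipher string copied from the SSLCipherSuite line on this page.
PAGE_CIPHERS = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
                "DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:"
                "!aNULL:!MD5:!DSS")

# Name tokens that mark a suite as weak (OpenSSL suite naming).
WEAK_TOKENS = {
    "RC4": "RC4",
    "NULL": "no encryption",
    "ADH": "anonymous key exchange",
    "AECDH": "anonymous key exchange",
    "MD5": "MD5",
}


def weak_reasons(suite_name):
    """Return the reasons an OpenSSL suite name is considered weak."""
    reasons = []
    for token in suite_name.split("-"):
        if token.startswith("EXP"):      # EXP, EXP1024: export grade (FREAK)
            reasons.append("export")
        elif token in WEAK_TOKENS:
            reasons.append(WEAK_TOKENS[token])
    return reasons


def expand(cipher_string):
    """Expand a cipher string with the OpenSSL build linked into Python."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)       # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Map each weak suite enabled by cipher_string to its reasons."""
    found = {}
    for name in expand(cipher_string):
        reasons = weak_reasons(name)
        if reasons:
            found[name] = reasons
    return found


if __name__ == "__main__":
    names = expand(PAGE_CIPHERS)
    print(f"{len(names)} suites enabled by the local OpenSSL build")
    for name, reasons in audit(PAGE_CIPHERS).items():
        print("WEAK", name, ", ".join(reasons))
```

An empty audit result means no RC4, export, NULL, anonymous or MD5 suites are enabled by the string on this OpenSSL build.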
III. The FREAK attack (export cipher suites supported)
IV. SSL certificate public key less than 2048 bit
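# Generate a 2048-bit RSA private key (no passphrase)
openssl genrsa -out test.key 2048
# Or: generate the key encrypted with a 3DES passphrase
openssl genrsa -des3 -out test.key 2048
# Create the certificate signing request from the key
openssl req -new -key test.key -out test.csr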