1. nginx error responses to OPTIONS requests disclose the nginx version
Add the following to the nginx configuration:
    server_tokens off;
This hides the nginx version.
2. Tomcat 404, 504 and other error pages disclose the Tomcat version number
Add the following to web.xml:
    <error-page>
        <error-code>404</error-code>
        <location>/404.html</location>
    </error-page>
Then place a 404.html page in the root of the project.
3. The Druid monitoring console is reachable from the public internet
The original configuration in web.xml is as follows:
    <servlet>
        <servlet-name>DruidStatView</servlet-name>
        <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>DruidStatView</servlet-name>
        <url-pattern>/druid/*</url-pattern>
    </servlet-mapping>
Change it to add an IP whitelist and a username/password login, so the console can only be reached from the listed addresses and only after logging in:
    <servlet>
        <servlet-name>DruidStatView</servlet-name>
        <servlet-class>com.alibaba.druid.support.http.StatViewServlet</servlet-class>
        <init-param>
            <!-- IP whitelist -->
            <param-name>allow</param-name>
            <param-value>127.0.0.1</param-value>
        </init-param>
        <init-param>
            <!-- username -->
            <param-name>loginUsername</param-name>
            <param-value>admin</param-value>
        </init-param>
        <init-param>
            <!-- password -->
            <param-name>loginPassword</param-name>
            <param-value>mydruid</param-value>
        </init-param>
    </servlet>
    <servlet-mapping>
        <servlet-name>DruidStatView</servlet-name>
        <url-pattern>/druid/*</url-pattern>
    </servlet-mapping>
4. Some cookies are set without the HttpOnly or Secure attribute
Add a filter that intercepts every request and re-sends the request's cookies with the Secure and HttpOnly attributes set (a cookie that is first created in a response, such as a new JSESSIONID, is only covered from the following request on):
package com.zjasm.filter;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * Servlet Filter implementation class CookieFilter
 *
 * Fixes the "cookie lacks HttpOnly" and "cookie lacks Secure" findings by
 * re-sending every cookie received on the request with both flags set.
 */
@WebFilter(filterName = "cookieFilter", urlPatterns = {"/*"})
public class CookieFilter implements Filter {

    /**
     * Default constructor.
     */
    public CookieFilter() {
    }

    /**
     * @see Filter#destroy()
     */
    public void destroy() {
    }

    /**
     * @see Filter#doFilter(ServletRequest, ServletResponse, FilterChain)
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie cookie : cookies) {
                // Request cookies carry only name=value (no Path/Domain), so the
                // re-sent cookie is scoped to the browser's default path for this request.
                String value = cookie.getValue();
                StringBuilder builder = new StringBuilder();
                builder.append(cookie.getName() + "=" + value + ";");
                builder.append("Secure;");   // set the Secure flag
                builder.append("HttpOnly;"); // set the HttpOnly flag
                // Optional expiry (disabled):
                // Calendar cal = Calendar.getInstance();
                // cal.add(Calendar.HOUR, 1);
                // Date date = cal.getTime();
                // Locale locale = Locale.CHINA;
                // SimpleDateFormat sdf = new SimpleDateFormat("dd-MM-yyyy HH:mm:ss", locale);
                // builder.append("Expires=" + sdf.format(date));
                resp.addHeader("Set-Cookie", builder.toString());
            }
        }
        // X-Frame-Options belongs on every response exactly once, not once per cookie
        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
        chain.doFilter(request, response);
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig fConfig) throws ServletException {
    }
}
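A check for the fixes in items 1, 2 and 4 above, added here as an example and not part of the original notes: it parses a raw HTTP response (the two samples are constructed, not captured from any host) and reports a version in the Server header or error-page body, cookies missing Secure or HttpOnly, and a missing X-Frame-Options header.

```python
import re
# Matches a product/version token such as "nginx/1.18.0" or "Apache Tomcat/8.5.4"
VERSION_RE = re.compile(r"(?:nginx|Apache Tomcat)/\d[\w.]*", re.I)

# Constructed sample responses (not captured from any real host)
SAMPLE_BEFORE = (
    "HTTP/1.1 404 Not Found\n"
    "Server: nginx/1.18.0\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; HttpOnly\n"
    "Set-Cookie: theme=dark; Path=/\n"
    "\n"
    "<h1>HTTP Status 404</h1><h3>Apache Tomcat/8.5.4</h3>\n"
)
SAMPLE_AFTER = (
    "HTTP/1.1 404 Not Found\n"
    "Server: nginx\n"
    "Set-Cookie: JSESSIONID=ABC123; Path=/; Secure; HttpOnly\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\n"
    "X-Frame-Options: SAMEORIGIN\n"
    "\n"
    "<h1>Page not found</h1>\n"
)

def split_response(raw):
    # Return ([(lower_name, value), ...], body) for one raw HTTP response
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = []
    for line in head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body

def audit_response(raw):
    """List the hardening gaps the notes address; an empty list means clean."""
    headers, body = split_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and VERSION_RE.search(value):
            findings.append(f"Server header discloses version: {value}")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for flag in ("Secure", "HttpOnly"):
                if flag.lower() not in attrs:
                    findings.append(f"cookie {cookie} missing {flag}")
    if "x-frame-options" not in {n for n, _ in headers}:
        findings.append("missing X-Frame-Options header")
    if match := VERSION_RE.search(body):  # e.g. the default Tomcat error page
        findings.append(f"body discloses version: {match.group(0)}")
    return findings
```

Run it against the response of a 404 URL and an OPTIONS request before and after applying the fixes; the hardened sample returns no findings.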
5. Adding an nginx 404 page
If the 404 is produced by Tomcat and passes through nginx, nginx must be configured to intercept upstream error responses:
    proxy_intercept_errors on;
404 page configuration: root is the path of the nginx root directory, and the 404 page is placed in its html directory:
    error_page 404 /404.html;
    location = /404.html {
        root html;
    }
6. Tomcat startup environment error
Open catalina.bat (Windows) and set the JDK environment below the setlocal line:
    set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_91
    set JRE_HOME=C:\Program Files\Java\jdk1.8.0_91\jre
7. Tomcat runs out of memory
In catalina.bat, below the line "rem ----- Execute The Requested Command ---------------", add:
    set JAVA_OPTS=-server -Xms800m -Xmx800m -XX:NewSize=256M -XX:PermSize=256M -XX:MaxNewSize=512m -XX:MaxPermSize=512m
Note that -XX:PermSize and -XX:MaxPermSize only apply to JDK 7 and earlier; JDK 8 replaced the permanent generation with Metaspace and ignores these two options with a warning.
8. Tomcat version disclosure
Unpack catalina.jar, edit ServerInfo.properties under org\apache\catalina\util and remove the version string, then repackage the jar (here the unpacked contents are assumed to be in the bin directory):
    jar cvf catalina.jar -C bin .
According to third-party security intelligence, the polkit pkexec local privilege escalation vulnerability (CVE-2021-4034) can be exploited to give unprivileged users root privileges; please remediate as soon as possible. Remediation advice:
1. No official fix package has been released yet; remove the SUID bit from pkexec with the following command to mitigate the risk until a patched package is available:
    chmod 0755 /usr/bin/pkexec
2. CentOS 7 users can fix it with yum update polkit; CentOS 5, 6 and 8 have reached end of life (EOL) and should no longer be used;
3. RedHat users should contact Red Hat for the security update source and then run yum update polkit;
4. Ubuntu 18.04 LTS and Ubuntu 20.04 LTS users can fix it with apt update policykit-1; Ubuntu 14.04, 16.04 and 12.04 have reached end of life (EOL), a fix requires purchasing Ubuntu ESM (Extended Security Maintenance), and they should no longer be used;
5. Users of other Linux distributions should contact the vendor for a fixed package source.