centos7漏洞修复 ICMP timestamp请求响应漏洞 和TLS/SSL 弱的信息验证码密码套件

一 ICMP timestamp请求响应漏洞

修复方法centos系统
ICMP timestamp请求响应漏洞

- 方式一
firewall-cmd --add-icmp-block=time-exceeded --permanent

- 方式二
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-request -m comment --comment "deny ICMP timestamp" -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type timestamp-reply -m comment --comment "deny ICMP timestamp" -j DROP

二 Traceroute探测漏洞

- 方式一
firewall-cmd --add-icmp-block=timestamp-reply --permanent
firewall-cmd --add-icmp-block=timestamp-request --permanent
- 方式二
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p ICMP --icmp-type 11 -m comment --comment "deny traceroute" -j DROP
 

四、防火墙支持的类型

firewall-cmd --get-icmptypes

 

五、重启生效扩展指令

 

# 重新加载生效
firewall-cmd --reload

查看规则
firewall-cmd --direct --get-all-rules


检查新添加的规则是否有效，检查命令：iptables -L -n

三 TLS/SSL 弱的信息验证码密码套件

宝塔用户找到网站配置文件

ssl_protocols TLSv1 TLSv1.1 TLSv1.2修改为

ssl_protocols TLSv1.2 TLSv1.3

删除TLSv1 TLSv1.1 


激进做法只郧西tls1.3加密

ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:!MD5;

TLSv1.2 TLSv1.3

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';