
服务器漏洞处理、安全加固


一、linux安全加固

1.重命名root账户

vi /etc/passwd 
jqadmin:x:0:0:root:/root:/bin/bash

vi /etc/shadow
jqadmin:$6$oqeq9zUV$MsYKf.0qhayr6XsHBPhda52nWe02M9.3qtc9G1UCQMtQEuttZerbT2Se/YM3zNDJmyMT/jvgP/mvlQJks2XKO/:19150:0:99999:7:::
#按esc键退出编辑状态,并输入:x!强制保存并退出
#注意:
# 1) 直接用vi改/etc/passwd和/etc/shadow既不加锁也不做格式校验,一个字段写错就会导致所有人无法登录;应改用vipw和vipw -s(会加锁并校验),或用 usermod -l jqadmin root 一次性改名;
# 2) /etc/group、/etc/sudoers、cron、脚本里凡是按"root"这个名字引用的地方都要同步更新,否则改名后相关权限/任务会失效;
# 3) 改名只是增加猜测难度,特权来自UID 0而不是名字,不能用它替代强口令和关闭PermitRootLogin;
# 4) 上面那行以$6$开头的是真实的口令哈希,写进文档/截图前应打码,哈希一旦泄露即可离线暴力破解。

2.配置密码有效期策略和密码复杂度策略

vi /etc/login.defs
#密码的最大有效期  
# Maximum number of days a password may be used (applies only to accounts created after this change)  
PASS_MAX_DAYS 90  
# Minimum number of days between two password changes (stops immediate re-use of the old password)  
PASS_MIN_DAYS   2  
# Minimum password length; when pam_pwquality/pam_cracklib is configured, its minlen takes precedence  
PASS_MIN_LEN  8  
# Days before expiry on which the user is warned at login  
PASS_WARN_AGE 7  
​  
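# The login.defs values above only affect accounts created from now on.
# Existing accounts - root first of all - must be updated with chage, and with
# the SAME limits: the original gave root 180 days, contradicting the 90-day
# PASS_MAX_DAYS configured one step earlier.
chage -M 90 -m 2 -W 7 root
# Apply the same ageing to every other existing local account that actually
# has a password (locked "!"/"*" entries, i.e. system accounts, are skipped).
awk -F: '$2 !~ /^[*!]/ && $1 != "root" { print $1 }' /etc/shadow \
  | while IFS= read -r account; do
      chage -M 90 -m 2 -W 7 "$account"
    done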
​  
vi /etc/pam.d/system-auth  
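# Password quality. On RHEL/CentOS 7 and later pam_pwquality is the maintained
# module and already present in system-auth; pam_cracklib is the legacy module
# for older releases. Exactly ONE of the two lines must be active.
# The original activated the pam_cracklib line, which carried neither retry=
# nor enforce_for_root - so root was only warned about a weak password, never
# refused. Mirror the same line in /etc/pam.d/password-auth (used by sshd),
# and remember that running authconfig rewrites both files.
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=5 enforce_for_root
# Legacy alternative (pam_cracklib, pre-RHEL7), same policy:
#password   required      pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=5 enforce_for_root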
​  
#负数:代表最少出现次数,正数:代表最多出现次数  
#minlen = 8,密码长度至少8位;  
#lcredit=-1,至少包含一个小写字母;  
#ucredit=-1,至少包含一个大写字母;  
#dcredit=-1,至少包含一个数字;  
#ocredit=-1,至少包含一个特殊字符;  
#difok=5,新密码与旧密码相比至少要有5个字符不同(这是"最少不同字符数",不是"最多可重复字符数");  
#enforce_for_root,对root强制执行密码复杂度策略;不加的话root设置弱口令只会收到警告而不会被拒绝。注意这个选项只出现在被注释掉的pam_pwquality那一行上,真正生效的那一行也必须带上它。

3.配置登录失败处理功能

   vi /etc/pam.d/system-auth  
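# Lock an account for 900 s after 5 consecutive failures. pam_tally2 needs BOTH
# lines: the auth line counts failures, the account line resets the counter on
# a successful login (without it the count never clears and users lock
# themselves out over time). Put the auth line first in the auth stack, and
# mirror both in /etc/pam.d/password-auth so sshd logins are covered too.
# even_deny_root also locks root at the console; unlock manually with
#   pam_tally2 -u <user> -r
# On RHEL/CentOS 8+ pam_tally2 no longer exists - use pam_faillock instead.
auth        required      pam_tally2.so even_deny_root deny=5 unlock_time=900
account     required      pam_tally2.so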

4.配置超时自动退出功能

   vi /etc/profile  
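# Log idle shells out after 600 s. readonly + export: without readonly any
# user can simply "unset TMOUT" in their own session and the control is gone;
# export makes child shells inherit it.
TMOUT=600
readonly TMOUT
export TMOUT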

5.未实现管理用户权限分离

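# Role accounts for the operator and the auditor (the sudoers rules that
# separate their rights follow). The account name "operatorer" is kept because
# the sudoers rule below refers to it. Passwords come from the environment -
# e.g. exported by a vault/secret tool - NOT from the script: the original
# hard-coded both, and the auditor's literal " aasd!@#fa1sda " even included
# the surrounding spaces as part of the password.
: "${OPERATOR_PASS:?OPERATOR_PASS must be set}"
: "${AUDITOR_PASS:?AUDITOR_PASS must be set}"
useradd operatorer
useradd auditor
# chpasswd reads user:password pairs on stdin, so nothing shows up in "ps" or
# shell history (passwd --stdin is Red Hat-only). Do not hide failures with
# ">/dev/null 2>&1" as the original did - an unset password must be noticed.
printf '%s:%s\n' operatorer "$OPERATOR_PASS" auditor "$AUDITOR_PASS" | chpasswd
# The provisioning password is a shared secret: force a change at first login.
chage -d 0 operatorer
chage -d 0 auditor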
vi /etc/sudoers  
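# Edit ONLY with visudo - it locks the file and rejects syntax errors that
# would otherwise disable sudo for everybody.
#
# auditor: read-only access to the audit trail. The original granted
# "NOPASSWD: cat, less, more, tail, head" as root with free arguments, which
# (a) reads ANY file - /etc/shadow and private keys included - and (b) less
# and more have shell escapes ("!sh", "v") that hand out an unrestricted root
# shell. Grant only the audit reporting tools, with NOEXEC so no child shell
# can be spawned. Plain log files are better made readable through group
# membership (usermod -aG adm,systemd-journal auditor) than through sudo:
# sudo argument globs such as /var/log/* can be escaped with "..".
Cmnd_Alias AUDIT_CMDS = /sbin/aureport, /sbin/ausearch
auditor    ALL = (root) NOEXEC: AUDIT_CMDS

# operatorer: operational commands only. "(ALL) NOPASSWD: ALL" (the original)
# is passwordless root and therefore no separation of duties at all. Enumerate
# what the role really needs (the alias below is an example - adjust it), and
# keep the password prompt so each elevation is re-authenticated and logged.
# Commands that spawn a pager or editor (systemctl status, journalctl, vi)
# can also escape to a shell; prefer non-interactive subcommands.
Cmnd_Alias OPS_CMDS = /usr/bin/systemctl restart *, /usr/bin/systemctl stop *, /usr/bin/systemctl start *
operatorer ALL = (root) OPS_CMDS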

6.配置audit审计规则

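# Watch the identity and privilege files. Rules added with auditctl alone are
# lost at reboot; write them to the persistent rules directory and load from
# there (augenrules merges rules.d/*.rules and applies them immediately).
cat > /etc/audit/rules.d/hardening.rules <<'EOF'
-w /etc/shadow -p wa -k shadow_changes
-w /etc/passwd -p wa -k passwd_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d -p wa -k sudoers_changes
-w /etc/ssh -p wa -k ssh_changes
EOF
augenrules --load
# Verify, and search later with: ausearch -k sudoers_changes
auditctl -l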

7.离线安装杀毒软件

#下载地址https://www.clamav.net/downloads  
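# Offline ClamAV install. The rpm was fetched out-of-band from
# https://www.clamav.net/downloads - check its integrity BEFORE installing it:
# compare with the checksum/signature published next to the download
# ("rpm -K" shows the package's digest and signature state).
rpm -K clamav-0.105.1.linux.x86_64.rpm
rpm -ivh --prefix=/opt/clamav clamav-0.105.1.linux.x86_64.rpm
# Service account: a system user with no login shell and no password. The
# original "useradd -g clamav clamav" created an ordinary, login-capable user.
groupadd -r clamav
useradd -r -g clamav -s /sbin/nologin -d /opt/clamav -c 'ClamAV scanner' clamav
mkdir -p /opt/clamav/logs /opt/clamav/update
touch /opt/clamav/logs/clamd.log /opt/clamav/logs/freshclam.log
chown clamav:clamav /opt/clamav/logs/clamd.log /opt/clamav/logs/freshclam.log /opt/clamav/update

# Start from the shipped sample configs (the "Example" line inside each must
# be commented out in the next step or the daemons refuse to start).
cp /opt/clamav/etc/clamd.conf.sample     /opt/clamav/etc/clamd.conf
cp /opt/clamav/etc/freshclam.conf.sample /opt/clamav/etc/freshclam.conf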

#编辑配置文件  
vim /opt/clamav/etc/clamd.conf  
#Example  //注释掉这一行  
#添加以下内容  
LogFile /opt/clamav/logs/clamd.log  
PidFile /opt/clamav/update/clamd.pid  
DatabaseDirectory /opt/clamav/update  

vim /opt/clamav/etc/freshclam.conf  
#Example  //注释掉这一行  
#添加以下内容  
DatabaseDirectory /opt/clamav/update  
UpdateLogFile /opt/clamav/logs/freshclam.log  
PidFile /opt/clamav/update/freshclam.pid  

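# The binaries look for their configuration under /usr/local/etc (presumably
# the compiled-in default, which --prefix relocation does not change), so
# publish the edited files there as well.
cp /opt/clamav/etc/*.conf /usr/local/etc/
# Make the bundled libraries resolvable - written non-interactively instead of
# opening vi, so the step can be scripted.
printf '%s\n' /opt/clamav/lib64 > /etc/ld.so.conf.d/clamav.conf
ldconfig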

#更新病毒库  
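# Initial signature download (needs outbound HTTPS to database.clamav.net; on a
# truly offline host copy main.cvd/daily.cvd/bytecode.cvd into /opt/clamav/update).
/opt/clamav/bin/freshclam

ln -sf /opt/clamav/bin/clamscan /usr/bin/clamscan
# First scan. The original ran "clamscan -r" with no path, which only scans the
# current directory (/root from a login shell). Scan the whole host once, skipping
# pseudo-filesystems; narrow the path if the run time is unacceptable.
clamscan -r -i / --exclude-dir='^/(proc|sys|dev|run)' -l /opt/clamav/logs/clamscan.log

# Scheduled jobs in a cron.d file: reproducible, not lost by "crontab -r", and
# the user column makes it explicit that the scans run as root. The signature
# update runs one minute before the first scan - give it more slack if the
# update is slow on this link.
cat > /etc/cron.d/clamav <<'EOF'
2 3  * * * root /opt/clamav/bin/freshclam --quiet
3 3  * * * root /opt/clamav/bin/clamscan -r /usr/bin  -i -l /opt/clamav/logs/clamscan.log
3 13 * * * root /opt/clamav/bin/clamscan -r /usr/sbin -i -l /opt/clamav/logs/clamscan.log
3 23 * * * root /opt/clamav/bin/clamscan -r /sbin     -i -l /opt/clamav/logs/clamscan.log
EOF
# These three directories are only the system binaries; the places where
# malware is actually dropped (/tmp, /var/tmp, /home, web roots, upload dirs)
# are not covered - add them if this host serves such content.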

8.升级openssh

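# Upgrade OpenSSH from source (openssh-9.1p1 already unpacked in the cwd).
# Do this from the console or inside screen/tmux, and keep the current SSH
# session open until a NEW login has been verified: the steps below stop and
# replace sshd.
yum install -y pam-devel zlib-devel openssl-devel gcc make   # explicit packages instead of the "pam* zlib*" globs
cd openssh-9.1p1 || exit 1
# Back up host keys and config to a root-only directory. The original copied
# /etc/ssh to /tmp, which put the host PRIVATE keys in a world-readable place.
backup="/root/ssh-backup-$(date +%Y%m%d%H%M%S)"
mkdir -m 0700 -p "$backup"
cp -a /etc/ssh "$backup"/
# --with-ssl-dir=/usr/local/ssl points at a locally built OpenSSL; that is also
# why --without-openssl-header-check is present (it skips the header/library
# version sanity check). Drop that flag when building against the distro's
# openssl-devel - it only hides a real mismatch.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam \
  --without-openssl-header-check --with-ssl-dir=/usr/local/ssl \
  --with-privsep-path=/var/lib/sshd
make -j4
systemctl stop sshd
# --nodeps leaves reverse dependencies dangling, and a later "yum update" will
# happily reinstall the distro openssh over this build: add "exclude=openssh*"
# to /etc/yum.conf (or use versionlock) once the upgrade is done.
rpm -qa 'openssh*' | xargs -r rpm -e --nodeps
rm -rf /etc/ssh/*
make install
# Restore the previous host keys (make install generated fresh ones) so every
# client does not see "REMOTE HOST IDENTIFICATION HAS CHANGED".
cp -a "$backup"/ssh/ssh_host_* /etc/ssh/
# This is a hardening run: root must NOT log in over SSH - the original flipped
# the default to "PermitRootLogin yes". sshd checks UID 0, so the renamed
# jqadmin account counts as root too. Administer through the operator account
# and sudo; if root SSH is genuinely unavoidable, use "prohibit-password"
# (key-only), never "yes".
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sshd -t   # syntax-check the new config BEFORE restarting
\cp -av contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
systemctl enable sshd
systemctl restart sshd
# Now open a NEW session and confirm it works before closing the old one.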

9.nginx修复ssl低版本漏洞

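   server {
       listen       443 ssl;
       server_name  www.xxcvxvxv.cn;
       ssl_certificate      ../ssl/nginx.pem;
       ssl_certificate_key  ../ssl/nginx.key;
       #charset koi8-r;
       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;
       # Protocol fix: only TLS 1.2 and 1.3 (SSLv3/TLS 1.0/1.1 are what the
       # "low SSL version" finding is about). TLSv1.3 needs nginx >= 1.13.0
       # built against OpenSSL >= 1.1.1; drop the keyword on older builds.
       ssl_protocols TLSv1.2 TLSv1.3;
       # Cipher fix: "HIGH:!aNULL:!MD5" (the original) still admits 3DES on
       # OpenSSL 1.0.x (SWEET32, CVE-2016-2183) and plain-RSA key exchange
       # without forward secrecy, so a re-scan can still fail. Exclude both;
       # inspect the result with: openssl ciphers -v 'HIGH:!aNULL:!MD5:!3DES:!kRSA'
       ssl_ciphers  HIGH:!aNULL:!MD5:!3DES:!kRSA;
       ssl_prefer_server_ciphers  on;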

10.nfs漏洞修复

# 在NFS服务器上:  
vim /etc/hosts.allow  
mountd:192.168.1.1,192.168.1.2,192.168.1.66  
rpcbind:192.168.1.1,192.168.1.2,192.168.1.66:allow  
  
vim /etc/hosts.deny  
mountd:ALL  
rpcbind:ALL:deny  
  
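# No restart is needed: libwrap re-reads hosts.allow/hosts.deny on EVERY
# connection (the original restarted sshd, which has nothing to do with NFS).
# Check locally that the services are still registered ...
rpcinfo -p localhost
# ... and from a host that is NOT listed in hosts.allow that it is refused:
#   showmount -e <nfs-server>
# tcp_wrappers (hosts.allow/deny) was removed in RHEL/CentOS 8: there, restrict
# ports 111/2049 (and mountd) with firewalld/nftables and keep /etc/exports
# limited to explicit client addresses instead of "*".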
​  
​  
###  
[root@BZ ~]# find /usr/lib/systemd /etc/systemd -name 'rpcbind.socket'   #找到这个socket单元文件(通常在/usr/lib/systemd/system/下,只搜/etc/往往找不到),用vim编辑器查看。注意:直接改/usr/lib下的厂商文件会在rpcbind包升级时被覆盖,正式修改应用 systemctl edit rpcbind.socket 生成drop-in(见下方"一步到位脚本")。  
​  
[Unit]  
Description=RPCbind Server Activation Socket  
​  
[Socket]  
ListenStream=/var/run/rpcbind.sock  
#ListenStream=[::]:111   # 注释掉IPv6监听(原文:"果然监听了ipv6地址,将这一行注释即可");同一单元里如还有ListenDatagram=[::]:111(UDP)也要一并处理。注意这只去掉了IPv6入口,0.0.0.0:111仍对外开放——扫描器报的"rpcbind对外暴露"类问题,最终要靠防火墙把111/2049限制到NFS客户端才能关闭。  
BindIPv6Only=ipv6-only  
​  
[Install]  
WantedBy=sockets.target  
重载一下再启动  
​  
[root@BZ ~]# systemctl daemon-reload  
[root@BZ ~]# systemctl restart rpcbind.socket  
[root@BZ ~]# systemctl start nfs  
再挂载远程nfs即可。  
​  
​  
一步到位脚本  
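# One-shot version. Two problems with the original
#   a=`find /etc/ -name '*rpcbind.socket*'`; sed -i 's/ListenStream=[::]:111/#.../g' $a
#  - to sed, "[::]" is a bracket expression, not the literal text, so the
#    substitution does not match (the brackets would need escaping: \[::\]);
#  - the unit normally lives under /usr/lib/systemd/system, and any edit there
#    is overwritten by the next rpcbind package update.
# A systemd drop-in is the supported way: an empty "ListenStream=" clears the
# vendor list, then only the wanted listeners are re-declared.
mkdir -p /etc/systemd/system/rpcbind.socket.d
cat > /etc/systemd/system/rpcbind.socket.d/ipv4-only.conf <<'EOF'
[Socket]
ListenStream=
ListenStream=/var/run/rpcbind.sock
ListenStream=0.0.0.0:111
EOF
# If the vendor unit also declares ListenDatagram=[::]:111 (UDP), clear and
# re-add ListenDatagram=0.0.0.0:111 in the same drop-in.
systemctl daemon-reload
systemctl restart rpcbind.socket
systemctl start nfs
# This only removes the IPv6 listener; 0.0.0.0:111 is still reachable from the
# network - limit port 111 (and 2049/mountd) to the NFS clients in the firewall.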
##查看linux操作系统当前所有挂载点(实时的挂载表;findmnt 输出相同内容且更易读)  
cat  /etc/mtab   
##查看服务器本地存储用量(-l 只看本地文件系统,避免被挂死的NFS挂载点卡住)  
df -hl  
​  
#nfs写到fstab避免故障开机卡死(原文只给了挂载选项,完整的一行还要有设备、挂载点和类型):  
nfs-server:/export/path  /mnt/nfs  nfs  defaults,_netdev,nofail,x-systemd.mount-timeout=30,retry=120 0 0  
#_netdev:等网络就绪后再挂;nofail:挂载失败不阻塞启动;x-systemd.mount-timeout=30:systemd最多等30秒;retry=120:mount.nfs前台重试的上限是120分钟(单位是分钟,不是秒)。

11.apisix api创建路由、删除路由

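# APISIX Admin API: create / replace / delete / list routes.
# The admin key is a full-control credential - read it from the environment
# rather than pasting it into every command (and thereby into this document and
# the shell history). WARNING: the "list routes" call in the original used
# edd1c9f034335f136f87ad84b625c8f1, which is the admin_key APISIX ships with in
# its default configuration; a deployment still using it is effectively
# unauthenticated (CVE-2020-13945). Set your own value under admin_key in
# conf/config.yaml and keep allow_admin restricted to loopback/management addresses.
: "${APISIX_ADMIN_KEY:?export APISIX_ADMIN_KEY (the admin_key from config.yaml) first}"
# The Admin API listens on 9180 from APISIX 3.x; 2.x served it on 9080 (the
# original mixed both ports). Use the one matching the installed version.
admin_url=http://127.0.0.1:9180/apisix/admin

# create or overwrite route 155512 (PUT is idempotent: re-running replaces the upstream)
curl -sS -X PUT "$admin_url/routes/155512" -H "X-API-KEY: $APISIX_ADMIN_KEY" \
  -d '{"uri":"/nacos/*","methods":["GET","PUT","POST"],"upstream":{"type":"roundrobin","nodes":{"zzzr-nacos.tttt:8848":1}}}'

# the same route id pointed at a different upstream
curl -sS -X PUT "$admin_url/routes/155512" -H "X-API-KEY: $APISIX_ADMIN_KEY" \
  -d '{"uri":"/nacos/*","methods":["GET","PUT","POST"],"upstream":{"type":"roundrobin","nodes":{"tasda-nacos.asdad:8848":1}}}'

# delete the route
curl -sS -X DELETE "$admin_url/routes/155512" -H "X-API-KEY: $APISIX_ADMIN_KEY"

# list all routes
curl -sS -X GET "$admin_url/routes" -H "X-API-KEY: $APISIX_ADMIN_KEY"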

12.nginx 通过X-Forwarded-For 控制访问

#nginx conf文件  
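# Restrict /phpadmin/ to one source address.
# Do NOT base the decision on $http_x_forwarded_for alone (the original did):
# that header is supplied by the client, so any visitor can send
# "X-Forwarded-For: 22.43.223.92" and walk straight in. Let the realip module
# replace $remote_addr with the address reported by the TRUSTED proxy in front
# of nginx, then filter on $remote_addr. If clients reach this nginx directly,
# omit the three real_ip lines - $remote_addr is already the client address.
set_real_ip_from  192.0.2.0/24;   # REPLACE with the address/range of your own proxy/LB - never 0.0.0.0/0
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

location /phpadmin/ {
           allow 22.43.223.92;
           deny  all;           # 403 for everyone else, same as the original "return 403"
           proxy_pass http://proxy/phpadmin/;
           }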
                                                    

13.nginx 处理csrf漏洞

#在location配置中加入 valid_referers 检查refer  
​  
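location /auth {
    # Referer check as a CSRF mitigation - know its limits before closing the finding:
    #  - "none" (kept from the original) still admits every request that carries NO
    #    Referer, and an attacking page can suppress the header on purpose
    #    (<meta name="referrer" content="no-referrer"> / referrerpolicy=no-referrer),
    #    so this does not stop a determined CSRF. The real fix is an anti-CSRF token
    #    in the application plus SameSite=Lax/Strict on the session cookie; keep
    #    this check as defence in depth only.
    #  - The allowed values must be the names browsers really send in Referer.
    #    127.0.0.1 only matches someone browsing on the server itself; server_names
    #    adds whatever this server block's server_name directive lists.
    valid_referers none blocked server_names 127.0.0.1 127.0.0.1:80;
    if ($invalid_referer) {
        return 403;
    }
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://ip:port;
    proxy_redirect off;
}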
​  
##  语义解析:  
##  首先指定valid_referers,即合法的referer值;  
##  none:“Referer”字段在请求头中丢失;即允许没有http_refer的请求访问资源;  
##  blocked:“Referer”字段在请求头中存在,但其值已被防火墙或代理服务器删除;不以“http://”或“https://”开头的字符串;  
##  如果“Referer”请求报头字段值能匹配valid_referers,$invalid_referer为空字符串,否则为“1”;  
##  如果匹配到,$invalid_referer为空字符串,if判断语句后的内容不执行;  
##  如果匹配不到,$invalid_referer值为1,执行if判断语句后的内容,即返回403跳转页面  
##  建议查阅nginx官方文档:http://nginx.org/en/docs/http/ngx_http_referer_module.html  

二、mysql数据库安全加固

1.设置密码复杂度校验功能

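-- Password complexity via the validate_password plugin (MySQL 5.7; the server
-- patched later in this page is 5.7.35). See what is already loaded first:
SELECT * FROM mysql.plugin;
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SHOW VARIABLES LIKE 'validate%';
-- policy 1 = MEDIUM: length + numeric + mixed case + special character
SET GLOBAL validate_password_policy = 1;
SET GLOBAL validate_password_length = 8;
-- SET GLOBAL is lost on restart; make it permanent under [mysqld] in my.cnf:
--   plugin-load-add=validate_password.so
--   validate_password_policy=MEDIUM
--   validate_password_length=8
-- Only NEW or CHANGED passwords are checked - existing weak passwords stay
-- until rotated. (MySQL 8.0 replaces the plugin with the
-- component_validate_password component and validate_password.* variables.)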

2.配置密码有效期策略

-- Passwords expire after 90 days (0 would disable expiry). SET GLOBAL does not
-- survive a restart - also put "default_password_lifetime=90" under [mysqld] in
-- my.cnf. Service accounts that cannot rotate must be exempted individually
-- (ALTER USER ... PASSWORD EXPIRE NEVER) or they start failing after 90 days.
SET GLOBAL default_password_lifetime = 90;

3.配置登录失败处理功能

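   -- Throttle brute-force logins with the connection_control plugins (MySQL 5.7.17+).
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SHOW VARIABLES LIKE 'connection_control%';
-- consecutive failed logins for one account before the delays start
SET GLOBAL connection_control_failed_connections_threshold = 5;
-- delay added to every further attempt, in MILLISECONDS: 90000 = 90 s
-- (the original comment claimed "30 seconds"; 30 s would be 30000)
SET GLOBAL connection_control_min_connection_delay = 90000;
-- This plugin delays, it does not lock: the server thread is held for the
-- delay, so a sustained attack also ties up connections. Persist in my.cnf [mysqld]:
--   plugin-load-add=connection_control.so
--   connection-control-failed-connections-threshold=5
--   connection-control-min-connection-delay=90000
-- Failed attempts can be reviewed in
--   information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS
--
-- Rollback ONLY. The original listed these two statements at the end of the
-- step, where running the snippet top to bottom would immediately undo it:
-- UNINSTALL PLUGIN CONNECTION_CONTROL;
-- UNINSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS;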

4.配置连接超时功能

   配置my.cnf  
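# Idle-connection timeouts in seconds, under [mysqld]. interactive_timeout only
# covers interactive clients (the mysql CLI etc.); application connections use
# wait_timeout, which stays at its 28800 s default unless set as well - and the
# finding would remain open for them.
interactive_timeout=900
wait_timeout=900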

5.实现管理用户权限分离

   operator(操作员)和auditor  
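-- Two role accounts with DIFFERENT rights. The original granted both accounts
-- ALL ON mysql.* with the SAME password, which is no separation at all (and
-- ALL on the mysql schema lets either one rewrite the grant tables).
-- CREATE USER then GRANT: the "GRANT ... IDENTIFIED BY" form is deprecated in
-- 5.7 and removed in 8.0. Use two distinct passwords that satisfy the
-- validate_password policy above; do not paste real passwords into this document.
CREATE USER 'operator'@'localhost' IDENTIFIED BY '<operator-password>';
CREATE USER 'auditor'@'localhost'  IDENTIFIED BY '<auditor-password>';
-- operator: administers the server (kept at the scope the original used -
-- narrow it to the business schemas if account management is not this role's job)
GRANT ALL ON mysql.* TO 'operator'@'localhost';
-- auditor: read-only - enough to review accounts and grants, unable to change anything
GRANT SELECT ON mysql.* TO 'auditor'@'localhost';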

6.mysql启动审计功能

   #插件地址  
https://github.com/mcafee-enterprise/mysql-audit/releases  
#将插件解压安装到mysql插件目录  
# Locate the server's plugin directory (value of plugin_dir) ...
mysql> show variables like 'plugin_dir';  
# ... and copy the downloaded plugin into it. The release came from GitHub
# (mcafee-enterprise/mysql-audit); this .so is loaded INTO mysqld, so compare
# it with the published checksum/signature before copying it here.
cp -rp libaudit_plugin.so /usr/lib64/mysql/plugin/  
# Run the install (it fails with ERROR 1123 until audit_offsets match this exact mysqld build - see below)  
mysql>install plugin audit soname 'libaudit_plugin.so';  
#报错信息如下:  
ERROR 1123 (HY000): Can’t initialize function ‘audit’; Plugin initialization function failed.  
#解决办法:  
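# offset-extract.sh needs gdb. The author built 8.1.1 from source, presumably
# because the distro gdb was too old - try "yum install -y gdb" first. If a
# source build is needed, fetch over HTTPS and verify the GNU signature: the
# original pulled the tarball over plain http with no integrity check, a
# supply-chain risk for a tool that is then run as root against mysqld.
yum install -y gcc gcc-c++ autoconf automake zlib zlib-devel openssl openssl-devel pcre pcre-devel texinfo
wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.1.tar.gz
wget https://ftp.gnu.org/gnu/gdb/gdb-8.1.1.tar.gz.sig
# import the GNU keyring first: gpg --import <(curl -sS https://ftp.gnu.org/gnu/gnu-keyring.gpg)
gpg --verify gdb-8.1.1.tar.gz.sig gdb-8.1.1.tar.gz || exit 1
tar xf gdb-8.1.1.tar.gz
cd gdb-8.1.1/ || exit 1
./configure && make && make install
gdb -v
# The audit plugin tarball must be unpacked here (the original used this
# relative path from the same working directory).
cd audit-plugin-mysql-5.7-1.1.9-974/utils || exit 1
chmod +x offset-extract.sh
# Prints the offsets for THIS mysqld build; paste the numbers into my.cnf as
# audit_offsets. They change with every MySQL upgrade.
./offset-extract.sh /usr/sbin/mysqld
#   offsets for: /usr/sbin/mysqld (5.7.35)
#   {"5.7.35","90184c67ebbac99d3bd2641e28b1a302", 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0}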
​  
#编辑my.cnf(以下各行放在[mysqld]段;文件名是my.cnf,原文的"my.conf"是笔误)  
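# [mysqld] section of /etc/my.cnf - McAfee audit plugin
plugin-load=AUDIT=libaudit_plugin.so
# Offsets are specific to ONE mysqld build (5.7.35 here). Re-run
# offset-extract.sh and replace this line after every MySQL upgrade, or the
# plugin fails to initialise (ERROR 1123) - or reads the wrong memory.
audit_offsets = 7832, 7880, 3640, 4800, 456, 360, 0, 32, 64, 160, 544, 7996, 4368, 3648, 3656, 3660, 6080, 2072, 8, 7064, 7104, 7088, 13480, 148, 672, 0
audit_json_file = on
# Statements to record. Reads (select) are not included, so data exfiltration
# via SELECT is invisible to this audit - add "select" if the requirement covers it.
audit_record_cmds = 'insert,delete,update,create,drop,alter,grant,truncate'
# Keep the audit log out of the datadir (the original wrote it to
# /var/lib/mysql/mysql-audit.jso - the extension looks truncated) and in a
# directory mysql can write to:  mkdir -p /var/log/mysql && chown mysql:mysql /var/log/mysql
audit_json_log_file = /var/log/mysql/mysql-audit.json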
​  
#重启mysqld  
# Restart so plugin-load / audit_offsets from my.cnf take effect
systemctl restart mysqld  
# Confirm the plugin shows as ACTIVE and report its version  
mysql>show plugins;  
mysql> show global status like 'AUDIT_version';  
​  
#######################################  
#开启 general_log 日志  
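# general_log records EVERY statement from every client. It is a heavy,
# unfiltered log (disk and I/O cost, full query text including data values) and
# not an access-control audit - use the audit plugin above for that and enable
# this only for short diagnostics. The directory must exist and be writable by
# the mysql user. (The stray "|" after general_log=on in the original is removed.)
general_log=on
general_log_file=/opt/mysql/log/audit.log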
​  

7.日志备份

建议对保存的日志定期备份,并保留6个月以上。  
系统日志已配置保留26周  
系统日志、审计日志已配置定时任务定时备份  
​  
vi /var/log/log_bak.sh  
​  
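#!/bin/sh
# Daily archive of the audit trail and syslog into /var/log/log_bak (cron, 04:01).
# Changes against the original script:
#  - every cd is checked: if /var/log/audit were missing, the original went on
#    to run "rm -rf audit.log.*" in whatever directory cron started it in;
#  - rotated logs are removed ONLY after tar and mv succeeded, so a full disk
#    or a failed archive no longer destroys the evidence it was meant to keep;
#  - tar/mv/rm are skipped when there is nothing to archive (glob unmatched).
set -u
stamp=$(date -d "yesterday" +"%Y%m%d")
bak=/var/log/log_bak

exists() { [ -e "$1" ]; }   # "exists PATTERN*" is false when the glob matched nothing

mkdir -p "$bak/audit/"
# Daily human-readable reports from the audit log (logins, commands, events)
/sbin/aureport -l -i -ts yesterday -te yesterday >> "$bak/audit/login.log"
/sbin/aureport -u -i -ts yesterday -te yesterday >> "$bak/audit/cmd.log"
/sbin/aureport -e -i -ts yesterday -te yesterday >> "$bak/audit/event.log"

# Kept from the original: auditctl rules are not persistent, so they are
# re-applied here ("Rule exists" when already loaded is harmless). The durable
# fix is /etc/audit/rules.d/*.rules plus "augenrules --load".
chkconfig auditd on
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/sudoers -p wa -k sudoers_changes
auditctl -w /etc/ssh -p wa -k ssh_changes

# Rotated audit logs (audit.log.1, audit.log.2, ...); the live audit.log stays with auditd
cd /var/log/audit/ || exit 1
if exists audit.log.*; then
  tar -zcf "audit.log_$stamp.tar.gz" audit.log.* \
    && mv "audit.log_$stamp.tar.gz" "$bak/" \
    && rm -f audit.log.*
fi

# Rotated syslog files (messages-YYYYMMDD written by logrotate)
cd /var/log || exit 1
if exists messages-*; then
  tar -zcf "messages_$stamp.tar.gz" messages-* \
    && mv "messages_$stamp.tar.gz" "$bak/" \
    && rm -f messages-*
fi
# Nothing here prunes or copies $bak off-host: the 6-month retention needs its
# own job (find "$bak" -name '*.tar.gz' -mtime +180 -delete) and the archive
# directory must be part of the regular backups.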
​  
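chmod +x /var/log/log_bak.sh
# Install the daily job. "crontab -l" (the original) only LISTS the table; the
# entry must be added with crontab -e or, non-interactively, by appending to
# the current table. The grep guard keeps a re-run from adding a duplicate.
crontab -l 2>/dev/null | grep -qF '/var/log/log_bak.sh' \
  || ( crontab -l 2>/dev/null; echo '1 4 * * * /var/log/log_bak.sh > /dev/null 2>&1' ) | crontab -
# The "> /dev/null 2>&1" hides every error the script prints; drop it until the
# job has been seen to run cleanly.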
​  
​  
##  审计日志本身的轮转/保留在 /etc/audit/auditd.conf 里配置(原文这里没有给出具体参数),与保留期相关的主要是:  
vi /etc/audit/auditd.conf  
# max_log_file = 50              单个audit.log达到多少MB时轮转(示例值)  
# num_logs = 10                  保留的轮转文件个数,超过即被删除——上面的备份脚本正是靠归档audit.log.*来避免这种丢失  
# max_log_file_action = ROTATE   达到上限时轮转而不是停止记录  
#(系统日志"保留26周"通常由logrotate的 weekly + rotate 26 决定,不在这个文件里;auditd在RHEL7上不能用systemctl重启,要用下面的service命令)  
service  auditd restart  
####################33  
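#!/bin/sh
# Variant used on the Kubernetes host: additionally pulls the MySQL audit log
# out of the radondb pod before archiving. Same safety changes as the first
# script (checked cd, source files deleted only after a successful archive).
set -u
stamp=$(date -d "yesterday" +"%Y%m%d")
bak=/var/log/log_bak
exists() { [ -e "$1" ]; }

mkdir -p "$bak/audit/" "$bak/mysql_audit/"

# kubectl cp of the in-pod log. The pod name is fixed; if the pod is recreated
# under another name the copy fails - the original ignored that and went on
# to tar a file that did not exist. (Each run copies the ENTIRE file, not just
# yesterday's entries, unless the log is rotated inside the pod.)
if kubectl -n zhmz cp zhmz-mysql-radondb-mysql-1:/var/log/mysql/mysql-audit.log \
       "$bak/mysql_audit/mysql-audit.log__$stamp"; then
  cd "$bak/mysql_audit/" || exit 1
  tar -zcf "mysql-audit.log__$stamp.tar.gz" "mysql-audit.log__$stamp" \
    && rm -f "mysql-audit.log__$stamp"
else
  echo "log_bak: kubectl cp of mysql-audit.log failed, skipping" >&2
fi

/sbin/aureport -l -i -ts yesterday -te yesterday >> "$bak/audit/login.log"
/sbin/aureport -u -i -ts yesterday -te yesterday >> "$bak/audit/cmd.log"
/sbin/aureport -e -i -ts yesterday -te yesterday >> "$bak/audit/event.log"

cd /var/log || exit 1
if exists messages-*; then
  tar -zcf "messages_$stamp.tar.gz" messages-* \
    && mv "messages_$stamp.tar.gz" "$bak/" \
    && rm -f messages-*
fi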

8.nginx修复ssl低版本漏洞

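   server {
       listen       443 ssl;
       server_name  www.tfsdfszt.cn;
       ssl_certificate      ../ssl/nginx.pem;
       ssl_certificate_key  ../ssl/nginx.key;
       #charset koi8-r;
       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;
       # Protocol fix: only TLS 1.2 and 1.3 (SSLv3/TLS 1.0/1.1 are what the
       # "low SSL version" finding is about). TLSv1.3 needs nginx >= 1.13.0
       # built against OpenSSL >= 1.1.1; drop the keyword on older builds.
       ssl_protocols TLSv1.2 TLSv1.3;
       # Cipher fix: "HIGH:!aNULL:!MD5" (the original) still admits 3DES on
       # OpenSSL 1.0.x (SWEET32, CVE-2016-2183) and plain-RSA key exchange
       # without forward secrecy, so a re-scan can still fail. Exclude both;
       # inspect the result with: openssl ciphers -v 'HIGH:!aNULL:!MD5:!3DES:!kRSA'
       ssl_ciphers  HIGH:!aNULL:!MD5:!3DES:!kRSA;
       ssl_prefer_server_ciphers  on;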

9.nfs漏洞修复

# 在NFS服务器上:  
vim /etc/hosts.allow  
mountd:192.168.1.1,192.168.1.2,192.168.1.66  
rpcbind:192.168.1.1,192.168.1.2,192.168.1.66:allow  
  
vim /etc/hosts.deny  
mountd:ALL  
rpcbind:ALL:deny  
  
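# No restart is needed: libwrap re-reads hosts.allow/hosts.deny on EVERY
# connection (the original restarted sshd, which has nothing to do with NFS).
# Check locally that the services are still registered ...
rpcinfo -p localhost
# ... and from a host that is NOT listed in hosts.allow that it is refused:
#   showmount -e <nfs-server>
# tcp_wrappers (hosts.allow/deny) was removed in RHEL/CentOS 8: there, restrict
# ports 111/2049 (and mountd) with firewalld/nftables and keep /etc/exports
# limited to explicit client addresses instead of "*".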

三、K8S漏洞处理

1.etcd kube-api ssl漏洞处理

   问题测试:  
kubernetes的etcd、kubelet和kube-api CVE-2016-2183 漏洞解决  
# Enumerate the cipher suites the kube-apiserver (6443) offers. The finding for
# CVE-2016-2183 shows up as 3DES suites with a "64-bit block cipher ... SWEET32"
# warning in this output.
nmap --script ssl-enum-ciphers -p 6443 127.0.0.1  
# 去除3DES,其他保留和之前一致  
​  
# kubelet 在config.yaml增加tlsCipherSuites属性  
​  
vi /var/lib/kubelet/config.yaml  
​  
# Cipher suites offered by the kubelet (port 10250). Per the note above this is
# the previous list with only the 3DES suites (CVE-2016-2183 / SWEET32)
# removed, so it still offers TLS_RSA_* (no forward secrecy) and CBC-SHA1
# suites; if a later scan flags those, remove them here and in the
# kube-apiserver/etcd lists as well. If TLS 1.0/1.1 is also reported, pair
# this with tlsMinVersion: VersionTLS12.
tlsCipherSuites: ['TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256','TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305','TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256','TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA','TLS_RSA_WITH_AES_128_CBC_SHA','TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA','TLS_RSA_WITH_AES_128_GCM_SHA256','TLS_RSA_WITH_AES_256_CBC_SHA','TLS_RSA_WITH_AES_256_GCM_SHA384']  
​  
# Restart the kubelet so it re-reads config.yaml (daemon-reload is only needed
# if a unit file or drop-in changed; it does no harm here).
systemctl daemon-reload  
​  
systemctl restart kubelet.service  
​  
# kube-api 在kube-apiserver.yaml的command参数部分增加tls-cipher-suites  
​  
vi /etc/kubernetes/manifests/kube-apiserver.yaml  
​  
# kube-apiserver (port 6443): same list as the kubelet. The names must be valid
# Go/Kubernetes cipher-suite identifiers - an unknown name stops the apiserver
# from starting, so watch the container log right after saving the manifest
# (static pods restart automatically on change).
- --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384  
​  
# etcd 在etcd.yaml的command参数部分增加cipher-suites,注意没有tls前缀  
​  
# etcd有提示 unexpected TLS cipher suite "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",去除对应加密模式  
​  
vi /etc/kubernetes/manifests/etcd.yaml  
​  
# etcd (port 2379): the flag is --cipher-suites (no "tls-" prefix). This is the
# kubelet list minus TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, which this etcd
# rejected as "unexpected TLS cipher suite". Peer traffic (2380) uses the same flag.
- --cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384  
​  
​  
​  
# For an etcd run as a systemd service (rather than the static pod above) the
# same list goes into its environment file as ETCD_CIPHER_SUITES (location
# depends on the install, e.g. /etc/etcd/etcd.conf - verify for this host).
# Same list as the --cipher-suites flag: no CHACHA20_POLY1305_SHA256 entry.
ETCD_CIPHER_SUITES=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384  
结果验证:  
​  
# Re-scan after the changes: 10250 = kubelet (every node), 6443 = kube-apiserver
# and 2379 = etcd (control-plane nodes). The output must no longer list 3DES
# suites or print cipher "warnings".
nmap --script ssl-enum-ciphers -p 10250 127.0.0.1  
​  
nmap --script ssl-enum-ciphers -p 6443 127.0.0.1  
​  
nmap --script ssl-enum-ciphers -p 2379 127.0.0.1  
​  
如上执行应该没有warnings  
​  
上面逻辑10250在所有节点执行(kubelet机器),6443和2379在所有master节点执行,修复完毕

    # etcd状态查看/健康检查(原文缺少命令开头,行尾的"\\"是被转义的续行符):
    ETCDCTL_API=3 etcdctl --endpoints="https://192.168.39.177:2379" endpoint status \
                          --cacert="$ETCDCTL_CA_FILE" \
                          --cert="$ETCDCTL_CERT_FILE" \
                          --key="$ETCDCTL_KEY_FILE"
​

2.docker register api 未授权访问漏洞

#本篇涉及到的数据文件都放在/data目录下, 其中会有三个子目录  
#/data/auth/ 基本的用户名密码认证文件存放地址  
#/data/certs/ docker registry 镜像https访问射击到的证书与密钥的存放地址  
#/data/registry/ docker registry镜像的存放地址, 当push镜像到镜像服务器之后,镜像就是存放在这里  
​  
#Registry Server的登录认证有多种方式,这里我们使用常规情况下的一种认证,基本的用户名密码认证,这种认证方式也跟nginx的基本http认证相同, 使用一个htpasswd文件来存放认证的用户名跟密码, 这个文件的操作是通过htpasswd这个命令来添加与管理用户密码的.  
#如果系统中没有这个命令,可通过下面命令安装  
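apt-get install apache2-utils
# Create the htpasswd file with its first user (-c creates the file, -B uses
# bcrypt). The original lines were missing the user name, and -b (password on
# the command line) leaks the password into shell history and "ps" - let
# htpasswd prompt for it instead.
: "${REGISTRY_USER:?set REGISTRY_USER to the account to create}"
htpasswd -cB auth/htpasswd "$REGISTRY_USER"
# Add a further user to the existing file: no -c, which would overwrite it.
: "${ANOTHER_USER:?set ANOTHER_USER}"
htpasswd -B auth/htpasswd "$ANOTHER_USER"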
​  
#外网访问必须要用https, 主要是涉及到证书的问题, 通常我们可以使用自签名证书,  
#我们分docker register server端跟 docker pull 客户端两部分来讲  
#server端不涉及根证书添加到信任区域问题,  
#client端要访问自签名证书的服务器,必须添加根证书到client的信任区  
#BUT: 当docker register server需要pull/push镜像的时候,就需要把根证书添加到信任区, 这里有个原则,就是哪里需要pull/push镜像,那台机器就需要添加根证书  
​  
#添加自签名根证书到linux信任区(Debian, 适用于Ubuntu)  
#这个步骤只需要用到docker pull的机器上做, docker registry server非必须  
证书存放区域: /usr/share/ca-certificates/  
#Copy证书到证书存放地址:  
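# Install the private root CA on every machine that will docker pull/push.
# Fetching a TRUST ANCHOR over plain http (as the original did, with a garbled
# "–O" and a trailing "/" in the URL) lets anyone on the path substitute their
# own CA. Use https - or copy the file out-of-band - and compare the
# fingerprint with the value published by the CA owner before trusting it.
wget -O /usr/share/ca-certificates/agilelabs_root_ca.crt https://agilelabs.net/certifications/publicauthorities/agilelabs_root_ca.pem
openssl x509 -in /usr/share/ca-certificates/agilelabs_root_ca.crt -noout -fingerprint -sha256   # compare, then continue
# Register it - the non-interactive equivalent of the "dpkg-reconfigure
# ca-certificates" dialog (select YES, tick the new entry, OK):
echo agilelabs_root_ca.crt >> /etc/ca-certificates.conf
update-ca-certificates
# Alternative that needs neither the system store nor a daemon restart: put the
# CA at /etc/docker/certs.d/<registry-host>/ca.crt, which docker trusts for that
# registry only.
# Docker reads the system trust store at start-up:
service docker restart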
​  
​  
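# The original chained three mkdir calls with backslash continuations, which
# turned them into ONE command line ("mkdir -p /data/registry mkdir -p
# /data/auth mkdir -p /data/certs") and created a stray directory named
# "mkdir" as well. One call, three paths:
mkdir -p /data/registry /data/auth /data/certs
# Only the registry process needs the TLS key and the htpasswd file:
chmod 700 /data/certs /data/auth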
​  
​  
​  
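# Private registry with TLS and htpasswd basic auth. Paths follow the /data
# layout described above: the original's first variant mounted /opt/docker/*,
# which nothing in this step created. Run EITHER this command or the second
# variant below - both use --name registry and the second one would fail with
# a name conflict.
docker run -d \
 --restart=always \
 --name registry \
 -v /data/certs:/certs \
 -v /data/auth:/auth \
 -v /data/registry:/var/lib/registry \
 -e REGISTRY_AUTH=htpasswd \
 -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
 -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
 -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
 -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
 -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
 -p 443:443 \
 registry:2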
​  
# Same registry, second variant: /data volumes and the niusys.com certificate
# pair. Long-form options, grouped by purpose; identical container otherwise.
docker run --detach --restart=always --name registry \
  --volume /data/registry:/var/lib/registry \
  --volume /data/auth:/auth \
  --volume /data/certs:/certs \
  --env REGISTRY_AUTH=htpasswd \
  --env "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  --env REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  --env REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  --env REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.niusys.com.crt \
  --env REGISTRY_HTTP_TLS_KEY=/certs/niusys.key \
  --publish 443:443 \
  registry:2

四、windows安全加固

1.RC4 加密问题漏洞CVE-2015-2808 、TLS/SSL协议 RC4算法安全漏洞CVE-2013-2566

SSL/TLS 受诫礼(BAR-MITZVAH)攻击漏洞(CVE-2015-2808)

   控制面板--->系统和安全--->管理工具--->本地安全策略--->本地策略--->安全选项--->系统加密:将FIPS兼容算法用于加密、哈希和签名; 右键--->属性--->点击“已启用”--->“确定”

   网站访问出现: 此实现不是 Windows 平台 FIPS 验证的加密算法的一部分 错误  
**解决办法:**   
按Win+R(或点击开始-运行),并输入regedit后确定,启动注册表编辑器。  
浏览到HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy,将Enabled的值改为0

注意:把Enabled改回0等于撤销了上一步开启的FIPS模式,RC4漏洞也随之重新出现,这样整改并没有完成。更稳妥的做法是不动FIPS,而是单独禁用RC4:在HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers下为"RC4 128/128"、"RC4 64/128"、"RC4 56/128"、"RC4 40/128"各新建DWORD值Enabled=0(Ciphers子键不存在时需手工新建),这样应用不再报FIPS错误而RC4仍被关闭。关闭注册表编辑器后,重启服务器。

2.DES和Triple DES 信息泄露漏洞(CVE-2016-2183)

SSL/TLS协议信息泄露漏洞(CVE-2016-2183)【原理扫描】

SSL/TLS 服务器瞬时 Diffie-Hellman 公共密钥过弱【原理扫描】

解决方案,增强远程端口 ssl

组策略--管理模板--网络--SSL配置--SSL密码套件顺序--启用编辑

   TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA

   说明:原列表第4项写成了"TLS_ECDHE_ECDSA,WITH_AES_256_GCM_SHA384_P384"(逗号应为下划线,Windows会把它当成两个无效条目忽略),已更正;原列表还包含 TLS_RSA_WITH_NULL_SHA——这是不加密的套件,放进加固用的套件顺序里会让整改后的服务器可以协商明文传输,已删除。组策略修改后需重启服务器生效;可用 nmap --script ssl-enum-ciphers -p 3389 <IP> 复核,应不再出现3DES、RC4和NULL套件。

五、oracle问题处理

1.oracle数据库安装2020年补丁

Windows
a.停止oracle相关服务

b.备份oracle软件

c.更新Opatch

d.应用补丁

# Windows: check the patch for conflicts with what is already in the Oracle
# home (-ph ./ = the unzipped patch directory is the current directory), then
# apply. Run from an administrator prompt with the Oracle services stopped and
# the software backed up (steps a-c above).
%ORACLE_HOME%/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph ./  
%ORACLE_HOME%/OPatch/opatch apply

# Post-install SQL steps: load the bundle into the data dictionary, recompile
# invalid objects and confirm nothing is left INVALID (expected: 0, or the same
# count as before patching).
cd %ORACLE_HOME%\\rdbms\\admin   
sqlplus /nolog   
SQL> CONNECT / AS SYSDBA   
SQL> STARTUP   
# catbundle.sql is the 11.2 procedure; on 12c and later the patch README
# typically calls for "datapatch -verbose" instead - follow the README.
SQL> @catbundle.sql PSU apply   
SQL> @?/rdbms/admin/utlrp.sql  
SQL> select count(*) from dba_objects where status='INVALID';

e.查看补丁信息

# Verify: the patch must be listed in the inventory AND recorded in the
# registry history (the second query proves catbundle ran, not just opatch).
%ORACLE_HOME%\\Opatch\\opatch lsinventory  
select version, id, bundle_series, comments from dba_registry_history;
Linux
# Shut the database (and listener) down before touching the Oracle home  
dbshut $ORACLE_HOME  
# Record the current OPatch version - the patch README states the minimum it needs  
cd $ORACLE_HOME/OPatch  
./opatch version

   # Swap in the newer OPatch shipped with the update, keeping the old one for rollback  
mv $ORACLE_HOME/OPatch $ORACLE_HOME/OPatch_bak  
mv /home/oracle/update/OPatch $ORACLE_HOME/  
# Must now report the newer version (run as the oracle software owner)  
$ORACLE_HOME/OPatch/opatch version

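   # Back up the Oracle home before patching. Use cp -a (or tar) so ownership,
# permissions and symlinks survive: a "cp -r" copy (the original) is owned by
# whoever ran it and cannot simply be moved back in place for a rollback.
# Run as the oracle software owner.
cp -a /u01/app/oracle /u01_bak/app/oracle_bak
# Record the pre-patch inventory, check for conflicts, then apply. Read the
# prereq output before the apply step - apply is only undone with "opatch rollback".
$ORACLE_HOME/OPatch/opatch lsinventory
$ORACLE_HOME/OPatch/opatch prereq CheckConflictAgainstOHWithDetail -ph /home/oracle/30670774
$ORACLE_HOME/OPatch/opatch apply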

   # Post-apply: load the bundle into the data dictionary and recompile  
sqlplus / as sysdba  
# catbundle.sql is the 11.2 procedure; on 12c and later the patch README typically calls for "datapatch -verbose" instead  
@?/rdbms/admin/catbundle.sql psu apply      
# (output: the log file written by catbundle - check it for errors)  
/opt/u01/app/oracle/cfgtoollogs/catbundle/catbundle_PSU_SHJZDB_APPLY_2022Feb21_18_43_57.log  
​  
@?/rdbms/admin/utlrp.sql   
# Disables Java development in the database; this is the OJVM mitigation - confirm it is intended, since applications using Java stored procedures stop working  
@?/rdbms/admin/dbmsjdev.sql   
exec dbms_java_dev.disable  
​  
# Verify: bundle recorded in the registry history, and the inventory lists the patch  
select version, id, bundle_series, comments from dba_registry_history;  
$ORACLE_HOME/OPatch/opatch version   
$ORACLE_HOME/OPatch/opatch lsinventory

验证补丁修复情况

   $ORACLE_HOME/OPatch/opatch lsinventory
