绿盟科技安全漏洞解决办法

IIS.net 版
一、web.config配置
A、)configuration>system.webServer>security>requestFiltering> 节点下

                          <requestLimits maxAllowedContentLength="2072576000">

				<!--缓慢的HTTP拒绝服务攻击-->

				<headerLimits >

					<add header="Content-type" sizeLimit="100"/>

				</headerLimits>

			</requestLimits>

B、)configuration>system.webServer>security>requestFiltering> 节点下

                                <verbs allowUnlisted="true">

				<add verb="POST" allowed="true"/>
				<add verb="GET" allowed="true"/>
				<add verb="HEAD" allowed="false"/>
				<add verb="DEBUG" allowed="false"/>
				<add verb="PUT" allowed="false"/>
				<add verb="DELETE" allowed="false"/>
				<add verb="PATCH" allowed="false"/>
				<add verb="OPTIONS" allowed="false"/>
				<add verb="SEARCH" allowed="false"/>
				<add verb="COPY" allowed="false"/>
				<add verb="MOVE" allowed="false"/>
				<add verb="PROPFIND" allowed="false"/>
				<add verb="PROPPATCH" allowed="false"/>
				<add verb="MKCOL" allowed="false"/>
				<add verb="LOCK" allowed="false"/>
				<add verb="UNLOCK" allowed="false"/>

			</verbs>

C、)configuration>system.webServer> httpProtocol> customHeaders 节点下

                            <add name="X-Content-Type-Options" value="nosniff" />

			<!--检测到目标X-XSS-Protection响应头缺失-->
			<add name="X-XSS-Protection" value="1" />
			<!--检测到目标Content-Security-Policy响应头缺失 default-src 'self'-->
			 <add name="Content-Security-Policy" value="frame-ancestors 'self'" /> 
			<!--检测到目标Strict-Transport-Security响应头缺失-->
			<!--<add name="Strict-Transport-Security"  value="max-age=63072000; includeSubdomains; preload"/>-->
			<add name="Strict-Transport-Security" value="max-age=31536000" />
			<!--检测到目标Referrer-Policy响应头缺失-->
			<add name="Referrer-Policy" value="origin-when-cross-origin" />
			<!--检测到目标X-Permitted-Cross-Domain-Policies响应头缺失-->
			<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
			<!--检测到目标X-Download-Options响应头缺失-->
			<add name="X-Download-Options" value="noopen" />
			<!--点击劫持:X-Frame-Options未配置 iframe  deny:不允许,sameorigin:同源-->

			<add name="X-Frame-Options" value="sameorigin" />

其他、缓慢http拒绝服务攻击问题
最好请求代理配置,若请求代理不配置,找到系统下
applicationHost.config(C:\Windows\System32\inetsrv\config),修改配置,注意备份此文件

<system.applicationHost>
	<webLimits
		connectionTimeout="00:00:30" 
		headerWaitTimeout="00:00:10" 
		demandStartThreshold="150" 
		minBytesPerSecond="512"/>  
</system.applicationHost>
posted @ 2022-08-29 11:19  newbigapple  阅读(562)  评论(0)    收藏  举报