# NGINX Vulnerability CVE-2026-42945 Defence in Practice: From Detection to Remediation, Step-by-Step
If you work in IT ops or look after web servers, this is the one to watch right now: the **NGINX vulnerability** CVE-2026-42945 is already being exploited at scale in the wild and can crash worker processes or even lead to remote code execution. The blast radius of this **NGINX vulnerability** is huge, because NGINX is one of the most widely deployed web servers in the world; Stack Overflow, Netflix and Cloudflare all run it.
👉 Further reading: Linux Server Hardening in 6 Steps, a hands-on Defense in Depth guide
Today we walk step-by-step from detection to remediation and show you how to protect yourself against the risk this **NGINX vulnerability** poses.
## NGINX Vulnerability: 🔍 Step 1: Check whether your NGINX version is affected
This **NGINX vulnerability** mainly affects the following versions:
– NGINX 1.26.x (all releases)
– NGINX 1.27.0 – 1.27.2
– NGINX Plus R30 – R32
Check the version running on your server right away:
```bash
# Check NGINX version (note: nginx -v prints to stderr)
nginx -v
# Or ask the package manager
dpkg -l | grep nginx
rpm -qa | grep nginx
```
If the output is something like `nginx version: nginx/1.27.1`, an affected version, upgrade immediately.
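As an added example (not from the original post), here is a small POSIX shell helper that parses the `nginx -v` banner and classifies the open-source version against the ranges listed above. It assumes the affected ranges are exactly as the post states (all 1.26.x, 1.27.0 through 1.27.2, fixed in 1.27.3), relies on GNU `sort -V` for version ordering, and does not try to classify NGINX Plus releases, whose banner format is not covered here. The detail worth noting is that a plain string comparison would rank 1.27.10 below 1.27.3, so the helper orders versions numerically instead.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: affected ranges are
# 1.26.x (all) and 1.27.0..1.27.2, fixed in 1.27.3; GNU/BusyBox sort -V available.

# Extract X.Y.Z from a banner such as "nginx version: nginx/1.27.1"
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*nginx\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) if $1 is an affected open-source version, 1 otherwise.
# sort -V orders 1.27.10 after 1.27.3; a string test (< or sort without -V) would not.
nginx_version_affected() {
    v="$1"
    case "$v" in
        1.26.*) return 0 ;;   # every 1.26.x release is listed as affected
    esac
    # affected if 1.27.0 <= v < 1.27.3
    lowest=$(printf '%s\n' "$v" 1.27.0 | sort -V | head -n 1)
    highest=$(printf '%s\n' "$v" 1.27.3 | sort -V | tail -n 1)
    if [ "$lowest" = "1.27.0" ] && [ "$highest" = "1.27.3" ] && [ "$v" != "1.27.3" ]; then
        return 0
    fi
    return 1
}

# Human-readable verdict for a banner string
nginx_verdict() {
    ver=$(nginx_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "could not parse version from: $1"
    elif nginx_version_affected "$ver"; then
        echo "$ver: affected, upgrade to 1.27.3 or later"
    else
        echo "$ver: not in the affected ranges"
    fi
}

# Constructed sample banner (not taken from a real host)
SAMPLE_BANNER='nginx version: nginx/1.27.1'
nginx_verdict "$SAMPLE_BANNER"

# If nginx is installed on this machine, check it too
if command -v nginx >/dev/null 2>&1; then
    nginx_verdict "$(nginx -v 2>&1)"
fi
```

Run it on the box you are auditing; the function returns an exit status, so it also drops straight into a cron job or a configuration-management check.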
## NGINX Vulnerability: 🛡️ Step 2: Temporary mitigation
This **NGINX vulnerability** is triggered by a crafted HTTP/3 QUIC request, so the most direct temporary mitigation is to disable HTTP/3 for now:
```bash
# Back up the config first
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak.$(date +%Y%m%d)
# Edit nginx.conf and comment out the HTTP/3 listen directive
# Before: listen 443 quic reuseport;
# After:  listen 443 ssl reuseport;
# Delete or comment out the remaining QUIC-related directives as well
# (for example "http3 on;" and any add_header Alt-Svc line that advertises h3 to clients)
```
Remember to reload the config:
```bash
nginx -t && nginx -s reload
```
You can also add a WAF rule to block suspicious QUIC packets:
```apache
# Using ModSecurity + the nginx connector
# /etc/nginx/modsec/modsecurity.conf
SecRuleEngine On
# Inspects the Content-Type request header of HTTP requests that reach ModSecurity;
# it does not see QUIC transport frames, so disabling HTTP/3 above remains the primary control
SecRule REQUEST_HEADERS:Content-Type "@rx application/x-quic" \
    "id:10001,deny,status:403,msg:'Potential CVE-2026-42945 exploit attempt'"
```
## NGINX Vulnerability: 🔧 Step 3: Patch! The proper fix
The official fix for this **NGINX vulnerability** is out; follow these steps:
```bash
# Ubuntu/Debian
sudo apt update && sudo apt install --only-upgrade nginx
# RHEL/CentOS/Rocky
sudo dnf update nginx
# If you use the official repo, add it first
# (the heredoc delimiter is quoted, so $releasever/$basearch are written literally
#  for dnf to expand; do not backslash-escape them or the URL ends up broken)
sudo tee /etc/yum.repos.d/nginx.repo << 'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
EOF
sudo dnf update nginx
```
After upgrading, restart and confirm the service is healthy:
```bash
sudo systemctl restart nginx
sudo systemctl status nginx
```
Confirm the new version:
```bash
nginx -v
# You should see 1.27.3 or later
```
## NGINX Vulnerability: 📊 Step 4: Detect! Have you already been hit?
When this **NGINX vulnerability** is exploited it leaves traces in the error log. Check the error log:
```bash
# Check for crash signatures
grep -i "worker process.*exited on signal" /var/log/nginx/error.log | tail -20
# Check for QUIC-related crashes
grep -i "quic" /var/log/nginx/error.log | grep -i "error\|crash\|fatal" | tail -20
# Look for suspicious 444/400 responses, grouped by client IP
grep " 444 " /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -10
```
If you see a large number of worker crashes with no reasonable explanation, you have very likely already been targeted through this **NGINX vulnerability**.
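As an added example (not from the original post), the following shell snippet runs the Step 4 checks over a small constructed error log and access log, so the patterns can be exercised offline before you point them at `/var/log/nginx`. The log lines, IP addresses (taken from documentation ranges) and timestamps are made up for this example; the "exited on signal" and 444 patterns are the ones the post greps for, and the crash threshold is an arbitrary value you would tune to your own baseline.

```shell
#!/bin/sh
# Added example, not from the original post. All log content below is constructed.

ERR_LOG=$(mktemp)
ACC_LOG=$(mktemp)
trap 'rm -f "$ERR_LOG" "$ACC_LOG"' EXIT

# Constructed sample error log: three worker crashes, one QUIC error, unrelated notices
cat > "$ERR_LOG" <<'EOF'
2026/05/02 10:00:01 [notice] 1#1: start worker processes
2026/05/02 10:01:12 [alert] 1#1: worker process 24 exited on signal 11 (core dumped)
2026/05/02 10:01:12 [notice] 1#1: start worker process 31
2026/05/02 10:01:45 [alert] 1#1: worker process 31 exited on signal 11 (core dumped)
2026/05/02 10:02:03 [error] 1#1: quic: connection error
2026/05/02 10:02:30 [alert] 1#1: worker process 37 exited on signal 6 (core dumped)
EOF

# Constructed sample access log: one client collects most of the 444 responses
cat > "$ACC_LOG" <<'EOF'
203.0.113.10 - - [02/May/2026:10:01:10 +0000] "GET / HTTP/3.0" 444 0 "-" "-"
203.0.113.10 - - [02/May/2026:10:01:11 +0000] "GET / HTTP/3.0" 444 0 "-" "-"
203.0.113.10 - - [02/May/2026:10:01:12 +0000] "GET / HTTP/3.0" 444 0 "-" "-"
198.51.100.7 - - [02/May/2026:10:01:30 +0000] "GET /index.html HTTP/2.0" 200 612 "-" "curl/8.5.0"
198.51.100.7 - - [02/May/2026:10:01:31 +0000] "GET /favicon.ico HTTP/2.0" 404 153 "-" "curl/8.5.0"
192.0.2.55 - - [02/May/2026:10:01:40 +0000] "GET / HTTP/3.0" 444 0 "-" "-"
EOF

# Count worker crash lines; prints 0 when the file is missing (grep then prints nothing)
count_worker_crashes() {
    n=$(grep -c "worker process.*exited on signal" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Count QUIC lines that also carry error/crash/fatal (the post's second check)
count_quic_errors() {
    n=$(grep -i "quic" "$1" 2>/dev/null | grep -ic "error\|crash\|fatal") || true
    echo "${n:-0}"
}

# Print "count ip" for the client with the most 444 responses
top_444_client() {
    grep ' 444 ' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | head -n 1 | awk '{print $1, $2}'
}

# Returns 0 when the crash count exceeds the threshold in $2
crashes_exceed() {
    [ "$(count_worker_crashes "$1")" -gt "$2" ]
}

echo "worker crashes: $(count_worker_crashes "$ERR_LOG")"
echo "quic errors:    $(count_quic_errors "$ERR_LOG")"
echo "top 444 client: $(top_444_client "$ACC_LOG")"
if crashes_exceed "$ERR_LOG" 2; then
    echo "crash count above threshold, investigate before assuming a benign cause"
fi
```

Swap the temp files for the real paths to reuse the same functions in the Step 5 cron script; the functions return plain numbers, which makes them easy to feed into whatever alerting you already have.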
## NGINX Vulnerability: 🏁 Step 5: Ongoing monitoring
Set up a cron job to check periodically:
```bash
# /etc/cron.d/nginx-cve-check
0 */6 * * * root /usr/local/bin/nginx_cve_check.sh
```
Script contents:
```bash
#!/bin/bash
# nginx_cve_check.sh - Monitor for CVE-2026-42945 NGINX vulnerability exploitation
ERROR_LOG=/var/log/nginx/error.log
FIXED_VERSION=1.27.3
ALERT_TO=admin@yourdomain.com   # replace with your own address

# Count worker crashes in the whole log; default to 0 if the log is missing
# (grep prints nothing in that case, which would break the numeric test below)
CRASH_COUNT=$(grep -c "worker process.*exited on signal" "$ERROR_LOG" 2>/dev/null)
CRASH_COUNT=${CRASH_COUNT:-0}
VERSION=$(nginx -v 2>&1 | grep -oP '\d+\.\d+\.\d+')

if [ "$CRASH_COUNT" -gt 5 ]; then
    echo "[ALERT] NGINX漏洞: $CRASH_COUNT worker crashes detected on $(hostname)" \
        | mail -s "NGINX CVE-2026-42945 Alert" "$ALERT_TO"
fi

# Compare versions numerically with sort -V: the string test [[ "$VERSION" < "1.27.3" ]]
# would rank 1.27.10 below 1.27.3 and raise a false alarm
if [ -n "$VERSION" ] && [ "$(printf '%s\n' "$VERSION" "$FIXED_VERSION" | sort -V | head -n1)" != "$FIXED_VERSION" ]; then
    echo "[WARN] NGINX漏洞: Version $VERSION is vulnerable. Please upgrade!" \
        | mail -s "NGINX Version Alert" "$ALERT_TO"
fi
```
## NGINX Vulnerability: Summary
The **NGINX vulnerability** CVE-2026-42945 is a critical-level threat with a CVSS score of 9.1. CISA has added it to the KEV catalog, and federal agencies must remediate before the specified deadline. For the private sector, completing the patch within 48 hours is strongly recommended.
Remember the iron triangle: **Detect → Mitigate → Patch**. Only when all three are done is the incident response complete.
#NGINX #CVE #WebServerSecurity #SecurityDefence #VulnerabilityRemediation
—
> 📌 **Further reading:**
> – [May 2026 Security Threat Briefing](https://molious.com/?p=578): a roundup of the latest Cisco, Grafana and Exchange Server vulnerabilities
> – [Supply Chain Attacks Are at Your Doorstep! A Survival Guide for IT Staff](https://molious.com/?p=573): essential reading for anyone on the payroll
> – [Linux Server Hardening: 6 Must-Do Settings](https://molious.com/?p=464)