A short email out of nowhere: a vulnerability on port 443 of some production IP. Baffled for a moment, I looked at the IP, searched in Xshell and found it was there, so no need to ask a colleague (because I'm new); just get on with it. Some sensitive details are omitted from the information below.
1. Step one: find the port:
[root@localhost ~]# netstat -tunlp |grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3095/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3095/nginx
# Port 443 is listening, and the process behind it is nginx
2. Step two: look at the processes and find the program's path
[root@localhost ~]# ps -ef |grep nginx |grep -v grep
nginx 3085 3078 0 Mar01 ? 00:11:28 php-fpm: pool www
nginx 3086 3078 0 Mar01 ? 00:11:26 php-fpm: pool www
nginx 3087 3078 0 Mar01 ? 00:11:26 php-fpm: pool www
nginx 3088 3078 0 Mar01 ? 00:11:26 php-fpm: pool www
nginx 3089 3078 0 Mar01 ? 00:11:25 php-fpm: pool www
root 3095 1 0 Mar01 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 3096 3095 0 Mar01 ? 00:09:36 nginx: worker process
nginx 3248 3078 0 Mar01 ? 00:11:25 php-fpm: pool www
nginx 3480 3078 0 11:10 ? 00:00:03 php-fpm: pool www
nginx 4461 3078 0 Mar01 ? 00:11:24 php-fpm: pool www
nginx 4555 3078 0 11:10 ? 00:00:03 php-fpm: pool www
nginx 4574 3078 0 11:10 ? 00:00:02 php-fpm: pool www
nginx 4575 3078 0 11:10 ? 00:00:03 php-fpm: pool www
nginx 4591 3078 0 11:10 ? 00:00:03 php-fpm: pool www
nginx 4592 3078 0 11:10 ? 00:00:03 php-fpm: pool www
nginx 4610 3078 0 11:10 ? 00:00:02 php-fpm: pool www
# The command it was started with is: /usr/sbin/nginx -c /etc/nginx/nginx.conf
# The program's configuration file is: /etc/nginx/nginx.conf
# The related program running alongside it is PHP (php-fpm)
3. Find the nginx installation path
# nginx was installed from an rpm package
[root@localhost ~]# rpm -qa |grep nginx
nginx-1.2.3-1.el6.x86_64
[root@localhost ~]# rpm -ql nginx
/etc
/etc/logrotate.d
/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/conf.d/ssl.conf
/etc/nginx/conf.d/virtual.conf
/etc/nginx/fastcgi.conf
/etc/nginx/fastcgi.conf.default
/etc/nginx/fastcgi_params
/etc/nginx/fastcgi_params.default
/etc/nginx/html
/etc/nginx/html/50x.html
/etc/nginx/html/index.html
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/mime.types.default
/etc/nginx/nginx.conf
/etc/nginx/nginx.conf.default
/etc/nginx/scgi_params
/etc/nginx/scgi_params.default
/etc/nginx/uwsgi_params
/etc/nginx/uwsgi_params.default
/etc/nginx/win-utf
/etc/rc.d
/etc/rc.d/init.d
/etc/rc.d/init.d/nginx
/etc/sysconfig
/etc/sysconfig/nginx
/usr/sbin/nginx
/usr/share/doc/nginx-1.2.3
/usr/share/doc/nginx-1.2.3/CHANGES
/usr/share/doc/nginx-1.2.3/LICENSE
/usr/share/doc/nginx-1.2.3/README
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/404.html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/usr/share/nginx/html/nginx-logo.png
/usr/share/nginx/html/poweredby.png
/var/cache/nginx
/var/lib/nginx
/var/lib/nginx/tmp
/var/log/nginx
# The version is nginx-1.2.3
4. Look at the nginx configuration file
# The main configuration file has no relevant settings of its own; it shows that the actual configuration lives under the conf.d directory
[root@localhost nginx]# cat nginx.conf
http {
    ........... omitted .................
    include /etc/nginx/conf.d/*.conf;
    ........... omitted .................
}
# Go into the conf.d directory, look at the configuration, and find the file with the SSL configuration for port 443
[root@localhost nginx]# cd conf.d/
[root@localhost conf.d]# ls
server {
    listen 443;
    server_name gg.abc.com;
    ssl on;
    ssl_certificate /etc/local/ssl/abc.crt;
    ssl_certificate_key /etc/local/ssl/abc.rsa;
    ssl_session_timeout 5m;
    ........... omitted .................
}
# The domain name here is a placeholder, not the one actually in use. With the domain known, test access: https://gg.abc.com is reachable
# Next, scan for vulnerabilities.
# I used the Windows vulnerability scanner Acunetix Web Vulnerability Scanner, version 10.5
# The scan result is shown below
# 1. Open Acunetix
# 2. Click New Scan, Scan single website → Website URL: enter the address, Next
# 3. Keep the defaults, Next, all the way to the end
Vulnerability description
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
This vulnerability affects Web Server.
Discovered by: Scripting (Heartbleed_Bug.script).
Attack details
First 512 bytes of data we pulled from the server memory:
hex dump ..... omitted ....
The impact of this vulnerability
An attacker can read the memory of the systems protected by the vulnerable versions of the OpenSSL software.
How to fix this vulnerability
Upgrade to the latest version of OpenSSL.
Classification
CWE: CWE-200
CVE: CVE-2014-0160
CVSS Base Score: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
CVSS3 Base Score: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
# As you can see, it is an OpenSSL version problem:
What versions of the OpenSSL are affected?
Status of different versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
# This is the vulnerability's identifier; clicking the version number shows the detailed description
Classification
CWE: CWE-200
CVE: CVE-2014-0160
CVSS Base Score: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: None
CVSS3 Base Score: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Current openssl version
# This openssl version has a serious bug
[root@localhost software]# rpm -qa |grep openssl
openssl-1.0.1e-15.el6.x86_64
[root@localhost software]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Testing on a VM which openssl version is compatible with nginx 1.2.3
# Next, find an OpenSSL release that already contains the fix; since this nginx version is rather old, the OpenSSL chosen may run into compatibility problems.
# openssl-1.1.1: the test build fails
# openssl-1.0.2o: the test build and install succeed
# Download the openssl releases
wget https://www.openssl.org/source/openssl-1.1.1-pre6.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
# Create the nginx run user
useradd www -s /sbin/nologin
# Configure
./configure \
--user=www \
--group=www \
--prefix=/usr/local/nginx-1.2.3 \
--with-http_ssl_module \
--with-http_stub_status_module \
--with-openssl=/home/software/nginx/openssl_update/openssl-1.0.2o \
--with-pcre=/home/software/nginx/openssl_update/pcre-7.8 \
--with-zlib=/home/software/nginx/openssl_update/zlib-1.2.3
# Compile and install
make && make install
# Run nginx
/usr/local/nginx-1.2.3/sbin/nginx
# Verify that it started
[root@tsung-client ~]# curl -I http://127.0.0.1:80
HTTP/1.1 200 OK
Server: nginx/1.2.3
Date: Wed, 23 May 2018 14:05:26 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Fri, 09 Mar 2018 06:30:39 GMT
Connection: keep-alive
Accept-Ranges: bytes
Fixing the openssl vulnerability on the Linux production machine
# Check whether zlib is installed
[root@localhost software]# rpm -qa |grep zlib
zlib-1.2.3-29.el6.x86_64
# Check whether gcc is installed: it is not
[root@localhost openssl-1.0.2o]# rpm -qa |grep gcc
libgcc-4.4.7-4.el6.x86_64
# On CentOS install gcc with yum; on Red Hat change the yum source, or install it manually
[root@localhost openssl-1.0.2o]# yum -y install gcc gcc-c++
# Configure openssl
[root@localhost openssl-1.0.2o]# ./config --prefix=/usr/local/openssl -enable-shared
# Build openssl
[root@localhost openssl-1.0.2o]# make
# Install openssl
[root@localhost openssl-1.0.2o]# make install
# Back up the original openssl files
[root@localhost openssl-1.0.2o]# mv /usr/bin/openssl /usr/bin/openssl-1.0.1.e-bak
[root@localhost openssl-1.0.2o]# mv /usr/include/openssl/ /usr/include/openssl-1.0.1.e-bak
# Link the newly installed version onto the old version's paths
[root@localhost openssl-1.0.2o]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.0.2o]# ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl
# Dynamic library path configuration
[root@localhost openssl-1.0.2o]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
# Append the directory to the ld.so.conf file
[root@localhost openssl-1.0.2o]# ls -d /usr/local/openssl/lib/ >> /etc/ld.so.conf
# Check
[root@tsung-client etc]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/openssl/lib/
# No error means it is fine
[root@localhost openssl-1.0.2o]# ldconfig
# Look at ssl: -p prints the cache, -v shows details. I think the two are about the same; harmless.
[root@localhost openssl-1.0.2o]# ldconfig -p |grep ssl
libssl3.so (libc6,x86-64) => /usr/lib64/libssl3.so
libssl.so.10 (libc6,x86-64) => /usr/lib64/libssl.so.10
[root@localhost openssl-1.0.2o]# ldconfig -v |grep ssl
libssl.so.10 -> libssl.so.1.0.1e
libssl3.so -> libssl3.so
# Verify the version
[root@localhost openssl-1.0.2o]# openssl version
OpenSSL 1.0.2o 27 Mar 2018
# Test that openssl works normally. OK, done
Fixing the nginx SSL vulnerability
[root@localhost objs]# ps -ef |grep nginx
nginx 3085 3078 0 Mar01 ? 00:11:41 php-fpm: pool www
nginx 3086 3078 0 Mar01 ? 00:11:39 php-fpm: pool www
nginx 3087 3078 0 Mar01 ? 00:11:38 php-fpm: pool www
nginx 3088 3078 0 Mar01 ? 00:11:39 php-fpm: pool www
nginx 3089 3078 0 Mar01 ? 00:11:37 php-fpm: pool www
root 3095 1 0 Mar01 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
nginx 3248 3078 0 Mar01 ? 00:11:37 php-fpm: pool www
nginx 3480 3078 0 11:10 ? 00:00:15 php-fpm: pool www
nginx 4134 3095 2 20:50 ? 00:00:27 nginx: worker process
nginx 4461 3078 0 Mar01 ? 00:11:36 php-fpm: pool www
nginx 4555 3078 0 11:10 ? 00:00:15 php-fpm: pool www
nginx 4574 3078 0 11:10 ? 00:00:14 php-fpm: pool www
nginx 4575 3078 0 11:10 ? 00:00:15 php-fpm: pool www
nginx 4591 3078 0 11:10 ? 00:00:15 php-fpm: pool www
nginx 4592 3078 0 11:10 ? 00:00:15 php-fpm: pool www
nginx 4610 3078 0 11:10 ? 00:00:15 php-fpm: pool www
root 12605 10741 0 21:06 pts/4 00:00:00 grep nginx
# Check whether nginx is statically compiled: output means it is dynamically linked, no output means it is static
[root@localhost objs]# lsof -p 3095| grep ssl
nginx 3095 root DEL REG 253,0 2640288 /usr/lib64/libssl.so.1.0.1e.#prelink#.SY9VCo
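The lsof check above answers the static-or-dynamic question for one PID. The script below is an added example (not from the original post) that reads the same information from /proc/PID/maps for every process, so that after the /usr/local/openssl install, when ldconfig -v still listed /usr/lib64/libssl.so.1.0.1e, every daemon still loading that library (php-fpm included) can be listed, not only nginx. The sample maps content inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still have an
# OpenSSL shared library mapped, reading /proc/PID/maps (the data lsof shows).
# Use: sh audit_ssl_maps.sh             -> scan all processes for libssl.so.1.0.1e
#      sh audit_ssl_maps.sh 'libcrypto' -> any other ERE for the library name

# Print the distinct library paths in one maps file that match an ERE.
# $1 = /proc/PID/maps (or a saved copy), $2 = ERE, default: any libssl/libcrypto.
ssl_libs_in_maps() {
    maps="$1"; pat="${2:-lib(ssl|crypto)\.so}"
    # Column 6 of a maps line is the pathname; anonymous mappings have none.
    awk 'NF >= 6 { print $6 }' "$maps" 2>/dev/null | grep -E -e "$pat" | sort -u
}

# Print "dynamic" when the process maps a matching library, "static" otherwise
# (the post's rule: lsof output means dynamic, no output means static).
ssl_linkage() {
    if [ -n "$(ssl_libs_in_maps "$1" "$2")" ]; then echo dynamic; else echo static; fi
}

# Walk every readable process and report those mapping the library in $1
# (default: the vulnerable 1.0.1e build that ldconfig -v still listed above).
audit_mapped_ssl() {
    pat="${1:-libssl\.so\.1\.0\.1e}"
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps#/proc/}"; pid="${pid%/maps}"
        libs="$(ssl_libs_in_maps "$maps" "$pat")"
        [ -n "$libs" ] || continue
        comm="$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')"
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$(printf '%s' "$libs" | tr '\n' ' ')"
    done
    return 0
}

# Constructed sample maps content (not captured output) so the functions can be
# exercised offline; it is what a process using the old library would show.
SAMPLE_MAPS="$(mktemp)"
cat > "$SAMPLE_MAPS" <<'EOF'
7f3c2a000000-7f3c2a05d000 r-xp 00000000 fd:00 2640288 /usr/lib64/libssl.so.1.0.1e
7f3c2a05d000-7f3c2a25c000 ---p 0005d000 fd:00 2640288 /usr/lib64/libssl.so.1.0.1e
7f3c2a400000-7f3c2a5c0000 r-xp 00000000 fd:00 2640290 /usr/lib64/libcrypto.so.1.0.1e
7f3c2b000000-7f3c2b021000 r-xp 00000000 fd:00 1310721 /lib64/ld-2.12.so
7f3c2b300000-7f3c2b400000 rw-p 00000000 00:00 0
EOF

echo "sample process: $(ssl_linkage "$SAMPLE_MAPS")"   # dynamic
audit_mapped_ssl "$@"   # real processes on this host, one line per hit
```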
# Download nginx
wget http://nginx.org/download/nginx-1.2.3.tar.gz
# Download the nginx module nginx-accesskey
wget https://github.com/search?utf8=%E2%9C%93&q=nginx-accesskey-2.0.3&type=
# Download the nginx module chunkin-nginx
https://github.com/search?utf8=%E2%9C%93&q=chunkin-nginx-module&type=
# Download pcre
wget https://sourceforge.net/projects/pcre/files/pcre/7.8/pcre-7.8.tar.gz
# Download zlib
wget https://sourceforge.net/projects/libpng/files/zlib/1.2.3/zlib-1.2.3.tar.gz
# Configure nginx
./configure --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock \
--user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module \
--with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-file-aio --with-mail_ssl_module --with-ipv6 --with-cc-opt='-O2 -g' \
--add-module=/home/software/nginx-1.2.3/nginx-accesskey-2.0.3 --add-module=/home/software/nginx-1.2.3/chunkin-nginx-module --http-client-body-temp-path=/var/cache/nginx/client_temp --http-log-path=/var/log/nginx/access.log \
--http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp \
--with-pcre=/home/software/nginx-1.2.3/pcre-7.8 --with-openssl=/home/software/nginx-1.2.3/openssl-1.0.2o --with-zlib=/home/software/nginx-1.2.3/zlib-1.2.3
# Compile only; do not run make install, because that would overwrite the existing installation and this is just an upgrade of the binary
make
# After compiling, back up the old nginx and copy the new one to /usr/sbin
mv /usr/sbin/nginx /usr/sbin/nginx.bak
cp /home/software/nginx-1.2.3/objs/nginx /usr/sbin/
## Check whether it is statically compiled; no output means static
[root@localhost objs]# lsof -p 3095| grep ssl
# Reload nginx, but this has no effect
[root@localhost objs]# /usr/sbin/nginx -s reload -c /etc/nginx/nginx.conf
# Stop nginx
[root@localhost objs]# /usr/sbin/nginx -s stop -c /etc/nginx/nginx.conf
# Start nginx
[root@localhost objs]# /usr/sbin/nginx
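The lsof run right after the cp still inspects PID 3095, the old master process, so it only says something about the new binary once nginx has been restarted. As an added example (not the post's own commands), the script below classifies an OpenSSL version string against the affected range from the scan report and reads the version string a statically linked binary embeds, so objs/nginx can be checked before it is copied over /usr/sbin/nginx; the stand-in binary is constructed and the note about distribution backports is an added caveat.

```shell
#!/bin/sh
# Added example, not from the original post: classify an "openssl version" style
# string against the affected range from the scan report (1.0.1 through 1.0.1f
# vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not) and read the version string a
# statically linked binary carries, so a rebuilt nginx can be checked as a file.
# Caveat: a distribution package can backport the fix while still reporting
# "1.0.1e"; for such packages check: rpm -q --changelog openssl | grep CVE-2014-0160

# $1 = text containing "OpenSSL x.y.z[letter]"; prints VULNERABLE, NOT_VULNERABLE or UNKNOWN.
heartbleed_status() {
    ver="$(printf '%s\n' "$1" | sed -n 's/^.*OpenSSL \([0-9][0-9.]*[a-z]*\).*$/\1/p' | head -n 1)"
    [ -n "$ver" ] || { echo UNKNOWN; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f])          echo VULNERABLE ;;      # range from the scan report
        1.0.1[g-z]|1.0.0*|0.9.8*)  echo NOT_VULNERABLE ;;  # also from the scan report
        1.0.2*|1.1.*|3.*)          echo NOT_VULNERABLE ;;  # branches released after the fix
        *)                         echo UNKNOWN ;;
    esac
}

# $1 = path to an executable; prints the first "OpenSSL x.y.z" string embedded in it
# (a static build like the post's carries one; a dynamically linked nginx has none).
embedded_openssl_version() {
    tr -c '[:print:]\n' '\n' < "$1" | sed -n 's/^.*\(OpenSSL [0-9][0-9.]*[a-z]*\).*$/\1/p' | head -n 1
}

# $1 = executable; prints "<status> <version>", or UNKNOWN when nothing is embedded.
check_binary() {
    v="$(embedded_openssl_version "$1")"
    [ -n "$v" ] || { echo "UNKNOWN (no embedded OpenSSL string)"; return 0; }
    echo "$(heartbleed_status "$v") $v"
}

# Constructed stand-in for a binary (not a real nginx): junk bytes around the kind
# of version string libcrypto embeds, using the version found on the host above.
FAKE_BIN="$(mktemp)"
printf '\177ELF\0\0junk\0OpenSSL 1.0.1e-fips 11 Feb 2013\0more\0' > "$FAKE_BIN"

check_binary "$FAKE_BIN"            # VULNERABLE OpenSSL 1.0.1e
[ -x /usr/sbin/nginx ] && check_binary /usr/sbin/nginx || true
```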
# Ran the security scanner again: the vulnerability is no longer reported. OK, solved.
# Solved; recording the process here
Reposted from: https://blog.51cto.com/hongdouzi555/2119638