Recently many friends have had their VOS servers hijacked to carry fraud calls and other toll traffic, causing heavy financial losses and social harm. From the information I have, the cracked VOS builds involved are 2.1.4.0, 2.1.6.0, 2.1.7.x and 2.1.8.0, i.e. the currently popular pirated versions; the licensed product is not affected. The backdoor differs from version to version. Below are the hardening measures I use against all of them. They are for reference only, and I take no responsibility for the consequences.
1. Preparation:
Because Alibaba Cloud changed its yum mirror address for CentOS 6.x, update the yum repo configuration by hand (CentOS 6 is end-of-life and is only served from the vault archive).
Delete every file under /etc/yum.repos.d/ and create /etc/yum.repos.d/CentOS-Base.repo with the following content (the CentOS 6 signing key is installed as RPM-GPG-KEY-CentOS-6; there is no file named RPM-GPG-KEY-6, and gpgcheck=1 fails without the right key):
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client. You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/centos/$releasever/os/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/centos/$releasever/updates/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/centos/$releasever/extras/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/centos/$releasever/centosplus/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=https://mirrors.tuna.tsinghua.edu.cn/centos-vault/centos/$releasever/contrib/$basearch/
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
Rebuild the cache and test that yum works against the new mirror:
yum clean all && yum makecache
yum -y install mlocate lrzsz ca-certificates openssl nss
2. Prepare the VOS environment:
Create the install script (install.sh):
#!/bin/bash
# VOS prerequisites for CentOS 6.x; run as root. The script reboots once if the
# kernel has to be replaced, so run it again after the reboot to finish.
set -u
# VOS does not run with SELinux enforcing: disable it now and for the next boot.
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
# iptables is stopped only for the install; the hardened ruleset is loaded in step 4.
service iptables stop
yum install -y zip ntp crontabs
# Time zone and a one-off clock sync (ntpd must not hold the port while ntpdate runs).
rm -f /etc/localtime
ln -s /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
service ntpd stop
ntpdate cn.ntp.org.cn
# Add an 8 GB swap file when there is less than 1 GB of RAM.
# Read the "Mem:" line explicitly; "tail -1" returns the "Swap:" line instead,
# and the original string comparison ("$free" < "1024") compared digits, not numbers.
mem_mb=$(free -m | awk '/^Mem:/{print $2}')
if [ "$mem_mb" -lt 1024 ]; then
    echo "making swap..."
    dd if=/dev/zero of=/mnt/swapfile bs=1M count=8192
    chmod 600 /mnt/swapfile        # swap contents must not be world-readable
    mkswap /mnt/swapfile
    swapon /mnt/swapfile
    echo "adding swap to /etc/fstab"
    echo "/mnt/swapfile none swap defaults 0 0" >> /etc/fstab
fi
# Pin the kernel the VOS build expects. The two rpm files must be in the
# current directory; the running kernel is replaced and the box rebooted.
kver=$(uname -r)
if [ "$kver" != "2.6.32-358.el6.x86_64" ]; then
    yum remove -y kernel kernel-firmware
    yum install -y kernel-2.6.32-358.el6.x86_64.rpm kernel-firmware-2.6.32-358.el6.noarch.rpm
    reboot
    exit 0
fi
# Remove the distribution MySQL and Perl packages so they do not conflict
# with the ones the VOS installer brings.
yum remove -y perl perl-DBI mysql mysql-*
Make it executable (owner only; 777 is never needed for a root script) and run it:
chmod 700 install.sh && ./install.sh
The VOS installation itself is omitted here because it involves licensed material; message me privately if you are interested.
After the reboot, check that the service ports are listening:
netstat -nlp
tcp 0 0 0.0.0.0:1202 0.0.0.0:* LISTEN 1350/java
tcp 0 0 0.0.0.0:1203 0.0.0.0:* LISTEN 1350/java
tcp 0 0 0.0.0.0:1204 0.0.0.0:* LISTEN 1350/java
tcp 0 0 0.0.0.0:1205 0.0.0.0:* LISTEN 1350/java
TCP 1202-1205 are the ports the VOS client connects to.
udp 0 0 0.0.0.0:5060 0.0.0.0:* 2320/mbx3000
udp 0 0 0.0.0.0:5060 0.0.0.0:* 2320/mbx3000
UDP 5060 owned by mbx3000 means the VOS SIP service is running and the licence was accepted.
3. Move the MySQL data directory
Stop the MySQL service:
#> /etc/init.d/mysql stop
Create a MySQL directory on the large mounted disk and copy the data files into it (cp -a keeps ownership, modes and timestamps):
#> mkdir /home/mysql
#> cp -a /var/lib/mysql/. /home/mysql/
Fix ownership (MySQL runs as the "mysql" user), otherwise it will fail to start:
#> chown -R mysql:mysql /home/mysql/
Edit the MySQL configuration and point the data directory at the new partition. If "socket" is also set under the old directory (for example /var/lib/mysql/mysql.sock), move it as well, in both [mysqld] and [client]; otherwise the rename in the test step below makes mysqld unable to create its socket and every local client call fails:
#> vim /etc/my.cnf
[mysqld]
datadir = /home/mysql
Start the service:
#> /etc/init.d/mysql start
Starting MySQL. SUCCESS!
Verify that the new location is really in use:
## rename the old data directory, then restart:
#> mv /var/lib/mysql /var/lib/mysql_
#> /etc/init.d/mysql restart
Shutting down MySQL... SUCCESS!
Starting MySQL. SUCCESS!
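The configuration edit above is easy to get wrong by hand (a second datadir line, a socket left under the old directory). The following script, an added example that is not part of the original post, makes the my.cnf change idempotent and moves any socket path that still points under the old data directory. The file contents it demonstrates on are constructed; the function names and the mysql:mysql ownership are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: edit my.cnf idempotently when
# relocating the data directory, and move a "socket" entry that still points
# under the old directory. If the socket stays under /var/lib/mysql, the
# "mv /var/lib/mysql /var/lib/mysql_" test step makes mysqld fail to start
# and every "mysql" client call fails with "Can't connect to local MySQL
# server through socket". File contents below are constructed for the demo.

# Set "key = value" inside [section] of $1 exactly once (replace or append).
mycnf_set() {   # $1 = my.cnf path, $2 = section name, $3 = key, $4 = value
    tmp="$1.tmp.$$"
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
    function emit() { print key " = " val; done = 1 }
    /^\[/ { if (insec && !done) emit(); insec = ($0 == sec) }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { if (!done) emit(); next }
    { print }
    END { if (!done) { if (!insec) print sec; emit() } }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Print the value of key in [section] of $1, or nothing when it is unset.
mycnf_get() {   # $1 = my.cnf path, $2 = section name, $3 = key
    awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec) }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# The relocation itself (run as root with MySQL stopped). cp -a keeps
# ownership, modes and timestamps; the chown covers files that were copied
# from a dump or created by hand. A socket under the old directory moves too.
mysql_move_datadir() {   # $1 = old datadir, $2 = new datadir, $3 = my.cnf path
    mkdir -p "$2" && cp -a "$1"/. "$2"/ && chown -R mysql:mysql "$2" || return 1
    mycnf_set "$3" mysqld datadir "$2"
    for sec in mysqld client; do
        s=$(mycnf_get "$3" "$sec" socket)
        case "$s" in
            "$1"/*) mycnf_set "$3" "$sec" socket "$2${s#"$1"}" ;;
        esac
    done
}

# Demonstration on a constructed config (no MySQL needed).
demo_cnf=$(mktemp)
printf '[client]\nsocket = /var/lib/mysql/mysql.sock\n\n[mysqld]\ndatadir = /var/lib/mysql\nsocket=/var/lib/mysql/mysql.sock\n' > "$demo_cnf"
mycnf_set "$demo_cnf" mysqld datadir /home/mysql
echo "datadir is now: $(mycnf_get "$demo_cnf" mysqld datadir)"
rm -f "$demo_cnf"
```

Run it on the real box as mysql_move_datadir /var/lib/mysql /home/mysql /etc/my.cnf after /etc/init.d/mysql stop; the functions accept both "key = value" and "key=value" spellings and append a missing section at the end of the file.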
4. System hardening:
With the above done, start the protective measures. Install tripwire (it records a baseline of the file system and reports any change to the files it covers):
yum install epel-release
yum -y install tripwire
If tripwire cannot be installed, point the EPEL source at the archive (EPEL 6 is end-of-life, so the live mirrors no longer carry it). Keep signature checking on: if /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6 is missing, import it with rpm --import from the key published at the root of the archive tree (https://archives.fedoraproject.org/pub/archive/epel/RPM-GPG-KEY-EPEL-6) before running yum.
[epel]
name=Extra Packages for Enterprise Linux 6 - $basearch
baseurl=https://archives.fedoraproject.org/pub/archive/epel/6/$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 6 - $basearch - Debug
baseurl=https://archives.fedoraproject.org/pub/archive/epel/6/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
[epel-source]
name=Extra Packages for Enterprise Linux 6 - $basearch - Source
baseurl=https://archives.fedoraproject.org/pub/archive/epel/6/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
gpgcheck=1
cd /etc/tripwire/ && tripwire-setup-keyfiles
Answer "Yes" to everything. It asks for a site passphrase and a local passphrase; using the same one for both is fine, but keep it, because it is needed every time the policy or the database is re-signed.
Initialise the tripwire database:
tripwire --init
The default policy lists files that do not exist on a CentOS 6 VOS box, so the first check ends with a long error list ("### Filename: /path"). Collect those paths:
tripwire --check | grep Filename > /etc/tripwire/no-directory.txt
Use the following bash script to comment those entries out of the policy text:
#!/bin/bash
# Comment out every twpol.txt entry for a path tripwire reported as missing.
# Each rule line looks like "/path/to/file -> $(SEC_BIN) ;", so the match is
# the path followed by a space.
for f in $(grep "Filename:" /etc/tripwire/no-directory.txt | cut -f2 -d:); do
    sed -i "s|\($f\) |#\\1|g" /etc/tripwire/twpol.txt
done
Regenerate the signed policy file from the edited text (this asks for the site passphrase):
twadmin -m P /etc/tripwire/twpol.txt
Initialise again:
tripwire --init
Check:
tripwire --check
The report should now end without errors:
No violations.
===============================================================================
Error Report:
===============================================================================
No Errors
From now on, any change to a file covered by the policy shows up in tripwire --check. Keep an off-box copy of the database (/var/lib/tripwire/*.twd) and the key files: an attacker who gets root on the box can simply re-run --init and hide the change.
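Running tripwire --check by hand is only useful if somebody reads the report. The wrapper below, an added example that is not part of the original post, is meant to be called from cron: it reduces the report to a violation count and the list of changed objects, so the cron mail (or a log line) tells you at once whether the box was touched. The report excerpt in sample_report is constructed to follow the layout tripwire prints; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: wrap "tripwire --check" for cron
# so that a violation produces a short, mailable summary instead of a report
# that nobody reads. The parsing works on the report text that tripwire
# prints; the excerpt in sample_report is constructed to match that layout.

# Number on the "Total violations found:" line; 0 when the report has none
# (a clean run prints "No violations." instead).
tw_violation_count() {   # report text on stdin
    awk '/^Total violations found:/ { n = $NF } END { print n + 0 }'
}

# Changed objects from the "Object Summary" section, one "<kind> <path>" per
# line. Paths are quoted lines under an Added:/Removed:/Modified: heading;
# any other non-blank, unquoted line (rule separators, the next rule name)
# ends the current list.
tw_changed_objects() {   # report text on stdin
    awk '
    /^(Added|Removed|Modified):$/ { kind = substr($1, 1, length($1) - 1); next }
    /^"\// && kind != ""        { gsub(/"/, ""); print kind " " $0; next }
    /^[^"]/ && !/^[ \t]*$/      { kind = "" }
    '
}

# Cron entry point: exit 0 when clean, 1 (with a summary on stdout) when not.
# tripwire --check needs no passphrase; only the database must be readable.
tw_cron_check() {
    report=$(tripwire --check 2>&1)
    n=$(printf '%s\n' "$report" | tw_violation_count)
    [ "$n" -eq 0 ] && return 0
    echo "tripwire: $n violation(s) on $(hostname) at $(date '+%F %T')"
    printf '%s\n' "$report" | tw_changed_objects
    return 1
}

# Constructed report excerpt (layout as printed by tripwire --check).
sample_report() {
cat <<'EOF'
Total objects scanned:  34240
Total violations found:  3

===============================================================================
Object Summary:
===============================================================================

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/tripwire"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.ssh/authorized_keys"

Modified:
"/root"

===============================================================================
Error Report:
===============================================================================

No Errors
EOF
}

# Demonstration on the constructed report.
echo "violations: $(sample_report | tw_violation_count)"
sample_report | tw_changed_objects
```

Save the functions as a script that ends with tw_cron_check and schedule it daily from root's crontab; cron mails any output, and the non-zero exit status lets a monitoring agent alert on it as well. A new entry under /root/.ssh, as in the constructed sample, is exactly the kind of change that matters on a VOS box.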
Change the Alibaba Cloud security group (public inbound direction only). Lower priority numbers take precedence, so the priority-1 allows override the priority-100 catch-all denies:
Deny   priority 1    all ICMP (IPv4)   dest -1/-1        source 0.0.0.0/0          block ping
Allow  priority 1    custom UDP        dest 20000/40000  source 0.0.0.0/0          RTP media ports (omit this rule if you do not proxy media)
Allow  priority 1    custom TCP        dest 22/22        source 0.0.0.0/0          SSH (better: your admin addresses only)
Allow  priority 1    custom TCP        dest 8088/8088    source 0.0.0.0/0          VOS web port (better: your admin addresses only)
Allow  priority 1    custom TCP        dest 1202/1210    source 0.0.0.0/0          VOS client ports (better: your client addresses only)
Deny   priority 100  custom TCP        dest 1/65535      source 0.0.0.0/0          lowest precedence: drop all other TCP
Deny   priority 100  custom UDP        dest 1/65535      source 0.0.0.0/0          lowest precedence: drop all other UDP
Then, each time you add a termination or interconnect gateway, add the peer's address:
Allow  priority 1    custom UDP        dest 5060/5060    source 123.123.123.123/32  SIP from customer 1
The RTP range here (20000-40000) and the one in the iptables rules below (10000-49999) must both match the range VOS is actually configured to use; pick one and use it in both places.
Edit the server's own iptables rules (the content of /etc/sysconfig/iptables):
The host firewall closes every inbound port and all outbound access, opening only SSH and the web port. If the server only does signalling interconnects, close the RTP ports as well. Blocking outbound traffic is what stops the backdoor in a cracked VOS build from calling home, and it is the most effective protection against both attacks and the backdoor itself. Combine it with a regular tripwire --check for tampered system files to keep your assets as safe as possible.
Install ipset to block addresses outside China. Country blocking is a coarse filter: it removes most scanning noise, but an attacker on a Chinese VPS or VPN is still inside the allow-list, so it complements the per-IP rules rather than replacing them.
yum install -y ipset
Write a script to refresh the China IP set periodically (ipset_up.sh):
#!/bin/bash
# Build or refresh the "china" ipset from the ipdeny CN country list.
# Run it once by hand, then from cron. The set must exist before the
# iptables rules that reference it are loaded, hence "chkconfig ipset on".
set -e
cd /tmp
rm -f cn.zone
# Outbound HTTP is blocked once the iptables policy below is active: run this
# before loading that policy, or allow the download host temporarily.
wget -q https://www.ipdeny.com/ipblocks/data/countries/cn.zone
# -exist makes re-runs idempotent; flush so withdrawn prefixes disappear.
ipset -exist create china hash:net hashsize 10000 maxelem 1000000
ipset flush china
# Load with a single "ipset restore" instead of one process per prefix
# (the list has thousands of lines); keep only lines that look like IPv4 CIDRs.
grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/[0-9]+$' cn.zone | sed 's/^/add china /' | ipset -exist restore
service ipset save
chkconfig ipset on
chmod 700 ipset_up.sh
./ipset_up.sh
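The update script trusts whatever the download returned. The following script, an added example that is not part of the original post, validates the zone file before anything is loaded: it drops lines that are not well-formed IPv4 prefixes, refuses a prefix shorter than /8 (a stray 0.0.0.0/0 would put the whole Internet in the "china" set and open the RTP range to everyone), and treats a file with too few prefixes as a failed download. The sample zone lines are constructed; the function names and the minimum-line threshold are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: validate the downloaded cn.zone
# before loading it with "ipset restore". The update script trusts whatever
# the HTTP fetch returned; an error page, a truncated transfer or an injected
# "0.0.0.0/0" line would either abort the load (leaving a half-built set) or
# put the whole Internet in the "china" set and silently open the RTP range.
# The zone file contents in sample_zone are constructed for the demonstration.

# Turn a country zone file (one IPv4 CIDR per line) into "add <set> <cidr>"
# lines for ipset restore. Lines that are not a syntactically valid IPv4
# prefix, or whose prefix length is outside /8../32, are dropped and counted.
cnzone_to_restore() {   # $1 = set name; zone file on stdin
    awk -v set="$1" '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
        split($0, p, "/"); split(p[1], o, ".")
        ok = (p[2] >= 8 && p[2] <= 32)
        for (i = 1; i <= 4; i++) if (o[i] > 255) ok = 0
        if (ok) { print "add " set " " $0; next }
    }
    { bad++ }
    END { if (bad) print "cnzone_to_restore: rejected " bad " line(s)" > "/dev/stderr" }
    '
}

# Write the restore file for $1 and refuse it when it holds fewer than $4
# prefixes (a real cn.zone has thousands; a short file is a failed download).
build_restore_file() {   # $1 = zone file, $2 = set name, $3 = output file, $4 = minimum prefixes
    cnzone_to_restore "$2" < "$1" > "$3" || return 1
    [ "$(wc -l < "$3" | tr -d ' ')" -ge "$4" ]
}

# Replace the live set: create if missing, flush, then load. -exist keeps
# re-runs and duplicate prefixes from failing. Only call this after
# build_restore_file succeeded, so a bad download never touches the set.
load_restore_file() {   # $1 = restore file, $2 = set name
    ipset -exist create "$2" hash:net hashsize 10000 maxelem 1000000 &&
    ipset flush "$2" &&
    ipset -exist restore < "$1"
}

# Constructed zone file: three valid prefixes and four lines that must be rejected.
sample_zone() {
cat <<'EOF'
1.0.1.0/24
1.0.2.0/23
<html><body>404 Not Found</body></html>
0.0.0.0/0
1.2.3.4/33
256.1.1.0/24
14.0.12.0/22
EOF
}

# Demonstration: build from the constructed file with a low threshold.
zone=$(mktemp); out=$(mktemp)
sample_zone > "$zone"
if build_restore_file "$zone" china "$out" 3; then
    echo "restore file OK ($(wc -l < "$out" | tr -d ' ') prefixes):"; cat "$out"
else
    echo "zone file rejected"
fi
rm -f "$zone" "$out"
```

In ipset_up.sh, replace the grep/sed pipeline with build_restore_file /tmp/cn.zone china /tmp/china.restore 5000 && load_restore_file /tmp/china.restore china (5000 is a conservative floor for the CN list; adjust it to what the real file contains). The same validation applies to any other country list you decide to load.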
# Generated by iptables-save v1.4.7 on Wed Aug 4 20:54:04 2021
# Default policy: drop everything in every direction, then whitelist.
# OUTPUT DROP is what keeps a backdoor in a cracked VOS build from calling home.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections accepted below (SSH sessions, SIP dialogs). Matching
# on the connection state rather than "--sport 22" means a process that binds
# local port 22 itself still cannot talk out. Nothing else leaves the box, so
# yum, wget and DNS stop working until you add a rule for them.
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services. Restrict 22 to your admin addresses if you can, e.g.
# "-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT" (placeholder range).
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
# The web port (8088) and client ports (1202-1210) are not opened by this
# ruleset; if they must be reachable through the host firewall as well, add
# them with a -s restriction like the SSH example above.
# If you only exchange signalling and do not proxy media, leave the RTP range
# closed. Otherwise uncomment the next two lines to pass media only to and
# from China addresses (note "src" on INPUT, "dst" on OUTPUT).
#-A INPUT -m set --match-set china src -p udp -m udp --dport 10000:49999 -j ACCEPT
#-A OUTPUT -m set --match-set china dst -p udp -m udp --sport 10000:49999 -j ACCEPT
# SIP the server initiates (INVITEs to gateways) is not a reply to anything,
# so it is allowed by source port.
-A OUTPUT -p udp -m udp --sport 5060 -j ACCEPT
# Ping only from and to China addresses.
-A INPUT -m set --match-set china src -p icmp -j ACCEPT
-A OUTPUT -m set --match-set china dst -p icmp -j ACCEPT
COMMIT
# Completed on Wed Aug 4 20:54:04 2021
# Generated by iptables-save v1.4.7 on Wed Aug 4 20:54:04 2021
*nat
:PREROUTING ACCEPT [10:490]
:POSTROUTING ACCEPT [14:1879]
:OUTPUT ACCEPT [45:5529]
COMMIT
# Completed on Wed Aug 4 20:54:04 2021
Reload the firewall (do this from a session you can recover, such as the cloud console, in case a typo locks you out of SSH):
/etc/init.d/iptables restart
Now the reasoning behind the policy and what to do afterwards:
1. For TCP, iptables accepts inbound connections only on port 22 (SSH).
2. For UDP, iptables accepts only 5060 (SIP) and, when media is proxied, 10000-49999 (RTP) from China addresses.
3. The client port 1202 is only usable after web authentication, which keeps unauthorised users off it. Note that the host ruleset above does not accept inbound TCP 1202 at all; if clients connect straight to the server, add an ACCEPT rule restricted to their addresses.
4. Add the addresses of your interconnect and termination gateway peers to the Alibaba Cloud security group:
Allow  priority 1  custom UDP  dest 5060/5060  source 192.168.0.0/16  # SIP peer addresses (placeholder range)