一封突如其來的簡短的郵件,某生產環境IP的443端口漏洞,一陣莫名其妙,看了看IP找了找xshell發現有這個IP,那就不用再去問同事(因爲我是新來的),直接開幹,由於信息包含省略一些敏感內容
1.第一步,找端口:
[root@localhost ~]# netstat -tunlp |grep nginx tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3095/nginx tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3095/nginx
#443端口存在,運行的是nginx
2.第二步,查看進程並找到程序的路徑
[root@localhost ~]# ps -ef |grep nginx |grep -v grep nginx 3085 3078 0 Mar01 ? 00:11:28 php-fpm: pool www nginx 3086 3078 0 Mar01 ? 00:11:26 php-fpm: pool www nginx 3087 3078 0 Mar01 ? 00:11:26 php-fpm: pool www nginx 3088 3078 0 Mar01 ? 00:11:26 php-fpm: pool www nginx 3089 3078 0 Mar01 ? 00:11:25 php-fpm: pool www root 3095 1 0 Mar01 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 3096 3095 0 Mar01 ? 00:09:36 nginx: worker process nginx 3248 3078 0 Mar01 ? 00:11:25 php-fpm: pool www nginx 3480 3078 0 11:10 ? 00:00:03 php-fpm: pool www nginx 4461 3078 0 Mar01 ? 00:11:24 php-fpm: pool www nginx 4555 3078 0 11:10 ? 00:00:03 php-fpm: pool www nginx 4574 3078 0 11:10 ? 00:00:02 php-fpm: pool www nginx 4575 3078 0 11:10 ? 00:00:03 php-fpm: pool www nginx 4591 3078 0 11:10 ? 00:00:03 php-fpm: pool www nginx 4592 3078 0 11:10 ? 00:00:03 php-fpm: pool www nginx 4610 3078 0 11:10 ? 00:00:02 php-fpm: pool www
#運行命令是:/usr/sbin/nginx -c /etc/nginx/nginx.conf
#程序的配置目錄是:/etc/nginx/nginx.conf
#相關運行的程序是php
3.查看nginx的安裝路徑
#nginx安裝是以rpm包的方式安裝的 [root@localhost ~]# rpm -qa |grep nginx nginx-1.2.3-1.el6.x86_64 [root@localhost ~]# rpm -ql nginx /etc /etc/logrotate.d /etc/logrotate.d/nginx /etc/nginx /etc/nginx/conf.d /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/ssl.conf /etc/nginx/conf.d/virtual.conf /etc/nginx/fastcgi.conf /etc/nginx/fastcgi.conf.default /etc/nginx/fastcgi_params /etc/nginx/fastcgi_params.default /etc/nginx/html /etc/nginx/html/50x.html /etc/nginx/html/index.html /etc/nginx/koi-utf /etc/nginx/koi-win /etc/nginx/mime.types /etc/nginx/mime.types.default /etc/nginx/nginx.conf /etc/nginx/nginx.conf.default /etc/nginx/scgi_params /etc/nginx/scgi_params.default /etc/nginx/uwsgi_params /etc/nginx/uwsgi_params.default /etc/nginx/win-utf /etc/rc.d /etc/rc.d/init.d /etc/rc.d/init.d/nginx /etc/sysconfig /etc/sysconfig/nginx /usr/sbin/nginx /usr/share/doc/nginx-1.2.3 /usr/share/doc/nginx-1.2.3/CHANGES /usr/share/doc/nginx-1.2.3/LICENSE /usr/share/doc/nginx-1.2.3/README /usr/share/nginx /usr/share/nginx/html /usr/share/nginx/html/404.html /usr/share/nginx/html/50x.html /usr/share/nginx/html/index.html /usr/share/nginx/html/nginx-logo.png /usr/share/nginx/html/poweredby.png /var/cache/nginx /var/lib/nginx /var/lib/nginx/tmp /var/log/nginx
#版本號是nginx-1.2.3
4.查看nginx的配置文件
#啓動配置文件並沒有配置相關信息,可以看到配置文件在conf.d目錄下 [root@localhost nginx]# cat nginx.conf
http{
...........省略.................
include /etc/nginx/conf.d/*.conf;
...........省略.................
}#進入conf.d的目錄查看配置,找到有443端口ssl配置的文件
[root@localhost nginx]# cd conf.d/
[root@localhost conf.d]# ls
server {
listen 443;
server_name gg.abc.com;
ssl on;
ssl_certificate /etc/local/ssl/abc.crt;
ssl_certificate_key /etc/local/ssl/abc.rsa;
ssl_session_timeout 5m;
...........省略.................
}#域名是隨便設置,不是自用的域名,看到域名了,那就測試訪問:https://gg.abc.com,可以訪問
#接下來就是掃描漏洞了。
#使用了,windows漏洞掃描工具,Acunetix Web Vulnerability Scaner 10.5的版本
#掃描結果顯示
#1.打開Acunetix
#2.點擊New SCAN,Scan single website→Website URL:輸入地址 next
#3.默認,下一步,一直到結束
Vulnerability description The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (***s). The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users. What versions of the OpenSSL are affected? Status of different versions: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug. This vulnerability affects Web Server. Discovered by: Scripting (Heartbleed_Bug.script). Attack details First 512 bytes of data we pulled from the server memory: 十六進制信息.....省略.... ....................... Retest alert(s) Mark this alert as a false positive The impact of this vulnerability An attacker can read the memory of the systems protected by the vulnerable versions of the OpenSSL software. How to fix this vulnerability Upgrade to the latest version of OpenSSL. Classification CWE CWE-200 CVE CVE-2014-0160 CVSS Base Score: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None CVSS3 Base Score: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: None Availability Impact: None
#可以看出是openssl的版本問題:
What versions of the OpenSSL are affected? Status of different versions: OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable
#這個是漏洞的編號,點擊版本號就可以看得見詳細描述
Classification CWE CWE-200 CVE CVE-2014-0160 CVSS Base Score: 6.4 - AV:N/AC:L/Au:N/C:P/I:P/A:N Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None CVSS3 Base Score: 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: None Availability Impact: None
openssl現有版本
#openssl這版本有大bug
[root@localhost software]# rpm -qa |grep openssl openssl-1.0.1e-15.el6.x86_64 [root@localhost software]# openssl version OpenSSL 1.0.1e-fips 11 Feb 2013
虛擬機上測試nginx1.2.3版本兼容的openssl版本
#接下來就是找openssl已經修復的版本號,因爲nginx版本比較低,找的openssl可能會受到影響。
#openssl-1.1.1 ,測試編譯不通過
#openssl-1.0.2o ,測試編譯安裝通過
#下載openssl版本 wget https://www.openssl.org/source/openssl-1.1.1-pre6.tar.gz wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz #創建nignx運行用戶 useradd www -s /sbin/nologin #配置 ./configure \ --user=www \ --group=www \ --prefix=/usr/local/nginx-1.2.3 \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-openssl=/home/software/nginx/openssl_update/openssl-1.0.2o \ --with-pcre=/home/software/nginx/openssl_update/pcre-7.8 \ --with-zlib=/home/software/nginx/openssl_update/zlib-1.2.3 #編譯與安裝 make && make install #運行nginx /usr/local/nginx-1.2.3/sbin/nginx #驗證開啓成功 [root@tsung-client ~]# curl -I http://127.0.0.1:80 HTTP/1.1 200 OK Server: nginx/1.2.3 Date: Wed, 23 May 2018 14:05:26 GMT Content-Type: text/html Content-Length: 612 Last-Modified: Fri, 09 Mar 2018 06:30:39 GMT Connection: keep-alive Accept-Ranges: bytes
linux生產機器上修復的openssl漏洞
#查看是否安裝zlib [root@localhost software]# rpm -qa |grep zlib zlib-1.2.3-29.el6.x86_64 #查看是否按gcc,無安裝 [root@localhost openssl-1.0.2o]# rpm -qa |grep gcc libgcc-4.4.7-4.el6.x86_64 #centos安裝gcc,red hat更改yum源,或者手動安裝 [root@localhost openssl-1.0.2o]# yum -y install gcc gcc-c++ #配置openssl [root@localhost openssl-1.0.2o]# ./config --prefix=/usr/local/openssl -enable-shared #編譯openssl [root@localhost openssl-1.0.2o]# make #安裝openssl [root@localhost openssl-1.0.2o]# make install #備份原openssl文件 [root@localhost openssl-1.0.2o]# mv /usr/bin/openssl /usr/bin/openssl-1.0.1.e-bak [root@localhost openssl-1.0.2o]# mv /usr/include/openssl/ /usr/include/openssl-1.0.1.e-bak #將安裝的新版本的鏈接到,舊版本的路徑上 [root@localhost openssl-1.0.2o]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl [root@localhost openssl-1.0.2o]# ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl #動態庫路徑配置 [root@localhost openssl-1.0.2o]# cat /etc/ld.so.conf include ld.so.conf.d/*.conf #將目錄追加到ld.so.conf文件 [root@localhost openssl-1.0.2o]# ls -d /usr/local/openssl/lib/ >> /etc/ld.so.conf #查看 [root@tsung-client etc]# cat /etc/ld.so.conf include ld.so.conf.d/*.conf /usr/local/openssl/lib/ #不報錯表示正常 [root@localhost openssl-1.0.2o]# ldconfig #查看ssl,p打印緩存,v顯示詳細信息。我想兩者應該差不多,無害。 [root@localhost openssl-1.0.2o]# ldconfig -p |grep ssl libssl3.so (libc6,x86-64) => /usr/lib64/libssl3.so libssl.so.10 (libc6,x86-64) => /usr/lib64/libssl.so.10 [root@localhost openssl-1.0.2o]# ldconfig -v |grep ssl libssl.so.10 -> libssl.so.1.0.1e libssl3.so -> libssl3.so #驗證版本 [root@localhost openssl-1.0.2o]# openssl version OpenSSL 1.0.2o 27 Mar 2018
#測試openssl是否正常使用。OK完成
修復nginx漏洞ssl
[root@localhost objs]# ps -ef |grep nginx nginx 3085 3078 0 Mar01 ? 00:11:41 php-fpm: pool www nginx 3086 3078 0 Mar01 ? 00:11:39 php-fpm: pool www nginx 3087 3078 0 Mar01 ? 00:11:38 php-fpm: pool www nginx 3088 3078 0 Mar01 ? 00:11:39 php-fpm: pool www nginx 3089 3078 0 Mar01 ? 00:11:37 php-fpm: pool www root 3095 1 0 Mar01 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf nginx 3248 3078 0 Mar01 ? 00:11:37 php-fpm: pool www nginx 3480 3078 0 11:10 ? 00:00:15 php-fpm: pool www nginx 4134 3095 2 20:50 ? 00:00:27 nginx: worker process nginx 4461 3078 0 Mar01 ? 00:11:36 php-fpm: pool www nginx 4555 3078 0 11:10 ? 00:00:15 php-fpm: pool www nginx 4574 3078 0 11:10 ? 00:00:14 php-fpm: pool www nginx 4575 3078 0 11:10 ? 00:00:15 php-fpm: pool www nginx 4591 3078 0 11:10 ? 00:00:15 php-fpm: pool www nginx 4592 3078 0 11:10 ? 00:00:15 php-fpm: pool www nginx 4610 3078 0 11:10 ? 00:00:15 php-fpm: pool www root 12605 10741 0 21:06 pts/4 00:00:00 grep nginx #查看是否靜態編譯,顯示錶示動態編譯,沒有顯示錶示靜態編譯 [root@localhost objs]# lsof -p 3095| grep ssl nginx 3095 root DEL REG 253,0 2640288 /usr/lib64/libssl.so.1.0.1e.#prelink#.SY9VCo
#nginx下載 wget http://nginx.org/download/nginx-1.2.3.tar.gz #nginx模塊下載,nginx-accesskey wget https://github.com/search?utf8=%E2%9C%93&q=nginx-accesskey-2.0.3&type= #nginx模塊下載,chunkin-nginx https://github.com/search?utf8=%E2%9C%93&q=chunkin-nginx-module&type= #pcre下載 wget https://sourceforge.net/projects/pcre/files/pcre/7.8/pcre-7.8.tar.gz #zlib下載 wget https://sourceforge.net/projects/libpng/files/zlib/1.2.3/zlib-1.2.3.tar.gz #配置nginx ./configure --prefix=/etc/nginx/ --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock \ --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module \ --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-file-aio --with-mail_ssl_module --with-ipv6 --with-cc-opt='-O2 -g' \ --add-module=/home/software/nginx-1.2.3/nginx-accesskey-2.0.3 --add-module=/home/software/nginx-1.2.3/chunkin-nginx-module --http-client-body-temp-path=/var/cache/nginx/client_temp --http-log-path=/var/log/nginx/access.log \ --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ --with-pcre=/home/software/nginx-1.2.3/pcre-7.8 --with-openssl=/home/software/nginx-1.2.3/openssl-1.0.2o --with-zlib=/home/software/nginx-1.2.3/zlib-1.2.3 #編譯,編譯完不要安裝,安裝就會覆蓋,現在只是升級 make #編譯完成之後,備份一下nginx,拷貝nginx到/usr/sbin目錄 mv /usr/sbin/nginx /usr/sbin/nginx.bak cp /home/software/nginx-1.2.3/objs/nginx /usr/sbin/ ##查看是否靜態編譯,沒有顯示錶示靜態編譯 [root@localhost objs]# lsof -p 3095| grep ssl #重新載入nginx,但是沒有作用 [root@localhost objs]# /usr/sbin/nginx -s reload -c /etc/nginx/nginx.conf #關閉nginx [root@localhost objs]# /usr/sbin/nginx -s stop -c /etc/nginx/nginx.conf #啓動nginx root@localhost objs]# /usr/sbin/nginx
#再次使用安全掃描軟件,發現已經不存在這個漏洞了,OK解決了。
#解決了,記錄一下過程