成千上萬套未加驗證保護的數據庫暴露於互聯網

{"type":"doc","content":[{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"當今，數據庫可以說是網絡空間中每一項技術的實現基石。隨着世界各地越來越多邊緣智能設備接入互聯網，敏感數據暴露的風險也在隨之提升。過去幾年，大規模數據泄露事件越來越司空見慣，百萬甚至千萬條記錄的大規模泄露事件層出不窮。泄露的原因之一，就是直接接入互聯網的數據庫存在安全性差 \/ 未經驗證保護的問題。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"最近，"},{"type":"link","attrs":{"href":"https:\/\/redhuntlabs.com\/","title":"","type":null},"content":[{"type":"text","text":"RedHunt 實驗室"}]},{"type":"text","text":"對網上公開的數據庫狀況進行了研究，結果令人震驚："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"21387 個未經驗證保護 \/ 公開的 MongoDB 數據庫"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"20098 個暴露的 elasticsearch 實例"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"20528 個非安全 Redis 數據庫"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"25575 個暴露在外的 Memcached 服務器"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1977 個非安全 CouchDB 實例"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"3340 個 Cassandra 數據庫暴露在互聯網上"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"570 個暴露在互聯網上的 RethinkDB 數據庫"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"1846 個非安全 HBase 實例"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"通過對攻擊面管理（ASM）門戶“NVADR”的統計數據進行研究，RedHunt 實驗室"},{"type":"link","attrs":{"href":"https:\/\/redhuntlabs.com\/blog\/thousands-of-unauthenticated-databases-exposed-on-the-internet.html","title":"","type":null},"content":[{"type":"text","text":"發現"}]},{"type":"text","text":"約 40% 的暴露問題涉及未受驗證保護內容的意外公開。除了其中常見的源代碼 repo、內部文檔、查詢系統 \/ 門戶以及儀表板之外，最受關注也是最具安全影響的當然是未經驗證保護的數據庫。這些暴露在外的數據庫不僅常被發現，而且往往會極大影響並增加相關組織的攻擊面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"爲了解互聯網上公開的數據庫安全現狀，RedHunt 實驗室選擇了 8 種數據庫作爲研究對象，具體包括："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"MongoDB"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"ElasticSearch"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Redis"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Memcached"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Apache CouchDB"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Apache Cassandra"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"RethinkDB"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"HBase"}]}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"同時，他們還創建了一款掃描工具，力求以理想的速度與準確性覆蓋整個互聯網，同時避免觸碰到排除清單中的對象。RedHunt 實驗室決定在整個 IPv4 空間內使用統一的單個數據包掃描保持這一非侵入性要求。該工具的基本架構如下所示："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/07\/07897191d5a23de4b9a5cb2b48c3f8c5.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"現在，看看他們的具體發現。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"MongoDB"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/baike.baidu.com\/item\/mongodb\/60411?fr=aladdin","title":"","type":null},"content":[{"type":"text","text":"MongoDB"}]},{"type":"text","text":" 是一款跨平臺且面向文檔的開源數據庫，也是目前使用類 JSON 存儲對象的高人氣 NoSQL 數據庫方案之一。雖然最新的 MongoDB 版本已經採取了嚴格的 ACL 策略，但其 2.6.0 之前的版本仍默認監聽所有接口上的連接。換句話說，默認安裝下的 MongoDB 會直接向未經身份驗證的互聯網連接開放。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"RedHunt 實驗室共發現了 21387 個未經驗證保護 \/ 公開的數據庫。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/f8\/f8c8835fe141890c14b9b2ec12d6f852.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"幸運的是，最新版本的 MongoDB 現在只默認監聽本地連接。但研究表明，這種暴露背後代表的不只是默認設置中的隱患，因爲所發現的大部分非安全 MongoDB 其版本都要高於 2.6.0。下面來看關於非安全數據庫版本的基本情況："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/b8\/b8773bdfee2a98952e03d90afb411edc.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"儘管 MongoDB 團隊已經努力提出相關安全最佳實踐，但大部分數據庫仍然未受身份驗證保護，而且對互聯網直接開放。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Elasticsearch"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/xie.infoq.cn\/article\/07950e89243eb064b079cbac0","title":"","type":null},"content":[{"type":"text","text":"Elasticsearch"}]},{"type":"text","text":" 是一款面向文檔的 NoSQL 數據庫，主要強調高性能搜索、分析與可視化。從本質上講，Elasticsearch 爲不同的軟件版本實施了不同的 ACL 策略，具體策略因許可證而異。在 elasticsearch 說明文檔中可以看到，如果“您使用免費 \/ 基本許可證，則默認情況下禁用 Elasticsearch 安全功能。”但對於其他企業許可證，則直接啓用身份驗證。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室共確定了 20098 個暴露的 elasticsearch 實例。這些易受攻擊的 IP 分佈在 104 個國家共 982 座城市。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/69\/691a5586ec57a96e9934cdfaa9f53934.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"有趣的是，作爲一個相當陳舊的版本，1.4.1 版居然在 elasticsearch 使用量中排名第二，共有 577 個相關實例。下圖爲各個版本的實際使用數量："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/1f\/1f257a5cd4ef5d1e3d2056bc7be8bb78.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"作爲一項安全措施，最新版本的 ElasticSearch 會在默認安裝中顯示警告標頭，提示“未使用內置的安全功能”。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/7c\/7c1c0887c1c97448072311b532bf0837.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Redis"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/baike.baidu.com\/item\/Redis\/6549233?fr=aladdin","title":"","type":null},"content":[{"type":"text","text":"Redis"}]},{"type":"text","text":" 是一套內存數據結構存儲系統，可作爲鍵值對數據庫、緩存或消息代理使用。Redis 專爲受信環境下的受信客戶端所設計，因此本身並不具備強大的安全保護功能。儘管說明文檔明確提到“除網絡中的受信客戶端外，其他各方均不應有權訪問 Redis 端口”，但我們仍在互聯網上發現了大量 Redis 數據庫。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室共發現了 20528 個非安全的 Redis 數據庫。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/c6\/c6398cfae5877f86f03d302d172a04a5.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"由於 Redis 實例的部署量已經相當驚人，爲了亡羊補牢，開發人員決定自 3.2.0 版本起引入“保護模式”——Redis 會僅回覆來自環回接口的查詢。通過其他地址進行接入的客戶端會收到一條錯誤提示，說明應如何正確配置 Redis。儘管採取這項安全修復措施，但研究中發現的大部分公開 Redis 實例使用的正是 3.2 以上版本。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/63\/63207bba234ce5156e3ab625a3ca7c51.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Memcached"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"與 Redis 類似，"},{"type":"link","attrs":{"href":"https:\/\/xie.infoq.cn\/article\/d2d065130d25c4d5064cc8a8b","title":"","type":null},"content":[{"type":"text","text":"Memcached"}]},{"type":"text","text":" 是另一套通用型分佈式內存緩存系統，通常用於數據庫加速功能。在安全性方面，Memcached 同樣不具備任何身份驗證機制，而且默認監聽所有接口。結合過往的拒絕服務放大攻擊來看，這樣的設置無疑具有巨大的安全風險。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"令人震驚的是，RedHunt 實驗室在研究中共發現 25575 個暴露在外的 Memcached 服務器。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/f5\/f5c80c89d746ae1fde995e1af5282971.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Memcached 各版本的使用量如下圖所示："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/90\/903f22ce94a502f4182a17130acf7c13.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Apache CouchDB"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.cn\/article\/warner-couchdb","title":"","type":null},"content":[{"type":"text","text":"CouchDB"}]},{"type":"text","text":" 是一款極具人氣的 NoSQL 數據庫，與 MongoDB 頗有相通之處。自誕生以來，CouchDB 一直遵循“默認開放”原則，這也導致默認安裝配置極易受到攻擊影響。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"RedHunt 實驗室共在互聯網上發現 1977 個非安全的 CouchDB 實例。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/2b\/2b89e6a8a4c938ff5a8236b986988085.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"值得慶幸的是，隨着 3.0 版本的發佈，CouchDB 開發人員終於決定用“默認安全”替代作死性質的“默認開放”方法。其要求我們在初始化數據庫之前設置管理賬戶，因此能夠大大降低風險水平——結合實際觀察，網上公開暴露的大部分 CouchDB 數據庫使用的版本也確實爲 3.0 以下。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/97\/97935b1af3e8eb17cbacd7b16f3a4391.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Apache Cassandra"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.cn\/article\/7V63Hp27EAxSELxAXif1","title":"","type":null},"content":[{"type":"text","text":"Apache Cassandra"}]},{"type":"text","text":" 是一套開源 NoSQL 分佈式數據庫，強調可擴展性、高可用性與性能。但從安全角度來看，其默認安裝配置很可能面臨安全威脅。援引 Cassandra 說明文檔中的解釋："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在默認情況下，這些（安全）功能會被禁用，Cassandra 可被集羣內其他成員輕鬆發現。換句話說，Cassandra 開箱即用的特性會給惡意攻擊者提供巨大的攻擊面。"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室共發現 3340 個 Cassandra 數據庫以未經任何驗證保護的形式暴露在互聯網上。"}]},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/88\/88dbe0515d864ce63bf6206290003003.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖所示，爲易受威脅影響的各 Cassandra 版本。有趣的是，其中 v2.0.15 幾乎佔所有暴露數據庫中的 70%。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/8f\/8f647e2866dddf5595ee60963343086c.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"RethinkDB"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/www.infoq.cn\/article\/2017\/02\/RethinkDB-join-Linux","title":"","type":null},"content":[{"type":"text","text":"RethinkDB"}]},{"type":"text","text":" 也是一套開源數據庫，利用帶有動態模式的 JSON 文檔進行實時數據處理。默認情況下，RethinkDB 提供一個具有全局範圍內所有權限、但卻未經密碼保護的 admin 內置賬戶。有意思的來了：Web 管理界面將始終以 admin 權限接入，無需任何身份驗證。更要命的是，用戶根本無法在 Web 管理 UI 上啓用身份驗證功能。對這套數據庫施加保護的唯一方法，就是變更集羣監聽連接的接口。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室共發現 570 個暴露在互聯網上的 RethinkDB 數據庫。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/91\/9190135d5d3cefd272ce9008789c9234.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"令人意外的是，在暴露在外的數據庫中出現了一個相當陳舊的版本——1.16.2-1（發佈於 2015 年）。下圖爲各暴露 RethinkDB 的相關版本數量："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d7\/d737c693b282fde1ee03dce114edff7b.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"HBase"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/xie.infoq.cn\/article\/63491bd9c18b8d45bc6fe478f","title":"","type":null},"content":[{"type":"text","text":"HBase"}]},{"type":"text","text":" 也被稱爲 Hadoop 數據庫，是一種分佈式大數據存儲系統。Hadoop 生態系統相當複雜，涵蓋 HDFS、YARN 以及 Zookeeper 等多個依賴項。很明顯，其驗證過程也相當複雜。HBase 需要通過嚴格遵循 SASL 的 Kerberos 在 RPC 層級上實現授權。同樣的，HBase 的默認安裝配置中沒有任何身份驗證要求 ("},{"type":"text","marks":[{"type":"strong"}],"text":"hbase-default.xml"},{"type":"text","text":")："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/37\/37542cbec867e2b13921e67da560b4d2.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室總計發現 1846 個非安全 HBase 實例。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/1d\/1dca58838eed724dd25e20ffe2a1da59.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Hadoop 還附帶一套 WebUI 管理界面，允許外來者輕鬆訪問甚至對文件系統（HDFS）進行全面的讀取 \/ 寫入操作。我們注意到，這些易受攻擊的數據庫還提供一個未經驗證保護的 HTTP WebUI，直接通過端口 50070 暴露在互聯網上。該 WebUI 的存在能夠顯著簡化攻擊者的入侵流程，因此進一步擴大了攻擊面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"RedHunt 實驗室還發現，大部分非安全數據庫也同時開啓了端口 2181（Zookeeper），相當於給攻擊者留了另外一扇門。Hadoop 生態系統中各個組件的“協同參與”，顯著增加了這套數據庫的整體攻擊面。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"下圖所示，爲前十大易受攻擊的 Hadoop 版本："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/infoq\/d0\/d0375fd03e82e63a7d7ecaae9d872903.webp","alt":null,"title":null,"style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":null,"fromPaste":true,"pastePass":true}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"要點總結"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"聊聊可能導致暴露問題的各項因素："}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"默認設置不安全"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在研究中，RedHunt 實驗室發現這些數據庫之間最驚人的相似之處，就是默認不帶安全配置。有些朋友會認爲這是爲了實現可用性與安全性間的平衡，但必須承認這是個需要關注的大問題。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"不可能指望用戶在安裝完成後主動添加各類安全保障方案。好消息是，部分數據庫開發者已經開始採取“默認安全”策略來解決這個問題。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"缺乏安全意識"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在發現這麼多暴露在互聯網上的數據庫後，RedHunt 實驗室覺得開發人員的安全意識可能仍然比較淡薄。從以上統計數據可以清晰看出，儘管某些數據庫也提供安全安裝選項，但出於某種原因，最終結果仍然是直接暴露在網上。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"在構建面向互聯網的產品時，理解安全上下文非常重要。因此本文呼籲各位開發人員在設置任何基礎設施之前，請務必認真閱讀官方說明文檔（特別是安全性配置部分）。"}]},{"type":"heading","attrs":{"align":null,"level":4},"content":[{"type":"text","text":"存在大量未跟蹤資產，包括影子 IT 與高價值信息"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如果未能及時發現，影子 IT（即未得到正確跟蹤的已部署基礎設施）可能導致關鍵數據意外泄露。作爲“皇冠上的明珠”，高價值信息資產一旦受到損害，可能給組織造成重大業務影響。此類高價值資產需要在整個開發生命週期中得到持續的跟蹤與管理，確保在暴露事件發生之前即得到關注與保護。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"實際影響"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"數據庫暴露很可能帶來毀滅性的後果，包括現有數據外流、信息濫用、權限提升以及入侵等等。這類典型違規事件很可能給組織聲譽造成破壞性影響，並嚴重衝擊消費者對組織的評價與信心。"}]},{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"寫在最後"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"如今，我們已經正式迎來萬物互連的新時代。從以上統計數據可以看出，互聯網上相當一部分數據庫仍然極易受到攻擊影響。這也讓我們再次深切意識到，已經無數被強調的正確資產管理理念並沒有得到實際推行。在本文的最後，要再給您提個醒——請馬上檢查一下，您的組織內有沒有不該公開發布的數據庫被暴露在外。"}]}]}