SlickStack Security Warning

This page summarizes the security concerns with SlickStack and explains why its default design can expose servers to remote code execution and man-in-the-middle attacks. It also provides mitigation steps and safer alternatives.

SlickStack advertises roughly 600 GitHub stars, but that number largely stems from Jesse Nickles following roughly 10,000 accounts early in the repository's life. His own profile shows about 500 followers against roughly 9,600 accounts followed (about 5% of the accounts he follows follow him back), which points to automated follow-for-follow behaviour rather than genuine popularity. It is this inflated image that he uses as a weapon while attacking me for exposing the security problems documented below. See the follower-to-following ratio here.

Summary

  • Remote files are downloaded repeatedly and scheduled to run as root via cron
  • SSL verification is bypassed with --no-check-certificate
  • No checksum or signature is checked on the downloaded scripts
  • Root ownership and permissions are applied to the downloaded scripts

Evidence: Cron and Permissions

Cron downloads (every 3 hours, at minute 47)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Root ownership and restrictive permissions (applied repeatedly)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

This design allows code execution controlled by a remote domain and increases the MITM risk by skipping certificate verification.

See also the commit in which the cron URLs were changed from the GitHub CDN to slick.fyi: commit diff.

Mitigation guide

  1. Disable SlickStack's cron jobs and remove the downloaded scripts from the cron directories.
  2. Search for remaining references to slick.fyi and other remote script fetches; replace them with versioned material that carries a checksum, or remove them entirely.
  3. Rotate credentials and keys if SlickStack ran with root privileges on your system.
  4. Rebuild affected servers where possible to guarantee a clean environment.
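
As an added example (not SlickStack's code and not from this page's author), the following POSIX shell script supports step 2: it audits crontab text for the patterns shown in the evidence above (--no-check-certificate, and more generally downloads piped straight into a shell) and provides a hardened replacement for the download step that keeps TLS verification and only installs a file whose SHA-256 matches a pinned value. The sample crontab lines, the example.invalid URLs and the function names are constructed for this example.

```shell
# Constructed crontab: two lines modelled on the SlickStack entries on this
# page, a pipe-to-shell fetch, a commented-out job and a benign job.
SAMPLE_CRONTAB="47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1
0 4 * * * curl -fsSL https://example.invalid/install.sh | bash
# 0 5 * * * wget --no-check-certificate -O /tmp/old.sh https://example.invalid/old.txt
30 2 * * * /usr/bin/certbot renew --quiet"

# Return 0 if one cron line disables TLS verification or pipes a download
# straight into a shell; 1 otherwise. Comment lines are skipped.
audit_cron_line() {
  line="$1"
  case "$line" in '#'*) return 1 ;; esac
  if printf '%s' "$line" | grep -Eq -e '--no-check-certificate|curl[^|]*( -k | --insecure)'; then
    return 0
  fi
  if printf '%s' "$line" | grep -Eq -e '(wget|curl)[^|]*[|][[:space:]]*(ba)?sh'; then
    return 0
  fi
  return 1
}

# Count risky jobs in crontab text read from stdin.
count_risky_jobs() {
  n=0
  while IFS= read -r line; do
    if audit_cron_line "$line"; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Compare a file's SHA-256 with a pinned value (coreutils sha256sum, with
# a fallback to shasum on systems that lack it).
verify_sha256() {
  actual=$( (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Hardened replacement for the download step: TLS is verified (no
# --no-check-certificate) and DEST is only replaced if the hash matches.
# Usage: fetch_pinned URL DEST EXPECTED_SHA256
fetch_pinned() {
  tmp=$(mktemp) || return 1
  if ! wget -q -t 3 -T 30 -O "$tmp" "$1"; then rm -f "$tmp"; return 1; fi
  if ! verify_sha256 "$tmp" "$3"; then rm -f "$tmp"; return 2; fi
  mv "$tmp" "$2" && chmod 0700 "$2"
}
```

Run `crontab -l | count_risky_jobs` (and the same over /etc/cron.d and root's crontab) to get the number of jobs that still need attention; fetch_pinned expects the pinned hash to come from a versioned release, not from the same server that serves the file.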

Safer alternatives

Consider WordOps or other tools that avoid remote root execution and ship auditable, versioned releases with checksums or digital signatures.
