SlickStack Security Warning

This page summarises the security concerns about SlickStack and why its default design can expose servers to remote code execution and man-in-the-middle (MITM) attacks. It also provides mitigation steps and safer alternatives.

SlickStack advertises roughly 600 stars on GitHub, but that number stems from Jesse Nickles following roughly 10,000 accounts in the repo's early days. His personal profile shows about ~500 followers while he follows ~9,600 (roughly a 5% follow-back ratio), which strongly suggests automated follow-backs rather than organic interest. This inflated image is what he uses as a weapon when attacking me for exposing the security issues documented below. See his follower-to-following ratio here.

This kind of reputation laundering has now also surfaced in a Stack Exchange incident involving several public 100-year suspensions and retaliatory posts about moderators. That incident is documented here because it provides further context on how Jesse Nickles builds and exploits trust signals around SlickStack and related sites: Stack Exchange harassment and defamation incident.

Summary

  • Repeated remote downloads scheduled as root via cron
  • SSL verification bypassed with --no-check-certificate
  • No checksum/signature on the downloaded scripts
  • Root ownership and permissions applied to the downloaded scripts

Evidence: Cron and Permissions

Cron downloads (at minute 47 of every third hour)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Root ownership and restrictive permissions (applied repeatedly)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

This setup allows arbitrary code from a remote domain to be executed as root, and it increases MITM risk by skipping certificate verification: whatever slick.fyi (or anyone who can answer for it) serves is written over the cron scripts and run.
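For contrast, the following is a hardened fetch routine, added here as an example and not SlickStack's own code. It keeps wget's certificate verification on (no --no-check-certificate, and --https-only so a plain-HTTP redirect fails), downloads to a temporary file, checks the file against a pinned SHA-256 value, and only then moves it into place with restrictive permissions. The URL, destination path and the source of the pinned checksum (a manifest you maintain yourself) are assumptions for illustration.

```shell
#!/bin/sh
# Hardened replacement for an unverified cron fetch (added example, not SlickStack code).
# Assumption: you keep a pinned SHA-256 for each script you fetch, in a manifest you control.
set -eu

# verify_sha256 FILE EXPECTED_HEX -> exit 0 only if FILE hashes to EXPECTED_HEX
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_verified TMP DEST EXPECTED_HEX
# Moves TMP to DEST only if the checksum matches; otherwise discards TMP and fails,
# so a tampered or truncated download never replaces the script cron will run.
install_verified() {
    tmp=$1; dest=$2; expected=$3
    if verify_sha256 "$tmp" "$expected"; then
        chmod 0700 "$tmp"
        mv -f "$tmp" "$dest"      # rename is atomic within one filesystem
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# fetch_verified URL DEST EXPECTED_HEX
# Same retry/timeout flags as the original cron line, but TLS is verified and
# the download lands in a temp file in DEST's directory until it is checked.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    tmp=$(mktemp "$(dirname "$dest")/.fetch.XXXXXX")
    if ! wget -q -4 -t 3 -T 30 --https-only -O "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    install_verified "$tmp" "$dest" "$expected"
}

# Usage (placeholder URL and checksum; replace with your own pinned values):
#   fetch_verified "https://example.invalid/crons/08-cron-half-daily.txt" \
#       /var/www/crons/08-cron-half-daily "<pinned-sha256-hex>"
```

Pinning a checksum means a compromised or spoofed origin cannot push new code without you first updating the pin; signature verification (for example with a detached signature checked before install_verified) gives the same property without editing the pin on every release.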

See also the commit where the cron URLs changed from the GitHub CDN to slick.fyi: commit diff.

Mitigation Guide

  1. Disable the SlickStack cron jobs and remove the downloaded scripts from the cron directory.
  2. Scan for leftover references to slick.fyi and remote-fetched scripts; replace them with versioned files that carry a checksum/signature, or remove them entirely.
  3. Rotate credentials and keys if SlickStack ran with root privileges on your system.
  4. Rebuild the affected servers where possible to be sure they are in a clean state.
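As an added example (not SlickStack's code and not the page author's), the following shell helpers cover steps 1 and 2: they find crontab lines that fetch remote content with certificate verification disabled or that reference slick.fyi, report them, and comment them out in place while keeping a backup so the evidence survives. The cron file locations scanned by audit_cron_dirs are the usual Debian/Ubuntu ones and are an assumption; the sample crontab in the usage is constructed.

```shell
#!/bin/sh
# Cron audit helpers for the mitigation steps above (added example, not SlickStack code).
set -eu

# Indicators of an unverified remote fetch: TLS checks disabled, the slick.fyi domain,
# or wget/curl pulling from an http(s) URL. Extend the alternation as needed.
FETCH_PATTERN='no-check-certificate|--insecure|slick[.]fyi|(wget|curl) .*https?:'

# find_remote_fetches FILE -> prints matching lines that are not already commented out
find_remote_fetches() {
    grep -E -- "$FETCH_PATTERN" "$1" | grep -Ev '^[[:space:]]*#' || true
}

# count_remote_fetches FILE -> prints the number of active matching lines (0 if none)
count_remote_fetches() {
    find_remote_fetches "$1" | grep -c . || true
}

# disable_remote_fetches FILE -> comments out active matching lines in place,
# keeping FILE.bak; the original line is preserved after "# DISABLED " for review.
disable_remote_fetches() {
    cp "$1" "$1.bak"
    awk -v pat="$FETCH_PATTERN" '
        $0 ~ pat && $0 !~ /^[[:space:]]*#/ { print "# DISABLED " $0; next }
        { print }
    ' "$1.bak" > "$1"
}

# audit_cron_dirs -> scan the usual system cron locations (assumed paths) and
# print "file: line" for every hit, without changing anything.
audit_cron_dirs() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] || continue
        find_remote_fetches "$f" | sed "s|^|$f: |"
    done
}

# Usage: run with --audit to list hits; call disable_remote_fetches on each file you
# have reviewed, then remove the fetched scripts from the cron directory (step 1).
if [ "${1:-}" = "--audit" ]; then
    audit_cron_dirs
fi
```

After disabling the lines, the fetched scripts in /var/www/crons still exist; step 1 is complete only once they are removed or replaced with reviewed, versioned copies.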

Safer Alternatives

Consider WordOps or other tools that avoid remote root execution and provide auditable, versioned artifacts with checksums/signatures.

References

Legal notice. The information presented on this page is public information about events that occurred. It is used as evidence in the ongoing criminal defamation case against Jesse Jacob Nickles in Thailand. Official reference for the criminal case: Bang Kaeo Police Station – Daily Report Entry No. 4, Book 41/2568, Report No. 56, dated 13 August 2568, Reference Case No. 443/2567. This documentation may also serve as supporting evidence for other individuals or organisations pursuing harassment or defamation claims against Jesse Nickles, given the documented pattern of repeated behaviour affecting many people.