SlickStack Security Warning

This page summarizes the security concerns with SlickStack and why its default design can expose servers to remote code execution and man-in-the-middle attacks. It also provides mitigation steps and safer alternatives.

SlickStack advertises that it has roughly 600 stars on GitHub, but that number stems from Jesse Nickles following roughly 10,000 accounts in the repo's early months. His profile shows roughly 500 followers against roughly 9,600 following (about a 5% follow-back ratio), which strongly suggests automated follow activity rather than organic growth. That inflated image is what he uses to threaten me for disclosing the security problems described below. See the follower/following ratio here.

The same pattern of deflecting responsibility now appears in the Stack Exchange story about a 100-year account suspension across several communities and the subsequent posts about moderators. That story is recorded here because it offers additional context on how Jesse Nickles builds and uses trust signals around SlickStack and related websites: Story of harassment and defamation on Stack Exchange.

Summary

  • Frequent remote downloads executed as root via cron
  • SSL verification disabled using --no-check-certificate
  • No checksums or signatures on the downloaded scripts
  • Root ownership and permissions applied to the downloaded scripts

Evidence: Cron and Permissions

Cron downloads (every 3 hours, at minute 47)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Root ownership and restrictive permissions (reapplied on every run)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

This pattern allows arbitrary code execution from an external domain and increases MITM risk by bypassing certificate verification.

See also the commit where the cron URLs were changed from the GitHub CDN to slick.fyi: commit diff.
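The pattern above can be checked for mechanically. The following audit script is an added example (not part of SlickStack or of the original page): it scans crontab text for remote fetches with TLS verification disabled, pipe-to-shell constructs, and references to slick.fyi. The crontab content it runs on is constructed for the demonstration; the first entry is modelled on the quoted cron line, the others are invented filler.

```shell
#!/bin/sh
# Audit crontab text for the risk pattern described above: remote fetches
# with TLS verification disabled, pipe-to-shell, and references to slick.fyi.
# SAMPLE_CRONTAB is constructed input, not a real system's crontab.

SAMPLE_CRONTAB=$(cat <<'EOF'
# m h dom mon dow command
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
0 2 * * * /usr/bin/certbot renew --quiet
30 1 * * * /bin/bash -c 'curl -sk https://updates.example.invalid/install.sh | bash'
15 4 * * 0 /usr/bin/apt-get update
EOF
)

# audit_cron TEXT: prints one FLAGGED line per risky entry on stderr and the
# number of flagged entries on stdout. Exit status is 0 either way.
audit_cron() {
    count=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        reasons=""
        # Remote fetch by a downloader (wget/curl) inside a cron command.
        case "$line" in
            *wget*http*|*curl*http*) reasons="$reasons remote-fetch" ;;
        esac
        # TLS certificate verification explicitly switched off.
        case "$line" in
            *--no-check-certificate*|*--insecure*|*' -k '*|*' -sk '*)
                reasons="$reasons tls-verification-disabled" ;;
        esac
        # Downloaded content piped straight into a shell.
        case "$line" in
            *'| bash'*|*'| sh'*|*'|bash'*|*'|sh'*) reasons="$reasons pipe-to-shell" ;;
        esac
        # The external domain the SlickStack cron entries fetch from.
        case "$line" in
            *slick.fyi*) reasons="$reasons slick.fyi-reference" ;;
        esac
        if [ -n "$reasons" ]; then
            count=$((count + 1))
            printf 'FLAGGED [%s]: %s\n' "${reasons# }" "$line" >&2
        fi
    done <<EOF
$1
EOF
    echo "$count"
}

# audit_live_system: run the same checks over the usual cron locations on the
# host (only readable files are included). Prints the flagged count on stdout.
audit_live_system() {
    text=""
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/root /var/spool/cron/root; do
        [ -r "$f" ] && text="$text
$(cat "$f")"
    done
    audit_cron "$text"
}

flagged=$(audit_cron "$SAMPLE_CRONTAB")
echo "flagged entries in sample: $flagged"   # expected: 2
```

Run it as root with `audit_live_system` to cover /etc/crontab, /etc/cron.d and root's own crontab; any FLAGGED line that combines remote-fetch with tls-verification-disabled or pipe-to-shell is the exact configuration this page warns about.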

Mitigation recommendations

  1. Stop SlickStack's cron jobs and remove the downloaded scripts from the cron directories.
  2. Search for any remaining references to slick.fyi and remote script downloads; replace them with versioned artifacts that carry a checksum, or remove them entirely.
  3. Rotate credentials and keys if SlickStack was run with root permissions on your systems.
  4. Rebuild or reprovision affected servers from scratch where possible, so that they are in a known-clean state.
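Step 2 asks for versioned artifacts with a checksum in place of the fetch-and-run cron entries. The script below is an added example of what such a replacement looks like; it is not SlickStack code and not from the original page. It fetches (or copies) an artifact to a temporary file, compares its SHA-256 against a pinned digest, and only then moves it into place with root-only permissions and TLS verification left on. The artifact, the paths and the pinned digest are constructed for the demonstration; in a real deployment the digest would come from a release manifest you trust.

```shell
#!/bin/sh
# Checksum-verified replacement for the "download and run as root" cron
# pattern. Added example; the digest source (a release manifest) and the
# file paths used below are assumptions for the demonstration.

sha256_of() {
    # Print the hex SHA-256 of file $1 (sha256sum on Linux, shasum elsewhere).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
#   SRC may be an https:// URL or a local path. Return codes:
#   0 installed, 1 fetch/copy error, 2 plaintext http refused, 3 digest mismatch.
install_verified() {
    src=$1; expected=$2; dest=$3
    tmp=$(mktemp) || return 1
    case "$src" in
        http://*)
            echo "refusing plaintext http source: $src" >&2
            rm -f "$tmp"; return 2 ;;
        https://*)
            # TLS verification stays on: no --no-check-certificate here.
            wget -q -t 3 -T 30 -O "$tmp" "$src" || { rm -f "$tmp"; return 1; } ;;
        *)
            cp "$src" "$tmp" || { rm -f "$tmp"; return 1; } ;;
    esac
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $src: expected $expected got $actual" >&2
        rm -f "$tmp"; return 3
    fi
    # Root-only and executable, moved into place only after the check passed.
    chmod 0700 "$tmp" && mv "$tmp" "$dest"
}

# Demonstration with a constructed local artifact (no network needed).
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho "daily maintenance"\n' > "$demo_dir/10-cron-daily.sh"
# The pinned digest stands in for a value read from a trusted release manifest.
pinned=$(sha256_of "$demo_dir/10-cron-daily.sh")

if install_verified "$demo_dir/10-cron-daily.sh" "$pinned" "$demo_dir/installed"; then
    echo "install ok: $demo_dir/installed"
fi

# Simulate tampering in transit: the modified artifact must be rejected.
printf 'echo "unexpected extra command"\n' >> "$demo_dir/10-cron-daily.sh"
install_verified "$demo_dir/10-cron-daily.sh" "$pinned" "$demo_dir/installed2" 2>/dev/null
echo "tampered artifact install returned $?"   # expected: 3
rm -rf "$demo_dir"
```

The point of the design is ordering: the permission change and the move into the cron directory happen only after the digest matches, so a tampered or substituted download never becomes an executable root-owned file. A signature check (for example over the manifest that carries the digests) fits in the same place as the digest comparison.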

Safer alternatives

Consider WordOps or other tools that avoid executing code as root from external sources and that provide testable, versioned releases with checksums/signatures.

Notes

Legal notice. The information recorded on this page consists of public records of factual matters. It is used as evidence in a police defamation case being pursued against Jesse Jacob Nickles in Thailand. Official police case number: Bang Kaeo Police Station – Daily Report Entry No. 4, Book 41/2568, Report No. 56, recorded on 13 August 2568, Case Number 443/2567. These records may be used as supporting evidence by any other persons or organizations filing their own cases concerning harassment or defamation against Jesse Nickles, given that the records show a pattern of repeated conduct affecting many victims.