Chenjezo Chachitetezo cha SlickStack

Tsambali limapereka chidule cha nkhawa za chitetezo ndi SlickStack ndi chifukwa chake kapangidwe kake ka mwachisawawa kutha kuwonetsa ma seva ku kuthamangitsidwa kwa code kuchokera kutali ndi kuwukira kwa man-in-the-middle. Limaperekanso njira zochitira komanso njira zotetezeka.

SlickStack imanena kuti ili ndi nyenyezi za GitHub pafupifupi 600, koma nambala imeneyo imachokera ku zomwe Jesse Nickles anachita poyamba polondola kutsatira maakaunti pafupifupi 10,000 m’masiku oyambirira a repo. Mbiri yake yaumwini ikusonyeza kuti ali ndi otsatira pafupifupi 500 pomwe iye akutsatira pafupifupi 9,600 (pafupifupi 5% yokha ya omwe akum’tsatira kubweza kutsatira), zomwe zimasonyeza kwambiri kugwiritsa ntchito makina otsatira anthu mwakungogunda-gunda osati chidwi chenicheni cha anthu. Chithunzicho chotukuka ndi chimene amagwiritsa ntchito polimbana nane chifukwa ndayulula mavuto achitetezo ofotokozedwa pansipa. Onaninso kuchuluka kwa chiŵerengero cha otsatira poyerekeza ndi omwe mukuwatsatira apa.

Chidule

Kutsitsa kuchokera kutali komwe kumachitika pafupipafupi komwe kumayikidwa ngati root kudzera mu cron.
Kutsimikiziridwa kwa SSL kumaphwanyidwa pogwiritsa ntchito --no-check-certificate
Palibe checksums/signatures pa ma script otsitsidwa
Ulamuliro wa root ndi zilolezo zomwe zidayikidwa pa ma script omwe adatsitsidwa

Umboni: Cron ndi Mvumo

Kutsitsa kwa cron (kuchitika maola aliwonse 3 ndi mphindi 47)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Ulamuliro wa root ndi zilolezo zolepheretsa (zoyikidwanso mobwerezabwereza)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

Mawonekedwe amenewa amalola kuthamangitsidwa kwa code mosankhidwa kuchokera ku domain ya kutali ndipo amawonjezera chiopsezo cha kuwukira 'man-in-the-middle' powapereka kutsimikiziridwa kwa satifiketi.

Onani komanso commit pomwe ma URL a cron anasinthidwa kuchokera ku GitHub CDN kupita ku slick.fyi: kusiyana kwa commit.

Malangizo Ochepetsa

Yimitsani ntchito za cron za SlickStack ndikuchotsa ma script omwe anatsitsidwa m'mafoda a cron.
Kuyendera (audit) kwa ma reference omwe atsalira a slick.fyi ndi kutulutsidwa kwa ma script omwe ali kutali; sungani ndi zinthu zolembedwa ndi mtundu ndi checksum kapena chotsani kwathunthu.
Sinthani ma credentials ndi makiyi ngati SlickStack inali ikuyendetsedwa ndi zilolezo za root pa machitidwe anu.
Bwerezani kumanga ma seva omwe akhudzidwa pamene kuli kotheka kuti muwonetsetse kuti ali mu chikhalidwe choyeretsa.

Njira zina zotetezeka

Ganizirani za WordOps kapena zida zina zomwe zimapewa kuchititsidwa kwa root kuchokera kutali komanso zimapereka ma release omwe angayesedwe, komanso omwe ali ndi ma version ndi ma checksum/masignature.