SlickStack Security Notes

This page summarises the security concerns with SlickStack and explains why its default design can expose servers to remote code execution and man-in-the-middle attacks. It also lists mitigation steps and safer alternatives.

Summary

  • Frequent remote downloads of scripts that are installed as root via cron.
  • TLS (SSL) certificate verification is disabled with --no-check-certificate
  • No checksums or signatures on the downloaded scripts
  • Root ownership and execute permissions applied to the downloaded scripts

Evidence: Cron and Permissions

Cron downloads (run at minute 47 of every third hour: 00:47, 03:47, 06:47, and so on)

47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/08-cron-half-daily https://slick.fyi/crons/08-cron-half-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/09-cron-daily https://slick.fyi/crons/09-cron-daily.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/10-cron-half-weekly https://slick.fyi/crons/10-cron-half-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/11-cron-weekly https://slick.fyi/crons/11-cron-weekly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/12-cron-half-monthly https://slick.fyi/crons/12-cron-half-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/13-cron-monthly https://slick.fyi/crons/13-cron-monthly.txt' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'wget --no-check-certificate -q -4 -t 3 -T 30 -O /var/www/crons/14-cron-sometimes https://slick.fyi/crons/14-cron-sometimes.txt' > /dev/null 2>&1

Root ownership and restrictive permissions (re-applied on the same schedule)

47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chown root:root /var/www/crons/custom/*cron*' > /dev/null 2>&1
47 */3 * * * /bin/bash -c 'chmod 0700 /var/www/crons/*cron*' > /dev/null 2>&1

This configuration runs, as root, whatever code is served from the remote domain, and nothing on the host compares the downloaded content with a known checksum or signature. Because wget is told not to check the server certificate, anyone positioned between the server and slick.fyi (a compromised DNS answer, a hostile network hop, a captive proxy) can present any certificate at all, including a self-signed one, and have their own script written over the existing copy; -O overwrites the file in place on every run, so a single successful substitution is enough.

See also the commit in which the cron URLs were changed from the GitHub CDN to slick.fyi: commit diff.
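As an added example (not SlickStack's own code, and not a drop-in for its cron entries), the following shell script shows what the fetch line would need to look like to be safe: certificate checking left on, HTTPS enforced with --https-only, the download staged in a temporary file, its SHA-256 compared with a pinned value, and only then moved into place with the intended permissions. The URL, destination path and digest in the usage comment are placeholders, not real SlickStack values.

```shell
#!/bin/sh
# Added example: a hardened replacement for the SlickStack fetch pattern.
# Not SlickStack code. The URL and digest in the usage comment are placeholders.
set -eu

# Print the SHA-256 hex digest of a file (coreutils sha256sum, BSD shasum fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_and_install SRC DEST EXPECTED_SHA256 [MODE]
# Copies SRC to DEST with MODE (default 0700) only if its digest equals
# EXPECTED_SHA256. On mismatch nothing is written and the function returns 1,
# so a tampered download can never replace the script that is already installed.
verify_and_install() {
    src=$1; dest=$2; expected=$3; mode=${4:-0700}
    actual=$(sha256_of "$src")
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s: expected %s, got %s\n' "$src" "$expected" "$actual" >&2
        return 1
    fi
    # Write to a sibling temp file with the final mode, then rename: the rename
    # is atomic, so a cron job never sees a half-written script.
    install -m "$mode" "$src" "$dest.tmp.$$"
    mv -f "$dest.tmp.$$" "$dest"
}

# fetch_verified URL DEST EXPECTED_SHA256
# The same wget invocation as the cron lines above, but with --https-only instead
# of --no-check-certificate (certificate validation stays on) and the download
# staged in a temp file until the pinned digest has been checked.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    staging=$(mktemp)
    if wget --https-only -q -4 -t 3 -T 30 -O "$staging" "$url" \
        && verify_and_install "$staging" "$dest" "$expected"; then
        rm -f "$staging"
        return 0
    fi
    rm -f "$staging"
    return 1
}

# Usage (not run here; the URL and digest are hypothetical placeholders):
#   fetch_verified https://example.invalid/crons/09-cron-daily.txt \
#       /var/www/crons/09-cron-daily \
#       0000000000000000000000000000000000000000000000000000000000000000
```

The pinned digest has to come from somewhere the attacker cannot also rewrite (a release manifest you checked into your own configuration, or a signature you verify with a key you already hold); fetching the checksum from the same untrusted URL would just move the problem. Note also that verifying the digest is only useful if the cron job that executes the script refuses to run when the install step fails.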

Mitigation Recommendations

  1. Disable the SlickStack cron jobs and remove the downloaded scripts from the cron directories.
  2. Audit for any remaining references to slick.fyi and for remote script execution; keep only versioned artefacts with a checksum or signature, or remove them entirely.
  3. Rotate credentials and keys if SlickStack has been running with root privileges on your systems.
  4. Rebuild affected servers where feasible so that they are known to be in a clean state.
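As an added example, not part of the original page, the shell helpers below implement steps 1 and 2 above: they count and list crontab entries matching the indicators on this page (slick.fyi, --no-check-certificate, /var/www/crons/), write a reviewable copy with those entries commented out, and find downloaded scripts that still reference slick.fyi. The crontab file and directory are arguments the caller supplies; the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added audit helpers for steps 1 and 2 above. Not SlickStack code.
# Paths are supplied by the caller; nothing here touches the live crontab.
set -eu

# Indicators lifted from the cron lines on this page. Note that /var/www/crons/
# also matches local scripts under /var/www/crons/custom/, so review the
# listing rather than deleting blindly.
INDICATORS='slick[.]fyi|--no-check-certificate|/var/www/crons/'

# list_cron_findings FILE : print every non-comment line matching an indicator.
list_cron_findings() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -E "$INDICATORS" || true
}

# count_cron_findings FILE : print the number of such lines (0 when clean).
count_cron_findings() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Ec "$INDICATORS" || true
}

# disable_findings IN OUT : write OUT as a copy of IN with each indicator line
# commented out, so the change can be reviewed before `crontab OUT` installs it.
disable_findings() {
    awk -v re="$INDICATORS" '
        $0 !~ /^[ \t]*#/ && $0 ~ re { print "# DISABLED-BY-AUDIT: " $0; next }
        { print }
    ' "$1" > "$2"
}

# find_remote_references DIR : print files under DIR that still mention slick.fyi
# (the downloaded scripts themselves, or anything that re-fetches from there).
find_remote_references() {
    grep -rlE 'slick[.]fyi' "$1" 2>/dev/null || true
}

# Usage on a live host (not run here; paths are assumptions):
#   crontab -l -u root > /root/root.crontab.bak
#   list_cron_findings /root/root.crontab.bak
#   disable_findings /root/root.crontab.bak /root/root.crontab.new
#   # review /root/root.crontab.new, then: crontab -u root /root/root.crontab.new
#   find_remote_references /var/www/crons
```

Run the crontab checks against the root crontab as well as /etc/cron.d and /etc/crontab, since the entries above are root jobs. Commenting out rather than deleting keeps an audit trail of what was removed, which matters for step 3: the list of fetched scripts tells you which credentials those scripts could have read.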

Safer alternatives

Consider WordOps or other tools that avoid remote execution as root and provide auditable, versioned releases with checksums or signatures.

References