How to secure the default Apache Karaf installation
Following Christian Schneider's blog post, How to hack into any default apache karaf installation, I checked whether my default Karaf installation (4.0.5) is insecure:
Some simple steps to check if your karaf installations is open.
- Check the "etc/org.apache.karaf.shell.cfg" for the attribute sshPort. Note this port number. By default it is 8101
- Do "ssh -p 8101 karaf@localhost". Like expected it will ask for a password. This may also be dangerous if you do not change the default password but is quite obvious.
- Now just do bin/client -a 8101. You will get a shell without supplying a password. If this works then your server is vulnerable
As expected, it was vulnerable. So I tried to secure it following the instructions described there:
How to secure your server?
- Simply remove the public key of the karaf user in the "etc/keys.properties". Unfortunately this will stop the bin/client command from working.
- Also make sure you change the password of the karaf user in "etc/users.properties".
I shut down the Karaf server with the halt command. Then I changed the karaf password in etc/users.properties and deleted the file etc/keys.properties. Then I started the server again with bin/karaf. Then, in a new terminal, I tested whether the installation was secure by trying to ssh into the server. I verified that the ssh login now requires the newly configured password. Finally, I tried the bin/client -a 8101 command.
At this point, as explained in the blog post, I expected the command to fail:
Unfortunately this will stop the bin/client command from working.
I noticed that after running bin/client -a 8101 there was a new file, etc/host.key, generated automatically by bin/client or by the container itself. Instead of failing, the command succeeded and I saw the Karaf console.
Does this mean the container is still vulnerable to this attack vector?
No.
The modifications described in the OP (changing the default password in etc/users.properties and deleting etc/keys.properties) protect the container against that particular attack vector.
According to the discussion on the Karaf users mailing list about this Stack Overflow question:
By default bin/client tries (in this order) to use:
etc/keys.properties
etc/users.properties
karaf/karaf
-u to prompt for the password
bin/client is an SSH client (written in Java). The host.key is the same file as for SSH and containing the trusted hosts (you also have .sshkaraf/known_hosts for that).
The part of the OP quoted from the blog is out of date:
Unfortunately this will stop the bin/client command from working.
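The check the question walks through by hand (read sshPort from etc/org.apache.karaf.shell.cfg, see whether the karaf user still has a public key in etc/keys.properties, see whether etc/users.properties still carries the default karaf/karaf password) can be scripted against the etc/ directory offline. The script below is an added example written for this page; it is not code from the question, the answer, or the Karaf project. It assumes the file layout the page describes (a flat etc/ directory with those three files) and nothing else about the Karaf version. The sample etc/ directories it builds are constructed for the demonstration, and the key value in the "default" sample is a placeholder, not a real Karaf key. It also encodes the point from the answer: because bin/client falls back to karaf/karaf after keys.properties, removing the key file alone is not enough, so both checks are reported.

```shell
#!/bin/sh
# Added audit script for a Karaf etc/ directory (example for this page, not Karaf's own tooling).
# Reports the two defaults that let bin/client / ssh in without a real secret:
#   1. an uncommented "karaf=" public-key entry in etc/keys.properties
#   2. the user "karaf" still mapped to the password "karaf" in etc/users.properties
# Return value of karaf_audit is the number of findings (0 = both defaults removed).

karaf_ssh_port() {
    # Print sshPort from etc/org.apache.karaf.shell.cfg; the documented default is 8101.
    port=$(sed -n 's/^[[:space:]]*sshPort[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' \
        "$1/org.apache.karaf.shell.cfg" 2>/dev/null | head -n 1)
    printf '%s\n' "${port:-8101}"
}

karaf_key_login_enabled() {
    # True when keys.properties exists and has a live (uncommented) entry for user karaf.
    [ -f "$1/keys.properties" ] && grep -Eq '^[[:space:]]*karaf[[:space:]]*=' "$1/keys.properties"
}

karaf_default_password() {
    # True when users.properties maps user karaf to the literal password "karaf"
    # (roles/groups may follow after a comma).
    [ -f "$1/users.properties" ] && \
        grep -Eq '^[[:space:]]*karaf[[:space:]]*=[[:space:]]*karaf[[:space:]]*(,.*)?$' "$1/users.properties"
}

karaf_audit() {
    # $1 = path to the Karaf etc/ directory. Prints findings, returns their count.
    etc="$1"
    findings=0
    echo "SSH console port: $(karaf_ssh_port "$etc")"
    if karaf_key_login_enabled "$etc"; then
        echo "FINDING: keys.properties still grants user 'karaf' password-less access (ssh and bin/client)"
        findings=$((findings + 1))
    fi
    if karaf_default_password "$etc"; then
        echo "FINDING: users.properties still uses the default password 'karaf' (bin/client falls back to karaf/karaf)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no default credentials found"
    return "$findings"
}

make_sample_etc() {
    # Constructed sample etc/ directory for the demo. $1 = target dir, $2 = "default" or "hardened".
    mkdir -p "$1"
    printf 'sshPort = 8101\nsshHost = 0.0.0.0\n' > "$1/org.apache.karaf.shell.cfg"
    if [ "$2" = default ]; then
        # Placeholder key material, NOT a real Karaf key; only the "karaf=" entry matters here.
        printf 'karaf=AAAAB3NzaC1yc2EAAAADAQABAAAAgQDplaceholderKEY,_g_:admingroup\n' > "$1/keys.properties"
        printf 'karaf = karaf,_g_:admingroup\n' > "$1/users.properties"
    else
        # What the question's fix produces: key file gone, password changed.
        rm -f "$1/keys.properties"
        printf 'karaf = s0me-L0ng-Secret,_g_:admingroup\n' > "$1/users.properties"
    fi
}

demo() {
    # Audit a fresh-default layout and a hardened one side by side.
    d=$(mktemp -d)
    make_sample_etc "$d/default" default
    make_sample_etc "$d/hardened" hardened
    echo "== default install =="; karaf_audit "$d/default" || true
    echo "== hardened install =="; karaf_audit "$d/hardened" || true
    rm -rf "$d"
}

# Run the demo only when executed directly, not when sourced into another script.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

To audit a real installation, source the script and call `karaf_audit /opt/karaf/etc`; a non-zero exit status means one of the two defaults is still in place. The password check only detects the plaintext default; a `{CRYPT}`-style hashed password is reported as changed, which is the intended behaviour since the fallback in bin/client needs the literal karaf/karaf pair.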