web-dev-qa-db-ja.com

MongoDB / Debian server successfully attacked - how does a public IP reach the mongodb server?

From the log file I found that my mongodb server got connections from a remote IP address, which should clearly not be allowed because of the mongodb configuration file shown below (more precisely, mongod is not bound to the public interface).

That IP address tried to connect without ssl and was denied access - but logs are obviously missing, i.e. I think they cleaned up mongodb.log, though not all of it. For example, one entry remains in which a remote IP address is visible (could it be one of the ones they used?).

So the question is: how do they get a public IP address through to the mongodb server? Given the various facts below it seems they had ssh access, but even then they would have to use the local interface to connect to mongodb, right?

What I have found so far:

  • /var/log/auth.log was deleted inside the mongodb Docker container (or it never existed, since they did not ssh directly into the Docker container), but it still exists on the daemon's parent machine; however it starts at Apr 24 06:25:29, so I think they deleted it there too.
  • They left a READ_ME folder (empty) and a PLEASE_READ_ME folder inside the mongodb root directory, with a file "./PLEASE_READ_ME/collection-0-*****.wt" (masked) that starts with the message: Don't panic. Your DB is in safety and backed up (check logs). To restore send 0.1 BTC and email with your server ip or domain name. Each 48 hours we erase all the data...
  • They did not create additional db users (or at least no additional users exist atm)
  • This is the list of services on the parent machine (netstat)

    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1281/sshd
    tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1296/exim4
    tcp 0 0 0.0.0.0:54885 0.0.0.0:* LISTEN 707/rpc.statd
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 697/rpcbind
    tcp6 0 0 :::22 :::* LISTEN 1281/sshd
    tcp6 0 0 ::1:25 :::* LISTEN 1296/exim4
    tcp6 0 0 :::35619 :::* LISTEN 707/rpc.statd
    tcp6 0 0 :::27017 :::* LISTEN 1172/docker-proxy
    tcp6 0 0 :::111 :::* LISTEN 697/rpcbind
    udp 0 0 127.0.0.1:883 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:39217 0.0.0.0:* 707/rpc.statd
    udp 0 0 0.0.0.0:872 0.0.0.0:* 697/rpcbind
    udp 0 0 0.0.0.0:111 0.0.0.0:* 697/rpcbind
    udp6 0 0 :::49550 :::* 707/rpc.statd
    udp6 0 0 :::872 :::* 697/rpcbind
    udp6 0 0 :::111 :::* 697/rpcbind

Architecture:

  • Docker daemon running on a virtual machine with Debian 8.7 installed
  • Each Docker container also runs Debian 8.7
  • One docker container for Mongodb, one docker container for the application (connected through a docker network)

Version: MongoDB Shell version: 3.2.11

Log (masked database name, principal name and IPs):

2017-04-23T12:03:03.511Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:44575 #16 (5 connections now open)
2017-04-23T12:03:03.540Z I ACCESS   [conn16] Successfully authenticated as principal *** on testdatabase
2017-04-23T12:03:15.461Z I NETWORK  [conn16] end connection ***.***.***.***:44575 (4 connections now open)
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:36.053Z I NETWORK  [conn18] end connection ***.***.***.***:54235 (4 connections now open)
2017-04-24T05:45:36.063Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54236 #19 (5 connections now open)
2017-04-24T05:45:36.086Z I ACCESS   [conn19] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:39.843Z I NETWORK  [conn19] end connection ***.***.***.***:54236 (4 connections now open)
2017-04-24T05:45:39.853Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54237 #20 (5 connections now open)
2017-04-24T05:45:39.874Z I ACCESS   [conn20] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.071Z I NETWORK  [conn20] end connection ***.***.***.***:54237 (4 connections now open)
2017-04-24T05:45:40.080Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54238 #21 (5 connections now open)
2017-04-24T05:45:40.101Z I ACCESS   [conn21] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:40.108Z I NETWORK  [conn21] end connection ***.***.***.***:54238 (4 connections now open)
2017-04-24T05:45:40.117Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54239 #22 (5 connections now open)
2017-04-24T05:45:40.138Z I ACCESS   [conn22] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.784Z I NETWORK  [conn22] end connection ***.***.***.***:54239 (4 connections now open)
2017-04-24T05:45:44.797Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54245 #23 (5 connections now open)
2017-04-24T05:45:44.820Z I ACCESS   [conn23] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.824Z I NETWORK  [conn23] end connection ***.***.***.***:54245 (4 connections now open)
2017-04-24T05:45:44.833Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54246 #24 (5 connections now open)
2017-04-24T05:45:44.854Z I ACCESS   [conn24] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:44.858Z I NETWORK  [conn24] end connection ***.***.***.***:54246 (4 connections now open)
2017-04-24T05:45:44.868Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54247 #25 (5 connections now open)
2017-04-24T05:45:44.888Z I ACCESS   [conn25] Successfully authenticated as principal *** on testdatabase
2017-04-24T05:45:56.683Z I NETWORK  [conn25] end connection ***.***.***.***:54247 (4 connections now open)
2017-04-24T06:00:01.936Z I NETWORK  [conn3] end connection ***.***.***.***:39610 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn2] end connection ***.***.***.***:39609 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn4] end connection ***.***.***.***:39636 (3 connections now open)
2017-04-24T06:00:01.937Z I NETWORK  [conn1] end connection ***.***.***.***:39548 (3 connections now open)
2017-04-24T06:00:05.915Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49695 #26 (1 connection now open)
2017-04-24T06:00:05.951Z I ACCESS   [conn26] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:09.089Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49758 #27 (2 connections now open)
2017-04-24T06:00:09.103Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49760 #28 (3 connections now open)
2017-04-24T06:00:09.125Z I ACCESS   [conn28] Successfully authenticated as principal *** on testdatabase
2017-04-24T06:00:20.916Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:49790 #29 (4 connections now open)
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from ***.***.***.***:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }

Config file (masked database name):

storage:
    dbPath: "/***"
    directoryPerDB: true
    journal:
        enabled: true
systemLog:
    destination: file
    path:   "/***/mongodb.log"
    logAppend: true
    timeStampFormat: iso8601-utc
processManagement:
    fork: true
net:
    bindIp: [127.0.0.1,172.0.0.5]
    port: 27017
    wireObjectCheck : false
    unixDomainSocket: 
        enabled : true
    http:
        enabled: false
    ssl:
        mode: requireSSL
        PEMKeyFile: /certs/server-***.***.***.***.pem
        CAFile: /certs/ca.pem
        #CRLFile: <string>
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: true
        #disabledProtocols: false
        #FIPSMode: <boolean>
security:
    authorization: enabled

Head of /var/log/auth.log on the parent docker daemon (masked IPs)

Apr 24 06:25:29 *** sshd[5332]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:25:32 *** sshd[4660]: Received disconnect from ***.***.***.***: 11: disconnected by user
Apr 24 06:25:32 *** sshd[4660]: pam_unix(sshd:session): session closed for user root
Apr 24 06:25:41 *** CRON[5111]: pam_unix(cron:session): session closed for user root
Apr 24 06:25:44 *** sshd[5342]: Invalid user admin from ***.***.***.***
Apr 24 06:25:44 *** sshd[5342]: input_userauth_request: invalid user admin [preauth]
Apr 24 06:25:44 *** sshd[5342]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 41822 ssh2 [preauth]
Apr 24 06:26:19 *** sshd[5393]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:26 *** sshd[5423]: Invalid user pat from ***.***.***.***
Apr 24 06:28:26 *** sshd[5423]: input_userauth_request: invalid user pat [preauth]
Apr 24 06:28:26 *** sshd[5423]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:28:28 *** sshd[5421]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:30:46 *** sshd[5450]: Accepted publickey for root from ***.***.***.*** port 47739 ssh2: RSA 74:72:c0:b4:6e:6d:11:3a:2e:c5:4e:be:34:60:e1:99
Apr 24 06:30:46 *** sshd[5450]: pam_unix(sshd:session): session opened for user root by (uid=0)
Apr 24 06:30:49 *** sshd[5499]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:33:16 *** sshd[5842]: Invalid user postgres from ***.***.***.***
Apr 24 06:33:16 *** sshd[5842]: input_userauth_request: invalid user postgres [preauth]
Apr 24 06:33:16 *** sshd[5842]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:36:16 *** sshd[5844]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:02 *** sshd[5846]: Invalid user nginx from ***.***.***.***
Apr 24 06:38:02 *** sshd[5846]: input_userauth_request: invalid user nginx [preauth]
Apr 24 06:38:02 *** sshd[5846]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:38:28 *** sshd[3979]: Timeout, client not responding.
Apr 24 06:38:28 *** sshd[3979]: pam_unix(sshd:session): session closed for user root
Apr 24 06:38:32 *** sshd[5450]: Timeout, client not responding.
Apr 24 06:38:32 *** sshd[5450]: pam_unix(sshd:session): session closed for user root
Apr 24 06:39:14 *** sshd[4027]: Timeout, client not responding.
Apr 24 06:39:14 *** sshd[4027]: pam_unix(sshd:session): session closed for user root
Apr 24 06:41:42 *** sshd[5848]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:07 *** sshd[5850]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:08 *** sshd[5852]: Invalid user  from ***.***.***.***
Apr 24 06:42:08 *** sshd[5852]: input_userauth_request: invalid user  [preauth]
Apr 24 06:42:08 *** sshd[5852]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:42:55 *** sshd[5854]: Invalid user spark from ***.***.***.***
Apr 24 06:42:55 *** sshd[5854]: input_userauth_request: invalid user spark [preauth]
Apr 24 06:42:55 *** sshd[5854]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:06 *** sshd[5859]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Invalid user odoo from ***.***.***.***
Apr 24 06:47:48 *** sshd[5861]: input_userauth_request: invalid user odoo [preauth]
Apr 24 06:47:48 *** sshd[5857]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:47:48 *** sshd[5861]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:32 *** sshd[5872]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:52:34 *** sshd[5870]: Invalid user Steam from ***.***.***.***
Apr 24 06:52:34 *** sshd[5870]: input_userauth_request: invalid user Steam [preauth]
Apr 24 06:52:34 *** sshd[5870]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:54:00 *** sshd[5874]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 46803 ssh2 [preauth]
Apr 24 06:57:22 *** sshd[5877]: Invalid user teste from ***.***.***.***
Apr 24 06:57:22 *** sshd[5877]: input_userauth_request: invalid user teste [preauth]
Apr 24 06:57:22 *** sshd[5877]: Connection closed by ***.***.***.*** [preauth]
Apr 24 06:57:58 *** sshd[5879]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:02:13 *** sshd[5881]: Invalid user hadoop from ***.***.***.***
Apr 24 07:02:13 *** sshd[5881]: input_userauth_request: invalid user hadoop [preauth]
Apr 24 07:02:13 *** sshd[5881]: Connection closed by ***.***.***.*** [preauth]
Apr 24 07:03:16 *** sshd[5885]: Invalid user admin from ***.***.***.***
Apr 24 07:03:16 *** sshd[5885]: input_userauth_request: invalid user admin [preauth]
Apr 24 07:03:16 *** sshd[5883]: Disconnecting: Too many authentication failures for root from ***.***.***.*** port 4792 ssh2 [preauth]
Apr 24 07:03:17 *** sshd[5885]: Disconnecting: Too many authentication failures for invalid user admin from ***.***.***.*** port 4802 ssh2 [preauth]
5
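The netstat listing in the question shows docker-proxy listening on :::27017 on the host, while bindIp in mongod.conf lists only loopback and a container-side address. The following check is an added example, not code from the question or the answer; it reconciles the host's listening sockets with the mongod net section, using constructed sample input in the same shape as the question's netstat output and config (the values are mine).

```python
import re

# Constructed sample shaped like the question's netstat listing and mongod.conf
# `net:` section; the values are mine, not the original server's.
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1281/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1296/exim4
tcp6 0 0 :::27017 :::* LISTEN 1172/docker-proxy
"""
MONGOD_CONF = """\
net:
    bindIp: [127.0.0.1,172.17.0.5]
    port: 27017
"""
WILDCARDS = {"0.0.0.0", "::"}

def parse_listeners(text):
    """Return (address, port, program) for each LISTEN line of `netstat -tlnp`."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[5] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)
            rows.append((addr, int(port), f[6].split("/", 1)[-1]))
    return rows

def parse_net_section(conf):
    """Extract the bindIp list and port from mongod.conf without a YAML library."""
    m = re.search(r"^\s*bindIp:\s*\[?([^\]\n]+?)\]?\s*$", conf, re.M)
    bind_ips = [x.strip() for x in m.group(1).split(",")] if m else ["0.0.0.0"]
    p = re.search(r"^\s*port:\s*(\d+)", conf, re.M)
    return bind_ips, int(p.group(1)) if p else 27017

def host_exposure(netstat_text, conf):
    """Findings for mongod's port published on a wildcard host address.
    bindIp is evaluated inside the container's network namespace, so it cannot
    stop docker-proxy (or Docker's DNAT rule) from accepting the port on every
    host interface; that host-side socket is what an Internet scanner reaches.
    """
    bind_ips, port = parse_net_section(conf)
    findings = []
    for addr, lport, prog in parse_listeners(netstat_text):
        if lport == port and addr in WILDCARDS:
            findings.append(f"{prog} listens on {addr}:{lport} for every peer; "
                            f"mongod bindIp {bind_ips} limits only the container side")
    return findings

if __name__ == "__main__":
    for finding in host_exposure(NETSTAT, MONGOD_CONF):
        print("EXPOSED:", finding)
```

On a live host, feed it the real `netstat -tlnp` output and the container's mongod.conf; an empty result means no wildcard listener publishes the mongod port.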
Techradar

Some information is missing; for next time, please include the kernel version, the Docker version, and whether the client application connects as the root user.

Possible exploits they used:

  • Compromised database client application. Check it for vulnerabilities as well.

  • Docker containers share the kernel with the host and with the other containers; check the kernel version for vulnerabilities

  • Exploited ssh. I can't see that information, so you have either fail2ban or key-based ssh authentication, or only a password, or a VPN (I recommend changing the ssh port, public-key authentication and fail2ban, or allowing connections to ssh only through a private VPN)

What you need to understand is that it may not be just one vulnerability turned into an exploit, but a chain of vulnerabilities.

2
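To narrow down which of the vectors listed above applies, the mongod log quoted in the question can be grouped per connection id: which source address opened each connection, whether it authenticated and as whom, and whether it was refused for lacking TLS or for running commands it was not authorized for. This script is an added example, not code from the question or the answer; its sample lines are constructed in the mongod 3.2 log format shown on the page, and the addresses and the principal name appuser are mine.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the mongod 3.2 log format quoted in the question; the
# addresses (203.0.113.7 is a documentation range) and the principal are mine.
LOG = """\
2017-04-24T05:07:57.711Z I NETWORK  [initandlisten] connection accepted from 203.0.113.7:27790 #17 (5 connections now open)
2017-04-24T05:07:57.724Z I NETWORK  [conn17] AssertionException handling request, closing client connection: 17189 The server is configured to only allow SSL connections
2017-04-24T05:45:35.997Z I NETWORK  [initandlisten] connection accepted from 203.0.113.7:54235 #18 (5 connections now open)
2017-04-24T05:45:36.027Z I ACCESS   [conn18] Successfully authenticated as principal appuser on testdatabase
2017-04-24T06:00:05.915Z I NETWORK  [initandlisten] connection accepted from 172.17.0.3:49695 #26 (1 connection now open)
2017-04-24T06:00:05.951Z I ACCESS   [conn26] Successfully authenticated as principal appuser on testdatabase
2017-04-24T06:05:32.404Z I NETWORK  [initandlisten] connection accepted from 203.0.113.7:54712 #30 (5 connections now open)
2017-04-24T06:05:32.414Z I ACCESS   [conn30] Unauthorized: not authorized on admin to execute command { getLog: "startupWarnings" }
"""
ACCEPT = re.compile(r"^(\S+) I NETWORK\s+\[initandlisten\] connection accepted from (\S+):(\d+) #(\d+)")
EVENT = re.compile(r"^(\S+) I \w+\s+\[conn(\d+)\] (.*)$")
# Loopback, RFC 1918 and IPv6 ULA count as internal; everything else is external.
INTERNAL = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7")]

def build_sessions(log_text):
    """Group lines by connection id: source IP, authenticated principal, flags."""
    sessions = {}
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            ts, ip, _port, cid = m.groups()
            sessions[int(cid)] = {"ip": ip.strip("[]"), "opened": ts, "principal": None, "flags": []}
            continue
        m = EVENT.match(line)
        if not m:
            continue
        ts, cid, msg = m.groups()
        s = sessions.setdefault(int(cid), {"ip": None, "opened": ts, "principal": None, "flags": []})
        auth = re.match(r"Successfully authenticated as principal (\S+) on (\S+)", msg)
        if auth:
            s["principal"] = f"{auth.group(1)}@{auth.group(2)}"
        elif "only allow SSL connections" in msg:
            s["flags"].append("rejected: plaintext client")  # non-TLS client or scanner
        elif msg.startswith("Unauthorized"):
            s["flags"].append("unauthorized command")  # probing without usable credentials
    return sessions

def is_external(ip):
    a = ip_address(ip)
    return not any(a in n for n in INTERNAL)

def suspicious(sessions):
    """Conn ids from external sources that authenticated or raised a flag."""
    return sorted(c for c, s in sessions.items() if s["ip"] and is_external(s["ip"]) and (s["principal"] or s["flags"]))
```

An external address that successfully authenticates with the application's principal points at leaked client credentials rather than an ssh-only intrusion, which is the distinction the first vector above hinges on.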