Vixual

弱點掃瞄

弱點: TLS Service Supports Weak Cipher Suite

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.

• Severity: Medium
• Risk: A TLS service was observed supporting weak cipher suites.
• Recommendation: Disable the cipher suites listed in the evidence column of the measurement.

Read more

弱點掃瞄

弱點 1: SSH Supports Weak Cipher

The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.

• Severity: Medium
• Risk: A weak cipher has been detected.
• Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.

弱點 2: SSH Supports Weak MAC

The SSH server is configured to support MD5 algorithm. The cryptographic strength depends upon the size of the key and algorithm that is used. A Modern MAC algorithms such as SHA1 or SHA2 should be used instead.

• Severity: Medium
• Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
• Recommendation: Configure the SSH server to disable the use of MD5.

Read more

弱點掃瞄

弱點: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.

• Severity: High
• Risk: A TLS service was observed supporting weak protocols.
• Recommendation: Disable the protocols listed in the evidence column of the measurement.

Read more

弱點掃瞄

弱點: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

1. Open Wi-Fi Hotspots
2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
3. Malicious Wi-Fi access points
4. Compromised switches and routers
5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.

• Severity: High
• Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
• Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.

Read more

勒索病毒 (RansomWare)

近兩年來出現一種新型態的電腦病毒:「勒索病毒」。(關鍵字: RansomWare、Crypt0L0ocker、CryptoLocker、CryptWall)

這種病毒會將受害人電腦裡的文件類型的檔案加密 (包含連結到 NAS 的檔案)，而受害人必須交付贖款才能取得解密程式。

由於病毒是使用很高階的加密技術，受害人即使能刪除病毒也救不回被加密的檔案。防毒軟體頂多能移除病毒，但仍無法解密檔案! 因此只能選擇交付贖款或放棄所有檔案。

而台灣的受害人甚至必須到「全家便利商店」購買 BitCoin 來付贖款，就算請店員打 165 也沒用!

唯有異地的檔案備份才能解除危機。

這種「勒索病毒」嚴然成為了一種新的「商業模式」，並且已經做出了口碑，未來只會衍生出更多的變種病毒。

Read more

本文是綜合我的經驗，以及身為一個 MIS 的血淚所交織出來的資安重點，寫的不算專業，但還是希望對於看到的人能有一點幫助。

防毒觀念

1. 病毒也是一種「軟體」，必須有人去執行。散播病毒的人會設法引誘你去執行它。
2. 防毒軟體只能防「已知病毒」，新的病毒必需在有人中毒並且回報病毒樣本之後才能研發出病毒碼。直到防毒軟體能全面防止新病毒通常是病毒已經肆虐了好幾天之後的事情了。
3. 寫病毒的人如果覺得有利可圖，病毒會更新的比防毒軟體還勤快!!
4. 個人的安全意識比防毒軟體更為重要，人的因素，永遠是資安最大的漏洞。

Read more

本文要介紹的 Linux 的 E-Mail 防毒主要由兩個套件組成: clamav 與 clamav-milter。

其中「clamav」是防毒軟體、「clamav-milter」是 clamav 用來與 sendmail 整合的掃毒程式。

Read more

本站曾用過 Limit Login Attempts 這個 WordPress 的外掛程式，用以防止被暴力破解登入密碼。當有人一直以錯誤的密碼進行登入時，就會對其 IP 進行幾個小時的封鎖，然後 mail 通知你又有什麼 IP 被封鎖了，效果其實也還不錯。

不過其實只要用「.htaccess 的權限認證方式」，就可以針對 wordpress 的 wp-login.php 這個單一檔案做防護，也可以達到很好的效果。

.htaccess 認證

首先找一個安全的地方放置 .htusers 這個檔案。所謂的「安全」，是指至少不要在網頁可以被下載到的路徑。.htusers 的設定方式請參考本站另一篇文章:

• .htaccess 的權限認證方式

密碼請不要用跟 WordPress 原本的登入密碼一樣。

編輯 wordpress 目錄下的 .htaccess，在檔案最後如入:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/.htusers"
<Files wp-login.php>
require valid-user
</Files>

如果你想進一步針對整個 wp-admin 目錄做防護，則進到 wordpress 下的 wp-admin 目錄，新增或編輯 .htaccess，一樣在檔案最後如入:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/.htusers"
require valid-user

參考網頁

• Dynamic Drive: .htaccess password generator
• 限制WordPress後台登入次數、封鎖IP、防駭客入侵 – 香腸炒魷魚
• 幫WordPress後台築城牆 « 高登工作室
• 隱藏 WordPress 後台網址 « 高登工作室
• WordPress 如何防範暴力攻擊 Brute Force Attack « 高登工作室

OpenSSL Heartbleed 漏洞

Linux 站長請檢測您的網站是否有 OpenSSL 的 Heartbleed 嚴重漏洞，此漏洞會造成加密的封包在網路上被截取:

• OpenSSL 影響版本: 1.0.1 ~ 1.0.1f / 1.0.2-beta ~ 1.0.2-beta1
• OpenSSL 修復版本: 1.0.1g / 1.0.2-beta2

檢測方法

至「Test your server for Heartbleed」輸入你的網站網址做檢測。

參考網頁

• OpenSSL CVE-2014-0160 Heartbleed 嚴重漏洞 | DEVCORE 戴夫寇爾
• CVE - CVE-2014-0160
• Test your server for Heartbleed (CVE-2014-0160)
• https://www.openssl.org/news/secadv_20140407.txt

這是我在 Facebook 上看到的安全資訊，我覺得很重要，也適用在任何的網站套件上。

以 WordPress 為例，首先，請查看你的 WordPress 目錄下是否有這些檔案:

Read more