Vixual

弱点扫瞄

弱点: TLS Service Supports Weak Cipher Suite

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Cryptographic algorithms do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which algorithms are untrustworthy evolves over time, and if a communication is protected with a weak cipher suite then that communication can be altered or decrypted.

• Severity: Medium
• Risk: A TLS service was observed supporting weak cipher suites.
• Recommendation: Disable the cipher suites listed in the evidence column of the measurement.

Read more

弱点扫瞄

弱点 1: SSH Supports Weak Cipher

The SSH server is configured to support either Arcfour or Cipher Block Chaining (CBC) mode cipher algorithms. SSH can be configured to use Counter (CTR) mode encryption instead of CBC. The use of Arcfour algorithms should be disabled.

• Severity: Medium
• Risk: A weak cipher has been detected.
• Recommendation: Configure the SSH server to disable Arcfour and CBC ciphers.

弱点 2: SSH Supports Weak MAC

The SSH server is configured to support MD5 algorithm. The cryptographic strength depends upon the size of the key and algorithm that is used. A Modern MAC algorithms such as SHA1 or SHA2 should be used instead.

• Severity: Medium
• Risk: A weak Message Authentication Code (MAC) algorithm has been detected.
• Recommendation: Configure the SSH server to disable the use of MD5.

Read more

弱点扫瞄

弱点: SSL/TLS Service Supports Weak Protocol

Transport Layer Security (TLS), the successor to Secure Socket Layer (SSL), is a network protocol that encrypt communications between TLS servers (e.g., websites) and TLS clients (e.g., web browsers). Every communication is secured by a cipher suite: a combination of several algorithms working in concert. Networking protocols do not have a defined lifetime, but academics, researchers, and nation states are constantly evaluating them for weaknesses. Consensus on which protocols are untrustworthy evolves over time, and if communications are sent with a weak protocol then that communication can be altered or decrypted.

• Severity: High
• Risk: A TLS service was observed supporting weak protocols.
• Recommendation: Disable the protocols listed in the evidence column of the measurement.

Read more

弱点扫瞄

弱点: Site does not enforce HTTPS

The site responds to HTTP requests without ultimately redirecting the browser to a secure version of the page. Since the site allows plaintext traffic, a man-in-the-middle attacker is able to read and modify any information passed between the site and the user. There are a variety of situations in which an attacker can intercept plaintext traffic in a man-in-the-middle position, including but not limited to:

1. Open Wi-Fi Hotspots
2. WPA/WPA2 encrypted hot-spots where the attacker connected before the victim
3. Malicious Wi-Fi access points
4. Compromised switches and routers
5. ARP poisoning on the same wired network

It's important to remember that in many of the above situations, an attacker can not only read traffic, but also actively modify the traffic. Even if a site that does not contain sensitive information, an attacker can still inject malicious content to a user’s browser.

• Severity: High
• Risk: Site does not enforce the use of HTTPS encryption, leaving the user vulnerable to man-in-the-middle attackers (who can falsify data and inject malicious code).
• Recommendation: Any site served to a user (possibly at the end of a redirect chain) should be served over HTTPS.

Read more

勒索病毒 (RansomWare)

近两年来出现一种新型态的电脑病毒:“勒索病毒”。(关键字: RansomWare、Crypt0L0ocker、CryptoLocker、CryptWall)

这种病毒会将受害人电脑里的文件类型的档案加密 (包含连结到 NAS 的档案)，而受害人必须交付赎款才能取得解密程式。

由于病毒是使用很高阶的加密技术，受害人即使能删除病毒也救不回被加密的档案。防毒软件顶多能移除病毒，但仍无法解密档案! 因此只能选择交付赎款或放弃所有档案。

而台湾的受害人甚至必须到“全家便利商店”购买 BitCoin 来付赎款，就算请店员打 165 也没用!

唯有异地的档案备份才能解除危机。

这种“勒索病毒”严然成为了一种新的“商业模式”，并且已经做出了口碑，未来只会衍生出更多的变种病毒。

Read more

本文是综合我的经验，以及身为一个 MIS 的血泪所交织出来的资安重点，写的不算专业，但还是希望对于看到的人能有一点帮助。

防毒观念

1. 病毒也是一种“软件”，必须有人去执行。散播病毒的人会设法引诱你去执行它。
2. 防毒软件只能防“已知病毒”，新的病毒必需在有人中毒并且回报病毒样本之后才能研发出病毒码。直到防毒软件能全面防止新病毒通常是病毒已经肆虐了好几天之后的事情了。
3. 写病毒的人如果觉得有利可图，病毒会更新的比防毒软件还勤快!!
4. 个人的安全意识比防毒软件更为重要，人的因素，永远是资安最大的漏洞。

Read more

本文要介绍的 Linux 的 E-Mail 防毒主要由两个套件组成: clamav 与 clamav-milter。

其中“clamav”是防毒软件、“clamav-milter”是 clamav 用来与 sendmail 整合的扫毒程式。

Read more

本站曾用过 Limit Login Attempts 这个 WordPress 的外挂程式，用以防止被暴力破解登入密码。当有人一直以错误的密码进行登入时，就会对其 IP 进行几个小时的封锁，然后 mail 通知你又有什么 IP 被封锁了，效果其实也还不错。

不过其实只要用“.htaccess 的权限认证方式”，就可以针对 wordpress 的 wp-login.php 这个单一档案做防护，也可以达到很好的效果。

.htaccess 认证

首先找一个安全的地方放置 .htusers 这个档案。所谓的“安全”，是指至少不要在网页可以被下载到的路径。.htusers 的设定方式请参考本站另一篇文章:

• .htaccess 的权限认证方式

密码请不要用跟 WordPress 原本的登入密码一样。

编辑 wordpress 目录下的 .htaccess，在档案最后如入:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/.htusers"
<Files wp-login.php>
require valid-user
</Files>

如果你想进一步针对整个 wp-admin 目录做防护，则进到 wordpress 下的 wp-admin 目录，新增或编辑 .htaccess，一样在档案最后如入:

AuthType Basic
AuthName "Restricted Area"
AuthUserFile "/path/to/.htusers"
require valid-user

参考网页

• Dynamic Drive: .htaccess password generator
• 限制WordPress后台登入次数、封锁IP、防骇客入侵 – 香肠炒鱿鱼
• 帮WordPress后台筑城墙 « 高登工作室
• 隐藏 WordPress 后台网址 « 高登工作室
• WordPress 如何防范暴力攻击 Brute Force Attack « 高登工作室

OpenSSL Heartbleed 漏洞

Linux 站长请检测您的网站是否有 OpenSSL 的 Heartbleed 严重漏洞，此漏洞会造成加密的封包在网络上被截取:

• OpenSSL 影响版本: 1.0.1 ~ 1.0.1f / 1.0.2-beta ~ 1.0.2-beta1
• OpenSSL 修复版本: 1.0.1g / 1.0.2-beta2

检测方法

至“Test your server for Heartbleed”输入你的网站网址做检测。

参考网页

• OpenSSL CVE-2014-0160 Heartbleed 严重漏洞 | DEVCORE 戴夫寇尔
• CVE - CVE-2014-0160
• Test your server for Heartbleed (CVE-2014-0160)
• https://www.openssl.org/news/secadv_20140407.txt

这是我在 Facebook 上看到的安全资讯，我觉得很重要，也适用在任何的网站套件上。

以 WordPress 为例，首先，请查看你的 WordPress 目录下是否有这些档案:

Read more