亿迈科技旗下门户资讯平台!
  • 24小时服务热线:
  • 400-6690-301

  • 当前位置:首页 >> 系统漏洞 >> 内容

    面对Logjam攻击 你该如何保护Debian或Ubuntu服务器?

    时间:2015/9/18 0:01:55 点击:1

     本教程介绍了保护你的Ubuntu或Debian Linux服务器,以应对最近发现的Logjam攻击所需要采取的几个步骤。Logjam是一种针对Diffie-Hellman密钥交换技术发起的攻击,而这项技术应用于诸多流行的加密协议,比如HTTPS、TLS、SMTPS、SSH及其他协议。

    必须以根用户的身份在外壳上执行下列步骤。

    生成独特的DH组

    想确保服务器安全,第一个步骤是利用openssl命令,生成独特的DH组。我将在/etc/ssl/private/目录中创建文件。如果你的服务器上没有这个目录,那么用下列命令创建该文件:

    mkdir -p /etc/ssl/privatechmod 710 /etc/ssl/private

    现在,我要创建dhparams.pem文件,并设置安全权限:

    cd /etc/ssl/privateopenssl dhparam -out dhparams.pem 2048chmod 600 dhparams.pem

    Apache

    首先,我要根据来自weakdh.org的建议,添加一个安全密码组。使用编辑工具打开文件/etc/apache2/mods-available/ssl.conf:

    nano /etc/apache2/mods-available/ssl.conf

    然后更改或添加这几行:

    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHASSLHonorCipherOrder     on

     

    请注意:SSLCipherSuide只有一行长,所以不要添加换行符!

    第二部分是在apache中设置DH组。SSLOpenSSLConfCmd配置选项只出现在apache 2.4.8或更新的版本上,它还需要openssl 1.0.2或更新的版本,于是我们首先要测试我们的apache和openssl版本是否支持它:

    apache2 -v

    我的Debian 7服务器上的输出结果如下:

    root@server1:/etc/apache2# apache2 -vServer version: Apache/2.2.22 (Debian)Server built: Dec 23 2014 22:48:29

    现在我要测试openssl:

    openssl version

    我系统上的输出结果如下:

    root@server1:/# openssl versionOpenSSL 1.0.1e 11 Feb 2013

    因而我可以在该服务器上设置DH组。第一个和第二个部分彼此独立,第一个部分是已经被禁用的可保护服务器的弱密码,它没有DH组也可以工作。如果你的apache版本高于2.4.8,OpenSSL版本高于1.0.2,那么再次编辑/etc/apache2/mods-available/ssl.conf文件:

    nano /etc/apache2/mods-available/ssl.conf

    添加这一行:

    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

     

    然后重启apache:

    service apache2 restart

    Nginx

    编辑nginx配置文件/etc/nginx/nginx.conf

    nano /etc/nginx/nginx.conf

    添加或更换httpd { .... }这部分里面的下列设置:

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;

    然后重启nginx:

    service nginx restart

    Postfix

     

    运行下面这些命令,设置安全密码组和DH组:

     

    postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"

    postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem"

    然后重启postfix:

    service postfix restart

    Dovecot

    编辑dovecot配置文件/etc/dovecot/dovecot.conf

    nano /etc/dovecot/dovecot.conf

    然后紧跟ssl_protocols这一行添加这一行:

    ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    至于其他参数,我们需要知道dovecot版本。在外壳上运行这个命令,以获得dovecot版本方面的信息: dovecot --version

    如果版本是2.2.6或更高,那么添加这额外的一行:

    ssl_prefer_server_ciphers = yes

     

    如果版本是2.2.7或更高,那么添加这第三行:

     

    ssl_dh_parameters_length = 2048

    最后重启dovecot

    service dovecot restart

    Pure-ftpd

    保护Debian和Ubuntu上的pure-ftpd的安全来得有点复杂,因为/usr/sbin/pure-ftpd-wrapper脚本并不直接参数-J参数选项,pure-ftpd使用该参数选项来设置SSL密码组。第一步是在封装器脚本中添加对-J选项的支持。打开文件:

    nano /usr/sbin/pure-ftpd-wrapper

    然后向下滚动,找到这一行:

    'TLS' => ['-Y %d', \&parse_number_1],

    现在紧跟'TLSCipherSuite' => ['-J %s', \&parse_string]后面添加这新的一行。

    然后使用nano命令,创建文件/etc/pure-ftpd/conf/TLSCipherSuite;如果该文件已存在,则编辑它:

    nano /etc/pure-ftpd/conf/TLSCipherSuite

    然后输入下列密码列表:

    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

     

    如果该文件已经存在,并且含有一些密码,那么将密码换成上述密码。然后保存文件,重启pure-ftpd:

    service pure-ftpd-mysql restart