|
我的wordpress已经裸奔了好久了,在看了一篇关于wordpress安全方面的文章后,决定给我的wordpress做一安全防护,以下是我操作的整个过程记录。
</div><p>最近看了infosec 出品的<<rotecting WordPress Installations in an IaaS Environment》,决定给裸奔的wordpress做做安全加固。<br />
<br />
wordpress是国人搭建个人博客的首选,其地位等同于论坛搭建首选discuz(话说,discuz才报出全局变量绕过导致的命令执行大洞,唉,开源的APP都是不产蜜而产getshell的蜂巢)<br />
<br />
wordpress以丰富的插件(插件漏洞)闻名,因此攻击者一般会对wordpress来个指纹识别(除去找暴力破解/社工后台登陆口的快捷方法)<br />
<br />
<strong>一、w<a href="/fw/photo.html" target="_blank">ps</a>can – WordPress指纹识别及漏洞检查工具</strong><br />
<br />
该网站被丧心病狂的GFW封掉了,翻墙吧psiphon搔年,或者使用渗透套装kali(重点不是wpscan,了解攻击才能给出相应防御措施)<br />
<br />
a.安装<br />
<br />
以ubuntu安装为例<br />
<br />
apt-get install libcurl4-gnutls-dev libxml2 libxml2-dev libxslt1-dev ruby-dev build-essential<br />
git clone https://github.com/wpscanteam/wpscan.git<br />
cd wpscan/<br />
gem install bundler && bundle install --without test<br />
<br />
b.基本使用<br />
<br />
枚举站点信息:用户名、插件、样式等信息<br />
<br />
ruby wpscan.rb --url www.tanjiti.com --enumerate<br />
<br />
察看详细的探测信息<br />
<br />
ruby wpscan.rb --url www.tanjiti.com --debug-output --random-agent >debug.log<br />
<br />
(注意:wpscan 默认User-Agent为WPScan v2.5.1 (http://wpscan.org),扫描器使用常识之一使用正常变化的ua,避免触发WAF之类的防御部署)<br />
基本察看LOG,我们就可以知道wpscan是如何收集信息<br />
例如检查响应头X-Pingback: http://www.tanjiti.com/xmlrpc.php 头 (xmlrpc漏洞)<br />
检查xmlrpc.php (xmlrpc漏洞)<br />
检查robots.txt文件 (敏感信息泄露)<br />
检查readme.html文件(敏感信息泄露)<br />
检查/wp-content/debug.log(敏感信息泄露)<br />
检查配置文件(能够明文读取配置文件基本就是挂掉了),wp-config.php.swo,%23wp-config.php%23,wp-config.orig,wp-config.php_bak,wp-config.original,wp-config.php.orig,wp-config.php.old,.wp-config.php.swp,wp-config.php.save,wp-config.bak,wp-config.txt,wp-config.php~ ,wp-config.save ,wp-config.old,wp-config.php.swp (敏感信息泄露)<br />
识别指纹后,一般会去漏洞信息库中查找可以利用的漏洞,例如MSF<br />
<strong><br />
二、MSF-wordpress漏洞利用(已方使用就是漏洞扫描)</strong><br />
<br />
msf > search wordpress<br />
<br />
Matching Modules<br />
================<br />
<br />
Name Disclosure Date Rank Description<br />
---- --------------- ---- -----------<br />
auxiliary/admin/http/wp_custom_contact_forms 2014-08-07 normal WordPress custom-contact-forms Plugin SQL Upload<br />
auxiliary/dos/http/wordpress_xmlrpc_dos 2014-08-06 normal WordPress XMLRPC DoS<br />
<br />
以前段时间有名的XMLRPC DoS为例(漏洞说明见 《[科普]什么是 billion laughs-WordPress与Drupal的DoS攻击有感》)<br />
<br />
msf > use auxiliary/dos/http/wordpress_xmlrpc_dos<br />
msf auxiliary(wordpress_xmlrpc_dos) > show options<br />
<br />
Module options (auxiliary/dos/http/wordpress_xmlrpc_dos):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
Proxies no Use a proxy chain<br />
RHOST yes The target address<br />
RLIMIT 1000 yes Number of <a href="/tags.php/request/" target="_blank">request</a>s to send<br />
RPORT 80 yes The target port<br />
TARGETURI / yes The base path to the wordpress application<br />
VHOST no HTTP server virtual host<br />
<br />
msf auxiliary(wordpress_xmlrpc_dos) > set RHOST www.tanjiti.com<br />
RHOST => xxx<br />
msf auxiliary(wordpress_xmlrpc_dos) > set TARGETURI /<br />
TARGETURI => /wordpress/wordpress/<br />
msf auxiliary(wordpress_xmlrpc_dos) > run<br />
<br />
(再次强调,重点不是Metasploit,了解攻击才能给出相应防御措施)<br />
<strong><br />
三、wordpress防护——使用ModSecurity进行防护</strong><br />
<br />
安装及规则编写的基础知识见《[科普文]ubuntu上安装Apache2+ModSecurity及自定义WAF规则》<br />
<br />
vim /usr/share/modsecurity-crs/activated_rules/MY.conf<br />
<br />
(1) 添加防御xmlrpc漏洞的规则<br />
<br />
SecRule REQUEST_URI "@endsWith /xmlrpc.php" "deny,tag:'WEB_ATTACK/WORDPRESS',msg:'block wordpress xmlrpc.php',id:0000003,phase:2"<br />
<br />
service apache2 restart<br />
<br />
使用MSF发送攻击包<br />
<br />
msf auxiliary(wordpress_xmlrpc_dos) > use auxiliary/scanner/http/wordpress_pingback_access<br />
msf auxiliary(wordpress_pingback_access) > show options<br />
<br />
Module options (auxiliary/scanner/http/wordpress_pingback_access):<br />
<br />
Name Current Setting Required Description<br />
---- --------------- -------- -----------<br />
Proxies no Use a proxy chain<br />
RHOSTS yes The target address range or CIDR identifier<br />
RPORT 80 yes The target port<br />
TARGETURI / yes The path to wordpress installation (e.g. /wordpress/)<br />
THREADS 1 yes The number of concurrent threads<br />
VHOST no HTTP server virtual host<br />
<br />
msf auxiliary(wordpress_pingback_access) > set RHOSTS www.tanjiti.com<br />
RHOSTS => xxx<br />
msf auxiliary(wordpress_pingback_access) > set TARGETURI /<br />
TARGETURI => /wordpress/wordpress/<br />
msf auxiliary(wordpress_pingback_access) > run<br />
<br />
可以看到拦截日志如下<br />
<br />
Message: Warning. String match "/xmlrpc.php" at REQUEST_URI. [file "/usr/share/modsecurity-crs/activa<br />
ted_rules/MY.conf"] [line "4"] [id "0000003"] [msg "block wordpress xmlrpc.php"] [tag "WEB_ATTACK/WOR<br />
DPRESS"]<br />
<br />
(2) 添加防御wpscan默认扫描头的规则<br />
<br />
SecRule REQUEST_HEADERS:User-Agent "@contains wpscan" "t:lowercase,deny,tag:'WEB_ATTACK/WORDPRESS',ms<br />
g:'block wpscanner default useragent',id:0000004,phase:1"<br />
<br />
再次运行wpscan,可以看到拦截日志如下<br />
<br />
essage: Warning. String match "wpscan" at REQUEST_HEADERS:User-Agent. [file "/usr/share/modsecurity-<br />
crs/activated_rules/MY.conf"] [line "6"] [id "0000004"] [msg "block wpscanner default useragent"] [ta<br />
g "WEB_ATTACK/WORDPRESS"]<br />
<br />
大伙可以针对性地添加规则,对个人网站而已,添加白规则较之黑规则会事半功倍,这里的示例规则仅仅是抛砖引玉。<br />
<strong><br />
四、wordpress防护——屏蔽敏感信息访问</strong><br />
<br />
vim /etc/apache2/apache2.conf<br />
<FilesMatch ".(sw[po]|old|save|bak|orig(?:inal)?|php(?:~|_bak|x23))$"><br />
Require all denied<br />
</FilesMatch><br />
service apache2 restart<br />
<strong><br />
五、wordpress防护——启用安全头</strong><br />
<br />
vim /etc/apache2/conf-available/security.conf<br />
<br />
(1) 防止在IE9、chrome和safari中的MIME类型混淆攻击<br />
<br />
Header set X-Content-Type-Options: "nosniff"<br />
(2) 防止clickjacking,只允许遵守同源策略的资源(和站点同源)通过frame加载那些受保护的资源。<br />
<br />
Header set X-Frame-Options: "sameorigin"<br />
(3) 开启xss防护并通知浏览器阻止而不是过滤用户注入的脚本。<br />
<br />
Header set X-XSS-Protection "1;mode=block"<br />
service apache2 restart</p>
<p><strong>六、wordpress防护——登陆口防爆破</strong><br />
<br />
一般的方法是设置一个登陆口白名单,但现在越来越多的网站使用CDN服务,明显不再是个好的防护方案<br />
安装Login LockDown 插件,wordpress后台插件管理处搜索即可,设置也超级简单<br />
<br />
设置实例:</p>
<p><img width="750" height="415" data-tag="bdimg" src="/get_pic/2015/02/02/20150202002528459.png" alt="8821414553178" class="aligncenter size-full wp-image-5943" /><br />
<br />
如果在5分钟失败3次就会封锁IP60分钟</p>
<p><img width="438" height="271" data-tag="bdimg" src="/get_pic/2015/02/02/20150202002531279.png" alt="49941414553180" class="aligncenter size-full wp-image-5944" /> |
|