面對Logjam攻擊 你該如何保護Debian或Ubuntu服務器?
譯文本教程介紹了保護你的Ubuntu或Debian Linux服務器,以應對最近發現的Logjam攻擊所需要采取的幾個步驟。Logjam是一種針對Diffie-Hellman密鑰交換技術發起的攻擊,而這項技術應用于諸多流行的加密協議,比如HTTPS、TLS、SMTPS、SSH及其他協議。
必須以根用戶的身份在外殼上執行下列步驟。
生成獨特的DH組
想確保服務器安全,第一個步驟是利用openssl命令,生成獨特的DH組。我將在/etc/ssl/private/目錄中創建文件。如果你的服務器上沒有這個目錄,那么用下列命令創建該文件:
mkdir -p /etc/ssl/private chmod 710 /etc/ssl/private
現在,我要創建dhparams.pem文件,并設置安全權限:
cd /etc/ssl/private openssl dhparam -out dhparams.pem 2048 chmod 600 dhparams.pem
Apache
首先,我要根據來自weakdh.org的建議,添加一個安全密碼組。使用編輯工具打開文件/etc/apache2/mods-available/ssl.conf:
nano /etc/apache2/mods-available/ssl.conf
然后更改或添加這幾行:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on
請注意:SSLCipherSuide只有一行長,所以不要添加換行符!
第二部分是在apache中設置DH組。SSLOpenSSLConfCmd配置選項只出現在apache 2.4.8或更新的版本上,它還需要openssl 1.0.2或更新的版本,于是我們首先要測試我們的apache和openssl版本是否支持它:
apache2 -v
我的Debian 7服務器上的輸出結果如下:
root@server1:/etc/apache2# apache2 -v Server version: Apache/2.2.22 (Debian) Server built: Dec 23 2014 22:48:29
現在我要測試openssl:
openssl version
我系統上的輸出結果如下:
root@server1:/# openssl version OpenSSL 1.0.1e 11 Feb 2013
因而我可以在該服務器上設置DH組。第一個和第二個部分彼此獨立,第一個部分是已經被禁用的可保護服務器的弱密碼,它沒有DH組也可以工作。如果你的apache版本高于2.4.8,OpenSSL版本高于1.0.2,那么再次編輯/etc/apache2/mods-available/ssl.conf文件:
nano /etc/apache2/mods-available/ssl.conf
添加這一行:
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"
然后重啟apache:
service apache2 restart
Nginx
編輯nginx配置文件/etc/nginx/nginx.conf
nano /etc/nginx/nginx.conf
添加或更換httpd { .... }這部分里面的下列設置:
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
然后重啟nginx:
service nginx restart
Postfix
運行下面這些命令,設置安全密碼組和DH組:
postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem"
然后重啟postfix:
service postfix restart
Dovecot
編輯dovecot配置文件/etc/dovecot/dovecot.conf
nano /etc/dovecot/dovecot.conf
然后緊跟ssl_protocols這一行添加這一行:
ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
至于其他參數,我們需要知道dovecot版本。在外殼上運行這個命令,以獲得dovecot版本方面的信息: dovecot --version
如果版本是2.2.6或更高,那么添加這額外的一行:
ssl_prefer_server_ciphers = yes
如果版本是2.2.7或更高,那么添加這第三行:
ssl_dh_parameters_length = 2048
最后重啟dovecot
service dovecot restart
Pure-ftpd
保護Debian和Ubuntu上的pure-ftpd的安全來得有點復雜,因為/usr/sbin/pure-ftpd-wrapper腳本并不直接參數-J參數選項,pure-ftpd使用該參數選項來設置SSL密碼組。第一步是在封裝器腳本中添加對-J選項的支持。打開文件:
nano /usr/sbin/pure-ftpd-wrapper
然后向下滾動,找到這一行:
'TLS' => ['-Y %d', \&parse_number_1],
現在緊跟'TLSCipherSuite' => ['-J %s', \&parse_string]后面添加這新的一行。
然后使用nano命令,創建文件/etc/pure-ftpd/conf/TLSCipherSuite;如果該文件已存在,則編輯它:
nano /etc/pure-ftpd/conf/TLSCipherSuite
然后輸入下列密碼列表:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
如果該文件已經存在,并且含有一些密碼,那么將密碼換成上述密碼。然后保存文件,重啟pure-ftpd:
service pure-ftpd-mysql restart
鏈接:
https://weakdh.org/
英文:How to protect your Debian or Ubuntu Server against the Logjam attack
