面对Logjam攻击 你该如何保护Debian或Ubuntu服务器?

译文
安全 网站安全
本教程介绍了保护你的Ubuntu或Debian Linux服务器,以应对最近发现的Logjam攻击所需要采取的几个步骤。Logjam是一种针对Diffie-Hellman密钥交换技术发起的攻击,而这项技术应用于诸多流行的加密协议,比如HTTPS、TLS、SMTPS、SSH及其他协议。

本教程介绍了保护你的Ubuntu或Debian Linux服务器,以应对最近发现的Logjam攻击所需要采取的几个步骤。Logjam是一种针对Diffie-Hellman密钥交换技术发起的攻击,而这项技术应用于诸多流行的加密协议,比如HTTPS、TLS、SMTPS、SSH及其他协议。

必须以根用户的身份在外壳上执行下列步骤。

生成独特的DH组

想确保服务器安全,第一个步骤是利用openssl命令,生成独特的DH组。我将在/etc/ssl/private/目录中创建文件。如果你的服务器上没有这个目录,那么用下列命令创建该文件:

mkdir -p /etc/ssl/private
chmod 710 /etc/ssl/private

现在,我要创建dhparams.pem文件,并设置安全权限:

cd /etc/ssl/private
openssl dhparam -out dhparams.pem 2048
chmod 600 dhparams.pem

Apache

首先,我要根据来自weakdh.org的建议,添加一个安全密码组。使用编辑工具打开文件/etc/apache2/mods-available/ssl.conf:

nano /etc/apache2/mods-available/ssl.conf

然后更改或添加这几行:

SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on

请注意:SSLCipherSuide只有一行长,所以不要添加换行符!

第二部分是在apache中设置DH组。SSLOpenSSLConfCmd配置选项只出现在apache 2.4.8或更新的版本上,它还需要openssl 1.0.2或更新的版本,于是我们首先要测试我们的apache和openssl版本是否支持它:

apache2 -v

我的Debian 7服务器上的输出结果如下:

root@server1:/etc/apache2# apache2 -v
Server version: Apache/2.2.22 (Debian)
Server built: Dec 23 2014 22:48:29

现在我要测试openssl:

openssl version

我系统上的输出结果如下:

root@server1:/# openssl version
OpenSSL 1.0.1e 11 Feb 2013

因而我可以在该服务器上设置DH组。第一个和第二个部分彼此独立,第一个部分是已经被禁用的可保护服务器的弱密码,它没有DH组也可以工作。如果你的apache版本高于2.4.8,OpenSSL版本高于1.0.2,那么再次编辑/etc/apache2/mods-available/ssl.conf文件:

nano /etc/apache2/mods-available/ssl.conf

添加这一行:

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams.pem"

然后重启apache:

service apache2 restart

Nginx

编辑nginx配置文件/etc/nginx/nginx.conf

nano /etc/nginx/nginx.conf

添加或更换httpd { .... }这部分里面的下列设置:

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/private/dhparams.pem;

然后重启nginx:

service nginx restart

Postfix

运行下面这些命令,设置安全密码组和DH组:

postconf -e "smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA"
postconf -e "smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem"

然后重启postfix:

service postfix restart

Dovecot

编辑dovecot配置文件/etc/dovecot/dovecot.conf

nano /etc/dovecot/dovecot.conf

然后紧跟ssl_protocols这一行添加这一行:

ssl_cipher_list=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

至于其他参数,我们需要知道dovecot版本。在外壳上运行这个命令,以获得dovecot版本方面的信息: dovecot --version

如果版本是2.2.6或更高,那么添加这额外的一行:

ssl_prefer_server_ciphers = yes

如果版本是2.2.7或更高,那么添加这第三行:

ssl_dh_parameters_length = 2048

最后重启dovecot

service dovecot restart

Pure-ftpd

保护Debian和Ubuntu上的pure-ftpd的安全来得有点复杂,因为/usr/sbin/pure-ftpd-wrapper脚本并不直接参数-J参数选项,pure-ftpd使用该参数选项来设置SSL密码组。第一步是在封装器脚本中添加对-J选项的支持。打开文件:

nano /usr/sbin/pure-ftpd-wrapper

然后向下滚动,找到这一行:

'TLS' => ['-Y %d', \&parse_number_1],

现在紧跟'TLSCipherSuite' => ['-J %s', \&parse_string]后面添加这新的一行。

然后使用nano命令,创建文件/etc/pure-ftpd/conf/TLSCipherSuite;如果该文件已存在,则编辑它:

nano /etc/pure-ftpd/conf/TLSCipherSuite

然后输入下列密码列表:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

如果该文件已经存在,并且含有一些密码,那么将密码换成上述密码。然后保存文件,重启pure-ftpd:

service pure-ftpd-mysql restart

链接:

https://weakdh.org/

英文:How to protect your Debian or Ubuntu Server against the Logjam attack

责任编辑:蓝雨泪 来源: 51CTO.com
相关推荐

2011-03-18 13:41:50

2020-12-02 09:28:00

DDoS攻击网络攻击网络安全

2009-10-14 10:16:45

2017-03-30 17:02:13

UbuntuDebianDHCP

2018-05-04 12:22:47

2018-03-15 08:25:53

2023-01-05 11:40:57

2017-08-03 10:36:08

UbuntuCertbotNGINX

2016-08-04 16:04:56

2011-11-21 16:32:19

2023-06-26 14:19:35

2012-01-18 11:25:36

服务器优化

2017-09-13 07:23:03

2015-09-01 10:33:53

2019-04-30 10:27:46

无服务器云计算安全

2009-03-04 06:30:00

DHCP服务器企业服务器

2013-11-08 17:10:10

2014-08-06 00:38:12

CentOS服务器操作系统

2011-07-13 10:12:44

2018-01-12 10:57:58

点赞
收藏

51CTO技术栈公众号