MySQL hacked on an AWS AMI: "pay to get your data back". How could this happen, and how do I avoid it next time?


This morning I noticed that some websites I host on an EC2 instance were not working. When I checked the MySQL database, it had been wiped! :( The only thing I found was a single record telling me I had been hacked and that I would have to pay if I wanted my data back :D ... Anyway.

How did they get into my database? What steps should I take now to secure my instance/database?


Open ports: [screenshot]


Here is my MySQL log; I would appreciate it if someone could take a look and tell me something about the following:

2017-03-18 15:27:19 14056 [Note] InnoDB: Shutdown completed; log sequence number 5692547
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'PERFORMANCE_SCHEMA'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'BLACKHOLE'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'CSV'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MEMORY'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MyISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MRG_MYISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'sha256_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_old_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_native_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'binlog'
2017-03-18 15:27:19 14056 [Note] /usr/libexec/mysql56/mysqld: Shutdown complete

2017-03-18 15:27:20 12178 [Note] Plugin 'FEDERATED' is disabled.
2017-03-18 15:27:20 12178 [Note] InnoDB: Using atomics to ref count buffer pool pages
2017-03-18 15:27:20 12178 [Note] InnoDB: The InnoDB memory heap is disabled
2017-03-18 15:27:20 12178 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2017-03-18 15:27:20 12178 [Note] InnoDB: Memory barrier is not used
2017-03-18 15:27:20 12178 [Note] InnoDB: Compressed tables use zlib 1.2.8
2017-03-18 15:27:20 12178 [Note] InnoDB: Using Linux native AIO
2017-03-18 15:27:20 12178 [Note] InnoDB: Using CPU crc32 instructions
2017-03-18 15:27:20 12178 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2017-03-18 15:27:20 12178 [Note] InnoDB: Completed initialization of buffer pool
2017-03-18 15:27:20 12178 [Note] InnoDB: Highest supported file format is Barracuda.
2017-03-18 15:27:20 12178 [Note] InnoDB: 128 rollback segment(s) are active.
2017-03-18 15:27:20 12178 [Note] InnoDB: Waiting for purge to start
2017-03-18 15:27:20 12178 [Note] InnoDB: 5.6.35 started; log sequence number 5692547
2017-03-18 15:27:20 12178 [Note] RSA private key file not found: /var/lib/mysql//private_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] RSA public key file not found: /var/lib/mysql//public_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] Server hostname (bind-address): '*'; port: 3306
2017-03-18 15:27:20 12178 [Note] IPv6 is available.
2017-03-18 15:27:20 12178 [Note]  - '::' resolves to '::';
2017-03-18 15:27:20 12178 [Note] Server socket created on IP: '::'.
2017-03-18 15:27:20 12178 [Note] Event Scheduler: Loaded 0 events
2017-03-18 15:27:20 12178 [Note] /usr/libexec/mysql56/mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)
2017-03-18 16:06:17 12178 [Warning] IP address '27.18.88.215' could not be resolved: Name or service not known
2017-03-18 18:29:03 12178 [Warning] Hostname 'thinkdream.com' does not resolve to '14.192.9.41'.
2017-03-18 18:29:03 12178 [Note] Hostname 'thinkdream.com' has the following IP addresses:
2017-03-18 18:29:03 12178 [Note]  - 103.206.122.114
2017-03-18 18:38:36 12178 [Warning] IP address '117.44.26.66' could not be resolved: Name or service not known
2017-03-18 19:37:22 12178 [Warning] IP address '49.4.143.152' could not be resolved: Name or service not known
2017-03-18 21:24:57 12178 [Warning] IP address '49.4.135.14' could not be resolved: Name or service not known
2017-03-18 22:03:15 12178 [Warning] IP address '171.221.233.50' could not be resolved: Name or service not known
2017-03-18 22:36:58 12178 [Warning] IP address '182.18.72.116' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:51:04 12178 [Warning] IP address '49.4.142.104' could not be resolved: Name or service not known
2017-03-19 00:18:55 12178 [Warning] IP address '222.187.224.190' could not be resolved: Name or service not known
2017-03-19 00:22:02 12178 [Warning] IP address '49.4.135.189' could not be resolved: Name or service not known
2017-03-19 01:26:56 12178 [Warning] IP address '182.18.72.82' could not be resolved: Name or service not known
2017-03-19 01:49:36 12178 [Warning] IP address '118.193.165.12' could not be resolved: Name or service not known
2017-03-19 01:52:47 12178 [Warning] IP address '107.179.126.47' could not be resolved: Name or service not known
2017-03-19 01:55:14 12178 [Warning] IP address '49.4.142.189' could not be resolved: Name or service not known
2017-03-19 04:27:45 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:27:54 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:06 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:26 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:38 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:56 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:33 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:13 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:44 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:31:17 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:22 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:58 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:59 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 05:23:02 12178 [Warning] IP address '113.108.21.16' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 08:59:45 12178 [Warning] IP address '49.4.142.178' could not be resolved: Name or service not known
2017-03-19 12:28:36 12178 [Warning] IP address '107.179.45.19' could not be resolved: Name or service not known
2017-03-19 15:47:23 12178 [Warning] IP address '103.37.45.166' could not be resolved: Name or service not known
2017-03-19 16:33:18 12178 [Warning] IP address '61.160.194.88' could not be resolved: Name or service not known
2017-03-19 18:09:59 12178 [Warning] IP address '139.196.18.68' could not be resolved: Name or service not known
2017-03-19 18:10:44 12178 [Warning] IP address '117.41.229.53' could not be resolved: Name or service not known
2017-03-19 21:00:33 12178 [Warning] IP address '182.18.72.81' could not be resolved: Name or service not known
2017-03-19 21:31:10 12178 [Warning] IP address '123.249.45.172' could not be resolved: Name or service not known
2017-03-19 21:40:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 21:52:52 12178 [Warning] Host name 'hostby.chnet.se' could not be resolved: Name or service not known
2017-03-20 00:33:24 12178 [Warning] IP address '122.114.224.10' could not be resolved: Temporary failure in name resolution
2017-03-20 00:41:00 12178 [Warning] IP address '106.111.128.184' could not be resolved: Name or service not known
2017-03-20 02:44:32 12178 [Warning] IP address '49.4.142.177' could not be resolved: Name or service not known

Answer 1

Your security group rules show that you have 3306 open to everyone, which is dangerous.

  1. Do not allow traffic from any source to reach 3306.
  2. Restrict 3306 to known IPs; a better option is to restrict access to it via a VPN.
  3. Add a log-monitoring tool that notifies you when there is any malicious traffic.
  4. If your setup is small, use Monit to monitor the logs.
  5. A strict user policy in MySQL.

There are many other things you can do to secure MySQL, but these are the best ones to start with.
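The first two points above are a security-group problem. As an added example (not code from either answer), here is a small Python audit that reads security groups in the shape returned by `aws ec2 describe-security-groups`, flags admin/database ports reachable from 0.0.0.0/0 or ::/0, and emits the aws-cli revoke commands that remove only the world-open sources while keeping narrower rules. The group data is constructed; the group id, CIDRs and port list are illustrative assumptions.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (illustrative values, not the poster's real group).
SAMPLE_GROUPS = [{
    "GroupId": "sg-0123abcd",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    ],
}]

# Admin/database ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql"}


def find_world_exposed(groups):
    """One finding per (group, sensitive port) whose rule admits 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # "-1" is the all-traffic rule; otherwise honour the rule's own port range.
            lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            # A prefix length of 0 means "anyone" in either address family.
            world = [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]
            for port, name in SENSITIVE_PORTS.items():
                if world and lo <= port <= hi:
                    findings.append({"group": g["GroupId"], "port": port,
                                     "service": name, "sources": world})
    return findings


def revoke_commands(findings):
    """aws-cli commands removing only the world-open sources; /32-style rules stay."""
    cmds = []
    for f in findings:
        for cidr in f["sources"]:
            rng = ("IpRanges=[{CidrIp=%s}]" if ipaddress.ip_network(cidr).version == 4
                   else "Ipv6Ranges=[{CidrIpv6=%s}]") % cidr
            cmds.append(f"aws ec2 revoke-security-group-ingress --group-id {f['group']} "
                        f"--ip-permissions IpProtocol=tcp,FromPort={f['port']},ToPort={f['port']},{rng}")
    return cmds
```

Review the printed commands before running them; after revoking, add back only the rule for your own IP or VPN range, as the answer suggests.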

Answer 2

To prevent this from happening again, the first thing you should do is replace every MySQL instance you have.

While I would advise you not to consider paying for the data, if you must, keep one instance so you can get that data back, then dump it as soon as possible, check and re-check the dump, and import it into a clean installation.

If you cannot recover the data, burn everything down and start over.

@xs2rashid's advice is definitely good. Certainly consider not allowing any access you do not need; for example, whitelist everything rather than using a blacklist.

I would also advise you to make sure you run mysql_secure_installation on the node and use a password manager (e.g. KeePass) to generate strong passwords. Better still might be to use a CA/PKI, which makes it easy to generate the certificates you need.

You may also want to use fail2ban to help block anything suspicious (How to set up MySQL monitoring with Fail2ban?), in case the network protection has a mistake in it.

You are also exposing SSH to the world, which means you almost certainly want to make sure you use public-key authentication, disallow root login, and restrict access/logins to SSH as far as possible (e.g. restrict network access, and restrict which users/groups are allowed to log in).

I would lean towards reading through the appropriate CIS Benchmark for your distribution and considering applying at least some of its recommendations.
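Answer 1 recommends log monitoring and this answer recommends fail2ban for MySQL. As an added example that is not from either answer, the following Python shows the core of that detection: it parses the access-denied warning MySQL 5.6 writes to its error log and applies fail2ban-style maxretry/findtime counting per source host, ignoring the unresolved-DNS warnings that fill the log in the question (those record connections, not failed logins). It assumes log_warnings is set to 2 so failed logins reach the error log; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The access-denied warning MySQL 5.6 writes to its error log when
# log_warnings >= 2; it is the same event fail2ban's mysqld-auth filter keys on.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)' "
    r"\(using password: (?:YES|NO)\)\s*$"
)

# Constructed sample error-log lines in that format (not the poster's log).
SAMPLE_LOG = """\
2017-03-20 03:00:01 12178 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2017-03-20 03:00:02 12178 [Warning] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2017-03-20 03:00:04 12178 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: NO)
2017-03-20 03:00:30 12178 [Warning] IP address '203.0.113.5' could not be resolved: Name or service not known
2017-03-20 03:05:00 12178 [Warning] Access denied for user 'app'@'198.51.100.7' (using password: YES)
2017-03-20 03:20:00 12178 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""


def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts that reach `maxretry` failed logins inside any `findtime` window,
    mirroring fail2ban's maxretry/findtime semantics. Returns {host: trigger time}."""
    windows = defaultdict(deque)   # host -> timestamps of recent failures
    triggered = {}
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue   # unresolved-DNS warnings etc. are connections, not auth failures
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host = m.group("host")
        if host in triggered:
            continue   # already actioned; a real jail would have banned it by now
        q = windows[host]
        q.append(ts)
        while ts - q[0] > findtime:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= maxretry:
            triggered[host] = ts
    return triggered


if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG).items():
        print(f"{when}: {host} exceeded the retry limit; ban candidate")
```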
