2025-04-10 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Today I would like to talk about penetration testing and remediation of ZooKeeper unauthorized access. Many people may not know much about it, so the editor has summarized the following to make it easier to understand. I hope you can get something out of this article.
Harm of ZooKeeper unauthorized access
Server information is leaked and the cluster can be destroyed.
First, four-letter commands (4lw) usable without authorization
Tools: netcat; the test can be run from Linux or Windows.
Run echo envi | nc 10.10.10.10 2181 on the command line to view server information.
Command reference: https://www.runoob.com/w3cnote/zookeeper-sc-4lw.html
Fix: if you do not want to disclose this information, edit zookeeper/conf/zoo.cfg (zookeeper being the installation directory) and comment out the lines related to 4lw.commands.whitelist. Four-letter commands are used to query status; ZooKeeper does not enable them by default, and only commands listed in the whitelist can be run.
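The following is an added example, not code from the article or from the ZooKeeper project: it audits the 4lw.commands.whitelist key in a zoo.cfg and applies the fix described above (commenting the whitelist out, or optionally reducing it to srvr,ruok so health checks still work). The function names and the sample config are my own constructions; the config key, the command names and the built-in default of only srvr being whitelisted are ZooKeeper's.

```python
"""Audit and harden the 4lw.commands.whitelist setting in a ZooKeeper zoo.cfg.

Added example (not from the article or from ZooKeeper): the parsing and
rewriting logic is ours; the config key, the command names and the default
whitelist ("srvr" only) are ZooKeeper's. The sample config is constructed.
"""
import re

WHITELIST_KEY = "4lw.commands.whitelist"
# ZooKeeper's built-in default (3.4.10 / 3.5.3 and later) when the key is absent.
DEFAULT_WHITELIST = {"srvr"}
# Commands that return environment, configuration, session or watch details,
# i.e. the "server information leak" the article describes.
DISCLOSING = {"envi", "conf", "dump", "wchc", "wchp", "cons", "stat"}
# Minimal set that keeps zkServer.sh status and typical health checks working.
MINIMAL_WHITELIST = "srvr,ruok"

# Constructed sample zoo.cfg with the weak setting (every command enabled).
SAMPLE_CFG = """\
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
4lw.commands.whitelist=*
"""


def effective_whitelist(cfg_text):
    """Return the set of four-letter commands the server will answer."""
    wl = None
    for line in cfg_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        key, sep, val = s.partition("=")
        if sep and key.strip() == WHITELIST_KEY:
            # Java Properties semantics: the last occurrence of a key wins.
            wl = {c.strip() for c in val.split(",") if c.strip()}
    return DEFAULT_WHITELIST if wl is None else wl


def audit(cfg_text):
    """Return (exposed_commands, finding) for a zoo.cfg text."""
    wl = effective_whitelist(cfg_text)
    if "*" in wl:
        return sorted(DISCLOSING), "whitelist is '*': every four-letter command is exposed"
    exposed = sorted(wl & DISCLOSING)
    if exposed:
        return exposed, "information-disclosing commands are whitelisted"
    return [], "no information-disclosing four-letter commands are enabled"


def harden(cfg_text, keep_minimal=False):
    """Comment out every whitelist line (the article's fix).

    With keep_minimal=True a whitelist of only srvr,ruok is appended instead,
    which leaves status and health probes working but no detail commands.
    """
    out = []
    pattern = re.compile(r"\s*" + re.escape(WHITELIST_KEY) + r"\s*=")
    for line in cfg_text.splitlines():
        if pattern.match(line):
            out.append("# disabled: exposed server internals without authentication")
            out.append("# " + line)
        else:
            out.append(line)
    if keep_minimal:
        out.append(f"{WHITELIST_KEY}={MINIMAL_WHITELIST}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CFG)[1])
    fixed = harden(SAMPLE_CFG)
    print("after: ", audit(fixed)[1])
    print(fixed)
```

Run it against a real zoo.cfg by reading the file into `audit()`; because the key may appear more than once, the helper honours the last occurrence the way Java Properties does, so a stray `4lw.commands.whitelist=*` at the bottom of the file is not missed.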
Second, unauthorized connection and node operation
Tools: install ZooKeeper under Linux, or run zktools with Java 8 under Windows.
https://blog.csdn.net/rongbaojian/article/details/82078368
Under Linux, run zookeeper/bin/zkCli.sh -server 10.10.10.10:2181 to connect. You can then use commands such as get /node watch or set /node 1 to operate on nodes. If that succeeds, it proves that the node allows unauthorized access.
Under Windows, as long as the zktools connection succeeds, it proves that all nodes allow unauthorized access. It is worth noting that if a node has permission control, zktools cannot connect at all and therefore cannot reach the other, unprotected nodes either; zkCli.sh under Linux, however, can still access those unprotected nodes.
Fix:
1. IP ACL authorization policy
You can use an operation such as setAcl -R /node ip:127.0.0.1:cdrwa,ip:10.10.11.11:cdrwa (-R means recursive, cdrwa is the permission set) to restrict access to a node to specific IP addresses.
2. Auth ACL authorization policy
This is the user mode: once the policy is set, visitors must log in with addauth digest user:passwd before they can operate on the node.
To set the policy, connect with zkCli.sh and run addauth digest user:passwd (the word digest is fixed) to register a user; several users can be registered this way. Then run setAcl /node auth::cdrwa (the word auth is fixed) and check with getAcl /node: you will see that the previously registered users have been granted the node's permissions. Run quit and reconnect, and you will find that the node can be operated on only after logging in with addauth.
3. Digest ACL authorization policy
It is easy to see that under policy 2 all users get the same permissions on a node and can only be configured uniformly. If you want different users to have different permissions on a node, use the digest ACL authorization policy. See https://blog.csdn.net/u014630623/article/details/103749103
4. Firewall policy
After a node has been restricted with the policies above, any user can still log in and use ls / to see node names, but cannot read the details or perform operations. If you want to stop any user from reaching port 2181 at all, configure a firewall.
After reading the above, do you have a better understanding of penetration testing and remediation of ZooKeeper unauthorized access? If you want to learn more, please follow the industry information channel. Thank you for your support.
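Policies 2 and 3 above both rely on the digest scheme. As an added example that is not part of the article or of ZooKeeper's own code, the block below builds per-user digest ACL entries so that different users get different permissions on a node, assembles the zkCli.sh setAcl line, and flags ACLs that still leave the node open to anonymous clients. The identity format user:BASE64(SHA1("user:password")) and the cdrwa letters are ZooKeeper's; the helper names, users and passwords are constructed for the example.

```python
"""Per-user ZooKeeper digest ACL entries (article fix policies 2 and 3).

Added example, not code from the article or from ZooKeeper. ZooKeeper's
DigestAuthenticationProvider identifies a user as user:BASE64(SHA1(user:password));
everything else here (function names, sample users) is constructed.
"""
import base64
import hashlib

# The five ZooKeeper permission letters (cdrwa) and what they grant.
PERM_LETTERS = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}


def digest_id(user, password):
    """ZooKeeper digest-scheme identity: user:BASE64(SHA1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def acl_entry(user, password, perms):
    """One digest ACL entry such as digest:alice:<hash>:rw, with validated letters."""
    bad = set(perms) - set(PERM_LETTERS)
    if bad or not perms:
        raise ValueError(f"invalid permission letters: {sorted(bad) or perms!r}")
    return f"digest:{digest_id(user, password)}:{perms}"


def set_acl_command(path, entries):
    """The zkCli.sh line that applies the given entries to a node."""
    return f"setAcl {path} {','.join(entries)}"


def check_acl(entries):
    """Return a list of weaknesses: anything the world scheme can read or modify."""
    issues = []
    for entry in entries:
        scheme, _, rest = entry.partition(":")
        perms = rest.rsplit(":", 1)[-1]
        if scheme != "world":
            continue
        if set(perms) & set("cdwa"):
            issues.append(f"{entry}: anonymous clients can modify the node")
        elif "r" in perms:
            issues.append(f"{entry}: anonymous clients can read the node")
    return issues


if __name__ == "__main__":
    # Constructed users: an operator with full rights and a reader with read only.
    entries = [
        acl_entry("ops", "op-pass-example", "cdrwa"),
        acl_entry("monitor", "ro-pass-example", "r"),
    ]
    print(set_acl_command("/app/config", entries))
    print("weaknesses:", check_acl(entries))
    # The weak default every fresh node starts with:
    print("weaknesses:", check_acl(["world:anyone:cdrwa"]))
```

After applying the printed setAcl line, each user logs in with addauth digest user:password and gets only the letters assigned to their own entry, which is the difference from policy 2 where a single auth::cdrwa entry grants the same rights to everyone who authenticated. Check the result with getAcl /app/config; an entry still reading world:anyone:cdrwa means the restriction has not taken effect.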