web-dev-qa-db-ja.com

MySQL hacked on an AWS AMI: "pay to get your data back". How is this possible, and how do I avoid it next time?

This morning I noticed that parts of the website I host on an EC2 instance were not working. When I checked the MySQL database, it had been wiped. :( The only thing I found was a record telling me I had been hacked and that I should pay if I want my data back :D ... anyway.

How could they have gotten into my DB? What steps should I take now to secure the instance/DB?


Open ports: (screenshot of the security group rules in the original post, not reproduced here)


Here is my MySQL log. I would really appreciate it if someone could take a look and tell me something about it:

2017-03-18 15:27:19 14056 [Note] InnoDB: Shutdown completed; log sequence number 5692547
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'PERFORMANCE_SCHEMA'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'BLACKHOLE'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'CSV'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MEMORY'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MyISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MRG_MYISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'sha256_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_old_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_native_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'binlog'
2017-03-18 15:27:19 14056 [Note] /usr/libexec/mysql56/mysqld: Shutdown complete

2017-03-18 15:27:20 12178 [Note] Plugin 'FEDERATED' is disabled.
2017-03-18 15:27:20 12178 [Note] InnoDB: Using atomics to ref count buffer pool pages
2017-03-18 15:27:20 12178 [Note] InnoDB: The InnoDB memory heap is disabled
2017-03-18 15:27:20 12178 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2017-03-18 15:27:20 12178 [Note] InnoDB: Memory barrier is not used
2017-03-18 15:27:20 12178 [Note] InnoDB: Compressed tables use zlib 1.2.8
2017-03-18 15:27:20 12178 [Note] InnoDB: Using Linux native AIO
2017-03-18 15:27:20 12178 [Note] InnoDB: Using CPU crc32 instructions
2017-03-18 15:27:20 12178 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2017-03-18 15:27:20 12178 [Note] InnoDB: Completed initialization of buffer pool
2017-03-18 15:27:20 12178 [Note] InnoDB: Highest supported file format is Barracuda.
2017-03-18 15:27:20 12178 [Note] InnoDB: 128 rollback segment(s) are active.
2017-03-18 15:27:20 12178 [Note] InnoDB: Waiting for purge to start
2017-03-18 15:27:20 12178 [Note] InnoDB: 5.6.35 started; log sequence number 5692547
2017-03-18 15:27:20 12178 [Note] RSA private key file not found: /var/lib/mysql//private_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] RSA public key file not found: /var/lib/mysql//public_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] Server hostname (bind-address): '*'; port: 3306
2017-03-18 15:27:20 12178 [Note] IPv6 is available.
2017-03-18 15:27:20 12178 [Note]  - '::' resolves to '::';
2017-03-18 15:27:20 12178 [Note] Server socket created on IP: '::'.
2017-03-18 15:27:20 12178 [Note] Event Scheduler: Loaded 0 events
2017-03-18 15:27:20 12178 [Note] /usr/libexec/mysql56/mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)
2017-03-18 16:06:17 12178 [Warning] IP address '27.18.88.215' could not be resolved: Name or service not known
2017-03-18 18:29:03 12178 [Warning] Hostname 'thinkdream.com' does not resolve to '14.192.9.41'.
2017-03-18 18:29:03 12178 [Note] Hostname 'thinkdream.com' has the following IP addresses:
2017-03-18 18:29:03 12178 [Note]  - 103.206.122.114
2017-03-18 18:38:36 12178 [Warning] IP address '117.44.26.66' could not be resolved: Name or service not known
2017-03-18 19:37:22 12178 [Warning] IP address '49.4.143.152' could not be resolved: Name or service not known
2017-03-18 21:24:57 12178 [Warning] IP address '49.4.135.14' could not be resolved: Name or service not known
2017-03-18 22:03:15 12178 [Warning] IP address '171.221.233.50' could not be resolved: Name or service not known
2017-03-18 22:36:58 12178 [Warning] IP address '182.18.72.116' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:51:04 12178 [Warning] IP address '49.4.142.104' could not be resolved: Name or service not known
2017-03-19 00:18:55 12178 [Warning] IP address '222.187.224.190' could not be resolved: Name or service not known
2017-03-19 00:22:02 12178 [Warning] IP address '49.4.135.189' could not be resolved: Name or service not known
2017-03-19 01:26:56 12178 [Warning] IP address '182.18.72.82' could not be resolved: Name or service not known
2017-03-19 01:49:36 12178 [Warning] IP address '118.193.165.12' could not be resolved: Name or service not known
2017-03-19 01:52:47 12178 [Warning] IP address '107.179.126.47' could not be resolved: Name or service not known
2017-03-19 01:55:14 12178 [Warning] IP address '49.4.142.189' could not be resolved: Name or service not known
2017-03-19 04:27:45 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:27:54 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:06 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:26 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:38 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:56 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:33 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:13 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:44 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:31:17 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:22 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:58 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:59 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 05:23:02 12178 [Warning] IP address '113.108.21.16' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 08:59:45 12178 [Warning] IP address '49.4.142.178' could not be resolved: Name or service not known
2017-03-19 12:28:36 12178 [Warning] IP address '107.179.45.19' could not be resolved: Name or service not known
2017-03-19 15:47:23 12178 [Warning] IP address '103.37.45.166' could not be resolved: Name or service not known
2017-03-19 16:33:18 12178 [Warning] IP address '61.160.194.88' could not be resolved: Name or service not known
2017-03-19 18:09:59 12178 [Warning] IP address '139.196.18.68' could not be resolved: Name or service not known
2017-03-19 18:10:44 12178 [Warning] IP address '117.41.229.53' could not be resolved: Name or service not known
2017-03-19 21:00:33 12178 [Warning] IP address '182.18.72.81' could not be resolved: Name or service not known
2017-03-19 21:31:10 12178 [Warning] IP address '123.249.45.172' could not be resolved: Name or service not known
2017-03-19 21:40:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 21:52:52 12178 [Warning] Host name 'hostby.chnet.se' could not be resolved: Name or service not known
2017-03-20 00:33:24 12178 [Warning] IP address '122.114.224.10' could not be resolved: Temporary failure in name resolution
2017-03-20 00:41:00 12178 [Warning] IP address '106.111.128.184' could not be resolved: Name or service not known
2017-03-20 02:44:32 12178 [Warning] IP address '49.4.142.177' could not be resolved: Name or service not known
1
Edmond Tamas

Your security group rules show that you have 3306 open to everyone, which is dangerous.

  1. Do not allow traffic to 3306 from anywhere.
  2. Restrict 3306 access to known IPs. A better option is to restrict access via a VPN.
  3. Add a log monitoring tool that notifies you when malicious traffic occurs.
  4. If your setup is small, use Monit to monitor the logs.
  5. A strict user policy in MySQL.

There are many other things you can use to secure MySQL, but these are good ones to start with.

4
xs2rashid
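The first two points in the answer above (close 3306 to the world, allow only known IPs) can be checked mechanically. The following script is an added example, not code from the thread or from AWS: it reads the JSON shape returned by `aws ec2 describe-security-groups --output json`, reports every database port whose ingress rule is open to `0.0.0.0/0` or `::/0`, and prints the AWS CLI commands that would replace the rule with one limited to a single allowed CIDR. The security group ids, the sample rules and the office address `203.0.113.10/32` are constructed for the example.

```python
"""Audit EC2 security groups for database ports that are open to the whole internet.

Added example, not code from the thread. Input is the JSON shape returned by
`aws ec2 describe-security-groups --output json`; the group ids below are constructed.
"""
import json

# Ports for common database engines and the label reported for each.
DB_PORTS = {3306: "mysql", 5432: "postgresql", 1433: "mssql", 27017: "mongodb"}
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"

# Constructed sample: one group with 3306 open to everyone (the situation in the
# question) and one that only admits the web tier's subnet and security group.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "web-and-db",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0fedcba9876543210",
            "GroupName": "db-private",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
            ],
        },
    ]
})


def rule_covers_port(perm, port):
    """True if an ingress permission admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # "all traffic" rule: every port, every protocol
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_ranges(perm):
    """Return the unrestricted CIDRs (IPv4 and/or IPv6) present in a permission."""
    found = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == WORLD_V4]
    found += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == WORLD_V6]
    return found


def find_exposed_db_ports(describe_json):
    """Return (group_id, port, engine, cidr) for every DB port reachable from anywhere."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = world_ranges(perm)
            if not cidrs:
                continue
            for port, engine in DB_PORTS.items():
                if rule_covers_port(perm, port):
                    findings.extend((sg["GroupId"], port, engine, c) for c in cidrs)
    return findings


def remediation_commands(finding, allowed_cidr):
    """AWS CLI commands that drop the open rule and, for IPv4, re-add it for `allowed_cidr`."""
    group_id, port, _, cidr = finding
    if cidr == WORLD_V4:
        revoke = (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
                  f"--protocol tcp --port {port} --cidr {cidr}")
        allow = (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
                 f"--protocol tcp --port {port} --cidr {allowed_cidr}")
        return [revoke, allow]
    # --cidr is IPv4 only; IPv6 ranges are revoked through the --ip-permissions shorthand.
    revoke = (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
              f"--ip-permissions IpProtocol=tcp,FromPort={port},ToPort={port},"
              f"Ipv6Ranges='[{{CidrIpv6={cidr}}}]'")
    return [revoke]


if __name__ == "__main__":
    for f in find_exposed_db_ports(SAMPLE_DESCRIBE_OUTPUT):
        print("EXPOSED:", f)
        for cmd in remediation_commands(f, "203.0.113.10/32"):  # constructed office IP
            print("   ", cmd)
```

Run it against real output by piping `aws ec2 describe-security-groups --output json` into `find_exposed_db_ports`. Note that a rule referencing another security group (`UserIdGroupPairs`, as in the `db-private` group) is the VPC-native way to express "only the web tier may talk to 3306" and is never reported, while an `IpProtocol` of `-1` ("all traffic") open to the world is reported for every database port because it covers all of them.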

The first thing you should do to prevent this from happening again is to replace all of your MySQL instances.

I would recommend not considering paying for the data, but if you must, keep one instance from which you can get that data back, dump it as soon as possible, check and double-check the dump, and then import it into a clean install.

If you can afford to lose the data, burn everything to the ground and start over from scratch.

@xs2rashid's suggestions are definitely good ones. Certainly consider not allowing *any* access you do not need; that is, whitelist everything rather than using a blacklist.

I would also stress making sure you run mysql_secure_installation on the node, and using a password manager (such as KeePass) to generate strong passwords. It may be better to use a CA/PKI such as cfssl, which makes it easy to generate the certificates you need.

To guard against mistakes in your network protection, you can also use fail2ban to block anything suspicious (see: How do I set up monitoring of MySQL with Fail2ban?).

You also expose SSH to the world, which means you should almost certainly use public-key authentication, forbid root login, and restrict access to and login via SSH as much as possible (restrict network access, restrict which users/groups can log in, etc.).

I am inclined to think you would benefit from reading the appropriate CIS benchmark for your distribution, and from considering applying at least some of its recommendations.

3
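Both the "add a log monitoring tool" point in the first answer and the fail2ban suggestion above come down to pulling client addresses out of the error log and deciding which ones are unexpected. The script below is an added example, not code from the thread: it parses the two warning shapes that appear in the posted log (a client IP that could not be reverse-resolved, and a hostname whose forward lookup does not match the connecting IP), lists sources outside an allow-list, and flags an address that connects repeatedly within a short window, which is the pattern `123.249.27.92` shows in the question's log. The sample lines are constructed in the posted format; the three public addresses are taken from the question, while `10.0.1.25` and `db-client.example` are made up.

```python
"""Flag suspicious remote sources in a MySQL 5.6 error log.

Added example, not from the thread. It parses the two warning shapes seen in the
question's log (unresolvable client IPs and reverse-DNS mismatches), lists sources
outside an allow-list, and detects bursts of repeated attempts from one address.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the same format as the posted log. The three public
# addresses come from the question; 10.0.1.25 and db-client.example are made up.
SAMPLE_LOG = """\
2017-03-18 15:27:20 12178 [Note] Server hostname (bind-address): '*'; port: 3306
2017-03-18 16:06:17 12178 [Warning] IP address '27.18.88.215' could not be resolved: Name or service not known
2017-03-18 18:29:03 12178 [Warning] Hostname 'db-client.example' does not resolve to '14.192.9.41'.
2017-03-19 04:27:45 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:27:54 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:06 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:26 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 05:23:02 12178 [Warning] IP address '10.0.1.25' could not be resolved: Name or service not known
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+ \[(?P<level>\w+)\] (?P<msg>.*)$")
# Each warning names the client address that just connected; the same patterns
# (with <HOST> in place of the named group) are what a fail2ban failregex would use.
UNRESOLVED_RE = re.compile(r"IP address '(?P<host>[^']+)' could not be resolved")
MISMATCH_RE = re.compile(r"Hostname '[^']+' does not resolve to '(?P<host>[^']+)'")


def parse_client_events(log_text):
    """Return (timestamp, client_ip) for each connection the server warned about."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "Warning":
            continue
        for pattern in (UNRESOLVED_RE, MISMATCH_RE):
            hit = pattern.search(m.group("msg"))
            if hit:
                ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
                events.append((ts, hit.group("host")))
                break
    return events


def unexpected_sources(events, allowed_cidrs):
    """Client addresses that fall outside every allowed network, sorted numerically."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    bad = set()
    for _, ip in events:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            bad.add(ip)
    return sorted(bad, key=ipaddress.ip_address)


def burst_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Addresses with at least `threshold` connections inside any `window`."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        # sliding window: compare each event with the one `threshold - 1` places later
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged, key=ipaddress.ip_address)


if __name__ == "__main__":
    evts = parse_client_events(SAMPLE_LOG)
    print("outside allow-list:", unexpected_sources(evts, ["10.0.0.0/8"]))
    print("bursts:", burst_sources(evts))
```

Two caveats when using this on a real server. These warnings only prove that a client completed a TCP connection and that the server attempted a reverse lookup; they say nothing about whether authentication succeeded, so a complete picture needs failed-login records (in MySQL 5.6 the error log only records "Access denied" events when `log_warnings` is set above 1) or the audit plugin. And once `skip-name-resolve` is enabled, which is common advice for performance, these particular warnings stop appearing altogether, so the detection has to move to the authentication failures instead.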