O MySQL invadiu o AWS AMI: 'Pague para recuperar dados' - como isso poderia ser possível e como evitá-lo da próxima vez?

Navegue suas respostas
1

Hoje de manhã notei que alguns dos sites que hospedo em uma instância do EC2 não estão funcionando. Quando eu verifiquei o banco de dados MySql, foi eliminado! :( A única coisa que eu encontrei foi apenas um registro me dizendo que eu tinha sido hackeado e que pagaria se eu quisesse meus dados de volta: D ... de qualquer maneira.

Como eles conseguiram entrar no meu banco de dados? Quais etapas devo fazer agora para proteger minha instância / banco de dados?


portas abertas:


Este é o meu log do MySql, eu realmente aprecio se alguém puder dar uma olhada e me falar um pouco sobre: 

2017-03-18 15:27:19 14056 [Note] InnoDB: Shutdown completed; log sequence number 5692547
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'PERFORMANCE_SCHEMA'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'BLACKHOLE'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'CSV'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MEMORY'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MyISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'MRG_MYISAM'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'sha256_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_old_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'mysql_native_password'
2017-03-18 15:27:19 14056 [Note] Shutting down plugin 'binlog'
2017-03-18 15:27:19 14056 [Note] /usr/libexec/mysql56/mysqld: Shutdown complete

2017-03-18 15:27:20 12178 [Note] Plugin 'FEDERATED' is disabled.
2017-03-18 15:27:20 12178 [Note] InnoDB: Using atomics to ref count buffer pool pages
2017-03-18 15:27:20 12178 [Note] InnoDB: The InnoDB memory heap is disabled
2017-03-18 15:27:20 12178 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2017-03-18 15:27:20 12178 [Note] InnoDB: Memory barrier is not used
2017-03-18 15:27:20 12178 [Note] InnoDB: Compressed tables use zlib 1.2.8
2017-03-18 15:27:20 12178 [Note] InnoDB: Using Linux native AIO
2017-03-18 15:27:20 12178 [Note] InnoDB: Using CPU crc32 instructions
2017-03-18 15:27:20 12178 [Note] InnoDB: Initializing buffer pool, size = 128.0M
2017-03-18 15:27:20 12178 [Note] InnoDB: Completed initialization of buffer pool
2017-03-18 15:27:20 12178 [Note] InnoDB: Highest supported file format is Barracuda.
2017-03-18 15:27:20 12178 [Note] InnoDB: 128 rollback segment(s) are active.
2017-03-18 15:27:20 12178 [Note] InnoDB: Waiting for purge to start
2017-03-18 15:27:20 12178 [Note] InnoDB: 5.6.35 started; log sequence number 5692547
2017-03-18 15:27:20 12178 [Note] RSA private key file not found: /var/lib/mysql//private_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] RSA public key file not found: /var/lib/mysql//public_key.pem. Some authentication plugins will not work.
2017-03-18 15:27:20 12178 [Note] Server hostname (bind-address): '*'; port: 3306
2017-03-18 15:27:20 12178 [Note] IPv6 is available.
2017-03-18 15:27:20 12178 [Note]  - '::' resolves to '::';
2017-03-18 15:27:20 12178 [Note] Server socket created on IP: '::'.
2017-03-18 15:27:20 12178 [Note] Event Scheduler: Loaded 0 events
2017-03-18 15:27:20 12178 [Note] /usr/libexec/mysql56/mysqld: ready for connections.
Version: '5.6.35'  socket: '/var/lib/mysql/mysql.sock'  port: 3306  MySQL Community Server (GPL)
2017-03-18 16:06:17 12178 [Warning] IP address '27.18.88.215' could not be resolved: Name or service not known
2017-03-18 18:29:03 12178 [Warning] Hostname 'thinkdream.com' does not resolve to '14.192.9.41'.
2017-03-18 18:29:03 12178 [Note] Hostname 'thinkdream.com' has the following IP addresses:
2017-03-18 18:29:03 12178 [Note]  - 103.206.122.114
2017-03-18 18:38:36 12178 [Warning] IP address '117.44.26.66' could not be resolved: Name or service not known
2017-03-18 19:37:22 12178 [Warning] IP address '49.4.143.152' could not be resolved: Name or service not known
2017-03-18 21:24:57 12178 [Warning] IP address '49.4.135.14' could not be resolved: Name or service not known
2017-03-18 22:03:15 12178 [Warning] IP address '171.221.233.50' could not be resolved: Name or service not known
2017-03-18 22:36:58 12178 [Warning] IP address '182.18.72.116' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:05:57 12178 [Warning] IP address '146.0.72.199' could not be resolved: Name or service not known
2017-03-18 23:51:04 12178 [Warning] IP address '49.4.142.104' could not be resolved: Name or service not known
2017-03-19 00:18:55 12178 [Warning] IP address '222.187.224.190' could not be resolved: Name or service not known
2017-03-19 00:22:02 12178 [Warning] IP address '49.4.135.189' could not be resolved: Name or service not known
2017-03-19 01:26:56 12178 [Warning] IP address '182.18.72.82' could not be resolved: Name or service not known
2017-03-19 01:49:36 12178 [Warning] IP address '118.193.165.12' could not be resolved: Name or service not known
2017-03-19 01:52:47 12178 [Warning] IP address '107.179.126.47' could not be resolved: Name or service not known
2017-03-19 01:55:14 12178 [Warning] IP address '49.4.142.189' could not be resolved: Name or service not known
2017-03-19 04:27:45 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:27:54 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:06 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:26 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:38 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:28:56 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:15 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:29:33 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:13 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:30:44 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:31:17 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:22 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:58 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 04:32:59 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 05:23:02 12178 [Warning] IP address '113.108.21.16' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 07:18:40 12178 [Warning] IP address '61.177.139.252' could not be resolved: Name or service not known
2017-03-19 08:59:45 12178 [Warning] IP address '49.4.142.178' could not be resolved: Name or service not known
2017-03-19 12:28:36 12178 [Warning] IP address '107.179.45.19' could not be resolved: Name or service not known
2017-03-19 15:47:23 12178 [Warning] IP address '103.37.45.166' could not be resolved: Name or service not known
2017-03-19 16:33:18 12178 [Warning] IP address '61.160.194.88' could not be resolved: Name or service not known
2017-03-19 18:09:59 12178 [Warning] IP address '139.196.18.68' could not be resolved: Name or service not known
2017-03-19 18:10:44 12178 [Warning] IP address '117.41.229.53' could not be resolved: Name or service not known
2017-03-19 21:00:33 12178 [Warning] IP address '182.18.72.81' could not be resolved: Name or service not known
2017-03-19 21:31:10 12178 [Warning] IP address '123.249.45.172' could not be resolved: Name or service not known
2017-03-19 21:40:05 12178 [Warning] IP address '123.249.27.92' could not be resolved: Temporary failure in name resolution
2017-03-19 21:52:52 12178 [Warning] Host name 'hostby.chnet.se' could not be resolved: Name or service not known
2017-03-20 00:33:24 12178 [Warning] IP address '122.114.224.10' could not be resolved: Temporary failure in name resolution
2017-03-20 00:41:00 12178 [Warning] IP address '106.111.128.184' could not be resolved: Name or service not known
2017-03-20 02:44:32 12178 [Warning] IP address '49.4.142.177' could not be resolved: Name or service not known
    
por Edmond Tamas 20.03.2017 / 09:58

2 respostas

4

As regras do grupo de segurança mostram que você abriu o 3306 para todos e é perigoso.

  1. Não permita tráfego para 3306 de qualquer lugar.
  2. Restringir o acesso do 3306 aos ip, s conhecidos e a melhor opção é restringir o acesso através de VPN.
  3. Adicione ferramentas de monitoramento de registros para informá-lo em caso de qualquer tráfego malicioso.
  4. Se você tiver uma configuração pequena, use o Monit para monitorar os registros.
  5. Políticas estritas de usuários no MySQL.

Existem várias outras coisas que podem ser usadas para proteger o MySQL. Mas é bom começar com isso.

    
por 20.03.2017 / 10:17
3

A primeira coisa que você deve fazer para evitar que isso aconteça novamente está substituindo todas as instâncias do MySQL que você tem.

Embora eu recomende que você não considere pagar pelos seus dados, se precisar, mantenha uma instância em volta que permita recuperar esses dados, depois faça o download o mais rápido possível, verifique e verifique novamente o despejo e importe-o uma instalação limpa.

Se você não puder recuperar seus dados, queime tudo no chão e comece de novo.

@ as sugestões do xs2rashid são definitivamente boas. Certamente considere não permitir qualquer acesso que você não precise - por exemplo, colocar tudo na lista de permissões, em vez de usar uma lista negra.

Eu também sugiro que você faça questão de garantir que execute mysql_secure_installation em seus nós, e use um gerenciador de senhas (por exemplo, KeePass) para gerar senhas strongs. Melhor ainda é usar um CA / PKI - o cfssl facilita a geração dos certificados necessários para isso.

Você pode querer usar o fail2ban para ajudar a bloquear qualquer coisa suspeita também ( Como faço para configurar o monitoramento do MySQL com o Fail2ban? ), como uma proteção contra erros em suas proteções de rede.

Você também expõe o SSH ao mundo, o que significa que você certamente quer garantir que está usando a autenticação de chave pública, não permitindo logins de raiz e restringindo o acesso / login ao SSH tanto quanto possível (por exemplo, limitar o acesso à rede e limitar quais usuários / grupos podem fazer login).

Eu tenderia a pensar que você poderia ganhar lendo os benchmarks de CIS apropriados para sua distro, e considere aplicar pelo menos alguns das suas recomendações.

    
por 20.03.2017 / 10:53

Tags

Migração do Servidor Microsoft AD - Dois Servidores Fechando Um (Evitando a Demoção do Servidor) Desempenhos terríveis usando um Banco de Dados SQL do Azure remoto