本次ZAP弱掃出現二個Medium

其實上次就有 不過這次要求連Medium都要處理

看來二個都是CSP的問題

之前改過一次版面會亂

這次再處理看看吧

要修改 /etc/apache2/apache2.conf 

加上以這這段

<IfModule mod_headers.c>

        Header set Content-Security-Policy "\

        default-src 'self';\

        img-src 'self' http://10.0.0.1 http://www.fcounter.net http://s11.flagcounter.com data:;\

        frame-src 'self' https://abc.com.tw https://www.youtube.com;\

        style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com;\

        script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com https://cdn.datatables.net 'unsafe-eval' 'unsafe-inline';\

        font-src 'self' https://cdnjs.cloudflare.com;\

        "

</IfModule>

內容需要依照自己的需求去修正

一個網頁一個網頁去看格式有沒亂掉 版面有沒正常

可以打開 browser 的開發人員工具

會顯示那些被CSP阻擋了

然後再補上去

需要補什麼問 https://www.perplexity.ai/ 比較快

把主控台上的訊息直接問就可以了

不難 但真的很花時間

今天登入n8n看到通知

想說之前升級都沒問題就沒先snapshot

結果升完後出現白畫面

只好倒回備分

再下一版看看吧

之後要升一定要先snapshot

又到了弱掃的時間

昨天看報告

有二個問題

Vulnerability Detection Result

The remote SSH server supports the following weak KEX algorithm(s):

KEX algorithm | Reason

------------------------------------------------

diffie-hellman-group-exchange-sha1 | Using SHA-1

Vulnerability Detection Result

The remote SSH server supports the following weak client-to-server encryption algorithm(s):

aes128-cbc

aes256-cbc

The remote SSH server supports the following weak server-to-client encryption algorithm(s):

aes128-cbc

aes256-cbc

想說改一下 /etc/ssh/sshd_config就可以了

Ciphers aes128-ctr,aes192-ctr,aes256-ctr

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512

沒想到重掃還是一樣

因為每次掃都要花很多時間

所以使用 nmap 特別針對ssh server來掃

nmap --script ssh2-enum-algos -sV -p 22   10.0.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:47 CST

Nmap scan report for 10.0.0.1

Host is up (0.00079s latency).

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)

| ssh2-enum-algos: 

|   kex_algorithms: (12)

|       curve25519-sha256

|       curve25519-sha256@libssh.org

|       ecdh-sha2-nistp256

|       ecdh-sha2-nistp384

|       ecdh-sha2-nistp521

|       diffie-hellman-group-exchange-sha256

|       diffie-hellman-group14-sha256

|       diffie-hellman-group16-sha512

|       diffie-hellman-group18-sha512

|       diffie-hellman-group-exchange-sha1

|       diffie-hellman-group14-sha1

|       kex-strict-s-v00@openssh.com

|   server_host_key_algorithms: (5)

|       rsa-sha2-512

|       rsa-sha2-256

|       ssh-rsa

|       ecdsa-sha2-nistp256

|       ssh-ed25519

|   encryption_algorithms: (7)

|       aes256-gcm@openssh.com

|       chacha20-poly1305@openssh.com

|       aes256-ctr

|       aes256-cbc

|       aes128-gcm@openssh.com

|       aes128-ctr

|       aes128-cbc

|   mac_algorithms: (8)

|       hmac-sha2-256-etm@openssh.com

|       hmac-sha1-etm@openssh.com

|       umac-128-etm@openssh.com

|       hmac-sha2-512-etm@openssh.com

|       hmac-sha2-256

|       hmac-sha1

|       umac-128@openssh.com

|       hmac-sha2-512

|   compression_algorithms: (2)

|       none

|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds

果然還是沒用

找了半天資料 才找到解決方法

先處理 

aes128-cbc

aes256-cbc

先建一個文件內容如下

vi /etc/crypto-policies/policies/modules/DISABLE-CBC.pmod

cipher = -AES-128-CBC -AES-256-CBC

ssh_cipher = -AES-128-CBC -AES-256-CBC

更新加密策略

update-crypto-policies --set DEFAULT:DISABLE-CBC

再來處理

diffie-hellman-group-exchange-sha1

vi /etc/crypto-policies/back-ends/opensshserver.config

刪除以下文字

,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

重啟 sshd

systemctl restart sshd

再跑一次 

nmap --script ssh2-enum-algos -sV -p 22   10.0.0.1

Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-21 13:59 CST

Nmap scan report for 10.0.0.1

Host is up (0.00077s latency).

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 8.0 (protocol 2.0)

| ssh2-enum-algos: 

|   kex_algorithms: (10)

|       curve25519-sha256

|       curve25519-sha256@libssh.org

|       ecdh-sha2-nistp256

|       ecdh-sha2-nistp384

|       ecdh-sha2-nistp521

|       diffie-hellman-group-exchange-sha256

|       diffie-hellman-group14-sha256

|       diffie-hellman-group16-sha512

|       diffie-hellman-group18-sha512

|       kex-strict-s-v00@openssh.com

|   server_host_key_algorithms: (5)

|       rsa-sha2-512

|       rsa-sha2-256

|       ssh-rsa

|       ecdsa-sha2-nistp256

|       ssh-ed25519

|   encryption_algorithms: (5)

|       aes256-gcm@openssh.com

|       chacha20-poly1305@openssh.com

|       aes256-ctr

|       aes128-gcm@openssh.com

|       aes128-ctr

|   mac_algorithms: (8)

|       hmac-sha2-256-etm@openssh.com

|       hmac-sha1-etm@openssh.com

|       umac-128-etm@openssh.com

|       hmac-sha2-512-etm@openssh.com

|       hmac-sha2-256

|       hmac-sha1

|       umac-128@openssh.com

|       hmac-sha2-512

|   compression_algorithms: (2)

|       none

|_      zlib@openssh.com

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds

已經全部修正

再重掃一次也沒問題了

從昨天晚上開始 suricata的cpu就會一直跑到98以上而且降不下來

看了一下 log 出現大量的 truncated 

Jan 13 04:30:33 suricata suricata[77297]: [1:2200003:2] SURICATA IPv4 truncated packet [Classification: Gen

eric Protocol Command Decode] [Priority: 3] [**] [Raw pkt: C0 C5 20 6B A9 DA 00 60 E0 8A 76 E3 08 00 45 00 

0A 8C 8F C5 00 0]

Jan 13 10:44:03 suricata suricata[78]: [1:2200013:2] SURICATA IPv6 truncated packet [Classification: Generic Protocol Command Decode] [Priority: 3] [**] [Raw pkt: C0 C5 20 6B A9 DA 00 60 E0 8A 76 E3 86 DD 60 81 56 A3 10 DC 06 3]

先把這二個偵測暫停 

/etc/suricata/rules/decoder-events.rules

再觀察看看

在PVE中撈出所有guest的 cpu使用率並在超過上限值時發出告警

#!/bin/bash

pvesh get /cluster/resources|awk '{print $2" "$33" "$8}'|grep -E "lxc|qemu"|sed 's/....$//' > /tmp/all_guest_cpu

cat /tmp/all_guest_cpu | awk  '$3 > 80 {print $0}' > /tmp/guest_cpu_high

if [ -s /tmp/guest_cpu_high ]; then

        sed -i '1i network guest cpu high' /tmp/guest_cpu_high

        sed -i '2i ==========' /tmp/guest_cpu_high

        cp /tmp/guest_cpu_high /tmp/guest_cpu_high_network

        /usr/bin/lftp ftp://user:pwd@10.0.0.1 -e "put /tmp/guest_cpu_high_network; bye"

        mutt -s guest_cpu_high user@abc.com < /tmp/guest_cpu_high

fi

今天使用 tabby ssh 到almalinux 8 後 vi打中文時出現以下的狀況

中�~V~G試�~\~K�~\~K

但 cat 正常

找了資料 說要改 tabby config

appearance:

  - Character encoding: utf-8

改了還是沒用

最後解決的方法是先在 almalinux 8 安裝vim

dnf install vim

在home目錄建立 .vimrc 內容如下

set encoding=utf-8

set fileencoding=utf-8

設定 alias

echo "alias vi='vim'" >> ~/.bashrc

醬就正常了

https://blog.csdn.net/lisacumt/article/details/140498396

https://www.cyberciti.biz/faq/how-to-install-vim-on-centos-8-using-dnf-yum/