1饭冬、漏洞復(fù)現(xiàn)
登入rabbimq-management 管理界面无拗,f12打開開發(fā)者工具挫鸽,在network一項(xiàng)捕獲請(qǐng)求,請(qǐng)求頭中的Cookie值為base64 加密密文埃脏,可以使用通用base解密搪锣,
例如:請(qǐng)求頭中抓到 Cookie: m=2258:Z3Vlc3Q6Z3Vlc3Q%253D
對(duì) m=2258:Z3Vlc3Q6Z3Vlc3Q%253D 解密為 guest:guest
2、認(rèn)證模式
| Mechanism | Description |
|---|---|
| PLAIN | SASL PLAIN 驗(yàn)證彩掐。在RabbitMQ服務(wù)器和客戶端中构舟,默認(rèn)是啟用的,其他大多數(shù)客戶端也是默認(rèn)的堵幽。 |
| AMQPLAIN | PLAIN的非標(biāo)準(zhǔn)版本狗超,用于向后兼容。該功能在RabbitMQ服務(wù)器中默認(rèn)啟用朴下。 |
| EXTERNAL | 身份驗(yàn)證使用帶外機(jī)制進(jìn)行努咐,例如x509證書對(duì)等驗(yàn)證、客戶端IP地址范圍或類似的機(jī)制殴胧。這種機(jī)制通常由RabbitMQ插件提供渗稍。 |
| RABBIT-CR-DEMO | 演示challenge-response認(rèn)證的非標(biāo)準(zhǔn)機(jī)制。該機(jī)制具有與PLAIN等價(jià)的安全性团滥,在RabbitMQ服務(wù)器中默認(rèn)不啟用竿屹。 |
rabbitmq的auth_mechanisms配置中默認(rèn)為PLAIN模式,與AMQPLAIN同為明文認(rèn)證灸姊,解決AMQP明文驗(yàn)證漏洞需要修改為EXTERNAL
3拱燃、EXTERNAL認(rèn)證配置
修改 RabbitMQ 配置文件 /etc/rabbitmq/rabbitmq.config,此文件默認(rèn)不存在厨钻,需要手動(dòng)創(chuàng)建
[{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [
{cacertfile, "/etc/rabbitmq/ssl/cacert.pem"},
{certfile, "/etc/rabbitmq/ssl/rabbitmq-server.cert.pem"},
{keyfile, "/etc/rabbitmq/ssl/rabbitmq-server.key.pem"},
{verify, verify_peer},
{fail_if_no_peer_cert, true},
{ciphers, [
"ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384",
"ECDHE-ECDSA-DES-CBC3-SHA","ECDH-ECDSA-AES256-GCM-SHA384",
"ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384",
"DHE-DSS-AES256-SHA256","AES256-GCM-SHA384",
"AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256",
"ECDHE-RSA-AES128-SHA256","ECDH-ECDSA-AES128-GCM-SHA256",
"ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256",
"DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA",
"ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA",
"AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA",
"ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"
]}
]},
{auth_mechanisms,['EXTERNAL']},
{ssl_cert_login_from,common_name}
]}].
主要配置項(xiàng)說明:
- verify
-
verify_peer客戶端與服務(wù)端互相發(fā)送證書 -
verify_none禁用證書交換與校驗(yàn)
-
- fail_if_no_peer_cert
-
true不接受沒證書的客戶端連接 -
false接受沒證書的客戶端連接
-
-
auth_mechanisms認(rèn)證機(jī)制扼雏,此處使用EXTERNAL表示只使用插件提供認(rèn)證功能 - ssl_cert_login_from使用證書中的哪些信息登錄,如果不配置這項(xiàng)是走的DN夯膀,配置走CN
-
common_nameCN名稱
-
啟用插件
#啟用rabbitmq_auth_mechanism_ssl作為EXTERNAL認(rèn)證機(jī)制的實(shí)現(xiàn)
rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
#查看啟動(dòng)結(jié)果
rabbitmq-plugins list
重啟rabbitmq 并添加rabbitmq-client用戶
service rabbitmq-server restart
#添加證書登錄用戶(用戶名要與客戶端證書名稱前綴一致)诗充,密碼任意
rabbitmqctl add_user 'rabbitmq-client' '2a55f70a841f18b97c3a7db939b7adc9e34a0f1b'
#給rabbitmq-client用戶虛擬主機(jī)/的所有權(quán)限,如需其他虛擬主機(jī)替換/
rabbitmqctl set_permissions -p "/" "rabbitmq-client" ".*" ".*" ".*"
代碼中添加配置
@Configration
public class RabbitmqConfig{
@Autowired
RabbitProperties rabbitProperties;
@Autowired
CachingConnectionFactory cachingConnectionFactory;
/**
* 解決安全掃描 AMQP明文登錄漏洞 僅當(dāng)rabbitmq啟用ssl時(shí)并且配置證書時(shí)诱建,顯式設(shè)置EXTERNAL認(rèn)證機(jī)制<br/>
* EXTERNAL認(rèn)證機(jī)制使用X509認(rèn)證方式蝴蜓,服務(wù)端讀取客戶端證書中的CN作為登錄名稱,同時(shí)忽略密碼
*/
@PostConstruct
public void rabbitmqSslExternalPostConstruct() {
boolean rabbitSslEnabled = BooleanUtils.toBoolean(rabbitProperties.getSsl().getEnabled());
boolean rabbitSslKeyStoreExists = rabbitProperties.getSsl().getKeyStore() != null;
if (rabbitSslEnabled && rabbitSslKeyStoreExists) {
cachingConnectionFactory.getRabbitConnectionFactory().setSaslConfig(DefaultSaslConfig.EXTERNAL);
}
}
}
application 配置文件修改
spring:
rabbitmq:
host: ip
port: 5671
publisher-returns: true
virtual-host: /
ssl:
enabled: true
key-store: classpath:ssl/rabbitmq-client.keycert.p12
key-store-password: rabbit
trust-store: classpath:ssl/rabbitmqTrustStore
trust-store-type: JKS
verify-hostname: false
listener:
direct:
acknowledge-mode: manual
4、參考文章
https://www.cnblogs.com/hellxz/p/15776987.html
-end-
