白翼的服務器運維博客
wget http://update.aegis.aliyun.com/download/uninstall.sh
chmod +x uninstall.sh
./uninstall.sh
rm uninstall.sh
systemctl stop aliyun.service
systemctl disable aliyun.service
rm /etc/systemd/system/aliyun.service
rm /usr/sbin/aliyun-service
systemctl daemon-reload
chkconfig agentwatch off
chkconfig --del agentwatch
rm /etc/init.d/agentwatch
systemctl reboot
© BANDAI NAMCO Entertainment Inc.
最近開始使用 Detectify – 一款個人十分喜歡的在線網站掃描工具。驚訝的發現由於 WordPress 官方的一個 Nginx 推薦配置,很多人都因此存在這個問題。
長話短說,WordPress 官方推薦的一個 wp-admin 轉發規則:
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
然而這個規則的 $uri 是可以帶有轉義字符的函數,於是就導致了下面的漏洞。
curl https://holywhite.com/%0d%0asplitting:/wp-admin --http1.1 -v
Response:
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 26 Oct 2018 01:05:04 GMT
< Content-Type: text/html
< Content-Length: 162
< Location: https://holywhite.com/
< splitting:/wp-admin/
< Connection: keep-alive
<
經過一點點研究,目前個人改為了更為安全的函數去解決這個問題。
rewrite /wp-admin$ $scheme://$host$request_uri/ permanent;
Implemented with Nginx Mainline and OpenSSL 1.1.1.
Major browsers are not ready for RFC version yet, so TLS 1.2 will be chosen.
Update on 10-12:
--with-openssl-opt='enable-ec_nistp_64_gcc_128 enable-tls1_3'
Looks like this is the key configuration to make Nginx enbale TLSv1.3.
Passenger 從 5.1 開始導入了 SecurityUpdateCheck 功能,一旦發現有重大補丁更新,就會自動推送。
本來是件好事情,然而 Passenger 的老版本有一個 Bug,如果收到的 Response 超過 500B 的話,就會崩掉… 這個問題在 5.1.5 得到了修復。
於是全世界的 < 5.1.5 版本的 Passenger 都死掉了…
For more details: https://github.com/phusion/passenger/issues/2089
Never thought that I would have to criticize Namecheap again, after I left their services.
Let me explain, I bought myself a new domain this month, and found out that there is a 3-year SSL certificate valid for my domain through crt.sh. Naturally I contacted Comodo SSL Abuse Dept. and got redirected to the reseller – Namecheap. After reaching out to Namecheap they insisted that as long as I issued a new certificate, the valid certificate that the former domain owner had will have no power whatsoever ( which is not true ), even after ticket escalation, they’re just re-assuring me that MITM somehow will not exist as long as I set up a new SSL cert and “there is no need to worry about the security of your website and the information transmitted via Internet”.
So, according to Namecheap’s statement, Wosign accident is just a fraud and people obtained github.com’s certificate will do absolutely no harm to Github. Good to know.
A public discussion is under way: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/4R1parm1XCc
(Author: 華若葉,https://www.pixiv.net/member_illust.php?mode=medium&illust_id=66732375)
隨手發一篇文章,跟大家安利一下 Certum 的好處。
今天在 The SSL Store 給騰訊企業郵的登錄介面買了個 Certum 的 SSL 證書,最終因為騰訊不支持非他們列表中的 CA 導致需要申請退款,但正是這個退款讓我見識到 Certum 的力量。
從點擊郵箱鏈接開始不到30秒的時間內, Certum 已經簽發好證書可供下載了,如此的速度最近很難見大型 CA 的自動化系統能夠做到,而且每次操作都以證書的序列號為准,能夠精確讓你知道你在操作的是哪一張證書。之後的申請退款,確定了我要退款的那一瞬間, Certum 提醒我證書已被註銷並加入他們 CRL 列表的郵件已經送到了我的郵箱…太快太爽了!
特別跟最近與 Comodo 扯皮吊銷證書的事情對比, Certum 滿分,牆裂推薦。
Update: The certificate has finally been revoked, after I have brought it up a month ago. Comodo’s Technical Support Team Lead gave me a reason why it all goes to hell is because my order is attached with an e-mail address, so I have to send the request via that e-mail. It is perfectly fine except that neither Comodo support staff nor GoGetSSL knows this should be done within this way, as Comodo’s support staff are redirecting me to go back to GoGetSSL to solve the problem at the first place.
This is not an article about Comodo being distrusted by main-stream browsers, but just me.
In short, Comodo failed to act as a trusted Certificate Authority. I recently bought a certificate from their reseller GoGetSSL and the transmit of the private key was initially not safe because I did it on a Chinese software which has zero encrypt on the messages and have files copied on their server. So we ( me and my client ) decided to re-issue the certificate and asked GoGetSSL to revoke the old one. Things start out smoothly as GoGetSSL ask for specific certification to revoke, and said that Comodo will do it in 12 hours.
Well, 12 hours past, but nothing happened on the old certificate. CRL and OCSP still validates it ( according to https://certificate.revocationcheck.com/ ). So I request it again, and GoGetSSL’s customer service try to revoke it again, some days had past, nothing happened.
Then, I tried to get in touch with Comodo by their Official website’s ticket system, I clarified the issue and want to know if they have anything to say about it, or even will it actually be GoGetSSL’s fault in this. But nope, all they replied was this:
Thank you for contacting Comodo, we will be happy to assist you. Please contact the party in which the certificate was purchased from in regards to any revocation of your certificate. If you have any further questions or concerns feel free to contact us again.
Which basically said nothing.
A few days ago, I published an article saying why am I deciding to move my own website’s certificate to GlobalSign because I felt Comodo is being to feel like it is “Too big to fail”. And now, if a trusted certificate authority, could not even complete the most basic part of a certification, which is validate and revoke, it’s out my friend.