{"id":1550,"date":"2016-02-20T22:40:09","date_gmt":"2016-02-20T21:40:09","guid":{"rendered":"https:\/\/2016.prague.wordcamp.org\/?p=1550"},"modified":"2016-02-20T23:59:02","modified_gmt":"2016-02-20T22:59:02","slug":"vlada-smitka-odpovedi-na-nezodpovezene-dotazy","status":"publish","type":"post","link":"https:\/\/prague.wordcamp.org\/2016\/vlada-smitka-odpovedi-na-nezodpovezene-dotazy\/","title":{"rendered":"Vl\u00e1\u010fa Smitka &#8211; answers to the unanswered questions"},"content":{"rendered":"<p>During the talk several interesting questions were asked for which there was no time left to answer.<\/p>\n<p>The questions were recorded, however, and you can find the answers below:<\/p>\n<p><strong>Do you see any solution\/improvement (your opinion) for the plugin distribution system? (Preventing the spread of hacked plugins)<\/strong><\/p>\n<p><em>To be honest I haven't thought about it yet; personally I take using trusted sources for granted. If this area were to be improved somehow, it would be interesting, for example, to automatically check the hashes of files from official sources against the repository &#8211; that way the modified ones could easily be found. As for other sources such as CodeCanyon, their operators could provide something similar in the form of a plugin &#8211; everyone could then check whether their files are intact and unchanged.<\/em><\/p>\n<p><strong>How do you isolate websites from attacking each other?<\/strong><\/p>\n<p><em>On our servers we use open_basedir and several PHP instances (we use nginx + PHP-FPM) running under different users depending on their purpose. Most ordinary sites, however, run under the same user and are isolated only by open_basedir. There are several ways to achieve this.<\/em><\/p>\n<p><strong>If thousands of users have been created from spam comments, should we delete them?<\/strong><\/p>\n<p><em>I'm not sure what a created user means in this case, but in general I recommend deleting everything that isn't needed.<\/em><\/p>\n<p><strong>How can I easily test whether a WP site has been hacked?<\/strong><\/p>\n<p><em>It's not entirely simple; an infection can manifest itself in many ways. If the infection shows up as foreign code injected into the site's frontend, I can try testing it for example at <a href=\"https:\/\/sitecheck.sucuri.net\/\">https:\/\/sitecheck.sucuri.net\/<\/a> or\u00a0<a href=\"https:\/\/www.virustotal.com\/\">https:\/\/www.virustotal.com\/<\/a>. If it doesn't show publicly like this, it's a good idea to look into the site's PHP and JS source files for any suspicious code &#8211; long strings of meaningless characters. Often all files of a given type are infected, so it's enough to spot-check a few files. Plugins such as <a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\">WordFence<\/a> or <a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\/\">Sucuri Security<\/a> can also help with this. When even that doesn't work, the site needs to be searched for suspicious functions, which can however also appear in ordinary legitimate files&#8230; that already requires quite a lot of experience. Most often these are the functions:<\/em><\/p>\n<p><em>eval, gzinflate, base64_decode, gzuncompress, move_uploaded_file, file_put_contents, fputs, exec, rawurldecode, strrev, ini_set, shell_exec, fopen, curl_exec, popen<\/em><\/p>\n<p><em>The first three being the most commonly used.<\/em><\/p>\n<p><em>Sometimes I can also recognize a hacked site from the non-standard behaviour of its users. I can log that, for example, with the <a href=\"https:\/\/wordpress.org\/plugins\/wp-security-audit-log\/\">WP Security Audit Log<\/a> plugin. A sign of compromise is an increased number of outgoing e-mail messages, but that often isn't easy to monitor.<\/em><\/p>\n<p><strong>Can Seznam reliably index HTTPS yet?<\/strong><\/p>\n<p><em>Seznam has been able to index HTTPS reliably for a long time, but it had problems re-indexing a site when it moved from HTTP to HTTPS. That should already be resolved, however:\u00a0<a href=\"http:\/\/fulltext.sblog.cz\/2016\/01\/12\/testujeme-rychlejsi-presmerovani-webu-na-nove-adresy-tedy-napriklad-na-https-2\/\">http:\/\/fulltext.sblog.cz\/2016\/01\/12\/testujeme-rychlejsi-presmerovani-webu-na-nove-adresy-tedy-napriklad-na-https-2\/<\/a><\/em><\/p>\n<p><em>In recent months we have handled the migration several times and no serious problems occurred.<\/em><\/p>\n<p><strong>Could you elaborate on why an administrator should not create content?<\/strong><\/p>\n<p><em>Answer from another participant: The greater the privileges, the greater the impact if they are eavesdropped. Plugins are handled only by the admin.<\/em><\/p>\n<p><em>I of course agree with the answer, but I would add that it's not only about eavesdropping but also about susceptibility to various other security flaws &#8211; see the XSS example in the talk. Another thing is that if the admin doesn't create any posts, their username won't be found as the author of any content on the site &#8211; we don't hand a potential attacker half of the login credentials.<\/em><\/p>\n<p><strong>In your experience, how many people who have WordPress are also the administrator, and how many split and use roles across different users \/ i.e. actually other people?<\/strong><\/p>\n<p><em>Unfortunately I don't have exact numbers, so I can only guess based on a few samples. When a site is managed by a single person, in the vast majority of cases they are the administrator &#8211; they don't use a second role just for publishing. On sites with more users I often encounter a division into roles, most commonly one administrator and the rest as editors. Guest posts are a special chapter, where it is common practice to give external contributors the editor role.<\/em><\/p>\n<p><strong>Tip from a participant:<\/strong> <em>I have experience from analyzing the passwords tried by hackers: the site name, the domain, the domain without .cz, and so on. So watch out for that too!<\/em><\/p>\n<p><strong>Your opinion: Is it better to handle security via your own setup in .htaccess or to use plugins such as iThemes Security etc.?<\/strong><\/p>\n<p><em>On our servers we don't use security plugins much &#8211; we have managed to provide most of their functionality on the server side already. I admit, though, that the basis of our .htaccess (we have equivalent rules in the nginx configuration) comes from the <a href=\"https:\/\/wordpress.org\/plugins\/better-wp-security\/\">iThemes Security<\/a> plugin &#8211; just set it up and look at the generated .htaccess &#8211; you can then easily use these rules on other sites. Security plugins do, however, bring other features &#8211; for example blocking a user after a certain number of failed logins. If we don't have these features handled in another way, I'd rather recommend using security plugins.<\/em><\/p>\n<p><strong>What is your opinion on the various techniques for hiding the fact that you use WP?<\/strong><\/p>\n<p><em>Personally I think it's a bit pointless (but I still partly do it \ud83d\ude42 ). If I have an up-to-date version of WP, I don't think I have a reason to hide it. Perfectly hiding a WP site is very complicated and takes quite a lot of effort. Even if I block readme.html and \/feed\/, hide the meta generator, rename wp-content and the like, it is still possible to tell that it is WP &#8211; for example from the scripts and CSS it loads, and from their form the version can be determined fairly precisely.<\/em><\/p>\n<p><strong>Your opinion on moving wp-config.php one folder up?<\/strong><\/p>\n<p><em>Personally I don't recommend it. This recommendation arose when a bug in the Plesk system (server management) could break PHP execution, so this file, containing for example the database passwords, became publicly readable. That was a very long time ago, though, and similar problems don't appear much any more. The fact that WP has access outside its own folder if I move wp-config.php up seems potentially more dangerous to me.<\/em><\/p>\n<p><strong>Hi Lynt, will your presentation be available for download?<\/strong><\/p>\n<p><em>Of course: <a href=\"https:\/\/www.slideshare.net\/vsmitka\/wordcamp-praha-2016-bezpenost-wordpress\">https:\/\/www.slideshare.net\/vsmitka\/wordcamp-praha-2016-bezpenost-wordpress<\/a> \ud83d\ude09<\/em><\/p>\n<p><strong>The 3 most important tips for securing WP<\/strong><\/p>\n<ol>\n<li><em>update<\/em><\/li>\n<li><em>back up<\/em><\/li>\n<li><em>use a security plugin<\/em><\/li>\n<\/ol>\n<p><em>+ have good passwords managed by a password manager<\/em><\/p>\n<p>If you have any further questions, ask in the comments; I'll be happy to answer them.<\/p>\n<p>You can also follow me on <a href=\"https:\/\/twitter.com\/smitka\">Twitter<\/a>.<\/p>\n<p>Vl\u00e1\u010fa Smitka<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the talk several interesting questions were asked for which there was no time left to answer. The questions were recorded, however, and you can find the answers below: Do you see any solution\/improvement (your opinion) for the plugin distribution system? (Preventing the spread of hacked plugins) To be honest I haven't thought about it yet; personally I take using trusted sources for granted. If this area were to be improved somehow &hellip; <a href=\"https:\/\/prague.wordcamp.org\/2016\/vlada-smitka-odpovedi-na-nezodpovezene-dotazy\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Vl\u00e1\u010fa Smitka &#8211; answers to the unanswered questions<\/span><\/a><\/p>\n","protected":false},"author":5814035,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[761981],"tags":[],"class_list":["post-1550","post","type-post","status-publish","format-standard","hentry","category-odpovedi"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p6VUAp-p0","_links":{"self":[{"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/posts\/1550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/users\/5814035"}],"replies":[{"embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/comments?post=1550"}],"version-history":[{"count":5,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/posts\/1550\/revisions"}],"predecessor-version":[{"id":1555,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/posts\/1550\/revisions\/1555"}],"wp:attachment":[{"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/media?parent=1550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/categories?post=1550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/prague.wordcamp.org\/2016\/wp-json\/wp\/v2\/tags?post=1550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}