Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
20200209MINI_INFRA
Search
delphinz
February 09, 2020
Technology
1
360
20200209MINI_INFRA
delphinz
February 09, 2020
Tweet
Share
More Decks by delphinz
See All by delphinz
【セキュリティ競技】MINI Hardeningのご紹介 / MINI Hardneing4 introduction
delphinz
1
1.3k
MINI Hardening Road to Taiwan(2019 HITCON CMT)
delphinz
0
890
WAFのルールである OWASP ModSecurity Core Rule Set (CRS)を 使った可視化までの苦労話/20180921_owasp_connect_crs
delphinz
2
1.6k
淡路島で開催されたhardening2017fesにプレミアムサポートメンバーで参加してきたよ。/20171202-go-for-hardening2017fes
delphinz
0
130
Other Decks in Technology
See All in Technology
DevOps文化を育むQA 〜カルチャーバブルを生み出す戦略〜 / 20250317 Atsushi Funahashi
shift_evolve
1
110
ルートユーザーの活用と管理を徹底的に深掘る
yuobayashi
6
730
LINE Notify互換のボットを作った話
kenichirokimura
0
180
SSH公開鍵認証による接続 / Connecting with SSH Public Key Authentication
kaityo256
PRO
2
220
OPENLOGI Company Profile
hr01
0
61k
職種に名前が付く、ということ/The fact that a job title has a name
bitkey
1
250
技術好きなエンジニアが _リーダーへの進化_ によって得たものと失ったもの / The Gains and Losses of a Tech-Enthusiast Engineer’s “Evolution into Leadership”
kaminashi
0
210
大規模アジャイル開発のリアル!コミュニケーション×進捗管理×高品質
findy_eventslides
0
560
SaaSプロダクト開発におけるバグの早期検出のためのAcceptance testの取り組み
kworkdev
PRO
0
460
Dapr For Java Developers SouJava 25
salaboy
1
130
Keynote - KCD Brazil - Platform Engineering on K8s (portuguese)
salaboy
0
130
React Server Componentは 何を解決し何を解決しないのか / What do React Server Components solve, and what do they not solve?
kaminashi
6
1.2k
Featured
See All Featured
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.1k
Adopting Sorbet at Scale
ufuk
75
9.3k
Building Adaptive Systems
keathley
41
2.5k
Facilitating Awesome Meetings
lara
53
6.3k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.3k
Six Lessons from altMBA
skipperchong
27
3.7k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
Building Your Own Lightsaber
phodgson
104
6.3k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
102
18k
StorybookのUI Testing Handbookを読んだ
zakiyama
28
5.6k
We Have a Design System, Now What?
morganepeng
51
7.5k
Transcript
MINI Hardening ԋशڥΛ࡞Ζ͏ MINI Hardening ӡӦνʔϜ ా ߂
ࣗݾհ ▸ ా ߂(Masahiro Tabata )@delphinz ▸ ීஈձܭγεςϜίϯαϧλϯτ ▸ MINI
HardeningӡӦϦʔμʔ(ׂ:ࣾ) ▸ OWASP JAPANϓϩϞʔγϣϯνʔϜॴଐ ▸ 2019ηΩϡΞཱྀஂ ࢀՃ ▸ “झຯͰηΩϡϦςΟΛ͍ͬͯΔऀ”Ͱ͢
Hardening Projectͱ ▸ Hardening ProjectͱຊൃͷηΩϡϦςΟٕज़ڝٕͱη ΩϡϦςΟࢪࡦͷൃදΛߦ͏ΠϕϯτͰ͢ɻ ͦͷత࠷ߴͷʮकΔʯٕज़Λ࣋ͭτοϓΤϯδχΞΛൃ ۷ɾݦজ͢ΔͷͰ͢ɻ ▸ 2014ʹ࢝·Γݱࡏ·Ͱຖय़ळͷ։࠵͞Ε͍ͯ·͢ɻ
͜ͷΠϕϯτwasforum͕։࠵͍ͯ͠·͢ɻ ۙͰ1/24ɺ25ʹԭೄͷສࠃྊؗͰ։࠵͠·ͨ͠ɻ https://wasforum.jp/hardening-project/
MINI Hardeningͱ ▸ Hardening Project ͔Βੜͨ͠ϛχϓϩδΣΫτ 2014ͷ Hardening 10 Evolutions
Πϕϯτʹ͓͍ͯɺ ΞϯΧϯϑΝϨϯεͷՌͱͯ͠ൃ ▸ ΧδϡΞϧʹHardeningΛମݧ–MINI HardeningͰ ఔͰHardeningڝٕৼΓฦΓ·ͰମݧͰ͖Δ ▸ ͋͘·Ͱʮॳ৺ऀ͚ΠϕϯτʯͰ͢ ίϯηϓτɿ ʮηΩϡϦςΟΠϯγσϯτΛΧδϡΞϧʹମݧʂʯ https://minihardening.connpass.com
աڈͷ։࠵֓ཁ ▸ ݱࡏ·Ͱʹ16ճ։࠵ όʔδϣϯ3ͷςʔϚʮԾ௨՟ࢢγϛϡϨʔγϣϯʯ ࡢ8݄ʹͰ։࠵͠·ͨ͠ɻ ▸ Owasp SendaiͷΈͳ͞·ɺ12/14ͷେࡕ։࠵ͷ ΦϯϥΠϯࢀՃ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ
MINI Hardeningڝٕ֓ཁ ▸ ʮגࣜձࣾSORAMINEʯͰ͕ࣾಥવʮ͜Ε͔ΒԾ ௨՟ͩʯͱએݴ͠ɺࣾࣗΒωοτຊͳͲΛࢀߟʹԾ ௨՟ަॴγεςϜΛߏஙͯ͠͠·ͬͨɻ ▸ ऻ͍དྷΔϋοΧʔͷຐͷख͔ΒαʔόΛकΔͨΊɺࢀՃऀ ΤʔεڃͷαϙʔτΤϯδχΞͱͯ͠Ծ௨՟γεςϜΛ ҆ఆՔಇͤ͞ΔΑ͏ɺڧݻͰ҆શͳڥʹ͍ͯ͘͠ɻ
ʲධՁํ๏ʳ ΫϩʔϥͷΞΫηε͕ޭ͢ΔຖʹಘɺSLAΛอͭ͜ͱ͕େࣄʂ
ϝϯόʔհ ▸ ݱࡏ8໊·Ͱ૿ྔ͠·ͨ͠ɻ(࠷ॳ໊̏Ͱͨ͠(ʣʣ
͜͜Ͱ࣭
Έͳ͞Μݕূɾԋशڥ Ͳ͏ͬͯ࡞ͬͯ·͔͢ʁ
͋ΔΠϯϑϥ୲ͷ͍ͳ͍ҟੈքʹసੜ ▸ όʔδϣϯ3͕࢝·Δ࣌ʹΠϯϑϥ୲ͷલऀ͕! ࣄ͕͘͠ͳΓɺόʔδϣϯ3͔ΒࢀՃͰ͖ͳͦ͞͏Ͱ͢ʂ ͍··ͰͷΠϯϑϥͷίʔυͬͯͲ͏ͯ͠·͚ͨͬ͠ʁ ͬͯͨγΣϧεΫϦϓτͷίϚϯυϦετͷϝϞૹΓ·͢Ͷ
݁Ռ
ͥΜͥΜΘ͔Βͳ͍ʂ ԶͨͪงғؾͰ ΫϥυΛ͍ͬͯΔʂ ʮԶୡงғؾͰδΣωϨʔλʔΛ͍ͬͯΔʯͰָ͓͠Έ͍ͩ͘͞ IUUQTQPUBUPEHJUIVCJPIVOJLJ@HFOFSBUPS UFYUΫϥυ
Πϯϑϥ୲ऀͷಓ ▸ AWS-CLIɺGitɺAnsibleͷΠϯετʔϧ() 20182݄͔Β20185݄GW໌͚·Ͱ11σϓϩΠमߦʂ ▸ ࣅͨΑ͏ͳڥΛߏங͍ͯ͠ΔࣄྫΛௐࠪ ▸ Micro Hardening(ޱઃܭ) ࢀՃऀ45ͱ͍͏ݶΒΕͨ࣌ؒͷͳ͔Ͱɺఏڙ͞ΕͨECαΠτʹ
ର͢Δ༷ʑͳαΠόʔ߈ܸʹରॲ͢Δ (͘͞ΒͷΫϥυͰTerraform,PackerΛ༻) ▸ 2017/09/14 ʮϛχϓϩάϥϜίϯςετʯ ʮαΠόʔԋशڥͷࣗಈߏங(Seed(KBC))ʯ (OpenStack্Ͱ࣮ݱ) https://microhardening.connpass.com
ԋशڥͷઆ໌ʢΠϯϑϥʣ ▸ ӡӦνʔϜɺڝٕνʔϜͷαϒωοτΛׂ ▸ ӡӦ-ڝٕؒ௨৴ΛڐՄɺڝٕνʔϜؒ௨৴ෆՄ ▸ ౿ΈαʔόΛܦ༝֤ͯ͠αϒωοτʹΞΫηε͠·͢
ԋशڥͷઆ໌ʢΞϓϦʣ ▸ ڝٕνʔϜ͕ཧ͢ΔΞϓϦέʔγϣϯҎԼͷ௨Γ
Πϯϑϥߏஙखॱ ▸ ΈΜͳେ͖Hashi CorpͷPackerɺTerraformͱAnsibleΛ ༻͍ͯ͠·͢ɻ .JUDIFMM)BTIJNPUPࢯ͕ઃཱ )BTIJDPSQ5BP ಓ Λཧ೦ʹ։ൃɾӡ༻ऀ͚ͷπʔϧΛ։ൃ ʮٕज़ͷΪϟοϓΛຒΊΔͨΊͷπʔϧΛఏڙ͍ͨ͠ʯ
https://www.hashicorp.com
ڥల։༻ίʔυΛॻ͘·Ͱ४උ ▸ ݩͷڥ͔ΒTerraformͷల։༻ίʔυΛϦόʔεΤϯδχ ΞϦϯάʂ MINI Hardeningڥ͔Β TerraformingΛͬͯ ઃఆϑΝΠϧ(*.tf)Λੜ ੜͨ͠tfϑΝΠϧͷ ݻ༗IDΛશͯมԽ
ڞ௨มΛઃఆ AWSͷߏஙʹඞཁͳઃఆϑΝΠϧ ec2.tf igw.tf nif.tf r53z.tf rta.tf sn.tf eip.tf nacl.tf r53r.tf rt.tf sg.tf vpc.tf ڞ௨߲ ɾόʔδϣϯ ɾڝٕνʔϜ(࠷େ26νʔϜ) ɾϩʔΧϧυϝΠϯ໊ ɾIPΞυϨε(ୈ2ΦΫςοτ·Ͱʣ ɾΠϯελϯεαΠζ
Πϝʔδ࡞ɺΞϓϦͷϓϩϏδϣχϯά ▸ ֤αʔόΠϝʔδ࡞ʹPackerΛ༻ɺ ߏཧπʔϧʹAnsibleΛ༻ ▸ Θ͟Θ͟ηΩϡΞͰͳ͍ڥΛ࡞Δͷख͕ؒଟ͍ʂ ྫɿAnsibleͷPHPΠϯετʔϧ
ڥల։ޙͷݻ༗ઃఆ߲ ▸ ΠʔαϦΞϜͷΥϨοτID ▸ ϝʔϧઃఆ(Thunderbirdͷઃఆը໘ͷΈɺslackʹҠߦʣ ▸ Windowsͷݴޠύοέʔδ(ͳ͔ͥPowershellͰࣦഊ͢Δʣ ▸ WindowsͷϚγϯ໊(ಉ্)
ࣗಈԽͰ͖ͨ͜ͱ ▸ αʔόͷΠϝʔδ࡞ ▸ Πϯϑϥͷࣗಈల։(νʔϜʹԠͯ͡૿ݮʣ ˎ30ఔͰ100ऑͷαʔόల։ՄೳɺҰׅআ؆୯ ▸ IPΞυϨεɺυϝΠϯ໊ͷઃఆ(Route53࠷ڧʂ) ▸ ϝʔϧαʔόͷߏங(ຯʹ໘͕ଟ͍ɺ͏ͬͯͳ͍)
▸ ڝٕऴྃޙͷϩάɺbash historyऔಘ ྫɿTerraformͷҰׅআίϚϯυ࣮ߦ݁Ռ
࣮Θͨ͠(ͨͪ)ɾɾɾ ▸ ӡӦνʔϜͷΠϯϑϥڞ௨Խͯ͠·ͤΜͰͨ͠ʂ ▸ τϥΠˍΤϥʔ͕ଟ͍ͷͰ୯७ͳύοέʔδΠϯετʔϧ Ͱࡁ·ͳ͍ ▸ ४උΛΪϦΪϦ·ͰΔͷͰڞ௨Խ͋ͱ·Θ͠ ▸ ςετॻ͍ͯ·ͤΜʂ
·ͱΊ
ҟੈքͰੜ͖͍͚ͯΔΑ͏ʹͳΓ·ͨ͠ʂ ▸ 40ࡀ͔ΒͰϓϩάϥϛϯάʹ͚ͭΒΕΔʂ ▸ ࠷৽ͷΫϥυɺπʔϧࣄΛ࠷͔ͭίʔυϨϕϧͰ ʹ͚ͭΔ͜ͱ͕Ͱ͖ͨ ▸ ։ൃऀɺӡ༻୲ऀͷؾ͕࣋ͪΘ͔ͬͨ ▸ ʮίʔυʹԿਓԡ͠ཹΊΔ͜ͱ͕Ͱ͖ͳ͍ڰؾ͕॓
Δʯͱݴ͍ͬͯͨਓͷؾ͕࣋ͪཧղͰ͖ΔΑ͏ʹͳΓ·ͨ͠
͜Ε͔ΒΓ͍ͨ͜ͱ ▸ Terraformͷ0.12όʔδϣϯΞοϓ ▸ WindowsͷAnsibleద༻(ݱࡏPoweshell) ▸ AWSػೳͷࣗಈԽ(cloudtrailɺcloudwatchɺguard dutyʣ ▸ CIɺCDͷಋೖ
▸ ίʔυͷΦʔϓϯιʔεԽ ▸ ΒΕαʔόΛmetasploitable3Ͱ࡞Δ(ݕূத) ▸ ϞχλϦϯάπʔϧಋೖ(elastic search?) ݸਓͰձࣾͰίϛϡχςΟͰݕূɾԋशͬͪΌ͍ͳΑʂ
ଓ͖ΣϒͰ ▸ ʢએʣTerraformɺPackerͷͷଓ͖ ηΩϡΞཱྀஂͷຊͰ͝ཡ͍ͩ͘͞w(ଞͷӡӦدߘ͋Γ) https://secure-brigade.booth.pm/items/1317173 https://secure-brigade.booth.pm/items/1575413
͝ਗ਼ௌ͋Γ͕ͱ͏ ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ