What ways are there to harden security / protect privacy on a VPS?

    mlyxdev · 17 hours 53 minutes ago · 223 views
    As in the title; hoping to throw out a few ideas and get better ones back.

    1. Carefully review the cloud-init contents

    cloud-init handles network / SSH key setup and so on, but some providers may set runcmd in user-data to install monitoring services. I recommend disabling cloud-init and configuring the IP statically.

    2. Disable qemu-guest-agent wherever possible

    Enabling qemu-guest-agent on a VPS makes shutdown and retrieving basic OS information convenient. But what many people may not have noticed is that the provider can execute arbitrary commands through it.

    socat unix-connect:/tmp/qga.sock readline
    {"execute":"guest-get-osinfo"}
    {"return": {"name": "Debian GNU/Linux", "kernel-release": "6.12.63+deb13-arm64", "version": "13 (trixie)", "pretty-name": "Debian GNU/Linux 13 (trixie)", "version-id": "13", "kernel-version": "#1 SMP Debian 6.12.63-1 (2025-12-30)", "machine": "aarch64", "id": "debian"}}


    {"execute": "guest-info"}
    {"return": {"version": "10.0.7", "supported_commands": [{"enabled": true, "name": "guest-network-get-route", "success-response": true}, {"enabled": true, "name": "guest-get-load", "success-response": true}, {"enabled": true, "name": "guest-get-cpustats", "success-response": true}, {"enabled": true, "name": "guest-get-diskstats", "success-response": true}, {"enabled": true, "name": "guest-ssh-remove-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-ssh-add-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-ssh-get-authorized-keys", "success-response": true}, {"enabled": true, "name": "guest-get-osinfo", "success-response": true}, {"enabled": true, "name": "guest-get-timezone", "success-response": true}, {"enabled": true, "name": "guest-get-users", "success-response": true}, {"enabled": true, "name": "guest-get-host-name", "success-response": true}, {"enabled": true, "name": "guest-exec", "success-response": true}, {"enabled": true, "name": "guest-exec-status", "success-response": true}, {"enabled": true, "name": "guest-get-memory-block-info", "success-response": true}, {"enabled": true, "name": "guest-set-memory-blocks", "success-response": true}, {"enabled": true, "name": "guest-get-memory-blocks", "success-response": true}, {"enabled": true, "name": "guest-set-user-password", "success-response": true}, {"enabled": true, "name": "guest-get-fsinfo", "success-response": true}, {"enabled": true, "name": "guest-get-disks", "success-response": true}, {"enabled": true, "name": "guest-set-vcpus", "success-response": true}, {"enabled": true, "name": "guest-get-vcpus", "success-response": true}, {"enabled": true, "name": "guest-network-get-interfaces", "success-response": true}, {"enabled": true, "name": "guest-suspend-hybrid", "success-response": false}, {"enabled": true, "name": "guest-suspend-ram", "success-response": false}, {"enabled": true, "name": "guest-suspend-disk", "success-response": false}, {"enabled": true, "name": "guest-fstrim", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-thaw", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-freeze-list", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-freeze", "success-response": true}, {"enabled": true, "name": "guest-fsfreeze-status", "success-response": true}, {"enabled": true, "name": "guest-file-flush", "success-response": true}, {"enabled": true, "name": "guest-file-seek", "success-response": true}, {"enabled": true, "name": "guest-file-write", "success-response": true}, {"enabled": true, "name": "guest-file-read", "success-response": true}, {"enabled": true, "name": "guest-file-close", "success-response": true}, {"enabled": true, "name": "guest-file-open", "success-response": true}, {"enabled": true, "name": "guest-shutdown", "success-response": false}, {"enabled": true, "name": "guest-info", "success-response": true}, {"enabled": true, "name": "guest-set-time", "success-response": true}, {"enabled": true, "name": "guest-get-time", "success-response": true}, {"enabled": true, "name": "guest-ping", "success-response": true}, {"enabled": true, "name": "guest-sync", "success-response": true}, {"enabled": true, "name": "guest-sync-delimited", "success-response": true}]}}


    {
    "execute":"guest-exec",
    "arguments":{
    "path":"/bin/sh",
    "arg":["-c","echo hacked > /root/pwned"],
    "capture-output":false
    }
    }
    {"return": {"pid": 912}}



    3. Full-disk encryption

    The VPS provider can copy and mount a user's disk, so disk encryption is necessary. But full-disk encryption reduces disk performance; a compromise is to create a dedicated partition just for keys and encrypt only that partition.



    I've heard the VPS provider can also take snapshots and read memory? That seems impossible to fully guard against.
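Added here as an illustration for points 1 and 2 (this is not code from the original post): a small Python audit that flags the qemu-guest-agent RPCs which give the hypervisor side code execution, file access or credential control, renders a qemu-ga.conf fragment that blocks them, and scans a cloud-init user-data blob for top-level keys that run code on first boot. The guest-info reply and user-data are constructed samples modelled on the output quoted above; the `block-rpcs` config key is assumed from recent qemu-ga releases (older ones spell it `blacklist`).

```python
import json
import re

# RPCs through which the hypervisor side can run code, read or write files, or
# change credentials in the guest (picked for this example from the guest-info
# reply quoted above; not an official QEMU classification).
HIGH_IMPACT_RPCS = {
    "guest-exec", "guest-exec-status", "guest-file-open", "guest-file-read",
    "guest-file-write", "guest-ssh-add-authorized-keys",
    "guest-ssh-remove-authorized-keys", "guest-set-user-password",
}
# Top-level cloud-config keys that can install or run code on first boot.
EXEC_KEYS = {"runcmd", "bootcmd", "packages", "write_files"}

def enabled_high_impact_rpcs(guest_info_reply: str) -> list[str]:
    """Parse a raw 'guest-info' reply and return the enabled high-impact RPCs."""
    cmds = json.loads(guest_info_reply)["return"]["supported_commands"]
    return sorted(c["name"] for c in cmds
                  if c["enabled"] and c["name"] in HIGH_IMPACT_RPCS)

def block_rpcs_config(names: list[str]) -> str:
    """Render an /etc/qemu/qemu-ga.conf fragment blocking the given RPCs.
    Assumes the 'block-rpcs' key (QEMU 7.1+); older agents spell it 'blacklist'."""
    return "[general]\nblock-rpcs=" + ",".join(names) + "\n"

def exec_keys_in_user_data(user_data: str) -> list[str]:
    """Return the top-level #cloud-config keys that can run code on first boot.
    Top-level keys start in column 0, so a line scan suffices; no YAML parser."""
    keys = re.findall(r"^([A-Za-z_][\w-]*):", user_data, flags=re.M)
    return sorted(set(keys) & EXEC_KEYS)

# Constructed sample data modelled on the output quoted in the post.
SAMPLE_GUEST_INFO = json.dumps({"return": {"version": "10.0.7", "supported_commands": [
    {"enabled": True, "name": "guest-ping", "success-response": True},
    {"enabled": True, "name": "guest-exec", "success-response": True},
    {"enabled": True, "name": "guest-file-write", "success-response": True},
    {"enabled": False, "name": "guest-set-user-password", "success-response": True},
    {"enabled": True, "name": "guest-ssh-add-authorized-keys", "success-response": True},
]}})
SAMPLE_USER_DATA = """#cloud-config
hostname: vps-01
ssh_authorized_keys:
  - ssh-ed25519 AAAAC3...constructed... ops@example
runcmd:
  - apt-get install -y vendor-monitor-agent
"""

if __name__ == "__main__":
    print(block_rpcs_config(enabled_high_impact_rpcs(SAMPLE_GUEST_INFO)), end="")
    print("cloud-init keys that run code:", exec_keys_in_user_data(SAMPLE_USER_DATA))
```

On a live guest, feed it the reply from `/etc/qemu/qemu-ga.conf`-managed qemu-ga and the user-data under `/var/lib/cloud/instance/`; if you do not need the agent at all, stopping and disabling the qemu-guest-agent service removes the channel entirely, which is the post's own recommendation.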
    3 replies    2026-02-06 15:07:07 +08:00
    1  aminobody  ·  17 hours 41 minutes ago
    If you care that much, dd it as soon as you get it.
    2  Chingjyu  ·  17 hours 40 minutes ago
    Reinstall the system as soon as you get it.
    3  miyuki  ·  17 hours 14 minutes ago
    fail2ban