File size: 2,375 Bytes
020c337 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 | #!/usr/bin/python
# coding: utf-8
# -------------------------------------------------------------------
# 宝塔Linux面板
# -------------------------------------------------------------------
# Copyright (c) 2015-2099 宝塔软件(http://bt.cn) All rights reserved.
# -------------------------------------------------------------------
# Author: lkq <lkq@bt.cn>
# -------------------------------------------------------------------
# Time: 2022-08-10
# -------------------------------------------------------------------
# Docker API 未授权访问
# -------------------------------------------------------------------
# import sys, os
# os.chdir('/www/server/panel')
# sys.path.append("class/")
import public, os,requests
_title = 'Docker API 未授权访问'
_version = 1.0 # 版本
_ps = "Docker API 未授权访问" # 描述
_level = 3 # 风险级别: 1.提示(低) 2.警告(中) 3.危险(高)
_date = '2022-8-10' # 最后更新时间
_ignore = os.path.exists("data/warning/ignore/sw_docker_api.pl")
_tips = [
"在安全-系统防火墙将2375端口的来源设置为指定IP或域名",
"若不为业务需要,建议关闭该api"
]
_help = ''
_remind = '此方案可以修复Docker的未授权访问漏洞,防止攻击者利用Docker入侵服务器。需要对API访问进行限制,确保不会影响原有的网站业务运行。'
#
def get_local_ip():
'''获取内网IP'''
import socket
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(('8.8.8.8', 80))
ip = s.getsockname()[0]
return ip
finally:
s.close()
return '127.0.0.1'
def check_run():
'''
@name 面板登录告警是否开启
@time 2022-08-12
@author lkq@bt.cn
'''
try:
if os.path.exists("/lib/systemd/system/docker.service"):
data=public.ReadFile("/lib/systemd/system/docker.service")
if not data:return True, '无风险'
if '-H tcp://' in data:
datas=requests.get("http://{}:2375/info".format(get_local_ip()),timeout=1)
datas.json()
if 'KernelVersion' in datas.text and 'RegistryConfig' in datas.text and 'DockerRootDir' in datas.text:
return False,"Docker API 存在未授权访问"
return True, '无风险'
except:return True,"无风险" |