- 需求:hadoop集群,运行flink on yarn多个任务,被扫描出多个flink任务的未授权访问漏洞,主要是org.apache.flink.yarn.entrypoint.YarnJobClusterEntrypoint相关客户端进程
解决问题,暂用iptables 拦截访问
- 源漏洞主机:获取漏洞端口并自动添加防火墙规则(设置仅白名单访问)
bash
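# Address this host uses for the local probe below. `hostname -I` may print
# several addresses plus a trailing blank; the old `echo -n $IP` only trimmed
# whitespace, so with more than one address the probe URL was malformed.
# Keep only the first address.
IP=$(hostname -I | awk '{print $1}')
IP2=$IP
# Collect the listening TCP ports of every YarnJobClusterEntrypoint JVM whose
# REST endpoint /config?wt=json answers without authentication (the reply
# contains "flink-revision"). Result: space-separated list in $ports,
# e.g. "3123 2343". Done with plain loops instead of generating command lines
# from ps/ss output and piping them into `bash`, so no process output is ever
# re-evaluated by the shell.
# NOTE: `ss -p` only reports owning processes of other users when run as
# root; the iptables calls further down need root anyway.
ports=""
while IFS= read -r pid; do
  [[ -n "$pid" ]] || continue
  # Match "pid=NNN," exactly (the old `grep $2` matched the pid as a substring
  # of any number on the line) and strip the address from "addr:port" so
  # "*:3123", "0.0.0.0:3123" and "[::]:3123" all yield 3123.
  while IFS= read -r port; do
    [[ -n "$port" ]] || continue
    if curl -s --max-time 5 "http://${IP2}:${port}/config?wt=json" | grep -q flink-revision; then
      ports="${ports}${port} "
    fi
  done < <(ss -nltp 2>/dev/null | awk -v tag="pid=${pid}," '$1 == "LISTEN" && index($0, tag) { sub(/.*:/, "", $4); print $4 }')
done < <(pgrep -f org.apache.flink.yarn.entrypoint.YarnJobClusterEntrypoint)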
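#######################################
# Allow the whitelisted source addresses to reach TCP port $1 and drop every
# other source (the ACCEPT rules are appended before the DROP, so order in the
# INPUT chain is correct as long as this runs once per port).
# Arguments: $1 - TCP port number (digits only)
# Globals:   ips (written) - whitelist that was applied
# Outputs:   echoes each iptables command it ran to stdout
# Returns:   1 if the port is missing or not numeric, otherwise 0
# NOTE(review): only the two listed addresses survive the DROP; connections
# from this host's own address (e.g. the curl probe above) and from every
# other cluster node are dropped as well - confirm the list covers every
# client that must reach the port before rolling this out.
#######################################
dodrop(){
  local pp=$1
  if [[ ! "$pp" =~ ^[0-9]+$ ]]; then
    printf 'dodrop: invalid port %q\n' "$pp" >&2
    return 1
  fi
  ips=(192.168.56.12 192.168.56.13)
  local ip
  for ip in "${ips[@]}"; do
    iptables -A INPUT -p tcp --dport "$pp" -s "$ip" -j ACCEPT
    printf '%s\n' "iptables -A INPUT -p tcp --dport $pp -s $ip -j ACCEPT"
  done
  iptables -A INPUT -p tcp --dport "$pp" -j DROP
  printf '%s\n' "iptables -A INPUT -p tcp --dport $pp -j DROP"
}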
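# Walk the vulnerable ports and add iptables rules for any port not yet blocked.
# Globals: ports (read) - space-separated port list built above
# The old check `iptables -nL | grep DROP | grep $i` matched the port number as
# a substring of any field on a DROP line (e.g. "12" inside 192.168.56.12, or
# "312" inside dpt:3123), so a port could be reported as already blocked while
# it was still open. `iptables -C` tests for exactly the rule dodrop appends.
for i in $ports; do
  # Add rules only when the DROP rule for this port is absent.
  if ! iptables -C INPUT -p tcp --dport "$i" -j DROP 2>/dev/null; then
    printf '%s\n' "$i"
    dodrop "$i"
  fi
done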