tongcheng-security-team / NextScan

飞刃 is a complete enterprise-grade black-box vulnerability scanning system that integrates vulnerability scanning, vulnerability management, asset scanning, crawling and other services. It has a powerful vulnerability detection engine and a rich plugin library covering many vulnerability types and application frameworks.
https://next-scan.ly.com/user-guide/start/

minio exposed externally without authorization #16

Closed saf3d0s closed 1 year ago

saf3d0s commented 1 year ago

If you deploy with the official docker defaults, port 9000 is exposed externally, and you can log in with the default password: http://ns-minio:9000 vi75e hFimqbrlBE;

Even without using the default password, simply visiting the following address gets you into the minio backend: :9000/minio/next-scan/

djerryz commented 1 year ago

Try this:

```yaml
version: '3'
# redis, mongo and etcd must be installed
services:
  web:
    image: "lysec/ns-admin:latest"
    networks:
      scanner_node:
        ipv4_address: 172.2.0.4
    depends_on:
      - redis
      - mongo
      - etcd
      - minio
      - createbuckets
    container_name: ns-admin
#    volumes:
#      # config file
#    - ./conf.ini:/go/next-scan/conf.ini
  redis:
    image: "redis:alpine"
    command:
      # redis password, change if needed
      --requirepass "3d7a6447328dcde6"
    container_name: ns-redis
    networks:
      scanner_node:
        ipv4_address: 172.2.0.5
  mongo:
    image: "mongo:4.2.23"
    networks:
      scanner_node:
        ipv4_address: 172.2.0.6
    command: [--auth]
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: root
      MONGO_DATABASE: NextScan
      MONGO_USERNAME: NextScan
      # password for the NextScan database
      MONGO_PASSWORD: 56074e26d5a39aad
    volumes:
      - ./mongo/init:/docker-entrypoint-initdb.d
      - ./mongo/data:/data/db
    container_name: ns-mongo
  etcd:
    image: "bitnami/etcd:3.5.6"
    environment:
      # etcd root user password
      - ETCD_ROOT_PASSWORD=0117be99f79bf9e2
    container_name: ns-etcd
    networks:
      scanner_node:
        ipv4_address: 172.2.0.7 # must be set, otherwise the service is not on the same network and cannot be reached
  minio:
    image: minio/minio:RELEASE.2021-04-18T19-26-29Z
    container_name: ns-minio
    networks:
      scanner_node:
        ipv4_address: 172.2.0.8
    volumes:
      - ./minio/data:/data
    environment:
      MINIO_ACCESS_KEY: "vi75e"
      MINIO_SECRET_KEY: "hFimqbrlBE"
    command: server /data
    restart: always
  createbuckets:
    image: minio/mc
    container_name: ns-minio-buckets
    networks:
      scanner_node:
        ipv4_address: 172.2.0.9
    depends_on:
      - minio
    entrypoint: >
      /bin/sh -c "
      sleep 10;
      /usr/bin/mc alias set myminio http://ns-minio:9000 vi75e hFimqbrlBE;
      /usr/bin/mc mb myminio/next-scan;
      /usr/bin/mc anonymous set download myminio/next-scan;
      exit 0;
      "
  scan:
    image: "lysec/ns-scan:latest"
    depends_on:
      - web
    container_name: ns-scan
    networks:
      scanner_node:
        ipv4_address: 172.2.0.10
  craw:
    image: "lysec/ns-craw:latest"
    depends_on:
      - web
    container_name: ns-craw
    networks:
      scanner_node:
        ipv4_address: 172.2.0.11
networks:
  scanner_node:
    ipam:
      driver: default
      config:
        - subnet: 172.2.0.0/16
```

Configuring a single web forward to 172.2.0.4:80 is enough to keep the exposed surface minimal.
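A small audit script for the three exposure patterns this issue describes (MinIO port 9000 published on the host, the default access/secret keys quoted above still in use, and the bucket made anonymously readable by the `mc` step). This is an added example, not part of NextScan; it is a line-based check that assumes the two-space, one-key-per-line layout of the compose file above rather than a full YAML parse, and the sample compose it embeds is constructed.

```python
import re

# Default MinIO keys quoted in the issue above; a deployment should never still use them.
DEFAULT_MINIO_KEYS = {"MINIO_ACCESS_KEY": "vi75e", "MINIO_SECRET_KEY": "hFimqbrlBE"}
# Compose port entries such as - "9000:9000" or - 0.0.0.0:9000:9000/tcp
PORT_RE = re.compile(r'^-\s*"?(?:[\w.]+:)?(\d+):\d+(?:/\w+)?"?$')
# mc commands (current and legacy syntax) that make a bucket anonymously readable
ANON_RE = re.compile(r"mc\s+(?:anonymous|policy)\s+set\s+(?:download|public)\b")


def audit_compose(text: str) -> list[str]:
    """Line-based audit; assumes two-space indents with one key per line (see lead-in)."""
    findings, service, in_ports = [], "", False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and body.endswith(":"):          # service name
            service, in_ports = body[:-1], False
        elif indent == 4:                               # service-level key
            in_ports = body == "ports:"
        if in_ports and indent > 4:
            m = PORT_RE.match(body)
            if m and m.group(1) == "9000":
                findings.append(f"{service}: MinIO port 9000 is published on the host")
        key, sep, value = body.partition(":")
        if sep and value.strip().strip("\"'") == DEFAULT_MINIO_KEYS.get(key):
            findings.append(f"{service}: {key} still uses the default value from the issue")
        if ANON_RE.search(body):
            findings.append(f"{service}: bucket made anonymously readable by '{body}'")
    return findings


# Constructed sample reproducing the reported misconfiguration (not a real deployment).
VULNERABLE_COMPOSE = """services:
  minio:
    image: minio/minio
    ports:
      - "9000:9000"
    environment:
      MINIO_ACCESS_KEY: "vi75e"
      MINIO_SECRET_KEY: "hFimqbrlBE"
  createbuckets:
    entrypoint: >
      /bin/sh -c "/usr/bin/mc anonymous set download myminio/next-scan;"
"""

if __name__ == "__main__":
    for finding in audit_compose(VULNERABLE_COMPOSE):
        print(finding)
```

A compose file that publishes no MinIO port, reads the keys from the environment and only creates the bucket (no anonymous policy) produces no findings.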