0,Cloudera 管理页面相关debug端口
- CDH 管理页面相关端口:
Cloudera Management Service 配置 --> 相关debug端口:8087,8084,8091,8086)
1,Hadoop端口未授权访问
- 解决方案:https://hadoop.apache.org/docs/stable/hadoop-project-dist/hadoop-common/HttpAuthentication.html
- cloudera管理页面,配置hdfs
#配置修改:搜索auth
hadoop.security.authorization ==> true (勾选)
hadoop.http.authentication.type ==> simple
#配置修改:搜索core-site.xml,选择【core-site.xml 的群集范围高级配置代码段(安全阀)】,添加如下配置
hadoop.http.filter.initializers ==> org.apache.hadoop.security.AuthenticationFilterInitializer
hadoop.http.authentication.simple.anonymous.allowed ==> false
#设置--仅某用户可访问(可选): /opt/cloudera/hadoop-http-auth-signature-secret ==> /opt/cloudera/hadoop-http-auth-signature-secret
# [root@c73 ~]# cat /opt/cloudera/hadoop-http-auth-signature-secret
# hdfsadmin
访问hadoop web页面
-
hdfs-50070 (正确访问方式:
http://ip:50070?user.name=hdfs)
-
yarn-8088 (正确访问方式:
http://ip:8088/cluster?user.name=hdfs)
2,检测Jetty版本漏洞
- CVE-2019-10247:Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older
- CVE-2022-2048: Jetty 9.4.46及之前版本、10.0.9 及之前版本、11.0.9及之前版本
- CVE-2017-7657: Jetty versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x
临时修复办法:直接修改jetty版本号
- vim jetty-xx.jar
: %s @旧版本号@新版本号@g,例如:: %s @9.3.25.v20180904@9.4.49.v20220914@g - jetty版本号参考:https://www.eclipse.org/jetty/download.php
- 验证是否生效:http://ip:60010 (hbase web ui页面,f12查看header, 其中有Jetty version信息)
[root@c73 ~]# ls /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty* |awk '{print "vim ",$0}' > /tmp/1.sh
[root@c73 ~]# cat /tmp/1.sh
vim /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty-6.1.26.jar
vim /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty-annotations-9.3.25.v20180904.jar
vim /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty-client-9.3.25.v20180904.jar
...
vim /opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty-xml-9.3.25.v20180904.jar
[root@c73 ~]# sh /tmp/1.sh
Manifest-Version: 1.0
Created-By: Apache Maven Bundle Plugin
Built-By: jesse
Build-Jdk: 9.0.4
Implementation-Vendor: Eclipse.org - Jetty
Implementation-Version: 9.4.49.v20220914
url: http://www.eclipse.org/jetty
Bnd-LastModified: 1536096335442
Bundle-Classpath: .
Bundle-Copyright: Copyright (c) 2008-2017 Mort Bay Consulting Pty. Ltd
....
/opt/cloudera/parcels/CDH-6.3.2-1.cdh6.3.2.p0.1605554/jars/jetty-annotations-9.3.25.v20180904.jar [RO] 5,1 3%
:%s @9.3.25.v20180904@9.4.49.v20220914@g