Ollama Unauthorized Access Vulnerability: Principles, Protection, and Insights

1. What Happened?

Ollama is server-side software for large language models. By default it binds to 127.0.0.1:11434 on startup, and in this binding mode only the local machine can access Ollama.

If you want to expose the Ollama service to other machines, the official documentation says an administrator can do so by configuring OLLAMA_HOST=http://0.0.0.0:11434.

However, this exposes the Ollama service on all interfaces, allowing any user to access the deployed service without authentication.

This feature was introduced by this commit.

2. How to Protect?

For Ollama Service Administrators

Do not expose the service directly by setting OLLAMA_HOST to http://0.0.0.0:11434. The correct approach is to put a web middleware such as Nginx or Caddy in front of Ollama, proxy requests to Ollama through it, and handle authentication in that middleware. Nginx and Caddy provide many different authentication services. This is also the approach Ollama officially recommends; the suggestion was given by the author of Ollama in reply to this issue.

For Security Teams

You can find traces of the Ollama service from many clues, so there are many ways to address the issue.

From a risk perspective, the first priority is to check whether you have an Ollama service exposed to the public internet. Some attack surface management software should have this capability.

If you find that your company has an Ollama service exposed to the public internet, you face a bigger problem than the Ollama exposure itself. Perhaps the question you should be answering is how this Ollama service could be exposed to the public internet at all. Does the dev team also have the capability to expose an unauthenticated database or a log file with sensitive data? If so, the security team is in big trouble.

There are other ways to make sure you are not affected by this issue, such as checking traffic logs on the NDR, process logs collected by the EDR, and traffic logs in L7 proxy middleware.

3. What's the Current State of Cyber Attacks?

I deployed an Ollama honeypot on a Tencent Cloud server. The honeypot listens on the same port as the Ollama service and returns data in the same format as Ollama. Its core code is open source: https://github.com/imfht/hollama.

Less than a day after I deployed the honeypot, it received probing requests from security enthusiasts. The IP 202.xx.xx.55 accessed the root directory on port 11434 of the honeypot and, five hours later, visited the `/api/tags` path. In Ollama's design, this path is used to return the available models, so it can be reasonably concluded that this was a targeted probe for the Ollama service.

The honeypot was online for about 10 days and captured 310 probe requests in total. No packets with attack behavior were received, only probe messages.

Here are some statistics.

Request Data

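| method | path | cnt |
|---|---|---|
| GET | / | 183 |
| GET | /favicon.ico | 41 |
| GET | /api/tags | 46 |
| GET | /robots.txt | 6 |
| GET | /.well-known/security.txt | 3 |
| GET | /api/version | 20 |
| HEAD | / | 1 |
| GET | /sitemap.xml | 3 |
| GET | /config.json | 3 |
| GET | /v1/models | 4 |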

User Agent

When the User-Agent is not specially configured, zgrab, fasthttp and python requests are used relatively frequently.

| ua | distinct_ip_count |
|---|---|
| Mozilla/5.0 zgrab/0.x | 12 |
| python-requests | 11 |
| fasthttp | 6 |
| curl | 4 |
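
The proxy-log check suggested for security teams, using the Ollama-specific paths from the request table, as an added example (not code from the original post or from hollama). It assumes nginx's combined access log format from a reverse proxy in front of Ollama; the function names, sample log lines and IP addresses are constructed for illustration.

```python
import re

# Paths from the post's request table that are specific to an Ollama-style API.
OLLAMA_PATHS = {"/api/tags", "/api/version", "/v1/models"}

# Assumption: nginx "combined" format; the third field is the authenticated user.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET / HTTP/1.1" 200 17 "-" "Mozilla/5.0 zgrab/0.x"',
    '203.0.113.7 - - [01/Jan/2025:15:00:00 +0000] "GET /api/tags HTTP/1.1" 200 312 "-" "Mozilla/5.0 zgrab/0.x"',
    '198.51.100.9 - - [01/Jan/2025:16:00:00 +0000] "GET /api/version HTTP/1.1" 401 179 "-" "python-requests"',
    '198.51.100.20 - alice [01/Jan/2025:16:05:00 +0000] "GET /api/tags HTTP/1.1" 200 312 "-" "curl"',
    '192.0.2.5 - - [01/Jan/2025:17:00:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "fasthttp"',
]

def unauthenticated_ollama_requests(lines):
    """Group unauthenticated requests for Ollama-specific paths by client IP."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an access-log line in the assumed format
        path = m["path"].split("?", 1)[0]
        if path not in OLLAMA_PATHS or m["user"] != "-":
            continue  # generic crawling, or a request that passed proxy auth
        entry = report.setdefault(
            m["ip"], {"paths": set(), "uas": set(), "answered": False})
        entry["paths"].add(path)
        entry["uas"].add(m["ua"])
        # A 2xx status with no user means the API answered without authentication.
        entry["answered"] |= m["status"].startswith("2")
    return report

def exposed_to(report):
    """Client IPs that received an API answer without authenticating."""
    return sorted(ip for ip, e in report.items() if e["answered"])

if __name__ == "__main__":
    report = unauthenticated_ollama_requests(SAMPLE_LOG)
    for ip in sorted(report):
        print(ip, sorted(report[ip]["paths"]), sorted(report[ip]["uas"]))
    print("answered without auth:", exposed_to(report))
```

Any IP returned by `exposed_to` means the proxy served an Ollama API path without authentication, which is the misconfiguration this post describes.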

Summary

Developers and resource owners should be cautious when configuring any service bound to 0.0.0.0, especially when there is no intranet isolation.

In an enterprise, development teams should not have the authority to expose services directly to the public internet.

My honeypot has not observed any malicious requests to the Ollama service so far, and it is speculated that there are currently no vulnerabilities that can directly steal data or obtain server permissions.

Update

Ollama had an RCE vulnerability, but it was already fixed in June 2024. No signs of exploitation were observed in the honeypot traffic.
