Spotlight | Reviews | Current Issue | Academy | Newsletter | Subscribe | Shop |
News
Features
Blogs
RSS Feeds
White Papers
Conference Videos
Departments
Current Issue
Special Editions
Spotlight
Reviews
Event Calendar
Archives
Article Code

Partner Links
Make your own website
WinWeb OnlineOffice
Comparing prices of hardware is worth it.
Price Comparison
UK Linux Jobs
What:
Where:
Country:
vacatures Netherlands njobs Linux vacatures
arbeit Deutschland njobs Linux arbeit
work United Kingdom njobs Linux jobs
Lavoro Italia njobs Linux lavoro
Emploi France njobs Linux emploi
trabajo Espana njobs Linux trabajo

user friendly

Admin Magazine

ADMIN Network & Security

Subscribe now and save!

ADMIN - Explore the new world of system administration! Special introductory offer! Order by September 30th to save 10% off the regular subscription price! Each issue delivers technical solutions to the real-world problems you face every day. Learn the latest techniques for better:

  • network security
  • system management
  • troubleshooting
  • performance tuning
  • virtualization
  • cloud computing

 

on Windows, Linux, Solaris, and popular varieties of Unix.

http://www.admin-magazine.com/

  linux-magazine.com » Online » News » (Update:) Fedora: Chronicle of a Server Break-in  

Print this page. Recommend
Share

(Update:) Fedora: Chronicle of a Server Break-in

Mar 31, 2009

In August 2008, the Fedora team noticed irregularities on its server. Project leader Paul W. Frields has now released a detailed report of the break-in.

Paul Frields's Update and Report on Fedora August 2008 Intrusion on the fedora-announce-list reads like a detective novel. It all started on August 12, 2008, when a cron job on a Fedora host reported an error. While reviewing the logs, Fedora admins found a change in the package complement that no one could explain. On short notice, the changes turned out to be tampering by an intruder. The project notified the community of the break-in and promptly pulled the server off the net.

It's now become clear how the rogue entered the server structure: he used no hacker tools, but simply authenticated himself using a copy of an SSH private key that was not passphrase-protected. The key belonged to a Fedora admin and in the log entries it showed that the intruder also cracked or knew the admin's password. How the intruder got to the SSH private key, however, nobody knows.

One of the compromised computers also contained the Fedora package signing key. The intruder created modified versions of the two packages OpenSSH and RPM to get to user passwords and, eventually, the password for the package signing key. Had he been successful, he could have introduced fraudulent packages into the repository. Fortunately the investigation found that
Fedora admins discovered the modified packages before anyone could use the server for package signing.

To mitigate any risk of this ever happening again, the Fedora project quickly rebuilt their entire infrastructure, generated new package signing keys and came up with a new security policy. In a week the most essential systems were back to normal and all admins got new SSH keys. A new repo security policy also required Fedora admin groups to use passphrases on their private keys, a definite break from the past.

Frields assured users that no compromised packages were ever delivered as a result of this break-in, either from the master repository or the mirror sites. He went on to thank the Red Hat security response team for their timely assistance.

(Marcel Hilzinger)

Comments

Server

Susan Jul 23, 2009 3:16pm GMT

I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Susan

<a href="http://8080proxy.com">http://8080proxy.com</a>

Debian timing?

Mackenzie Apr 07, 2009 8:55pm GMT

Given the timing, I wonder if he didn't have his passphrase-less SSH key stored on a machine to which a Debian/Ubuntu user had SSH access. This was *right* after the Debian OpenSSL thing, and a lot of people thought "that's a Debian problem, I'm fine" ignoring that they had Debian-sourced SSH keys on their systems from other users.

SELinux is still secure

loupgaroublond Apr 06, 2009 5:07pm GMT

This kind of attack can't be mitigated with SELinux. The credentials of a user with administrator access was compromised. Don't start spreading FUD that SELinux is insecure, when no other security layer would have protected Fedora.

Re: Corrections

Britta Wuelfing Apr 06, 2009 3:50pm GMT

Sorry about the mistake, it got in with the translation. Originally Marcel described it differently, and we've changed that paragraph according to his text. The true crime story obviously was a temptation to make up a slightly different novel. We apologize!

Fedora compromised. Ironic since it is presumably SELINUX protected?

pgmer6809 Apr 05, 2009 11:52pm GMT

I have been running a Centos based server for years, but avoided Fedora, in part because I cant stand the hassle that SELINUX imposes by default. I find it very ironic that the one distro which pushes SELINUX is the one that was compromised.

pgmer6809

Corrections.

Paul W. Frields Apr 03, 2009 5:00pm GMT

In the third paragraph, you appear to refer to the Fedora package signing key, claiming that the intruder "used this key to create modified versions of OpenSSH and RPM." This is false, and our announcement plainly states that our investigation has supported that the intruder did not gain access to this key. Moreover, even had the intruder gained such access, he would need a different passphrase to use it to fraudulently sign packages. Again, our investigation showed this was not the case.

I still love fedora

lily Apr 02, 2009 6:29pm GMT

I really dont care. I love fedora and all its features:
The cron may report an error but that hardly matters to my servers

was reading how to Set up RPM Fusion with Fedora to shore up multimedia support
http://www.techunits.com/linux/list/fedora

Print this page. Recommend
Share
Related Articles
Fedora converts package keys
OpenSUSE Henceforth Without EULA
Fedora Jumps into the Trademark Guidelines Ring
Fedora Awards Student Scholarships
Fedora 11 Seeks Testers on Way to Beta
Fedora Investigates Security Incident
Get your backstage pass to Linux!

If you're ready for a deeper look, Linux Magazine gives you a view behind the scenes.

Don't miss out on the tools, tutorials, and reviews you'll need to unlock the secrets of Linux.

more...

In the US and Canada, Linux Magazine is known as Linux Pro Magazine.

© 2012Linux New Media USA, LLC

Linux New Media Websites
International: [Linux Magazine] [ADMIN Magazine] [Ubuntu User] [Smart Developer] [Linux Magazine Academy]
North America: [Linux Pro Magazine] [ADMIN Magazine] [Ubuntu User] [Smart Developer]
Germany: [Linux-Magazin] [ADMIN Magazin] [LinuxUser] [EasyLinux] [Linux-Community]
[Ubuntu User] [Smart Developer] [Android User] [Linux-Magazin Academy]
Poland: [Linux Magazine] [EasyLinux]
Spain: [Linux Magazine] [Ubunutu User]
Netherlands: [Linux Magazine Academy]
Brazil: [Linux Magazine] [ADMIN Magazine] [Ubuntu User] [Guia de TI]