Security Software Linux

Ubuntu Servers Hacked 330

Posted by CmdrTaco
from the zomg-alert-the-media dept.
An anonymous reader noted that "Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn't be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame: the community administrators for bad security practices, such as using unencrypted FTP transfers with accounts and not properly maintaining the system; however, Canonical should have been well aware of what they were hosting. The question remains whether any of the files distributed to users have been compromised. A major blow for Canonical, though, who are attempting to enter the business market with Ubuntu Server."

  • by QuantumRiff (120817) on Wednesday August 15, 2007 @10:42AM (#20236563)
    Since this is a community based, open source project, I would love in the near future (after the investigation and cleanup are done) to read about how they determined that the machines were compromised, what the attackers did, and more importantly, how Ubuntu cleaned them up...

    This could really help the community as a whole, and I know I would enjoy reading it.
  • The real test (Score:5, Interesting)

    by ZachPruckowski (918562) <zachary.pruckowski@gmail.com> on Wednesday August 15, 2007 @10:46AM (#20236611)
    The real test is how they react to this, and how they clean up their mess. Everyone screws up, but what separates good people from bad is how they react to problems and screw-ups.

    It sounds like that part at least is still underway, with a meeting (FTA) in "#ubuntu-locoteams on Tuesday, August 14, 2007 at 2:00PM UTC". Seeing as that's yesterday, we should probably reserve judgement a day or two to see how they respond.
  • Re:sftp (Score:5, Interesting)

    by Anonymous Coward on Wednesday August 15, 2007 @11:29AM (#20237263)
    sftp and scp STILL do not allow anything like a REGET operation. Whenever anyone mentions this they get shot down in flames.
  • by gmack (197796) <{ten.erifrenni} {ta} {kcamg}> on Wednesday August 15, 2007 @11:31AM (#20237307) Homepage Journal

    It's important to note that the servers may not have been actually rooted. There are a large number of ssh dictionary break-in attempts on every machine I administrate on several completely different IP blocks. The worst hit is usually my personal server that tended to get hit with several thousand attempts per hour (enough that legitimate logins were a problem) before I installed countermeasures. Even now the countermeasures are locking out 5 to 8 hosts per day.

    They have managed to get user accounts on a few occasions and most of the time they never even attempt to gain root. They just start scanning for new hosts.

    I'm now running a python script called DenyHosts [howtoforge.com] to find and lock out dictionary attacks. "apt-get install denyhosts" for Debian users. Even on much more liberal settings than the default it's lowered my CPU load considerably and locks out attacks in the first minute rather than the hour it would otherwise take me to notice.

  • by bealzabobs_youruncle (971430) on Wednesday August 15, 2007 @11:35AM (#20237365)
    to replace the horrid orange and brown default themes.

    I used to be an ardent Ubuntu supporter but since Dapper and the wider adoption there has been too much emphasis on making things more Windows-like and less on best practices throughout the Ubuntu community (note I said the community, not the developers). Stuff like Automatix and the general feeling that any script or line of code that is posted on the Ubuntu forums is guaranteed safe has led to lax standards. I've brought this up a couple of times and any valid discussion quickly descends into a flame-fest and the mods (rightly so) lock it down.

    The Ubuntu community has bent over backwards so far to prove they can include everyone that they lost sight of many of the things that make Linux a better choice for many people; time to get back to fundamentals and best practices, the sooner the better. Stop worrying about besting Windows at every silly thing (ahem, desktop transparency), stop trying to include aunt Tilly (who is never going to "switch" anyway) and remember that some things take more effort but are often worth it.

  • by twitter (104583) on Wednesday August 15, 2007 @11:37AM (#20237387) Homepage Journal

    How insecure is it to leave a system accessible to Windows users on any front?

    I won't give a gnu/linux account to any windows user because a minimum of 25% of them are part of a keylogging botnet [slashdot.org]. They are liable to access my machines from windoze and things go downhill from there, even if they use a better client. A system is only as strong as its weakest link.

    Ubuntu itself is dangerous because it includes non-free software like Adobe Flash, but this should not be of concern to business users. These dangers are orders of magnitude smaller than those faced by windoze users, but Ubuntu needs more shelter and care than Debian itself. No gnu/linux system is in danger of being auto-rooted like a windoze machine. Business users should continue their move to gnu/linux systems like Ubuntu.

  • by discord5 (798235) on Wednesday August 15, 2007 @11:40AM (#20237429)

    Unless we're going to be composing a Linux Administration HOWTO: Best of Bloopers.

    I could fill about a 100 pages on my own from stupid things I've done and stupid things I've seen coworkers/customers do.

    The funniest one is still one where one of my coworkers nuked /lib on a fairly important machine unintentionally because he just loves his spacebar:

    rm -f /home/user/project /lib/*

    Upon which, of course, he proceeded to ask everyone "Hey, suppose I deleted something like /lib, is there a way to get it back?", followed by 10 people laughing, followed by a minute of silence as soon as we realized what machine he had just done that on. He never got a root password for an important server after that incident. In hindsight, that was a funny incident, and a valuable lesson to us all (we all became paranoid about rereading what we just typed).

    Yes, we had backups... Yes, tape drives are still slow

  • by Pecisk (688001) on Wednesday August 15, 2007 @11:41AM (#20237445)
    It just became obvious recently that open source publishes their breaks as they are, because they can't actually hide anything. I bet breaks in corporation servers are so frequent that it is common practice to be silent about them.

    In the meantime, there is a tradeoff between having one LTS release, which has a rather old kernel with old drivers, and a new one, which has 18 months of support but has everything up to date, including unstable stuff of course. But in fact it doesn't even matter, because the admin is the one in charge.

    So Linux is more secure than Windows? You bet. Then why do such break-ins happen? Because of lazy or hobbyist admins who have no time or maybe not enough knowledge to lock down the server to protect it from attacks. To lock down such a Windows server/workstation is much harder because of the "black box" mentality such software has. But it is also possible.

    So in summary - it is the admins who are the guilty persons here. Ubuntu Dapper and Feisty are secure enough releases to keep them locked down without causing trouble for services. And ohh, be careful which persons you give access to and have a good password management system.
  • by nuzak (959558) on Wednesday August 15, 2007 @02:10PM (#20239311) Journal
    Do you have a specific complaint, or is it just that the uncool kids are getting into the clubhouse? If you think the interface has gotten oversimplified, switch to kubuntu.
  • by saintlupus (227599) on Wednesday August 15, 2007 @03:25PM (#20240287) Homepage
    Just to mention, there are some interesting attacks against DenyHosts; check the bugtraq archives for details. Spoofed source packets can be used to block login attempts from any network address, for example, which can be... problematic.

    --saint
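    The DenyHosts-style lockout gmack describes, together with saintlupus's caveat about a blocker that can be steered into banning arbitrary addresses, as an added example; this is not the thread's code and not DenyHosts' own, but a minimal model of the same idea. The log lines are constructed (documentation address ranges, not real hosts), and the threshold, window and allowlist values are assumptions to tune for a real server.

```python
"""Added example (not DenyHosts' code): a minimal SSH dictionary-attack
detector in the style of DenyHosts, with two safeguards the thread raises:
a sliding time window with a threshold, and an allowlist of trusted
addresses that are reported but never locked out."""
import re
from collections import defaultdict
from datetime import datetime

# Strict pattern for OpenSSH's "Failed password" line. A line that does not
# match this exact shape is ignored rather than guessed at.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample auth.log lines; the addresses are documentation ranges,
# not real hosts. 192.0.2.10 stands in for the administrator's own workstation.
SAMPLE_LOG = """\
Aug 15 10:40:01 srv sshd[2001]: Accepted publickey for stuart from 192.0.2.10 port 50122 ssh2
Aug 15 10:40:05 srv sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 41001 ssh2
Aug 15 10:40:06 srv sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 41002 ssh2
Aug 15 10:40:07 srv sshd[2004]: Failed password for root from 203.0.113.7 port 41003 ssh2
Aug 15 10:40:08 srv sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 41004 ssh2
Aug 15 10:40:09 srv sshd[2006]: Failed password for invalid user guest from 203.0.113.7 port 41005 ssh2
Aug 15 10:41:30 srv sshd[2007]: Failed password for stuart from 192.0.2.10 port 50130 ssh2
Aug 15 10:41:31 srv sshd[2008]: Failed password for stuart from 192.0.2.10 port 50131 ssh2
Aug 15 10:41:32 srv sshd[2009]: Failed password for stuart from 192.0.2.10 port 50132 ssh2
Aug 15 10:41:32 srv sshd[2010]: Failed password for stuart from 192.0.2.10 port 50133 ssh2
Aug 15 10:41:32 srv sshd[2011]: Failed password for stuart from 192.0.2.10 port 50134 ssh2
Aug 15 10:55:00 srv sshd[2012]: Failed password for invalid user admin from 198.51.100.9 port 33000 ssh2
Aug 15 10:55:01 srv sshd[2013]: Failed password for invalid user admin from 198.51.100.9 port 33001 ssh2
Aug 15 10:56:00 srv sshd[2014]: Connection closed by 198.51.100.9 port 33002 [preauth]
"""


def failed_attempts(log_text):
    """Map each source address to the timestamps of its failed password logins.
    syslog lines carry no year, so times are parsed as-is (a simplification
    that only matters across a year boundary)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        attempts[m.group("ip")].append(ts)
    return attempts


def decide_lockouts(attempts, threshold=5, window_seconds=60, allowlist=frozenset()):
    """Return (to_block, flagged_trusted). An address is a candidate when it
    has `threshold` failures inside any `window_seconds` span. Allowlisted
    addresses are reported instead of blocked, so that attempts that merely
    appear to come from a trusted host cannot lock the administrator out."""
    to_block, flagged = set(), set()
    for ip, times in attempts.items():
        times = sorted(times)
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it covers at most window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                (flagged if ip in allowlist else to_block).add(ip)
                break
    return to_block, flagged


if __name__ == "__main__":
    attempts = failed_attempts(SAMPLE_LOG)
    block, flagged = decide_lockouts(attempts, allowlist=frozenset({"192.0.2.10"}))
    for ip in sorted(block):
        print(f"lock out {ip} ({len(attempts[ip])} failures)")
    for ip in sorted(flagged):
        print(f"trusted host {ip} exceeded the threshold; review, do not block")
```

    On the sample, 203.0.113.7 trips the threshold and is blocked, the administrator's own 192.0.2.10 trips it too but is only reported because it is allowlisted, and 198.51.100.9 stays under the limit. The allowlist is the cheap answer to the class of problem saintlupus mentions: whatever a blocker's input can be made to say, the addresses you cannot afford to lose must never be bannable.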
  • by samalone (707709) on Wednesday August 15, 2007 @04:20PM (#20241005) Homepage

    On my company's server, I solved the attempted SSH break-in problem by disabling password logins via SSH altogether. Only public-key logins are allowed. The break-in attempts have completely stopped (or at least they are turned away so quickly that there's not even a security log message for them).

    Only a few computers have my public/private key pair on them (the private key is encrypted, of course), and I keep an extra copy on a USB thumb drive in case of emergency. If someone needs access to the server, I can use one of the existing logins to install their public key so that they can log in.

    I highly recommend this solution to anyone who can manage it. It's much more straightforward than trying to maintain blacklists.

    --Stuart
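    Stuart's "public key only" policy, expressed as a check over an sshd_config file; this is an added example, not the thread's or OpenSSH's code. The two configurations are constructed samples, the parser applies sshd's first-occurrence-wins rule and ignores Match blocks (a simplification), and the DEFAULTS table assumes the OpenSSH defaults of the period (password and challenge-response authentication on, root login permitted).

```python
"""Added example: audit an sshd_config for a key-only login policy.
Not OpenSSH's own code; a small parser plus a few policy checks."""

# Constructed sample: the common out-of-the-box shape, passwords still allowed.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: the policy Stuart describes.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# Assumed defaults (OpenSSH of the period) used when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}


def parse_sshd_config(text):
    """Return {keyword_lower: value_lower}. sshd honours the first occurrence
    of a keyword, so later duplicates are ignored. Comments and blank lines
    are skipped; everything after a Match line is dropped because those
    values apply only conditionally (simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_key_only(text):
    """Return a list of findings; an empty list means the file enforces
    public-key-only logins as far as these keywords are concerned."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication should be 'no'")
    if cfg["challengeresponseauthentication"] != "no":
        # keyboard-interactive auth can still prompt for a password via PAM
        findings.append("ChallengeResponseAuthentication should be 'no'")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication must be 'yes' or nobody can log in")
    if cfg["permitrootlogin"] not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'without-password'")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        problems = audit_key_only(text)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

    The same checks can be run against the effective configuration rather than the file, by feeding the output of `sshd -T` to `audit_key_only`, which is the more reliable input when the file has several include or Match sections. Keep one working session open while changing these settings: a typo in PubkeyAuthentication with PasswordAuthentication already off locks everyone out, which is exactly why the check refuses a configuration where public keys are not explicitly enabled.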

  • by crabpeople (720852) on Wednesday August 15, 2007 @08:01PM (#20243275) Journal
    At least he had the courage to post under his own username.

    How are those peaceful protests working out for you anyway? Weed is still illegal, the war in Iraq went on, and the disparity between the rich and poor is stronger than ever. If one person throws a brick, he's a vandal; if a hundred thousand do it, it's a revolution. That's actually my main problem with protests, their peaceful nature. It's almost like the people just want a shell of a protest to look "cool" while in reality risking nothing of substance for the cause they are fighting for.

    That's also why I admire martyrs, but now I've just gone and marked myself as an offtopic troll.

  • by rtb61 (674572) on Wednesday August 15, 2007 @09:49PM (#20244303) Homepage
    Technically speaking, if there was high-pitched wailing every time a windows server got hacked (these were not Canonical servers; they just pay for them for use and care by others), then nearby star systems would start complaining about the noise.

    Could you imagine the data load if everybody wanted the information about how every windows server that ever got hacked (I assume M$ takes greater care of its servers than general users, just as Canonical does).

  • by xenocide2 (231786) on Thursday August 16, 2007 @03:19AM (#20246271) Homepage

    And up until last week the most frequent answer on the Ubuntu forums for many questions was "use Automatix".
    Possibly because web forum software is horrible on all fronts. It caters to a narrow, dangerous audience of experienced people who should know better: people who have been using the internet for long enough to know what a "web forum" is, but aren't familiar with mailing lists and IRC. So the forums were never planned for, but eventually it was felt that the forums should be integrated rather than continue to grow and divide the community.

    Automatix in particular is a fantastic story of why I avoid forums. Automatix began life as a bash script under a different title by someone other than "arnieboy", and shared by a sticky forum thread. A marginal step up from guides telling you what commands to run to enable various things, etc. Based on a fundamental misunderstanding of copyright, licensing and the GPL, Automatix was born as a fork of this script [freecontrib.org], featuring numerous dubious personalizations that might be okay for arnieboy to accept but aren't good suggestions (such as enabling a root account). The forum admins have regularly played an active role, playing favorites amongst the various tools. Automatix at one point had its own 3rd-party project sub-forum, where apparently the traditional Ubuntu Code of Conduct did not apply ("his forum, his rules"). Eventually automatix was blamed for the failed upgrade of a number of users, and some people took to abusing a "popular searches" front page widget to advertise the phrase "automatix sucks", which was eventually fixed by telling the software that "automatix" was too common a word to search for, I think at the author's request.

    As things stand now, Automatix has its own forum and remains mostly antagonistic towards criticism. Its functionality has been largely duplicated, though it still serves a purpose: to commit copyright infringement via w32codecs etc. Ubuntu has tools that function very similarly to Automatix' normal behavior, and in some cases improve upon it. The codec detection stuff in totem is helpful, as you don't need to know about Automatix to learn how to make things work, though it doesn't install w32codecs. And the most significant, repeated complaint has not been solved: Automatix has scheduled for themselves a single week in which to test all bugs and upgrade flaws -- they plan to release one week before gutsy is published.

    A number of forum posts relating to this history have gone missing, which I disagree with. The proper thing to do in the face of misconduct is confront it and denounce it, not hide it by deletion. You might have the right to be offended by what people say, but not the right to erase history. Instead of the forums, use mailing lists and IRC when you feel like being sociable with other linux users, and launchpad's bugs and answers services if you have a problem.
