The website of Apache was taken offline for several hours on Friday after the SSH remote administration key on one of its servers was compromised. SSH is a widely used technology for remote administration, so in the worst scenario the compromise created a means for hackers to upload Trojanised code onto the download section of …
Well, the impact might not be that big anyway. Only people downloading copies / patches in the timeframe where the server was compromised are at risk. Let's say the average lifetime of a webserver installation is 6 months, then one day's compromise is still less than one percent.
And I expect that the Apaches you get from various distribution repositories have had their source verified by some secure-ish hashing mechanism anyway.
Still a bummer. I'll install IIS on our servers as soon as I find out where they hide the versions that can run on real OSes.
leave apache alone
WTF they had SSH open to the world
It boggles the mind that a high-profile target like apache.org had its SSH port open to everyone.
Any admin worth their salt knows that you should have SSH and any other login protocols accessible only over the local network on a publicly visible target like that.
Happens more than we hear about.
Too bad OpenSSH doesn't have a "Use password AND Key" option which would have prevented this.
We can all learn from this...
After such a high profile site is compromised it serves as a good point in time to review all your systems to be sure you haven't made the same mistake...
1. Always use SSH password/passphrases on keys...
2. Make them complex and long.
3. Never allow inbound SSH to systems that can publish to the greater world, from the greater world.
4. Always check the checksums, but --not against-- the site you got the file from... Software companies need to start publishing and signing the checksums separate from the website.
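A small audit script in the spirit of point 1 above (added here as an example; it is not from the thread or from the OpenSSH project): it reads an OpenSSH private key file and reports whether it is passphrase-protected, so you can sweep your admins' key files after an incident like this. It understands both the modern `openssh-key-v1` container (a passphrase means the cipher and KDF fields are not `none`) and legacy PEM keys (a `Proc-Type: 4,ENCRYPTED` header). The embedded sample keys are constructed headers with no real key material.

```python
import base64
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 length prefix) starting at off."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + length], off + 4 + length


def key_is_passphrase_protected(pem_text: str) -> bool:
    """Return True if the private key text is encrypted with a passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(body, len(OPENSSH_MAGIC))  # e.g. aes256-ctr or none
        kdf, _ = _read_string(body, off)                      # e.g. bcrypt or none
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header line.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])


def audit_key_files(paths):
    """Map each key file path to True/False (passphrase-protected) for review."""
    return {str(p): key_is_passphrase_protected(Path(p).read_text()) for p in paths}


def _fake_openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build a constructed openssh-key-v1 header only (no real key material)."""
    def s(x):
        return struct.pack(">I", len(x)) + x
    raw = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (not real keys): two protected, one not.
PROTECTED_KEY = _fake_openssh_blob(b"aes256-ctr", b"bcrypt")
UNPROTECTED_KEY = _fake_openssh_blob(b"none", b"none")
LEGACY_PROTECTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, text in [("protected", PROTECTED_KEY), ("unprotected", UNPROTECTED_KEY)]:
        print(name, key_is_passphrase_protected(text))
```

Point `audit_key_files` at the `id_*` files under each admin's `~/.ssh` to get a per-file verdict; anything reporting `False` is a key that leaks straight into an attacker's hands if the file is ever copied.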