Administrators at the Apache Software Foundation have pledged to restrict the use of Secure Shell keys for accessing servers over their network following a security breach on Monday that briefly forced the closure of the popular open-source website. In a detailed postmortem describing how hackers penetrated several heavily …
Diversity won over the hackers
It would appear that a key method to avoid reaching all the systems is to have different Operating Systems in a network so that each attack is going to be limited by the specific OS characteristics.
Steering clear from "mono-culture" like Microsoft from now on...
Yep... Steering clear from "mono-culture" like Linux from now on...
@Diversity won over the hackers
For example, core servers on the network employed a variety of hardened operating systems, including CentOS, FreeBSD-7, and Solaris 10, creating a diverse target that made it hard for attackers to escalate privileges.
Not diverse enough, obviously. I don't see any Windows servers listed.
best practice guys!
you should always ensure that you use SSH wrappers ('from' protection) and you should never use password-less SSH keys.
and backup scripts etc should have restricted shell accounts too.
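Added example (not part of any comment in this thread, and not Apache's own tooling): a small Python audit of an authorized_keys file for the server-side restrictions discussed here, a 'from' source limit and a forced command for automated accounts. The sample file, addresses, key material and wrapper path are constructed, and the key-type list is an assumption.

```python
import re

# Key-type prefixes that start an options-free line (assumed list, not exhaustive).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')

def split_options(line):
    """Split one authorized_keys line into (options dict, 'type key comment')."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line
    opts, i = {}, 0
    while (m := OPTION.match(line, i)):
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
        if line[i:i + 1] != ",":   # options are comma-separated, without spaces
            break
        i += 1
    return opts, line[i:].strip()

def audit(text):
    """Return [(line number, key comment, [issues])] for weakly restricted keys."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        opts, rest = split_options(raw)
        fields = rest.split()
        label = fields[2] if len(fields) > 2 else "(no comment)"
        issues = []
        if "from" not in opts:
            issues.append("no from= source restriction")
        if "command" not in opts:
            issues.append("no forced command")
        if "restrict" not in opts and not {"no-pty", "no-port-forwarding"} <= set(opts):
            issues.append("pty or port forwarding allowed")
        if issues:
            findings.append((lineno, label, issues))
    return findings

# Constructed sample: placeholder key material, documentation addresses, hypothetical wrapper path.
SAMPLE = """\
# backup keys
ssh-rsa AAAAB3NzaPLACEHOLDER1 backup@build
from="192.0.2.10",command="/usr/local/bin/rsync-only",restrict ssh-ed25519 AAAAC3NzaPLACEHOLDER2 backup@mirror
from="192.0.2.0/24" ssh-rsa AAAAB3NzaPLACEHOLDER3 admin@laptop
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The server cannot tell whether a private key is protected by a passphrase, so these server-side options are what bounds the use of a key that automation has to hold unencrypted.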
Just goes to show..
For the Apache Foundation, security is no doubt the first thing they take into consideration, and if skilled hackers want to compromise such an infrastructure then they will eventually succeed. It was a targeted attack and it was pretty successful. I doubt our government or overseas governments have the kind of security the Apache Foundation already had a long time ago, which leads me to question, if targeted by people as skilled and determined as these culprits, how secure are we?
@Anonymous Coward, 20:46
Oh hay, armchair admin!
Fancy posting the addresses of all the systems you're responsible for online, so that interested parties can check you're following all the "best practice"?
No? Didn't think so.
Apache are to be commended for coming clean, making amends, and explaining their policy in the way that they have.
...better than the standard 'suffered a security breach [no details here], however we wish to reassure no user's data were at risk...'
Also such a detailed disclosure serves as a reminder of best practice (and worst practice!) to admins everywhere (I'm sure there were plenty that read the article and suddenly thought- hmmm, probably should implement that actually). Round of applause to Apache - maybe could've done better beforehand but certainly couldn't have dealt with it any better. Any other major sw houses care to follow? No, thought not.
Flaw in the SSH protocol
ssh keys are very handy for automated moving of files but they open all the doors that used to be used by the old rsync command. OpenSSH desperately needs a feature where the server can require a password and the key since the key password isn't inside the server's envelope of trust.
Good for Apache
Most (all?) organisations running complex, connected setups will have vulnerabilities in their systems and software. By being open about the mistakes they have made, Apache have done everyone a favour, they deserve praise and not criticism in this case.
To The Register Sysadmins
It looks like someone has breached your web servers and is replacing your carefully drafted and lovingly created vitriol with articles in praise of how a major software outfit handled a security breach. (see the article this comment is attached to).
Please fix this shocking lapse in security so we can all get back to reading the important stories on how Paris Hilton makes a better OS than Linux.
Not enough sleep, too lazy for a title
Looks like the attack on Fort Apache amounted to the attacker getting across the moat, scaling the perimeter wall then getting lanced on the parapet by the sentry.
Key / Lock / Burglar
At the end of the day anything is possible with enough time and resources. Admitting mistakes were made is to be commended. It is all too easy to point the smart arse finger in hindsight. Windows wasn't used because it is not open source and therefore it would be a bit of a double standard for an open source community to use.
@Anonymous Coward Posted Thursday 3rd September 2009 20:46 GMT
you should always ensure that you use SSH wrappers ('from' protection) and you should never use password-less SSH keys
And auto backup scripts should login how?
Quite a slick attack though
I wish more firms would publish details like this. I find it much easier to learn from this sort of real-life example.
Kudos to Apache
I'm impressed with this response from Apache - not only did they 'fess up' to being attacked, but they're also saying "this is how they did it" and "here's how we're closing the door". The latter two being particularly valuable information to others (me included) in how to secure their systems (in case they're vulnerable to the same hit). I don't see anything here that'll convince me to stop using their products on Windows, Linux, Solaris, AIX, etc.
Re: "diversity...?" (by milo5) " Yep... Steering clear from "mono-culture" like Linux from now on."
Clear off back under your bridge MS-troll! You can't have it both ways, claiming Linux is "too disparate" (as Ballmer claims) and the opposite when it suits you. Oh, and an fyi - Solaris (mentioned in the platform list given) is _no_ form of Linux.
The point being made in the post "Diversity won over the hackers" is that following the Redmond corporate line and only having Windows (although I would have assumed that this would be Windows+IIS rather than Windows+Apache) servers is a bad idea. One gets pwned, then they all get pwned.
Wow, a refreshing change for sure to see someone like Apache openly fess they've been hacked and not only how to fix the problem but how they are preventing it happening again in the future.
Windows + IIS unless it's behind a freaking hardware firewall and for internal use only is FAIL..
Reminds me need to check my apache logs I'm sure they'll need truncating with all the "IIS overflow attempts" people try .....
root of the problem
> Other changes include the requirement that all users with elevated privileges use a one-time password for everything for sudo on certain machines.
running processes (inc a shell) as root == fail
requiring root as part of your workflow == fail
root is concentrated fail, wrapped in "how can you admin without it" ignorance