French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk. In an advisory on its forum board, the company warned that an attacker had gained control of a system administrator's account, and used that to gain access to a VPN account of one …
I've always seen OVH in my Fail2Ban reports more than any other non-Chinese owners of blocks of IPs. And they never reply to reports of abuse.
So I guess this is about to get worse...
This might explain why I've already firewalled off most of their address space for repeatedly prodding my VoIP server...
"In short, we were not paranoid enough so now we're switching to a higher level of paranoia."
It's not paranoia if it's proven that they *are* out to hack you, it's prudence, otherwise known as due diligence.
From the article:
"European customers' surname, first name, nic, address, city, country, telephone, fax, and encrypted password are all open to the attackers," and
"customers of the firm's Canadian hosting company have be[e]n advised to change SSH keys"
From the mail I received from the [non-Canadian branch of the] hosting company:
"Even if your password encryption is very strong, we encourage you to change it [assuming they mean the password] as soon as possible."
So different advice being given there. Hashed, salted password compromised definitely means you should change password (as my email said). But SSH keys(*)? That would imply that the attacker can log in to steal the private SSH key. Totally different kettle of fish. Bad reporting, or was the hack on Canadians worse than that for (at least this) non-Canadian customers?
* the other possibility is that the attacker somehow managed to grab an admin's ssh login. My account was set up wtih one by default. If this is standard and the admin account's private key was snatched, then it definitely warrants advice to delete that from the authorized_keys file. Still, doesn't sound exactly like a cause to change one's own private SSH key, and deleting the admin login wasn't what I was advised to do.
So what exactly is the extent of the breach and proper remedial action? Inquiring minds want to know!
OVH install 'maintenance' ssh keys on their default builds.
So, your keys may not have been compromised, but the OVH ones have.
I would like to know from where that hack originates.
We have legally mandated requirements to lock our admin interfaces from only being accessible from inside the country. We've gone one further and locked it to the office IP range only, plus added cert based VPN tunnels, but that's because we rather over-engineer than have to say sorry afterwards (we ARE paranoid :) ).
Or is this another case of "we have so many clients we can afford to lose some" negligence? Enquiring minds want to know.
Had nothing from OVH re this, nor the last breach.
Fortunately my personal details, nor any payment details are stored on my ovh account and the server we have with them does not run their build of linux (thus no ovh back door).