back to article Breaching Fort Apache.org - What went wrong?

Administrators at the Apache Software Foundation have pledged to restrict the use of Secure Shell keys for accessing servers over their network following a security breach on Monday that briefly forced the closure the popular open-source website. In an detailed postmortem describing how hackers penetrated several heavily …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Thumb Up

    Diversity won over the hackers

    It would appear that a key method to avoid reaching all the systems is to have different Operating Systems in a network so that each attack is going to be limited by the specific OS characteristics.

    Steering clear from "mono-culture" like Microsoft from now on...

  2. milo5
    Thumb Up

    diversity...?

    Yep... Steering clear from "mono-culture" like Linux from now on...

  3. Jean-Luc
    Joke

    @Diversity won over the hackers

    """

    For example, core servers on the network employed a variety of hardened operating systems, including CentOS, FreeBSD-7, and Solaris 10, creating a diverse target that made it hard to attackers to escalate privileges.

    """

    Not diverse enough, obviously. I don't see any Windows servers listed.

    A shame.

  4. Anonymous Coward
    FAIL

    best practice guys!

    OMG.

    you should always ensure that you use SSH wrappers ('from' protection) and you should never use password-less SSH keys .

    and backup scripts etc should have restricted shell accounts too.

    sheesh.

  5. Alex L
    Thumb Up

    Just goes to show..

    For the Apache Foundation, security is no doubt the first thing they take into consideration, and if skilled hackers want to compromise such an infrastructure then they will eventually succeed. It was a targeted attack and it was pretty successful. I doubt our government or overseas governments have the kind of security the Apache Foundation already had a long time ago which leads me to question, if targeted by people as skilled and determined as these culprits, how secure are we ?

  6. Chris Lewis

    @Anonymous Coward, 20:46

    Oh hay, armchair admin!

    Fancy posting the addresses of all the systems you're responsible for online, so that interested parties can check you're following all the "best practice"?

    No? Didn't think so.

    Apache are to be commended for coming clean, making amends, and explaining their policy in the way that they have.

  7. northern monkey
    Thumb Up

    Refreshing...

    ...better than the standard 'suffered a security breach [no details here], however we wish to reassure no user's data were at risk...'

    Also such a detailed disclosure serves as a reminder of best practice (and worst practice!) to admins everywhere (I'm sure there were plenty that read the article and suddenly thought- hmmm, probably should implement that actually). Round of applause to Apache - maybe could've done better beforehand but certainly couldn't have dealt with it any better. Any other major sw houses care to follow? No, though not.

  8. -tim
    Flame

    Flaw in the SSH protocol

    ssh keys are very handy for automated moving of files but they open all the doors that used to be used by the old rsync command. OpenSSH desperately needs a feature where the server can require a password and the key since the key password isn't inside the servers envelope of trust.

  9. sandman
    Thumb Up

    Good for Apache

    Most (all?) organisations running complex, connected setups will have vulnerabilities in their systems and software. By being open about the mistakes they have made, Apache have done everyone a favour, they deserve praise and not criticism in this case.

  10. John G Imrie
    Paris Hilton

    To The Register Sysadmins

    It looks like someone has breached your web servers and is replacing your carefully drafted and lovingly created vitriol with articles in praise of how a major software outfit handled a security breach. (see the article this comment is attached to).

    Please fix this shocking lapse in security so we can all get back to reading the important stories on how Paris Hilton makes a better OS than Linux.

  11. Anonymous Coward
    Anonymous Coward

    Not enough sleep, too lazy for a title

    Looks like the attack on Fort Apache amounted to the attacker getting across the moat, scaling the perimeter wall then getting lanced on the parapet by the sentry.

  12. Anonymous Coward
    Thumb Up

    Key / Lock / Burglar

    At the end of the way anything that is possible with enough time time and resources. Admitting mistakes were made is to be commended. It is all too easy to point the smart arse finger in hindsight. Windows wasn't used because it is not open source and therefore it would be a bit of double standard for an open source community to use.

  13. Kevin Bailey

    @Anonymous Coward Posted Thursday 3rd September 2009 20:46 GMT

    you should always ensure that you use SSH wrappers ('from' protection) and you should never use password-less SSH keys

    And auto backup scripts should login how?

  14. Anonymous Coward
    Anonymous Coward

    Quite a slick attack though

    I wish more firms would publish details like this. I find it much easier to learn from this sort of real-life example.

  15. SynnerCal
    Thumb Up

    Kudos to Apache

    I'm impressed with this response from Apache - not only did they 'fess up' to being attacked, but they're also saying "this is how they did it" and "here's how we're closing the door". The latter two being particular valuable information to others (me included) in how to secure their systems (in case they're vulnerable to the same hit). I don't see anything here that'll convince me to stop using their products on Windows, Linux, Solaris, AIX, etc.

    Re: "diversity...?" (by milo5) " Yep... Steering clear from "mono-culture" like Linux from now on."

    Clear off back under your bridge MS-troll! You can't have it both ways, claiming Linux is "too disparate" (as Ballmer claims) and the opposite when it suits you. Oh, and an fyi - Solaris (mentioned in the platform list given) is _no_ form of Linux.

    The point being made in the post "Diversity won over the hackers" is that following the Redmond corporate line and only having Windows (although I would have assumed that this would be Windows+IIS rather than Windows+Apache) servers is a bad idea. One gets pwned, then they all get pwned.

  16. Gordon Grant
    Thumb Up

    Diverse attack

    Wow a refreshing change for sure to see someone like Apache openly fess they've been hacked and not to how the fix the problem but how to they are preventing it happening again in the future.

    Windows + IIS unless it's behind a freaking hardware firewall and for internal use only is FAIL..

    Reminds me need to check my apache logs I'm sure they'll need truncating with all the "IIS overflow attempts" people try .....

  17. dave lawless
    Boffin

    root of the problem

    > Other changes include the requirement that all users with elevated privileges use a one-time password for everything for sudo on certain machines.

    running processes (inc a shell) as root == fail

    requiring root as part of your workflow == fail

    root is concentrated fail, wrapped in "how can you admin without it" ignorance

This topic is closed for new posts.

Other stories you might like