≡ Menu


Critical Red hat / Fedora Linux Openssh Security Update

Last week one or more of Red Hat's servers got cracked. Now, it has been revealed that both Fedora and Red Hat servers have been compromised. As a result Fedora is changing their package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64
architecture only).

This update has been rated as having critical security impact. If your Red hat based server directly connected to the Internet, immediately patch up the system.

From the RHN announcement:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test
the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than
those of official Red Hat subscribers.

Following products are affected:
=> Red Hat Desktop (v. 4)
=> Red Hat Enterprise Linux (v. 5 server)
=> Red Hat Enterprise Linux AS (v. 4)
=> Red Hat Enterprise Linux AS (v. 4.5.z)
=> Red Hat Enterprise Linux Desktop (v. 5 client)
=> Red Hat Enterprise Linux ES (v. 4)
=> Red Hat Enterprise Linux ES (v. 4.5.z)
=> Red Hat Enterprise Linux WS (v. 4)

How do I patch up my system?

Login as the root and type the following command:
# yum update

This is the main reason I don't use Fedora in a production.

More information:

Now, Red hat did not disclosed how the hell attacker got in to the server. I'd like to know more about that - was it 0 day bug or plain old good social engineering hack?

Updated for accuracy - CentOS is not affected by this bug, see the comments below.

Understanding Forensics

Forensics is the art and science of applying computer science to aid the legal process. Linux journal has published a nice introduction to Forensics:

A break-in can happen to any system administrator. Find out how to use Autopsy and Sleuthkit to hit the ground running on your first forensics project.

There are certain aspects to system administration that you can learn only from experience. Computer forensics (among other things the ability to piece together clues from a system to determine how an intruder broke in) can take years or even decades to master. If you have never conducted a forensics analysis on a computer, you might not even know exactly where to start. In this guide, I cover how to use the set of forensics tools in Sleuthkit with its Web front end, Autopsy, to organize your first forensics case.

One of the most common scenarios in which you might want to use forensics tools on a system is the case of a break-in. If your system has been compromised, you must figure out how the attacker broke in so you can patch that security hole. Before you do anything, you need to make an important decision—do you plan to involve law enforcement and prosecute the attacker?

=> Introduction to Forensics