
05/14/2008

Comments

jaklumen

Since Ubuntu is essentially a Debian build, any idea how this would apply to Hardy Heron?

TTimo

Yes, Ubuntu is affected as well; they released their own advisory yesterday. I don't have any Ubuntu systems so I don't know the details.

TTimo

http://metasploit.com/users/hdm/tools/debian-openssl/ is the best analysis so far. The key space is indeed tiny. Debian's sshd checks and denies the most common keys now, but sshd from other distros doesn't, so if you have uploaded weak keys anywhere else those systems remain exposed.
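
The check TTimo describes, sshd refusing keys whose fingerprints appear in a list of known-weak keys, can be reproduced offline for an authorized_keys file. The script below is an added example, not code from this post, from Debian's ssh-vulnkey, or from HD Moore's toolkit. It assumes the openssh-blacklist file layout (one entry per line holding the last 20 hex digits, i.e. the last 80 bits, of the key's MD5 fingerprint, with '#' comment lines), and the key blobs and the blacklist it uses are constructed for the demo rather than real weak keys.

```python
"""Check OpenSSH public keys against a Debian-style weak-key blacklist.

Added example (not the original post's or Debian's code).  Assumptions:
  * the blacklist holds the last 20 hex digits of each weak key's MD5
    fingerprint, one per line, '#' lines being comments (openssh-blacklist
    layout as remembered, not verified against a real file here);
  * the RSA moduli below are constructed integers, not real keys.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the types in use in 2008


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer (RFC 4251 section 5)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # a set top bit would read as negative; pad it
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build the ssh-rsa public key blob that sits base64-encoded in id_rsa.pub."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form ssh-keygen -l printed at the time."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_entry(blob: bytes) -> str:
    """Last 80 bits (20 hex digits) of the MD5 fingerprint, the blacklist key."""
    return hashlib.md5(blob).hexdigest()[-20:]


def parse_authorized_key(line: str) -> bytes:
    """Decode the key blob from an authorized_keys line, skipping any options prefix."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            return base64.b64decode(fields[i + 1])
    raise ValueError("not an OpenSSH public key line")


def load_blacklist(text: str) -> set:
    """Parse blacklist file contents; blank lines and '#' comments are ignored."""
    return {
        line.strip().lower()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    }


def is_blacklisted(key_line: str, blacklist: set) -> bool:
    """True if the key on this authorized_keys line is in the weak-key blacklist."""
    return blacklist_entry(parse_authorized_key(key_line)) in blacklist


def key_line(blob: bytes, comment: str, options: str = "") -> str:
    """Render a blob as an authorized_keys line, optionally with an options prefix."""
    body = "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment
    return (options + " " + body) if options else body


# --- constructed demo data (not real RSA moduli, not real weak keys) ---
WEAK_BLOB = rsa_public_blob(65537, (1 << 1023) + 12345)
OK_BLOB = rsa_public_blob(65537, (1 << 1023) + 67891)
BLACKLIST_TEXT = "# constructed demo blacklist\n" + blacklist_entry(WEAK_BLOB) + "\n"


def scan_authorized_keys(text: str, blacklist: set) -> list:
    """Return the comments of every blacklisted key in an authorized_keys file."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if is_blacklisted(line, blacklist):
            hits.append(line.split()[-1])
    return hits


if __name__ == "__main__":
    authorized = "\n".join([
        key_line(WEAK_BLOB, "alice@laptop"),
        key_line(OK_BLOB, "bob@desktop", options='from="10.0.0.0/8"'),
    ])
    for comment in scan_authorized_keys(authorized, load_blacklist(BLACKLIST_TEXT)):
        print("WEAK KEY:", comment)
```

Run it against a real authorized_keys file by replacing the constructed blacklist text with the contents of the distribution's blacklist files; the point of the exercise is the one TTimo makes, that the check has to be run on every host you ever pushed a key to, not just the Debian ones that now do it in sshd.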

osde8info

Debian SSL & TOR

http://archives.seul.org/or/announce/May-2008/msg00000.html

  A bug in the Debian GNU/Linux distribution's OpenSSL package was
  announced today. This bug would allow an attacker to figure out private
  keys generated by these buggy versions of the OpenSSL library. Thus,
  all private keys generated by affected versions of OpenSSL must be
  considered to be compromised.

  Tor uses OpenSSL, so Tor users and admins need to take action in order
  to remain secure in response to this problem.

  If you are running Debian, Ubuntu, or any Debian-based GNU/Linux
  distribution, first follow the instructions at
    http://lists.debian.org/debian-security-announce/2008/msg00152.html
  to upgrade your OpenSSL package to a safe version.

Berni

While you are in there take a look at /etc/ssh/sshd_config.

Try not to offer ssh services on Port 22 to the world.

Also consider using AllowUsers:

AllowUsers *@ip
...
AllowUsers *@ip...

Where ip, ip... are addresses or DNS names of the incoming sites you trust. As many as you like.

Berni
