security
The Debian OpenSSH OpenSSL debacle
Submitted by specialj on Sun, 2008-05-18 14:32. I haven't written about this issue yet but felt I should say something as it took most of my last week in resolving. I've read a lot about people dealing with this problem and yet very few seem to truly understand the implications. The bottom line as far as I'm concerned is that all Debian and Ubuntu systems built with the vulnerable package should be considered compromised. And that means a lot more work is needed to secure the systems than just regenerating ssh keys and ssl certificates. Now, I realize that rebuilding all machines might be too much work for many sysadmins. My plan is to rebuild all my host machines and simply consider my virtualized guests to be compromised. Whether that is a wise idea remains to be seen. At a minimum people should not only update all of their keys and certificates but also reset all passwords on the system. At that point one can just hope that no one compromised their machines during the extended period of vulnerability.
Restricting commands over ssh using authprogs
Submitted by specialj on Thu, 2008-04-24 19:46. When working on backup systems I hacked together a script that would allow a set of commands, sometimes with substitutions, through a single ssh key. I figured someone else must have had this need and designed a more robust program. So far the closest thing I have found is authprogs. It has some features my script lacks but lacks some features that my script possesses. So I’m not sure whether I’ll use it or just borrow ideas to improve my script.
SILC Server has 4 releases in 2 weeks
Submitted by specialj on Tue, 2008-04-22 21:33. Today (April 22, 2008) SILC Server 1.1.6 was released following 3 other releases since April 12, 2008. I’m glad to see the attention the software is getting though it seems unlikely that these fixes will be in Debian or Ubuntu anytime soon. Debian Sid is keeping pace but the updates have not yet made it into Debian Lenny. And it seems likely that Ubuntu 8.04 will ship with version 1.1.1 (hopefully with some additional security patches). Unfortunately neither the ChangeLog nor the Release Notes for these recent releases is accessible on the website.
Intrusion detection through file integrity checks
Submitted by specialj on Tue, 2008-04-22 20:50. Here are some of the applications with available packages for Debian and Ubuntu:
I’m leaning toward trying Stealth because I like the design. Lots of folks seem to like FCheck for its simplicity.
Upgrading to Tor 0.2.0.20 rc1 on Ubuntu 7.10 (Gutsy Gibbon)
Submitted by specialj on Thu, 2008-02-28 14:55. I decided to give the newer version of Tor a try today. It took a few more steps than I was expecting. I ended up having to move the existing /var/lib/tor directory and recreate it with the proper ownership (debian-tor:debian-tor) and permissions (0700). After that everything worked fine. It seems like something about the existing configuration in the 0.1.2 branch prevents the 0.2.x branch from working after upgrading. Of course, if I decide to go back to the stable version I expect I may want to restore the previous version of the directory. But for now the 0.2.0.20 version seems to be running pretty well.
Preventing fork bombs in Ubuntu
Submitted by specialj on Fri, 2008-02-22 23:09. I think a sign of security-mindedness for a server GNU/Linux distribution is whether it can withstand simple attacks out of the box. At the moment Ubuntu fails this test as a simple fork bomb from any user or any compromised service can render the system useless.
XSS security in Rails
Submitted by specialj on Tue, 2008-02-19 04:37. It seems to me that if someone wanted a web application framework to be successful then focusing on a strong, yet unobtrusive, security model would be important. One reason PHP is avoided by many developers is that so many PHP applications are full of security vulnerabilities. I’ve always been a fan of escaping all content except when otherwise specified, the opposite of how Rails operates. I remember investigating early plugins to accomplish this but without much luck. It seems like there has been a lot of activity in this area and I thought I would investigate the landscape again.
Kernel Update Day
Submitted by specialj on Tue, 2008-02-12 16:05. New kernels have been released by both the Ubuntu and Debian teams. Both address CVE-2008-0600, which could allow an attacker to escalate their privileges. The Debian vserver kernels have also been updated to address CVE-2008-0163, which allows users in one vserver to access information in another. For Ubuntu this comes just a week after the last Linux kernel security update.
A useful guide to PAM
Submitted by specialj on Fri, 2008-01-04 06:25. I’m becoming increasingly convinced that PAM is far more important than it is usually treated. It seems like more reading on how to leverage PAM to increase security would be wise for any GNU/Linux system administrator. I came across Been Cracked? Just Put PAM On It! and found it to be a good guide.
Working to end the digital certificate racket
Submitted by specialj on Fri, 2007-12-21 20:22. I was happy to read the article Digital Certificates: Do They Work? which mentioned the excellent paper by Carl Ellison and Bruce Schneier titled Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure. I have always found the certificate industry to be a racket because it strongly encourages websites to pay money to give their users what amounts to an illusion of security. The solution is to support efforts like CAcert.org which generates certificates for free.
Password Gorilla comes to Ubuntu and Debian
Submitted by specialj on Fri, 2007-12-21 01:10. I’m happy to see that my favorite password manager has finally been packaged for Debian and Ubuntu. I’ve never found a graphical password manager that I liked as much as Password Gorilla. Plus, of all the password saving programs, it has the best name.
A good list of ports used by malicious software
Submitted by specialj on Wed, 2007-12-19 05:24. I was looking for information on some port numbers to see if any software used them and came across this link. I suspect it may come in handy in the future.