Archive for August 16th, 2007

Ubuntu community servers hacked

You’ve probably heard: More than half of Ubuntu’s production servers had to be pulled offline after a security breach caused those servers to actively attack other machines.

The root causes of the intrusion and compromise are, according to an email in the Ubuntu community mailing list:

  • The servers, especially zambezi, were running an incredible amount of web software (over 15 packages that we recognised) and of all the ones where it’s trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.
  • FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords.
  • The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.

According to Maligno’s blog, the servers had been running unpatched for 9 and a half months!

The probability of intrusion and/or compromise is determined by how well you manage your systems. The choice of OS just changes the attack vectors. What is the use of a [sarcasm]Super-Secure-Unbreakable[/sarcasm] operating system if you don’t patch and update it, have poor configuration management, use clear-text passwords, and so on?

From a Slashdot commenter:

“Ubuntu had to shut down 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn’t be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame: the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts and not properly maintaining the system. However, Canonical should have been well aware of what they are hosting. The question remains whether any of the files distributed to users have been compromised. A major blow for Canonical, though, who are attempting to enter the business market with Ubuntu Server.”