So you think you've been rooted...

2009-03-01

Since we had a break-in on pilot recently, I thought I would bring up a couple of points.

(1) WHAT HAPPENED

First of all, it appears that what happened to pilot was that a vulnerability in "RoundCube", a fancy web mail package, was exploited by a script that installs a "bot" (part of a botnet).

As far as I can tell, no files or emails were damaged. Everything appeared to be intact. It looks to me like it was just talking to a lot of other machines via an IRC channel (and that's how we noticed it).

The bot was running as user 'www-data'. So technically, we were not 'rooted'... we were 'apache-ed'.

(2) KEYS AND PASSPHRASES

But since we have had a break-in, it makes me think of what damage could have been done.

Personally, I was thinking about my SSH keys. On any semi-public machine like pilot, I encrypt my SSH keys with a passphrase (see "ssh-keygen -p"). So if someone were able to read my private key in ~porter/.ssh/id_rsa, all they would get was a load of DES-encrypted bits. In this case, it's doubtful that they could have read the file, since it has 700 perms.

But if an attacker had read these files, and if my key were not encrypted, then now would be a good time to go onto all my other accounts and make sure that my TriLUG SSH key was not listed in the ~/.ssh/authorized_keys files. This would keep one break-in from leading to a series of break-ins. This is left as an exercise for the paranoid reader.

As it stands, it looks like your SSH keys were never at risk. At least not from the bot... remember that I and the other sysadmins can read these files. So the extremely paranoid users (you know who you are) might want to look into SSH key passphrases.
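To make the three checks in this section concrete, here is an added example (not from the original post, and not a TriLUG tool). It answers, for a private key file, the questions raised above: is the key actually passphrase-protected, are its permissions tight enough that a non-root process such as www-data could not have read it, and does its public half appear in some other account's authorized_keys. The key files and the authorized_keys contents are constructed samples with placeholder blobs, not real keys; the only real format knowledge used is that the legacy PEM form signals encryption with "Proc-Type: 4,ENCRYPTED" / "DEK-Info" headers, and the newer openssh-key-v1 form stores the cipher name ("none" when unprotected) right after its magic string.

```python
"""Added example: three checks on SSH keys after a break-in on a shared host."""
import base64
import os
import stat
import struct

# --- constructed sample key files (headers only; NOT usable keys) ---------

def _sshstr(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _openssh_v1_key(cipher: str, kdf: str) -> str:
    """Build just the header of an 'openssh-key-v1' blob and wrap it in PEM armour."""
    blob = (b"openssh-key-v1\0" + _sshstr(cipher.encode()) + _sshstr(kdf.encode())
            + _sshstr(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_V1_PLAIN = _openssh_v1_key("none", "none")            # no passphrase
SAMPLE_V1_ENCRYPTED = _openssh_v1_key("aes256-ctr", "bcrypt")  # after ssh-keygen -p
SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"  # the 'DES-encrypted bits' of 2009
    "\n"
    "AAAAplaceholderBodyNotARealKey=\n"
    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "AAAAplaceholderBodyNotARealKey=\n"
    "-----END RSA PRIVATE KEY-----\n")


def private_key_is_encrypted(text: str) -> bool:
    """True if the private key needs a passphrase.  Handles the legacy PEM form
    (Proc-Type/DEK-Info headers) and the openssh-key-v1 form, whose header names
    the cipher ('none' for an unprotected key)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-style private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return cipher != "none"
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:])


def mode_is_private(mode: int) -> bool:
    """True if no group/other permission bits are set (ssh rejects looser keys)."""
    return (stat.S_IMODE(mode) & 0o077) == 0

def key_file_is_private(path: str) -> bool:
    """Same check applied to a real file on disk."""
    return mode_is_private(os.stat(path).st_mode)


def _key_fields(line: str):
    """(type, base64 blob) of a public key line, skipping any options prefix and
    the trailing comment.  Simplification: options with quoted spaces
    (e.g. command="a b") are not parsed."""
    parts = line.split()
    for i, p in enumerate(parts):
        if p.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            return p, parts[i + 1]
    return None

def authorized_keys_matches(authorized_keys: str, pubkey_line: str) -> list:
    """Line numbers in authorized_keys that grant access to the given public key."""
    want = _key_fields(pubkey_line)
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#") and _key_fields(line) == want:
            hits.append(n)
    return hits

# Constructed: the public half of the key that lived on the compromised host,
# and an authorized_keys file from some other account.
PILOT_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedBlob1= porter@pilot"
SAMPLE_AUTHORIZED_KEYS = """# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedBlob1= porter@pilot
from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedBlob2 porter@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedBlob3= someone@else
"""

if __name__ == "__main__":
    for name, text in [("openssh-v1 plain", SAMPLE_V1_PLAIN),
                       ("openssh-v1 encrypted", SAMPLE_V1_ENCRYPTED),
                       ("PEM encrypted", SAMPLE_PEM_ENCRYPTED),
                       ("PEM plain", SAMPLE_PEM_PLAIN)]:
        print(f"{name:22s}", "passphrase" if private_key_is_encrypted(text) else "NO passphrase")
    print("pilot key is listed on lines", authorized_keys_matches(SAMPLE_AUTHORIZED_KEYS, PILOT_PUBKEY))
```

To run it against real files, read ~/.ssh/id_rsa into private_key_is_encrypted, call key_file_is_private on the same path, and feed each remote account's authorized_keys to authorized_keys_matches together with the pilot key's .pub line; any hit is a line to remove if you suspect the private key was readable.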

(3) BACKUPS

I also wanted to make a note here that our unofficial policy on backups is that users are responsible for backing up their home directories (and now that your mail is stored in ~/Maildir, that means email, too). We currently do not back up /home. Remember, we're a group of volunteers, and we're doing "best effort" service. We try, but we're not guaranteeing anything.

I am VERY happy that we did not lose anything in this latest incident.

In the meantime, I am making daily backups of everything EXCEPT /home. And I am also entertaining the idea of putting a larger disk on dargo so we can back up /home, too. Donations are gladly accepted.

Alan


February 12th meeting - CAcert

2009-01-13

CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates).

At the February TriLUG meeting, we will learn about certificates and certificate authorities, and we will have a chance to become "certified" to issue our own certificates through CAcert. These certificates can be used to enable SSL on a web server or a mail server.

If you would like to be certified, bring 2 forms of government-issued ID. You might also want to do some homework on the CAcert web site beforehand.

Time: Thursday, 12 February, 7:00pm
Place: Red Hat HQ, NCSU Centennial Campus
Directions: http://www.redhat.com/about/contact/ww/americas/raleigh.html


(UPDATE - 2009-02-04 - How you should prepare)

The February TriLUG meeting is rapidly approaching (next week), and I wanted to send out a quick note that might help you get the most out of the talk.

First of all, some background. What is "CAcert"?

It is a certificate authority, just like Verisign or Thawte or GoDaddy. You generate certificates to use on your web server or mail server, and they will sign them.

Many people use self-signed certificates on their web servers and mail servers. This provides HTTPS/IMAPS (SSL) encryption, but it is trivial to spoof. An attacker just sits in between you and your server, providing you with his own self-signed certificate.

YOU <---encrypted---> SPOOFER <---encrypted---> WEBSERVER

For this reason, on Firefox 3, you get the screen with the yellow passport man icon saying "Secure Connection Failed". And then they make you jump through several hoops before you can accept the certificate and see the page. In theory, you're supposed to verify fingerprints and what-not, but who does?

If you want to avoid this problem, you can get your certificate signed by somebody: Verisign, Thawte, GoDaddy, or CAcert.

There are two main differences between these CAs:

(1) price... CAcert is free, the others are not

(2) ease of use... most browsers already know who the other guys are, but you have to tell your browser who CAcert is (by downloading their root certificate and importing it into your browser).

We'll talk a lot about these points at the meeting.
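The two points above (a self-signed cert is rejected by everyone, and a CAcert-signed cert is rejected until the browser has been told who CAcert is) can be reproduced on the command line. The following is an added example, not part of the original announcement and not a CAcert tool: it drives the openssl command-line program from Python to build a throwaway "CAcert" root and a throwaway "well-known" root in a temp directory, generates a CSR for a made-up server name, gets it signed, and then verifies the resulting certificates the way a client does, against one trusted root at a time. The root names, the server name mail.example.invalid and the 30-day lifetimes are all constructed for the demo; only -CAfile is passed to openssl verify so the system trust store plays no part.

```python
"""Added example: CA-signed vs self-signed certificates, checked the way a client does."""
import os
import subprocess
import tempfile

SERVER_NAME = "mail.example.invalid"  # constructed; not a real host


def _openssl(*args):
    """Run one openssl command, failing loudly on error."""
    subprocess.run(["openssl", *args], check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_root(work, name, cn):
    """A root CA: private key plus self-signed root cert.  The .pem is the file a
    CA publishes and asks you to import into your browser."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "30",
             "-subj", f"/CN={cn}",
             "-keyout", os.path.join(work, f"{name}.key"),
             "-out", os.path.join(work, f"{name}.pem"))


def make_csr(work):
    """Your side: a server key and a certificate signing request for it."""
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
             "-subj", f"/CN={SERVER_NAME}",
             "-keyout", os.path.join(work, "server.key"),
             "-out", os.path.join(work, "server.csr"))


def sign_csr(work, ca_name):
    """CA side: sign the CSR with the root key, producing the server certificate."""
    _openssl("x509", "-req", "-in", os.path.join(work, "server.csr"),
             "-CA", os.path.join(work, f"{ca_name}.pem"),
             "-CAkey", os.path.join(work, f"{ca_name}.key"),
             "-CAcreateserial", "-days", "30", "-sha256",
             "-out", os.path.join(work, "server.pem"))


def make_self_signed(work):
    """The shortcut many people take: a server cert that signs itself."""
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "30",
             "-subj", f"/CN={SERVER_NAME}",
             "-keyout", os.path.join(work, "selfsigned.key"),
             "-out", os.path.join(work, "selfsigned.pem"))


def verify(work, root_name, cert_file):
    """What a client does: check the presented cert against the roots it trusts.
    Only -CAfile is given, so the system trust store is deliberately not consulted."""
    res = subprocess.run(["openssl", "verify",
                          "-CAfile", os.path.join(work, f"{root_name}.pem"),
                          os.path.join(work, cert_file)],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def run_demo():
    """Return {scenario: verified?} for the three situations described above."""
    with tempfile.TemporaryDirectory() as work:
        make_root(work, "cacert", "Toy CAcert Root")      # constructed stand-in for CAcert
        make_root(work, "other", "Toy Well-Known Root")   # constructed stand-in for a built-in CA
        make_csr(work)
        sign_csr(work, "cacert")
        make_self_signed(work)
        return {
            # browser that has imported the CAcert root: the signed cert checks out
            "cacert-signed, cacert root imported": verify(work, "cacert", "server.pem"),
            # browser that only knows some other CA: unknown issuer, rejected
            "cacert-signed, only other root known": verify(work, "other", "server.pem"),
            # self-signed: no trusted root vouches for it, whichever root you hold
            "self-signed, cacert root imported": verify(work, "cacert", "selfsigned.pem"),
        }


if __name__ == "__main__":
    for scenario, ok in run_demo().items():
        print(f"{scenario:40s} {'verified' if ok else 'REJECTED'}")
```

The second scenario is exactly what a stock browser sees for a CAcert-signed site, and importing the root turns it into the first; the third shows why a self-signed certificate never gets past that screen no matter which roots you import.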

BUT... if you follow these steps, you will be able to generate your own certificates, and then have your certs signed by CAcert.

I did it today, and it was very easy.


THE STEPS -- DO THIS BEFORE THE MEETING

0) See the detailed instructions here:

http://wiki.cacert.org/wiki/FAQ/AssuranceByCAP

If you have a concern or spot a conflict between those instructions and the ones in this email, contact Cristóbal Palmer, cmp@cmpalmer.org

1) SIGN UP with CAcert here:

https://www.cacert.org/index.php?id=1

2) PRINT out a CAP form. See here:

http://wiki.cacert.org/wiki/FAQ/AssuranceByCAP

Click on item #4.

3) BRING two forms of appropriate government-issued ID.

Examples: passport, ID card, driver's license

The names should match on both. At least one must have a photo; ideally both do.

4) COME to the meeting! Enjoy the show! Get assured!

Alan and Cristóbal


January 8th Meeting - VMware

2008-12-14

In January, we will welcome Justin Parker into the LUG in the harshest way we know how... by inviting him to be a speaker.

Justin recently moved to the Triangle. His previous job was with VMware, one of the pioneers of virtualization. He will give us an overview of virtualization, and the features of the various VMware products. And he will guide us through setting up a virtual server. All of this, he says, without trying to sound too much like a "fanboy".

Slides available here (OpenOffice ODP format).


December 11th Meeting - Holiday Social

2008-11-21

Following the TriLUG tradition, the December meeting will be a social event, with no formal program. Members and friends are invited to gather, eat, and blow each other to bits (in bzflag or any other game of your choice).

Dinner will be potluck. Bring a dish to share. Sign up on the wiki.



October 9th Meeting - Linux at NASA

2008-09-23

Robert Singleterry, a researcher from NASA Langley Research Center, will be speaking on his discovery of open source software in his quest to study space radiation.

Robert will discuss the trials and tribulations of a Student / GPC / EI International / Grad Student / ANL-W / NASA engineer, and his trip from sole source software to the open source world. There were mountains to climb, holes to watch out for, and eventually smooth sailing ahead for this engineer's usage of open source software at NASA, all while doing his real job of space radiation research.

Robert will share his experiences of sole source and open source software, and how the two interact with each other. And he will describe the environments in which he made the open source transition, which range from a single work laptop to high performance computing clusters.


September 11 Meeting - Rolling Your Own, building a REAL internet appliance

2008-08-15

Have you ever wanted to run a bare-bones Linux system? One that is smaller than your normal desktop or server distro? Does DSL (Damn Small Linux) seem bloated and bulky to you?

Have you ever wanted to cook your food over an SSL connection? Do any of your kitchen appliances have a penguin sticker on them?

This month, our very own Alan Porter will share his experience at "the oven place" (www.tmio.com), creating a Linux-based kitchen appliance for home use. Weighing in at 256 MB of flash and 256 MB of RAM, this 550-pound appliance connects to the internet, refrigerates AND cooks food, and allows you to control it remotely. Alan will show us what goes into the minimalist Linux distro that powers this nifty gadget. Cooking demo included.


August 14 Meeting - Women in Technology, panel discussion

2008-07-14

This month's program will be a panel discussion on Women in Technology, and the issues that women face in a male-dominated industry. The discussion will be led by five local women who work in various areas of technology, and will be moderated by Janet Babin of the Marketplace Innovations Desk at WUNC.

