
Security update: Refracta-7 and Refracta Snapshot


Postby fsmithred » Mon Sep 09, 2013 1:33 am

Summary:
Refracta Snapshot versions 9.0.9-2 and earlier copy the ssh host keys along with the rest of the system. This could facilitate a Man-in-the-Middle attack if you're logging in from a remote location.

If you have your ssh server open to the internet, and you are installing or have installed Refracta version 7.0 or 7.1, you need to change your ssh host keys. This is easy to do and is explained below.


Fixed in:
The issue has been fixed in Refracta_7.1.1 and Refracta Snapshot 9.0.9-4.


Who is at risk?
This affects i386 and amd64 versions of:
- Refracta-7.0 through 7.1_20130901 (replaced by 7.1.1_20130908)
- Refracta Snapshot through 9.0.9-2 (replaced by 9.0.9-4.)

If you install from any of the older isos, you should replace your ssh host keys, whether you're at risk or not. An alternative is to uninstall openssh-server or turn it off.

The ssh server is running by default in Refracta. If you're not behind a firewall/router, or if your router is set up to forward ssh traffic to your computer, and you're planning to actually log into your computer from outside your local network, you should generate new keys. (Note: if you're running like this with the live-CD or you didn't change the root and user passwords when you installed, you have more serious risks, since the passwords are publicized.)

If you disabled password logins and set up public/private key authentication for your user, this is not an issue, but you should still make new host keys.


How to generate new host keys
Log into a terminal as root, change directory, delete the old keys and create new ones, all with the following commands.
Code:
su
# (give the root password at the prompt)
cd /etc/ssh
rm ssh_host_*key*
ssh-keygen -A

Four key-pairs will be generated. You can get rid of the RSA1 keys; they aren't used.
Code:
rm ssh_host_key ssh_host_key.pub


After changing the keys, anyone who has logged into your machine on ssh in the past will get the scary warning about the host not matching what's in the known hosts file the next time they log in. They'll need to delete or edit ~/.ssh/known_hosts.


Alternative solution:
If you don't need to use the ssh server, you can just uninstall openssh-server (apt-get purge openssh-server) or turn it off (Main Menu -> System -> Services, or run services-admin from a terminal, or kill ssh and disable it with sysv-rc-conf.)


Do I need to download a new iso file?
You can use the zsync file to bring your iso up to date without downloading the whole thing. (apt-get install zsync if you need to.) Run one of the following commands for i386 or amd64 as unprivileged user from the directory that contains the old iso file, replacing <old-version> with the actual version number of the iso file you have.

i386:
Code:
zsync -i refracta-7.-<old-version>.iso http://downloads.sourceforge.net/project/refracta/isohybrid/refracta_7.1.1_i386-20130908_1131.iso.zsync

amd64:
Code:
zsync -i refracta-7.-<old-version>.iso http://downloads.sourceforge.net/project/refracta/isohybrid/refracta_7.1.1_amd64-20130908_0334.iso.zsync


Updated deb packages
refractasnapshot-base_9.0.9-4_all.deb
refractasnapshot-gui_9.0.9-4_all.deb


If you use refractasnapshot or a modified version of it on another distro:
Add the following to the excludes list:
Code:
- /etc/ssh/ssh_host_*_key*
- /etc/ssh/ssh_host_key*

Add the following to the append line in the isolinux (or syslinux) boot menu if you want openssh-server to work. Unique ssh host keys will be generated at boot.
Code:
config=openssh-server

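The procedure in the post above (delete the shipped host keys, run ssh-keygen -A, drop the unused RSA1 pair) as a small POSIX shell script. This is an added example, not code from the Refracta post or project. It assumes a hypothetical PREFIX argument: empty means the live system (/etc/ssh), a staging directory means a dry run, which is the same convention OpenSSH's own `ssh-keygen -A -f prefix` uses. The `host_key_files` function matches exactly the two patterns the post adds to the snapshot excludes, so `count_host_keys` can also be pointed at a finished snapshot tree to confirm no host keys were copied. The fingerprint listing (`ssh-keygen -l`) is there so an admin can hand the new fingerprints to remote users out of band; on the client side `ssh-keygen -R <host>` removes the stale known_hosts entry instead of hand-editing the file.

```shell
#!/bin/sh
# Added example (not from the Refracta post): regenerate OpenSSH host keys as
# the advisory describes and list what a snapshot must exclude.
# PREFIX (hypothetical parameter): "" for the live system, or a staging
# directory for a dry run; ssh-keygen -A -f uses the same prefix convention.
set -u

# Host key files that must never be shared between installs. Same two
# patterns as the snapshot excludes: ssh_host_*_key* and ssh_host_key*.
host_key_files() {
    dir="${1:-}/etc/ssh"
    for f in "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub \
             "$dir"/ssh_host_key "$dir"/ssh_host_key.pub; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    return 0
}

# Number of host key files under a tree, e.g. a snapshot's copied filesystem.
# A correctly excluded snapshot reports 0.
count_host_keys() {
    host_key_files "${1:-}" | wc -l | tr -d ' '
}

# Delete the old keys, create a fresh set, and remove the unused RSA1 pair
# (older ssh-keygen -A still generated it; newer versions simply skip it).
regen_host_keys() {
    prefix="${1:-}"
    dir="$prefix/etc/ssh"
    host_key_files "$prefix" | while IFS= read -r f; do rm -f "$f"; done
    if [ -n "$prefix" ]; then
        ssh-keygen -A -f "$prefix"
    else
        ssh-keygen -A
    fi
    rm -f "$dir/ssh_host_key" "$dir/ssh_host_key.pub"
}

# Fingerprints of the new public keys, to give to remote users out of band so
# they can verify the "host key changed" warning instead of blindly accepting
# it (client side: ssh-keygen -R <host> drops the stale known_hosts entry).
host_key_fingerprints() {
    for pub in "${1:-}"/etc/ssh/ssh_host_*_key.pub; do
        if [ -e "$pub" ]; then ssh-keygen -l -f "$pub"; fi
    done
    return 0
}

# Usage: sh regen-host-keys.sh regen [PREFIX]   (as root for the live system)
#        sh regen-host-keys.sh check [PREFIX]   (count leftover host keys)
case "${1:-}" in
    regen) regen_host_keys "${2:-}" && host_key_fingerprints "${2:-}" ;;
    check) count_host_keys "${2:-}" ;;
esac
```

Run `check` against the directory where refractasnapshot copied the filesystem before building the iso; anything other than 0 means the excludes are not in effect.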

Re: Security update: Refracta-7 and Refracta Snapshot

Postby golinux » Mon Sep 09, 2013 2:48 am

I don't have a 'services' option in the menu:

Main Menu -> System -> Services


Where is it hiding?

Re: Security update: Refracta-7 and Refracta Snapshot

Postby fsmithred » Mon Sep 09, 2013 2:54 am

It's um, the next item after Refracta Snapshot in my menu. :shock:

Re: Security update: Refracta-7 and Refracta Snapshot

Postby golinux » Mon Sep 09, 2013 2:56 am

'Sensor Viewer' is my next item. I'm working off an upgraded beta though. I checked and it is installed. Might want to rethink your instructions. I might not be the only one.

Re: Security update: Refracta-7 and Refracta Snapshot

Postby fsmithred » Mon Sep 09, 2013 3:14 am

Edited: Try running 'services-admin'. Your beta might be from before gnome-system-tools got installed. You could probably update the iso you have using the zsync instructions.

I don't have Sensor Viewer. What is it?

Re: Security update: Refracta-7 and Refracta Snapshot

Postby golinux » Mon Sep 09, 2013 3:48 am

'services-admin' opened a menu with ssh on it and I unchecked the box. So is it turned off?

'sensor viewer' is a failed experiment. Not working right. Probably need to uninstall.

Re: Security update: Refracta-7 and Refracta Snapshot

Postby fsmithred » Mon Sep 09, 2013 9:14 am

golinux wrote:'services-admin' opened a menu with ssh on it and I unchecked the box. So is it turned off?

Yes. You can check it with (as root)
Code:
/etc/init.d/ssh status
It's also possible to turn it on and off with the same command, replacing status with start or stop, but you can't turn it off permanently with that. It would come on again at the next boot.

Re: Security update: Refracta-7 and Refracta Snapshot

Postby nadir » Mon Sep 09, 2013 5:35 pm

Thanks for the detailed info.

I can't figure out when one will be affected and what a possible attack would look like. Right now it looks like a very unusual case (that is still a security problem, but, as far as it's me, not a dramatic one. I would remove the old keys, like you described, and not worry much more about it).
*

What i always do when using ssh:
1) disable password, use ssh-keys
2) disable root login
3) use a non-default port
4) write (rather use an existing) .ssh/config file
5) install i2pban
6) disable the autostart of sshd with sysv-rc-conf


* To me it looks like this:
1) Someone runs refracta and figures out the problem
2) He sets up a machine with said keys
3) He needs to know who (IP) is using ssh on refracta too and
4) redirect the traffic to his site (IP) (well: how? He has no access to the router, no?)
5) While he can redirect you to his site, I can't see how he will be able to log in to your site (by this problem; else it is just like usual. But no further security risk seems to be added from that point of view. I mean: he needs to say: "Yup, I know that host", not the other way around - he connects via ssh and you say: "Yup, I know that host." I think).

Is that possible? I guess yes (probably much easier if in the same LAN). Is it probable? Is it easy? I'd say: rather not.
But that is really wild guessing. If you read about cracking (or watch youtube videos) you think: oh, that is damn easy. If you do it .... nearly impossible. In other words: I understand shit about how all that works.
The interested ones might want to look at dsniff (won't hurt to look at to understand more about the internet protocol: I am the attacker. I tell the router: "Hey, I am the PC" and I tell the PC: "Hey, I am the router". The router will now forward traffic for the PC to me, and the PC will send its traffic meant for the router to me. You could sniff (say, passwords), but could you do more harm (unless you find some clear-text passwords)? Or similar to that. Yes?). securitytube is good.

STRESS:
Really, I am sure about nothing of that. Trying to figure it out, but it's very difficult.

Re: Security update: Refracta-7 and Refracta Snapshot

Postby golinux » Mon Sep 09, 2013 6:29 pm

fsmithred wrote:Yes. You can check it with (as root)
Code:
/etc/init.d/ssh status

Looks like it worked. YEA!

Code:
# /etc/init.d/ssh status
[FAIL] sshd is not running ... failed!

Re: Security update: Refracta-7 and Refracta Snapshot

Postby fsmithred » Sun Oct 20, 2013 10:46 am

Uploaded new iso (i386) and new refractasnapshot. Minor bugfixes - Updated to Debian 7.2, iso is once again smaller than 700MB, owing to newer version of refractasnapshot, which excludes a few more things that were just taking up space. Also, numlock is off again.

Changelogs for refractasnapshot (9.0.9-5)
Code:
  * added browser sqlite files to rsync excludes:
  * urlclassifier3, places, cookies, signons, formhistory, downloads
  * added icon cache, failed thumbs and some backup files to excludes.
  * pkglist now includes held packages
  * Changed function check_space to use df only once
  * Run updatedb before copying filesystem
  * Added debug mode
--  Sat, 19 Oct 2013 23:40:00 -0400
