Re: Security incident on Alioth and other Alioth news

To: debian-project@lists.debian.org
Subject: Re: Security incident on Alioth and other Alioth news
From: Raphael Hertzog <hertzog@debian.org>
Date: Wed, 6 Sep 2006 16:40:08 +0200
Message-id: <[🔎] 20060906144008.GA16248@ouaza.com>
Mail-followup-to: debian-project@lists.debian.org
In-reply-to: <[🔎] 20060906105802.GB4835@df7cb.de>
References: <20060906102554.GL13426@ouaza.com> <[🔎] 20060906105802.GB4835@df7cb.de>

On Wed, 06 Sep 2006, Christoph Berg wrote:
> Re: Raphael Hertzog 2006-09-06 <20060906102554.GL13426@ouaza.com>
> > Alioth's web server was unavailable for most of the 5th of september. It was
> > simply stopped because we discovered that some script kiddies were running an
> > IRC proxy. After thorough investigation, we discovered that they exploited a
> > pmwiki security hole[1] to deface some web pages, to install some malicious php
> > pages which in turn were used to setup the IRC proxy.
> [...]
> > On a related matter, we're preparing the move of Alioth to a new (and bigger)
> > machine (called wagner.debian.org), and we'll make use of that opportunity to
> > further strengthen the security measures as well as add more security checks. 
> 
> In that light, wouldn't it make sense to keep svn.debian.org separate
> from the highly exposed http://*.alioth.debian.org services?

It could be argued that way.

We decided to merge them for various reasons:
- Many groups have their website under VCS control and would like to use
  the commit hooks to auto-update the website
- Local (read-only) access to the repository can also be interesting 
  for some specific web applications (cf my idea of web interface for the
  collaborative maintenance, http://wiki.debian.org/CollaborativeMaintenance)
- Even if gforge was meant to be used on multiple machines, having gforge
  infrastructure on multiple machines is complicated and is already
  causing us numerous support request because people do not pay
  attention to the propagation delays between the change made on the
  web-interface.
  Having immediate SVN access once someone has been added is a nice
  enhancement for everybody.

Concerning security:
- the new Alioth will be hosted in a Xen host (wagner.debian.org will be
  restricted to Alioth admins only, whereas alioth.debian.org will point
  directly to the Xen host). 
  This means it's easy to stop (or shutdown) the Alioth host for
  inspection, or to simply reinstall it from scratch. That's why while
  preparing the new Alioth, I'm documenting the configuration of all the
  services.
- The most common security issues come up with web applications and thus
  concerns mainly the www-data user. The combination with a local exploit
  is less frequent and requires another hole in a packaged software.
- We're running famke and are thus informed within 24 hours if some
  security updates are waiting to be installed.
- Using Xen also has the advantages that it's easier to install a new
  kernel, and since official Xen Debian kernels will be shipped with etch,
  we'll have security support for that as well.
- And last point, the new host will be firewalled, and will not allow
  incoming connections on random ports anymore.

If I'd have more time I'd look further in things like SELinux or NuFW to
impose additionnal restrictions on the www-data user or apache process.
But external help is always welcome. :-)

Cheers,
-- 
Raphaël Hertzog

Premier livre français sur Debian GNU/Linux :
http://www.ouaza.com/livre/admin-debian/

Reply to:

References:
- Re: Security incident on Alioth and other Alioth news
  - From: Christoph Berg <myon@debian.org>

Prev by Date: Re: New website layout / design contest?
Next by Date: Re: Security incident on Alioth and other Alioth news
Previous by thread: Re: Security incident on Alioth and other Alioth news
Next by thread: Re: Security incident on Alioth and other Alioth news
Index(es):
- Date
- Thread