[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to ensure the integrity of Debian mirrors?

Thomas Gebhardt wrote:
> Hi,
> yesterday I had to take a look at a machine that was emerging
> ping floods and did other nasty things. It turned out that it
> was a freshly installed Linux box (not a Debian system but
> another well known Linux distribution) and some investigation
> revealed that pretty soon after the installation several
> people from different sites got root access and reconfigured
> the system for their "needs".
Do you mind telling what distribution this was?
If this was a redhat machine I know 2 people personally that had their
machines hacked (yes I don't like saying cracked) just last week so it
may not have come from the mirror.

> So there is some strong evidence that the system was installed
> from an compromised ftp mirror which included a Troan horse
> ehm... Trojan horse and some mechanism to distribute the ip
> address of the installed host.
> I'd suggest to provide some mechanism to make compromising a
> Debian mirror more difficult. For now one could provide
> a PGP and/or GPG signed list of MD5 sums of all .deb
> packages. This list could be generated when constructing
> the Packages file. In the future one might implement a
> more elaborate certification scheme.

This sounds like a good idea, I don't see why it can't be done.

Stephen Crowley                 crow@debian.org, stephenc@wf.net
-* Finger crow@va.debian.org for my public key.	PGP#22714B25  *-

Reply to: