All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Evorack Security Advisory (2012-07-21)
Dear Customers,
We would like to report the following security advisory that requires your immediate attention.
Who This Affects
All Evorack customers using any version of Debian or Ubuntu. All other customers (CentOS, Fedora, NetBSD, Slackware, Arch Linux) remain unaffected.
Description
The Debian and Ubuntu templates used by Evorack contain a set of default SSH host keys. While Evorack does have filtering rules in place to prevent "Man In The Middle (MITM)" attacks from other Evorack VPSs, there may be other vectors outside of the Evorack network that could potentially leave your VPS vunerable to MITM attacks.
Steps that require immediate action
Each affected customer should issue the following commands on their VPS:
/bin/rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
The first command will remove all of your current SSH host keys. The second command will generate a new set.
Upon next log in to your Evorack VPS, you should get a warning that states that something bad may be going on. If you are using Putty on Windows, you can safely ignore this prompt and proceed to cache the new fingerprint. If you are using Linux/Mac to log into your VPS via SSH, then issue the following command to remove the old host fingerprint:
ssh-keygen -R
If you do not get a warning, please try again. If you still don't get a warning, please contact us.
Evorack would like to apologise for any inconvenience these steps may cause.
If anyone has any questions, please feel free to contact us.
Regards,
Evorack Customer Services
Comments
same like in virtualizor previous version. right @breton?
I'd like to stress that we do have filtering rules in place to prevent MITM attacks from occurring from within the Evorack network.
Additionally, I can confirm that this issue was caused by our upstream template provider. We obtain our templates from a very reputable source of Virtualisation Templates who unfortunately, in this case, has let us down.
Please be rest assured that Evorack has implemented scripts into the images on our template server to make sure that no SSH host keys exist and that they are automatically generated on first boot of the Evorack VPS
that's why you make your own....
Right
Damn, I even wrote about that to the WHT. It was, like, 3 months ago.
I also wonder why Virtualizor guys didn't announce it as a security advisory themselves.
@kbar, you will find that it is very common for providers to obtain images from a trusted third party due to the sheer number of images available. We like to give our customers choice
In any case, security advisories are, unfortunately, a regular occurrence of life. Even if we were to compile our own kernel, make our own filesystem with buildroot (or compile glibc and all userspace tools from scratch), there would still be security issues with the final build. I'm not trying to say that this reported issue isn't important, just trying to say that you always have to give you trust to someone else at some point
I'd like to stress that we had guys working on this issue immediately once it was discovered and a notice was sent to customers within 2 hours (after updating all Debian/Ubuntu images on our template server)
@breton, can you enlighten me on this? I'm guessing you guys has this issue before yourselves?
Thanks
The idea for posting this topic was not provider-bashing etc but to get your VPSes fixed as per the email instructions. Now that we all have it done, we can even put this as a way to "strengthen" new VPSes from any provider just in case.
Thanks all for your comments
@Jonny_Evorack thanks for the notice in time
Yep, I found this issue on @Mon5t3r 's server. And made a post on the WHT - http://www.webhostingtalk.com/showthread.php?t=1120305. Virtualizor guys released an update and we forgot about the problem.
@Asim, I completely understand
It's good to make as many people aware of this as possible I guess. It mite even be a good idea to add some key regeneration to the LEB scripts here? It could go something like this:
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -t rsa -N ''
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -t dsa -N ''
Note that the above comands are from my head, not sure if they are 100% correct. They are different commands from the Evorack advisory as those were just specific to Debian/Ubuntu while the above should work for any OS.
@breton, that's very interesting. I've submitted a ticket to the company that does our images so hopefully they will get this fixed. Nonetheless, we'll we adding our script to every template that makes sure that these SSH host keys do not exist prior to first boot.