Old 08-21-2012, 05:03 AM
Dr Beco
 
man in the middle attack ?

Dear debian users,

First of all, thanks David and Phil,

> David <bo...cats@...>
> >On 21/08/2012, Phil Dobbin <bu...cat@...> wrote:
> >
> > I'd like to apologise for the abuse you have suffered at the hands of
> > certain members of this list. Uncalled for, rude & unhelpful.
>
> I agree. Attacking strangers might be a brief distraction from a bad
> day, or a sad life, but it is not the majority spirit here. Please
> ignore.


I am astonished at what happened. I'm sure it is just an exception.

I've been a Debian user for a long time; I buy t-shirts and buttons, I
download it and encourage my students to use it. I'm not moving away just
because of that. On the contrary, if the majority of the list is
friendly, so am I. Maybe there are moderators who could ask whoever
doesn't fit to leave. Not me.

It is funny: when a doctor asks how to update a wifi driver, nobody
makes jokes. But when talking about security, such bullies come. Why do
they feel the need to judge? "Hey, look how stupid that doctor is,
asking that! I'm no doctor and I know the answer!"

Yes, I'm a doctor, proud of it. It took me 5 years away from friends
and family, eating bread+eggs inside a lab. I passed uncountable
vacations, Christmas, family birthdays (and mine), alone in a freezing
room, studying, being judged by supervisors, and others. I'm 38, now.
If you want to judge me, maybe you can start by putting yourself in my
shoes.

People overestimate a Ph.D. As a biologist friend of mine said: you
keep studying more and more from less and less subject, until you know
everything of nothing.

So, forgive me my stupidity. I'll keep my email signature as it is, though.


Now, the technicality of the question:

After disconnecting the net cable, I realized the server was still up! :O

I logged in with an innocuous account to find that it was the old server
which had miraculously revived. Some intern from TI turned on the old server
and it took precedence over the new one. That explained the change of
the KEY.

The /var/log/auth.log shows:

Jun 20 14:17:01 zebu CRON[24183]: pam_unix(cron:session): session closed
Aug 20 10:16:23 zebu sshd[1301]: Server listening on port 22.

Mystery solved. I panicked and wrote you guys a message wondering what
would be an "immediate" action. Thank you,
Jochen, Phil, David, Lina and Jerome, very much for your time and kind
attention.

Jerome, I'll read the link you suggested. I'm sure I'll learn a lot
from it. Security is definitely not my area, but I do my best to
administer this server. It is just a server where students may log in
using ssh, get some contact with the Linux terminal, learn how to program
in C and other languages, without the vices of Windows
programming (like system("PAUSE") or include <conio.h>! argh!).


Although I have solved this case, if anyone feels like sending any links
or tips on how to proceed in case of emergency, I'm willing to read
more.

Thanks,

Ruben Carlo Benante, Ph.D.
Doctor in Artificial Intelligence,
Master Degree in Philosophy.
Painter, Lousy Chess Player, Poet,
(among other things I can't recall right now)

PS. My biologist friend is Ph.D. in Yellow Butts Ants. Don't ask him
about Red Butts Ants: he knows nothing about them!


--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2ysfnWg-50ihWqLLvM6Oev0RgtH5GN8Qce7X+7T0P=eDA@mail.gmail.com
 
Old 08-21-2012, 05:59 AM
Ralf Mardorf
 
man in the middle attack ?

On Tue, 2012-08-21 at 08:45 +0300, [snip] wrote:
> [private on purpose]
>
> Dear Ralf,
>
> If you meant this as a joke it was definitely not perceived as such by
> Dr. Beco or other list subscribers. You should probably clarify and
> apologize.
>
> Kind regards,
[snip]

You're right.

I apologize.

Regards,
Ralf


 
Old 08-21-2012, 06:34 AM
Ralf Mardorf
 
man in the middle attack ?

On Tue, 2012-08-21 at 02:03 -0300, Dr Beco wrote:
> It is funny when a doctor asks for how to update a wifi driver, nobody
> makes jokes. But talking about security, such bullies come. Why do
> they feel the need to judge? "Hey, look how stupid that doctor is,
> asking that! I'm no doctor and I know the answer!"

It has nothing to do with the fact that you're a doctor. It's because
you claim to be an expert regarding "A.I. research" and that you're a
"Cognitive Scientist".

Again I apologize for my bad behavior.

> PS. My biologist friend is Ph.D. in Yellow Butts Ants. Don't ask him
> about Red Butts Ants: he knows nothing about them!

That's not the same. "Cognitive science is the interdisciplinary
scientific study of the mind and its processes." - Wiki

Regards
Ralf


 
Old 08-21-2012, 06:36 AM
Andrei POPESCU
 
man in the middle attack ?

On Tue, 21 Aug 12, 14:02:48, David wrote:
> On 21/08/2012, Phil Dobbin <bukowskiscat@gmail.com> wrote:
> >
> > I'd like to apologise for the abuse you have suffered at the hands of
> > certain members of this list. Uncalled for, rude & unhelpful.
>
> I agree. Attacking strangers might be a brief distraction from a bad
> day, or a sad life, but it is not the majority spirit here. Please
> ignore.

Please don't make haste in assuming malice. Communication via e-mail
between people of different native languages and cultures is quite a
challenge, especially for humor and sarcasm.

http://www.ietf.org/rfc/rfc1855.txt

- A good rule of thumb: Be conservative in what you send and
liberal in what you receive. You should not send heated messages
(we call these "flames") even if you are provoked. On the other
hand, you shouldn't be surprised if you get flamed and it's
prudent not to respond to flames.

[...]

- Remember that the recipient is a human being whose culture,
language, and humor have different points of reference from your
own. Remember that date formats, measurements, and idioms may
not travel well. Be especially careful with sarcasm.


Kind regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 08-21-2012, 06:54 AM
Lisi
 
man in the middle attack ?

On Tuesday 21 August 2012 07:36:00 Andrei POPESCU wrote:
> Communication via e-mail
> between people of different native languages and cultures is quite a
> challenge,

+1

There are also different acceptable modes of behaviour. There are tribes in
Africa who wear almost no clothes. That is in general illegal in public
here.

Self-aggrandisement is almost a duty in some cultures. In others it is very
much frowned on.

This list is international. Let's live and let live and try not to be
offended by each other.

Lisi


 
Old 08-21-2012, 09:27 AM
Gal DONVAL
 
man in the middle attack ?

On Monday, 20 August 2012 17:29 -0300, Dr Beco wrote:
> What should I do, or where should I look, to understand this problem?
>
> Can I log in with my account remotely to see the problem, or should I
> better log in locally?

Just do what it says. If you can log in locally, you can try
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
to get the fingerprint and compare it with the new one. You should NOT
need root privilege for that.

But as others said, an ssh public key can't change on its own: somebody
needs to have done something (IT, attacker, intern) or else there is a
hardware failure. In any case, the only "immediate action" is to
investigate, as you did by unplugging the server. In this case this was
an involuntary and harmless, yet real, MITM attack.


 
Old 08-21-2012, 09:41 AM
Keith McKenzie
 
man in the middle attack ?

On 21 August 2012 07:54, Lisi <lisi.reisz@gmail.com> wrote:
[...]
>
> Self-aggrandisement is almost a duty in some cultures. In others it is very
> much frowned on.
>
[...]
> Lisi
>

Wow! - I wonder how many (international) people are going to
understand that. :-)


--
Sent from FOSS (Free Open Source Software)
Debian GNU/Linux


 
Old 08-21-2012, 10:25 AM
Aidan Gauland
 
man in the middle attack ?

Dr Beco <rcb@beco.cc> writes:
> After disconnecting the net cable, I realized the server was still up! :O
>
> I logged in with an innocuous account to find that it was the old server
> which had miraculously revived. Some intern from TI turned on the old server
> and it took precedence over the new one. That explained the change of
> the KEY.
>
> The /var/log/auth.log shows:
>
> Jun 20 14:17:01 zebu CRON[24183]: pam_unix(cron:session): session closed
> Aug 20 10:16:23 zebu sshd[1301]: Server listening on port 22.
>
> Mystery solved.

Now I'm really curious, but confused. Why did the presence of another
server change the key on the original server? Or did you mean that an
old server was, in error, put up in place of the one you set up earlier
(before the warning from SSH)?

Kind regards,
Aidan Gauland


 
Old 08-21-2012, 01:51 PM
Dr Beco
 
man in the middle attack ?

Aidan wrote:
> Now I'm really curious, but confused. Why did the presence of another
> server change the key on the original server? Or did you mean that an
> old server was, in error, put up in place of the one you set up earlier
> (before the warning from SSH)?
>
> Kind regards,
> Aidan Gauland

Hi Aidan,

I'm not sure I understand SSH keys to the point of answering that, but
I can tell you what I think happened: the original SSH key, I believe,
never changed. The external IP was the same for both servers, and
because of this conflict, people from outside could see only the old
server, which took precedence.

Of course, the old server had a different key.

Please correct me if I'm wrong. As Gal said, maybe this command
> ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
can show me if that is the case. But I would have to have the original
SSH key to compare to, to see if it changed or not.

Can I run the same command on a client (my notebook) to compare to the
result of it from the server? I did not change my known_hosts on the
notebook.

My best,
Beco



--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


 
Old 08-21-2012, 02:12 PM
Gal DONVAL
 
man in the middle attack ?

On Tuesday, 21 August 2012 10:51 -0300, Dr Beco wrote:
> can show me if that is the case. But I would have to have the original
> SSH key to compare to, to see if it changed or not.
The command I gave you should be used if you have local access to the
ssh server, to get the fingerprint.

When you first connect to the ssh server from a brand new client, the
client will show you a fingerprint. All you have to do is check that
these two match.

In your case, you were not sure of the nature of the attack: was it a
MITM attack? a compromised server? a disk failure? So I suggested you
could check the fingerprint (using your local access) and compare it to
the one given in the WARNING_PEOPLE_ARE_DOING_NASTY_THINGS message
(which is the original one, taken from the known_hosts file). The
purpose is to check whether the change came from the server (in case of
compromise or hardware failure) or from somewhere in the middle
(MITM).

> Can I run the same command on a client (my notebook) to compare to the
> result of it from the server? I did not changed my know_hosts on the
> notebook.
ssh-keygen -lf ~/.ssh/known_hosts should match (at least one of its
lines) but if it does not, ssh would warn you in the scary way it
already did.





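Gal's two suggestions amount to one check: the fingerprint of the server's /etc/ssh/ssh_host_*.pub must equal the fingerprint of the entry the notebook already holds in ~/.ssh/known_hosts. The script below is an added example, not from this thread, that computes the same SHA256 fingerprint `ssh-keygen -lf` prints (OpenSSH 6.8 and later; 2012-era builds printed MD5) and tells the three cases apart: stored key matches, host known under a different key (the scary warning), or host never seen. The key material, the host name zebu.example and the known_hosts entry are constructed for the example; it also handles the hashed host entries Debian's ssh_config writes by default.

```python
import base64, hashlib, hmac, struct

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (OpenSSH >= 6.8)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_key_line(line: str):
    """(keytype, wire blob) from a *.pub line (type in field 0) or a known_hosts
    line (type in field 1): the decoded blob itself begins with the type string."""
    fields = line.split()
    for i in range(min(2, len(fields) - 1)):
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n].decode() == fields[i]:
                return fields[i], blob
        except (ValueError, struct.error):   # field is a hostname, not a key blob
            pass
    raise ValueError("no SSH public key in line: " + line.strip())

def hashed_host(hostname: str, salt: bytes) -> str:
    """Host field as written by HashKnownHosts (on by default in Debian's ssh_config)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def entry_matches_host(hostfield: str, hostname: str) -> bool:
    if hostfield.startswith("|1|"):
        salt = base64.b64decode(hostfield.split("|")[2])
        return hmac.compare_digest(hostfield, hashed_host(hostname, salt))
    return hostname in hostfield.split(",")   # plain "host,ip" lists; no wildcards/ports

def check_host_key(known_hosts: str, hostname: str, server_pub_line: str):
    """True: stored key == server's key.  False: host known under another key
    (ssh's warning case).  None: the client has never recorded this host."""
    server_fp, seen = fingerprint(parse_key_line(server_pub_line)[1]), False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if entry_matches_host(fields[0], hostname):
            seen = True
            if fingerprint(parse_key_line(line)[1]) == server_fp:
                return True
    return False if seen else None

# Constructed sample keys (no real hosts): an ed25519 wire blob is the type string
# "ssh-ed25519" followed by the 32 raw public-key bytes, each length-prefixed.
def _blob(keytype: str, key: bytes) -> bytes:
    t = keytype.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(key)) + key
NEW_KEY = base64.b64encode(_blob("ssh-ed25519", bytes(range(32)))).decode()
OLD_KEY = base64.b64encode(_blob("ssh-ed25519", bytes(range(32, 64)))).decode()
KNOWN_HOSTS = hashed_host("zebu.example", b"\x01" * 20) + " ssh-ed25519 " + NEW_KEY + "\n"
SERVER_PUB_NEW = "ssh-ed25519 " + NEW_KEY + " root@zebu\n"      # the rebuilt server
SERVER_PUB_OLD = "ssh-ed25519 " + OLD_KEY + " root@old-zebu\n"  # the revived old box
```

On a real system, feed it the text of ~/.ssh/known_hosts from the notebook and one line of /etc/ssh/ssh_host_ed25519_key.pub (or the RSA file) read locally on the server; a False result with the old box on the network is exactly what Dr Beco saw.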
 