
IMPORTANT and URGENT: dedicated server security bug


Allot
12-02-2008, 10:56
Hello,

A major security fault has been highlighted this weekend on all Linux kernels 2.6.XX that you can use at OVH (and other places). No security patch (grsecurity, PaX, Openwall, etc) is currently blocking this bug. The only way to fix the bug is to upgrade your kernel to the latest version of Linux 2.6.24.2 (updated yesterday evening at 21:51!).

This bug is VERY dangerous and any user of the server can get root access in less than 10 seconds, extremely easily! Unfortunately if this happens, it is too late and the server has to be reinstalled. Even if you do not offer shell / bash on your servers, through PHP scripts, CGI, etc., root access on the machine will be granted.

Do not postpone this update until tonight or tomorrow! Approximately one hour ago, we had to block the first server hacked using this method. With this bug, your network security is in danger. Therefore, we will not hesitate to block your server if it is hacked. So we strongly advise that you take 10 minutes now to execute these simple commands.
OVH offers patched kernels, checked and secured against this security bug. Also, the new kernel supports most network cards used as part of the hardware at OVH. For example, iSCSI, as well as a ton of other little kernel bugs.

How to upgrade the kernel in less than 5 minutes? Very simple. Even if you have never done it before, you are going to succeed with this update.

1.) Log into the server in SSH and type (or copy and paste):
# wget -q -O - ftp://ftp.ovh.net/made-in-ovh/dedie/...3ware-sysfs.sh | /bin/bash
# wget -q -O - ftp://ftp.ovh.net/made-in-ovh/rtm/install_rtm.sh | /bin/bash
This updates your RTM, the sysfs patch, 3ware. An additional security procedure before the reboot.

2.) In the manager, select "netboot" and then "ipv4", then the version "32-bit" or "64-bit" (it depends on the distribution you are using).
For example, "bzImage-xxxx-std-ipv4-32"
Next, log back into the server in SSH and type:
# reboot

Wait for the server to reboot (takes between 2 - 5 minutes, depending on the server), then log into the server in SSH and type:
# uname -a
The command must show you the version 2.6.24.2.
For example: # uname -a
Linux Oles2.ovh.net 2.6.24.2 Linux-xxxx-std-ipv4-32 #1 SMP Mon Feb 11 14:51:26

If you do not use the netboot, you can download our kernels on ftp://ftp.ovh.net/made-in-ovh/bzImage
bzImage-2.6.24.2-xxxx-std-ipv4-32
bzImage-2.6.24.2-xxxx-std-ipv4-32-hz1000
bzImage-2.6.24.2-xxxx-std-ipv4-64-hz1000
bzImage-2.6.24.2-xxxx-std-ipv6-32
bzImage-2.6.24.2-xxxx-std-ipv4-32-filer
bzImage-2.6.24.2-xxxx-std-ipv4-64
bzImage-2.6.24.2-xxxx-std-ipv4-64-rescue
bzImage-2.6.24.2-xxxx-std-ipv6-64

GRSecurity kernels are not yet available. The patch will be available within the next few days. If you compile the kernel yourself, you can find our tar.gz as well as the .config on ftp://ftp.ovh.net/made-in-ovh/bzImage

If you have any problems, please use the forum or mailing list so that we can help you directly. Do not forget to put the name of your dedicated server on your posts (each message). On the forum: http://forum.ovh.com/showthread.php?t=31396

Thank you all and good patch!

P.S. For customers who have opted for total security, the updates are already in progress.

Yours sincerely,

Octave
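The post ends by asking you to confirm with uname -a that the kernel is 2.6.24.2. The script below is an added example, not part of the OVH post or of OVH's tooling: it automates that check by comparing the version components numerically (a plain string comparison would rank "2.6.9" above "2.6.24" and call a stale kernel safe). It assumes the `uname -r` output format, e.g. "2.6.24.2-xxxx-std-ipv4-32"; the minimum version is the one stated in the post.

```shell
#!/bin/sh
# Added example (not from the OVH post): verify that the running kernel is at
# least 2.6.24.2, the version the post says closes the bug. Version components
# are compared numerically, component by component.
# Assumed input: the `uname -r` string, e.g. "2.6.24.2-xxxx-std-ipv4-32".

MIN_KERNEL="2.6.24.2"

# numeric_version "2.6.9-42.ELsmp" -> "2.6.9" (drops the suffix after the first
# character that is neither a digit nor a dot)
numeric_version() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*$//'
}

# kernel_at_least VERSION MIN -> exit status 0 if VERSION >= MIN, 1 otherwise.
# ".0.0.0" is appended so short versions such as "2.6.23" still have 4 fields.
kernel_at_least() {
    v="$(numeric_version "$1").0.0.0"
    m="$(numeric_version "$2").0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        a=$(printf '%s\n' "$v" | cut -d. -f"$i")
        b=$(printf '%s\n' "$m" | cut -d. -f"$i")
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0   # all four components equal
}

# check_kernel VERSION -> prints a verdict; exit status 0 only when patched
check_kernel() {
    if kernel_at_least "$1" "$MIN_KERNEL"; then
        echo "OK: kernel $1 is >= $MIN_KERNEL"
        return 0
    fi
    echo "VULNERABLE: kernel $1 is older than $MIN_KERNEL, upgrade and reboot"
    return 1
}

# Check the live system when the script is run directly.
check_kernel "$(uname -r)" || true
```

Run it after the reboot; a non-zero exit status from check_kernel means the netboot change did not take effect and the old kernel is still running.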