Linode SSH key blunder left virtual servers open to man-in-the-middle fiddles for months

Regen your keys ASAP

Web hosting biz Linode broke the security in its customers' virtual machines, allowing attackers to eavesdrop on SSH connections and hijack them.

Nodes that installed Linode's Ubuntu 15.10 image between November 10, 2015, and February 4, 2016, all use the same SSH server key. Usually, a unique key is generated during installation of a Linux distro, but that doesn't appear to have happened for months in this case.

With that key in hand, a man-in-the-middle attacker could set up a malicious server that masquerades as your vulnerable virtual machine, allowing the hacker to quietly intercept passwords, commands, and other sensitive data sent to and from you and your real server.

Earlier today, people who used the dodgy image received the following email from Linode's Alex Fornuto, who urged them to regenerate their SSH server keys. Here's an extract of the message:

It has come to our attention that there is an issue with the Ubuntu 15.10 image we offered from November 10th, 2015, through February 4th, 2016. Any Linodes deployed using this image within this time frame are using identical SSH server keys. If you're receiving this ticket, you have a disk image currently affected by this issue.

For those unfamiliar with these terms, consider this fuller explanation: Each Linux server running the SSH daemon should have a set of unique keys, used to generate the encryption between client and server. While this traffic is still secure against an attempt to access data by "wire sniffing," someone could use those keys to institute a "man in the middle" attack. The network rules on our infrastructure prevent such an attack from a neighboring Linode, but connections made from insecure wifi-networks or clients with compromised DNS could be vulnerable.

The steps required to resolve this issue are easy and few. First, from your Linode terminal, as root or with the sudo prefix, run:

rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

If you have any questions regarding this issue, please feel free to reply to this ticket. Furthermore, you can be confident that we have implemented new processes to ensure that this sort of oversight doesn’t happen again.

Linode corrected its Ubuntu 15.10 image on February 4.
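An added example, not from the article or from Linode: a shell function that reads ssh-keyscan style lines and reports any host key presented by more than one server, which is the condition the email describes. The host names, the key blobs in the sample and the hosts.txt file name are constructed placeholders.

```shell
#!/bin/sh
# Report host keys that more than one server presents.
# Input (stdin): known_hosts / ssh-keyscan lines: "<host> <keytype> <base64 key>"
# Output: one line per shared key: "<keytype> <count> <host> <host> ..."
find_shared_hostkeys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # comments and blank lines
        $1 ~ /^@/            { next }   # @cert-authority / @revoked entries
        NF < 3               { next }   # malformed line
        {
            id = $2 " " $3               # key type + key blob identify the key
            if (seen[id, $1]++) next     # same host entry listed twice
            count[id]++
            hosts[id] = (count[id] > 1) ? (hosts[id] " " $1) : $1
            type[id] = $2
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    print type[id], count[id], hosts[id]
        }
    ' | sort
}

# Constructed sample: node-a and node-b were built from the same image and
# share host keys; node-c generated its own. Key blobs are placeholders.
sample_scan() {
    cat <<'EOF'
# constructed ssh-keyscan style output
node-a.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE
node-b.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE
node-c.example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYTWO
node-a.example.net ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERRSAONE
node-b.example.net ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERRSAONE
node-c.example.net ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERRSATWO
EOF
}

# Real use (hosts.txt is an assumed file name, one server per line):
#   ssh-keyscan -f hosts.txt 2>/dev/null | find_shared_hostkeys
sample_scan | find_shared_hostkeys
```

Separate name and IP entries for one machine will also show up as a shared key, so reconcile those before treating a hit as a cloned image.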

This blooper comes after the New Jersey-based Linux server hoster weathered a ten-day distributed denial-of-service attack on its data centers after Christmas, and reset its users' account passwords after a hack attack scare in January. As it happens, Linode is advertising for Linux technical support workers... ®
