Ubuntu community servers penetrated
The manufacturer has reported that five Ubuntu community servers were compromised and exploited to attack other systems. They were taken off the net as a result and are now back in operation. According to Canonical, several failures in server maintenance facilitated the break-in. More than 15 outdated, unpatched Web applications running in parallel on separate servers contributed to the problem. Furthermore, data exchange was conducted over unencrypted FTP. Finally, even the servers themselves had not been updated: they were still running the no longer supported Version 5.10 (Breezy Badger). The reason given for this is an alleged incompatibility between newer Ubuntu versions and the existing network card and hardware provided and sponsored by Canonical.
As a result of the penetration, Canonical is planning to change its requirements for servers of this type. Up to now, each country team (Local Community, LoCo) has operated its own community server, through which Ubuntu users communicate in forums and chatrooms. Canonical, the sponsor and manufacturer of Ubuntu, provides local teams with hardware and bandwidth or sponsors Web hosting. As an alternative, the sponsor now suggests that LoCo teams migrate their servers to the Canonical data centre. Better hardware is available there, bandwidth is abundant and Canonical handles the maintenance, but the teams would have to give up root access to their system; a few team members would still be allowed to access the server via SSH. Even the choice of forum and blog software (Drupal, WordPress) running on the system would be considerably restricted.
If LoCo teams want to continue operating their own server, responsibilities must be defined more clearly in order to prevent uncontrolled installations and configurations. In particular, the teams would have to bear sole responsibility for the maintenance and security of the system, and support would cease if the server were breached.
- Changes to LoCo Server Policy, announcement on Ubuntu