Debian has published Security Advisories for two consecutive days, trying to get a grip on what looks like a massive security hole in their SSH and SSL offerings. I spent 4 hours yesterday and another one this morning going through all the systems locking things down.
Details are still surfacing, but this time it seems they've outdone themselves, making the key space apparently very, very small (we're talking '5 minute brute force' small). There are some bits of info on http://wiki.debian.org/SSLkeys
Comment 1 by jaklumen
Since Ubuntu is essentially a Debian build, any idea how this would apply to Hardy Heron?
Comment 2 by TTimo
Yes, Ubuntu is affected as well; they released their own advisory yesterday. I don't have any Ubuntu systems so I don't know the details.
Comment 3 by TTimo
http://metasploit.com/users/hdm/tools/debian-openssl/ is the best analysis so far. The key space is indeed tiny. Debian's sshd now checks for and denies the most common keys, but sshd from other distros doesn't, so if you have uploaded weak keys anywhere else those systems remain exposed.
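The point in the comment above is that a non-Debian sshd will happily accept a weak key sitting in its authorized_keys, so the check has to be done on the key files yourself. The script below is an added example written for this page; it is not code from the post, from Debian's ssh-vulnkey, or from the Metasploit analysis. It parses authorized_keys lines, computes the classic MD5 fingerprint of each key blob, and matches the fingerprint against a blacklist. Two things are assumptions: the blacklist line format (the low 80 bits, i.e. the last 20 hex digits, of the MD5 fingerprint, which is how I recall Debian's openssh-blacklist files being laid out), and the sample keys, which are constructed toy RSA blobs with tiny moduli so that the script runs offline; they are not real keys from the weak set.

```python
"""Added example: flag SSH public keys whose MD5 fingerprint is on a blacklist.

Not part of the original post. The blacklist and the keys below are
constructed in-line so the script runs offline; to use it for real, load
the entries from a blacklist file and point it at your authorized_keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative SSH wire-format mpint (extra leading zero if high bit set)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Classic OpenSSH MD5 fingerprint of a key blob, 'ab:cd:...' (16 groups)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_entry(blob: bytes) -> str:
    """Low 80 bits (last 20 hex digits) of the MD5 fingerprint.

    ASSUMPTION: this mirrors the line format of Debian's openssh-blacklist
    files, which drop the first 12 hex digits of the fingerprint.
    """
    return hashlib.md5(blob).hexdigest()[12:]


def parse_authorized_keys(text: str):
    """Yield (key_type, blob, comment) per key line; skip blanks and comments.

    A leading options field (e.g. from="...") is tolerated as long as it
    contains no spaces; quoted options with embedded spaces are not handled.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field in ("ssh-rsa", "ssh-dss") and i + 1 < len(fields):
                blob = base64.b64decode(fields[i + 1])
                comment = " ".join(fields[i + 2:])
                yield field, blob, comment
                break


def find_blacklisted(text: str, blacklist: set) -> list:
    """Return the comment (or fingerprint, if no comment) of every blacklisted key."""
    hits = []
    for _key_type, blob, comment in parse_authorized_keys(text):
        if blacklist_entry(blob) in blacklist:
            hits.append(comment or md5_fingerprint(blob))
    return hits


# Constructed sample keys: toy moduli far too small to be real, purely for the demo.
WEAK_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567891ABCDEF)
GOOD_BLOB = rsa_public_blob(65537, 0xDEADBEEFCAFEF00D12345678)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + base64.b64encode(WEAK_BLOB).decode() + " weak@debian-etch",
    'from="192.0.2.7" ssh-rsa ' + base64.b64encode(GOOD_BLOB).decode() + " good@elsewhere",
])

# Constructed blacklist: contains only the weak sample key's entry.
SAMPLE_BLACKLIST = {blacklist_entry(WEAK_BLOB)}


def demo() -> list:
    """Run the check over the constructed file; returns ['weak@debian-etch']."""
    return find_blacklisted(SAMPLE_AUTHORIZED_KEYS, SAMPLE_BLACKLIST)


if __name__ == "__main__":
    for hit in demo():
        print("BLACKLISTED:", hit)
```

Replace `SAMPLE_BLACKLIST` with the entries read from the real blacklist files and run `find_blacklisted` over every authorized_keys and host key on the non-Debian machines; anything it reports needs the key revoked and regenerated on a patched system, not merely removed from one box.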
Comment 4 by osde8info
Debian SSL & TOR: http://archives.seul.org/or/announce/May-2008/msg00000.html
A bug in the Debian GNU/Linux distribution's OpenSSL package was announced today. This bug would allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library. Thus, all private keys generated by affected versions of OpenSSL must be considered to be compromised.
Tor uses OpenSSL, so Tor users and admins need to take action in order to remain secure in response to this problem.
If you are running Debian, Ubuntu, or any Debian-based GNU/Linux distribution, first follow the instructions at http://lists.debian.org/debian-security-announce/2008/msg00152.html to upgrade your OpenSSL package to a safe version.
Comment 5 by Berni
While you are in there, take a look at /etc/ssh/sshd_config.
Try not to offer ssh services on port 22 to the world.
Also consider using AllowUsers:
AllowUsers @ip
...
AllowUsers @ip...
Where ip, ip... are addresses or DNS names of the incoming sites you trust. As many as you like.
Berni