kimsufi 服务器曝出严重安全漏洞。。。大神帮忙看看什么意思
On May 2, 2017 at 16:00 CEST, a security flaw was detected in our Proxmox 4 installations.In order to use Proxmox in a ‘cluster’ configuration (Proxmox VE Cluster), a pair of SSH keys is automatically generated to facilitate communication between the different physical nodes of the cluster.
Our system that generates the distribution (March 16, 2017 at 12:26 CEST) did not correctly those pair of keys, making possible the connection between two client machines.
In order to reduce the attack surface and as a measure of precaution, we used the private key available in the image to remove the public key which corresponds to the authorize keys file found in ‘/etc/pve/priv’. The traditional "/root/.ssh/authorized_keys" file being a symbolic link to the latter.
We are not able to intervene on the Proxmox configurations configured in cluster mode, without disrupting service.
We have logged in your manager our intervention under the reference: 'Remote Intervention OVH for correction Proxmox installation'.
The corrective action taken is not a permanent solution because in order to fully secure your configuration, the new pair of keys must be generated by you. If you restart the ‘pve-cluster’ service (also in case of server reboot), the previous SSH key will be redeployed, making the server vulnerable again.
It is strongly advised that you conduct a complementary analysis of your system.
In order to help you, the following script will secure your infrastructure:
- wget ftp://ftp.ovh.net/made-in-ovh/dedie/proxmox4-fixssh.sh
- chmod +x proxmox4-fixssh.sh
- ./proxmox4-fixssh.sh
貌似大意是:我们发现了Proxmox 4的安全漏洞,并帮您采取了临时补救措施,但是需要你亲自动手才能彻底解决这个问题,解决方法请运行以下命令:
- wget ftp://ftp.ovh.net/made-in-ovh/dedie/proxmox4-fixssh.sh
- chmod +x proxmox4-fixssh.sh
- ./proxmox4-fixssh.sh
各位大神啊!中文大意是这样吗? 我还没收到相关信息,可以使用5.0BATE版,也是稳定的 收到了 但沒理 我擦这货都出现5.0了啊 我的免费虚拟主机瑟瑟发抖 /root/.ssh下面的密钥没删除?别人可能会用现有的私钥登陆ssh,因为他的模板私钥都是一样的。。直接删了/root/.ssh 重新生成一个
Proxmox 不意外 好像OVH早就发了Proxmox的漏洞让解决了 没使用Proxmox,不担心。 运行了OVH提供的脚本,貌似已搞定这个问题yc002t
页:
[1]