[clue-tech] Debian Server Contract work

Richard Knechtel richard.knechtel at gmail.com
Tue Nov 18 21:47:39 MST 2008


All,
I know someone here in Wisconsin that is looking for someone to do some 
short term contract work on a Debian Linux server. The person -does not- 
need to reside in Wisconsin. If someone is good with Linux servers - 
specifically Debian distribution. Below are the individual's needs. The work 
can be done via VPN from my understanding. Or if you reside here in 
Wisconsin that would probably be more helpful to this person. If you have 
the knowledge/expertise to do what they need please send me your contact 
information and I will forward it on to this person and have the individual 
contact you directly.

Disclaimer:
I am not a recruiter and am making no money on this. I am doing this as a 
favor for this person - as they do not have any contacts within the Linux 
community. I used to live in Denver but moved to Wisconsin. (Go Pack!)

Thanks,
Richard Knechtel

Here is the information I was given.
-------

We have a dedicated production e-commerce web server ( Apache/2.2.3 
(Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c ) that is possibly vulnerable to an 
SSL attack. The reference to this attack can be found here: 
<http://www.debian.org/security/2008/dsa-1571>.


We would like an estimate for the following tasks.
1. Determine whether or not the server's openssl package has already been 
patched.
2. If the openssl package needs to be patched, determine the risks, if any, 
and when the client has reviewed the risks and approved the patch, apply 
the openssl package patch.
3. Determine which keys need to be regenerated. ( Affected keys include SSH 
keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 
certificates and session keys used in SSL/TLS connections. )
4. Create a plan to regenerate / update all the weak keys to ensure the SSL 
for the E-Commerce site does not go down. Instructions to do this are 
referenced here: 
<http://www.debian.org/security/key-rollover/>

Additional Notes:
The updates and patches need to happen during non-traditional buying hours 
so minimal revenue is lost. More than likely, the updates will need to 
happen between 11pm and 2am.
Known website / server configuration dependencies are:
1. Website is using a custom PHP Environment Variable that is set in the 
php.ini file.
2. Cron jobs.
3. MySQL server that is used to run the site.
4. Possible shell commands used by the PHP files running the site, I don't 
know what they are.
5. The developers and maintainers of the website / server are no longer in 
business and getting additional help from them will either be very 
difficult or unavailable.