[ntp:hackers] UDel security

David L. Mills mills at udel.edu
Thu May 12 06:30:17 PDT 2005


Being a public university, we are absolutely deluged with hacker 
attacks. Every one of our several hundred staff and student machines is 
attacked many times each day, and I do not underestimate the frequency. 
I caught a password cracker on deacon last night and am told crackers 
attack every machine many times a day. My tcpdump catches subnet 
indexing on an almost continuous basis. It has come to the point that 
the attacks, although not apparently successful, have overwhelmed our 
staff, as the volume of security logs has grown to immense proportions.

The department staff has closed all access from outside 128.4 to only a 
few carefully watched public machines and closed off all RPC ports 
except NTP and a couple of others. The 128.4 NTP test machines on the 
campus and backroom subnets are currently open to ssh (only). I should 
probably change that to require login to pogo first before allowing 
access to other machines. Will this be a problem for the legitimate 
testers and hackers?

Most of our machines are now closed access via NTP unless 
cryptographically authenticated. I intend to do that for all campus 
servers, including those that are now open access. UDel will thus turn 
into a black hole for everything except the web and a few portholes like 
our campus, department public servers.

I am asking the ISC to regularize the Autokey group key provision via 
the web. Can we set up a scheme that allows registration and retrieval 
of a group key for designated machines? I am open to any scheme that 
provides cryptographically secure storage and retrieval of a group key 
for any specific registered group.
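
An added example, not part of Mills's message: an ntp.conf fragment in ntpd 4.2.x syntax that implements the policy described above, answering time requests only from clients that authenticate (Autokey here). The hostnames, key directory and password are assumptions, not values from the post.

```conf
# Added example (not from the original post): ntp.conf for a server that is
# "closed access via NTP unless cryptographically authenticated".
# Hostnames, keysdir and the password below are assumed for illustration.

# Default policy for every client: kod = send Kiss-o'-Death on violations,
# nomodify/notrap/noquery = no runtime config, traps or ntpq/ntpdc queries,
# nopeer = do not accept unsolicited peers, notrust = discard any packet that
# is not cryptographically authenticated (Autokey or a symmetric key).
restrict default kod nomodify notrap nopeer noquery notrust

# Local monitoring (ntpq on the box itself) stays unrestricted.
restrict 127.0.0.1

# Autokey material generated with ntp-keygen lives in keysdir; pw decrypts
# the host key and certificate files, randfile seeds the random generator.
keysdir /usr/local/etc
crypto pw assumed-password randfile /dev/urandom

# Upstream servers, themselves authenticated with Autokey (assumed names).
server pogo.udel.edu autokey
server deacon.udel.edu autokey
```

Two checks after restarting ntpd: `ntpq -p` on the server should show the upstream associations reaching, and a query from a host without Autokey (for example `ntpdate -q` against this server) should time out, because `notrust` makes ntpd drop the unauthenticated request rather than answer it. Caveat: the meaning of `notrust` changed in ntpd 4.2.0; on 4.1.x it only marks a source as unusable for synchronization and does not block unauthenticated clients, so check the version before relying on this line.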

