[ntp:hackers] UDel security
David L. Mills
mills at udel.edu
Thu May 12 06:30:17 PDT 2005

Being a public university we are absolutely deluged with hacker
attacks. Every one of our several hundred staff and student machines is
attacked many times each day, and I do not underestimate the frequency.
I caught a password cracker on deacon last night and am told crackers
attack every machine many times a day. My tcpdump catches subnet
indexing on an almost continuous basis. It has come to the point that
the attacks, although not apparently successful, have overwhelmed our
staff, as the volume of security logs has grown to immense proportions.
The department staff has closed all access from outside 128.4 to only a
few carefully watched public machines and closed off all RPC ports
except NTP and a couple of others. The 128.4 NTP test machines on the
campus and backroom subnets are currently open to ssh (only). I should
probably change that to require login to pogo first before allowing
access to other machines. Will this be a problem for the legitimate
testers and hackers?

Most of our machines are now closed access via NTP unless
cryptographically authenticated. I intend to do that for all campus
servers, including those that are now open access. UDel will thus turn
into a black hole for everything except the web and a few portholes like
our campus, department public servers.

I am asking the ISC to regularize the Autokey group key provision via
the web. Can we set up a scheme that allows registration and retrieval
of a group key for designated machines? I am open to any scheme that
provides cryptographically secure storage and retrieval of a group key
for any specific registered group.