[ntp:hackers] UDel security

David L. Mills mills at udel.edu
Thu May 12 11:40:09 PDT 2005

Mark, Todd, Danny, et al,

All our SSH configurations are host based. Potential users must have 
valid group and user IDs and passwords in the NIS databases. There are 
two NIS databases, the department and pogo. The pogo database has only 
the NTP groupies, so they can rumble only with pogo and its dependents.

All my machines are behind the department routers, which have black and 
white lists based on address and port. SSH version 1 is disabled 
everywhere. Right now ssh access is allowed from outside only for 
certain department machines, but left open for my subnets 
128.4.1-128.4.9. What I plan to do is adopt the same policy as the other 
subnets while making only pogo available from outside for ssh.

We already have plaintext services like telnet, rsh and ftp blocked for 
all department (ECE and CIS) hosts, with the exception of only ftp.udel.edu 
(aka louie.udel.edu), which is open for ftp. Even on that machine, ftp uploads 
are manually cleansed of copyrighted material before being made available for 
download. 
Mail and the web are not currently blocked; however, all mail servers 
have industrial strength antispam filters. In addition to those, I run 
additional filters on my own mail. All web servers are Apache chrooted.

We have our own department mail servers distinct from the campus mail 
servers. The campus IT just spent a million dollars on a superduper 
antispam system. Mail sent to me at mills at udel.edu will fly that system 
and land on our department server huey.udel.edu. Mail sent to ntp.org or 
whimsy.udel.edu goes directly to those servers.

The www.ntp.org machine (aka maccarony.udel.edu) is a special case. It 
is completely stand alone and has no NIS or NFS access. I would prefer 
it conform to the department conventions in ssh, mail and web access and 
use the same filters and be available for ssh from outside only via 
pogo. This would make it easier to maintain by our summer hires. Is this 
okay with the troops?


Mark Martinec wrote:

>>From my point of view as a developer, as long as I can SSH into pogo
>>as necessary that's fine. I usually SSH to pogo before I go anywhere
>>else anyway. This sounds like a good choice.
>Due to the increased number of password guessing attempts over ssh seen in
>recent months, we (at our institute) now only allow ssh logins through
>DSA or RSA keys, no longer by passwords. Also, the ssh protocol version 1
>is to be disabled; it has known weaknesses. After some grace period,
>PasswordAuthentication should be set to no in sshd_config.
>  Mark

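The two sshd_config settings the thread settles on (protocol 1 off, password logins off) can be checked mechanically. The audit below is an added example, not code from the list or from the NTP project; the two config files it reads are constructed samples, and it mirrors sshd's own rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example: audit an sshd_config for SSH protocol 1 and password logins.
# sshd honours the FIRST occurrence of a keyword and ignores '#' comments and
# keyword case, so the audit does the same.

# Effective value of keyword $2 in file $1 (first match wins), else default $3.
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { if (tolower($1) == key) { print $2; exit } }
    ' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Print one finding per weak setting; return 0 if hardened, 1 otherwise.
audit_sshd_config() {
    status=0
    proto=$(sshd_effective "$1" Protocol "2")
    case ",$proto," in                      # "2,1" and "1,2" both expose v1
        *,1,*) echo "WEAK: Protocol ${proto} allows SSH version 1"; status=1 ;;
    esac
    pw=$(sshd_effective "$1" PasswordAuthentication "yes")
    if [ "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" != "no" ]; then
        echo "WEAK: PasswordAuthentication ${pw} (set it to no, keys only)"
        status=1
    fi
    return $status
}

# Constructed sample configs so the script runs stand-alone.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: a permissive 2005-era sshd
Protocol 2,1
#PasswordAuthentication no
PasswordAuthentication yes
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed sample: what the thread recommends
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "--- weak sample ---";     audit_sshd_config "$WEAK_CFG" || true
echo "--- hardened sample ---"; audit_sshd_config "$HARD_CFG" && echo "OK: protocol 2, keys only"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero exit means at least one of the two settings is still weak.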