[ntp:hackers] UDel security
David L. Mills
mills at udel.edu
Thu May 12 11:40:09 PDT 2005
Mark, Todd, Danny, et al,
All our SSH configurations are host based. Potential users must have
valid group and user IDs and passwords in the NIS databases. There are
two NIS databases, the department and pogo. The pogo database has only
the NTP groupies, so they can rumble only with pogo and its dependents.
All my machines are behind the department routers, which have black and
white lists based on address and port. SSH version 1 is disabled
everywhere. Right now ssh access is allowed from outside only for
certain department machines, but left open for my subnets
128.4.1-128.4.9. What I plan to do is adopt the same policy as the other
subnets while making only pogo available from outside for ssh.
We already have plaintext services like telnet, rsh and ftp blocked for
all department (ECE and CIS) hosts, with the only exception being ftp.udel.edu aka
louie.udel.edu, which is open for ftp. Even on that machine ftp upload is manually
cleansed of copyrighted material before being made available for download.
Mail and the web are not currently blocked; however, all mail servers
have industrial strength antispam filters. In addition to those, I run
additional filters on my own mail. All web servers are Apache chrooted.
We have our own department mail servers distinct from the campus mail
servers. The campus IT just spent a million dollars on a superduper
antispam system. Mail sent to me at mills at udel.edu will fly through that system
and land on our department server huey.udel.edu. Mail sent to ntp.org or
whimsy.udel.edu goes directly to those servers.
The www.ntp.org machine (aka maccarony.udel.edu) is a special case. It
is completely stand alone and has no NIS or NFS access. I would prefer
it conform to the department conventions in ssh, mail and web access and
use the same filters and be available for ssh from outside only via
pogo. This would make it easier to maintain by our summer hires. Is this
okay with the troops?
Mark Martinec wrote:
>>From my point of view as a developer, as long as I can SSH into pogo
>>as necessary that's fine. I usually SSH to pogo before I go anywhere
>>else anyway. This sounds like a good choice.
>Due to the increased number of password guessing attempts over ssh seen in
>recent months, we (at our institute) now only allow ssh logins through
>DSA or RSA keys, no longer by passwords. Also, ssh protocol version 1
>is to be disabled; it has known weaknesses. After some grace period,
>PasswordAuthentication should be set to no in sshd_config.
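An added example, not part of the thread or the NTP project: a small POSIX shell audit that reads an sshd_config and reports the three settings Mark recommends (protocol 1 off, PasswordAuthentication no, public-key logins on). It follows sshd's first-occurrence rule and stops at the first Match block; the two sample configs are constructed here (the "Protocol" keyword only matters on OpenSSH releases old enough to still speak protocol 1, which modern versions have removed).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings Mark recommends -- protocol 1 off, passwords off, keys on.
# The sample configs below are constructed for this example.

# get_setting FILE KEYWORD: print the effective (lowercased) value.
# sshd takes the first occurrence of a keyword and ignores comments;
# we stop at the first Match block because values there are conditional.
get_setting() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print one FAIL line per weak setting and
# leave the count in AUDIT_FAILS (always returns 0, so set -e is safe).
audit_sshd_config() {
    AUDIT_FAILS=0
    proto=$(get_setting "$1" Protocol)
    case ",$proto," in
        *,1,*) echo "FAIL: SSH protocol 1 enabled (Protocol $proto)"
               AUDIT_FAILS=$((AUDIT_FAILS + 1)) ;;
        ",,")  echo "WARN: Protocol not set; default depends on OpenSSH version" ;;
    esac
    pw=$(get_setting "$1" PasswordAuthentication)
    if [ "${pw:-yes}" != no ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes}' (sshd default is yes)"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
    pk=$(get_setting "$1" PubkeyAuthentication)
    if [ "${pk:-yes}" != yes ]; then
        echo "FAIL: PubkeyAuthentication is '$pk'; key logins would be refused"
        AUDIT_FAILS=$((AUDIT_FAILS + 1))
    fi
    return 0
}

# Constructed samples: a 2005-style config with both protocols and
# passwords on, and the hardened version Mark describes (the Match
# block shows a per-user override the global check must not pick up).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
printf '%s\n' '# before' 'Protocol 2,1' '#PasswordAuthentication no' \
    'PasswordAuthentication yes' > "$WEAK_CFG"
printf '%s\n' '# after' 'Protocol 2' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'Match User summerhire' \
    'PasswordAuthentication yes' > "$HARD_CFG"

audit_sshd_config "$WEAK_CFG"   # 2 findings
audit_sshd_config "$HARD_CFG"   # 0 findings
```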