In terms of security measures, there are few differences between a Unix (Solaris, AIX, HP-UX, Linux, *BSD, etc.) server and a client. Both run many services by default, and thus both must be considered servers. Any servers connected to a CLASnet network should follow our server connection policy. Those outside our college should consider drafting a similar policy.
Unix servers are by design multi-user machines. Even a machine with a single user on the console actually has multiple user-ids running at any time -- a person on the console, a printer daemon, NFS users, a web daemon perhaps, and the super-user root. Any of these accounts can theoretically use security holes in the operating system to crack root, that is, to become the super-user. Once root is compromised, the cracker may gather passwords from other users on the system (via UFC-Crack or modified system binaries), from the network (via a sniffer), or use the machine as a jumping-off point to attack other systems on or off campus.
Once your OS is known to be secure, make an inventory. We recommend the tripwire package. You should modify its database to monitor all SUID binaries, as well as commonly used programs.
System SUID binaries usually reside in /usr and /. Make those two partitions unwritable by normal users. Next, make the user-writable partitions nosuid. This includes:
For Solaris, this involves editing /etc/vfstab and adding the nosuid option to each filesystem in question, then rebooting. As an example:
swap - /tmp tmpfs - yes nosuid,size=32m
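An added example (not part of the original page): a shell function that reads a Solaris-style vfstab and reports watched mount points that are mounted without nosuid, or that have no filesystem of their own and so cannot be given the option. The function names, the watch list and the sample vfstab are assumptions constructed for illustration.

```shell
#!/bin/sh
# Usage: audit_nosuid [mountpoint...] < /etc/vfstab
# Exit status 0 if every watched mount point is nosuid, 1 otherwise.

# ASSUMPTION: illustrative watch list; substitute your own user-writable filesystems.
DEFAULT_WATCH="/tmp /var/tmp /export/home"

audit_nosuid() {
    [ $# -gt 0 ] || set -- $DEFAULT_WATCH
    awk -v watch="$*" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ || NF < 7 { next }       # skip comments, blank and short lines
        # vfstab fields: 3 = mount point, 7 = comma-separated mount options
        ($3 in want) {
            seen[$3] = 1
            ok = 0
            m = split($7, opt, ",")
            # exact match per option, so "suid" is never mistaken for "nosuid"
            for (i = 1; i <= m; i++) if (opt[i] == "nosuid") ok = 1
            if (!ok) { print "suid-allowed " $3; bad = 1 }
        }
        END {
            # No entry: the directory lives on a parent filesystem, which
            # cannot be made nosuid without breaking the system SUID binaries.
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { print "no-own-filesystem " w[i]; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample input (not taken from a real host).
sample_vfstab() {
    cat <<'EOF'
#device            device              mount        FS    fsck  mount    mount
#to mount          to fsck             point        type  pass  at boot  options
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0  /            ufs   1     no       -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /usr         ufs   1     no       ro
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7  /export/home ufs   2     yes      logging
swap               -                   /tmp         tmpfs -     yes      nosuid,size=32m
EOF
}

sample_vfstab | audit_nosuid || true    # demo run on the constructed sample
```

On the sample, /export/home is reported because its options lack nosuid, and /var/tmp is reported because it has no vfstab entry of its own.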
Similarly, you should limit the number of people who have accounts on your system. An account granted to a visiting faculty member should be removed as soon as he or she leaves, lest a cracker find the account's password and start using it as his own with no one the wiser. A secure system should have an account policy stating who can have an account, how long the account will exist, and under what conditions the account should be used. Thus, you will have a responsible person for each account.
Similarly, you should disable or remove any non-required SUID programs. A cracker with access to your system could use bugs in a program you don't even know is installed to gain super-user access. You can check for SUID/SGID programs by using the find(1) command:
find / -fstype nfs -prune -o -type f \( -perm -4000 -o -perm -2000 \) -ls
You need to move those password strings out of the user space. Switch to NIS+C2 (passwd.adjunct), NIS+, Kerberos, rdist'ed /etc/shadow, or some similar method of sharing accounts/passwords between your networked machines.
Also, use the cracker's tool, crack, and check your own users' passwords against the dictionary words. Be aware that this can be computationally expensive, and some organizations may have policies against this (not that this will stop the crackers, mind you).
The current standard on campus for encrypted remote access is the Secure Shell software, aka SSH.
If at all possible, install and use non-promiscuous Ethernet cards. However, since many servers may require promiscuous mode, make sure they are on switched networks rather than shared-media hubs.
Sometimes, it is easier to replace certain system binaries with third-party versions. Some versions are merely upgrades, while others are functionally equivalent programs from another source.