Re: Computer Security (SGI)

Dan Borchardt (dan.borchardt@ucr.edu)
Fri, 10 Sep 1999 08:46:29 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: rnunlist@Purcell.Cchem.Berkeley.EDU: "Re: Computer Security (SGI)"
Previous message: Silverman, Bob: "Probe needed"
Maybe in reply to: Karen Ann Smith: "Computer Security (SGI)"
Next in thread: rnunlist@Purcell.Cchem.Berkeley.EDU: "Re: Computer Security (SGI)"

Hi,

I think Karen's experience has been repeated more than one would like to
think among this group. I feel it is very important to implement some type
of security measures. I have done most of what Karen listed and have not had
any computers compromised in well over a year.
I would like to comment about tcp wrappers set up. As Karen states it is
very easy to set up and is probably the best first line of defense you can
install. I would, however, caution against allowing the whole domain access
unless you are behind a firewall. I set my computers up initially allowing
all of ucr.edu access. Unfortunately this leaves your computers only
slightly more secure than the least secure computer in your domain. Once a
machine in your domain is compromised it can now be used to attack and gain
access to your computer. We had this happen on our campus. A computer was
hacked. The intruder set up a packet sniffer and collected passwords for
several accounts on several computers. I have since configured tcp wrappers
to only allow access to computers that I know to be at least as secure as my
computers.
All others requiring access must use secure shell. In fact I am moving
toward only allowing secure shell connections for all users.

Dan

Karen Ann Smith wrote:
<snip>

> 2) Installed tcp wrappers. This turned out to be surprisingly
> easy. A person from the computer center came over and did it on one
> system, and then I installed it on the others. He didn't tell me
> where he got the code from ("do a web search") but we did the
> default installation, and it has already repelled an invader. With
> tcp wrappers, you can give the system a list of specific names/ips
> to allow connection to. All others get a "connection refused"
> message. At the moment I allow connection from all .unm.edu
> systems- that may change if necessary. Installation took less than
> 15 minutes- including rebooting the computer. I really recommend
> this.

<snip>

--
_____________________________________________________________________
Dan Borchardt                           e-mail: danb@ernst.ucr.edu
ACIF, Dept of Chemistry                         dan.borchardt@ucr.edu
University of California                   Tel: 909-787-3628
Riverside  CA  92521                       FAX: 909-787-4713
---------------------------------------------------------------------
The judge decreed it, clerk he wrote it.....
---------------------------------------------------------------------

Next message: rnunlist@Purcell.Cchem.Berkeley.EDU: "Re: Computer Security (SGI)"
Previous message: Silverman, Bob: "Probe needed"
Maybe in reply to: Karen Ann Smith: "Computer Security (SGI)"
Next in thread: rnunlist@Purcell.Cchem.Berkeley.EDU: "Re: Computer Security (SGI)"