A Security Primer for UNIX system administrators at MIT
Achieving reasonable security for multi-user systems (such as UNIX)
takes time and effort, and once implemented, requires periodic review.
It's not remarkably difficult, but does require a certain thoroughness of
effort. Security is often an endeavor where a 90% effort is the same as
no effort at all...
Some steps to take when you discover a break-in on a machine you administer.
What to do if you realize your password has been compromised.
Some FAQ's:
Q) Why doesn't MIT filter and restrict access to MITnet? That
would keep the crackers away from our machines, wouldn't it?
A) MITnet is an "open" computing environment: we do not normally
restrict access into or out of our network. This reflects both the
traditional openness of the academic environment, and our opinion of
where security efforts give the best return. Building walls around a
network (usually via firewalls) often merely raises barriers to
legitimate traffic, and gives a false sense of security to users within.
Q) Then how should we make our network secure?
A) Owners, administrators, and users of machines on MITnet must
make reasonable efforts to protect their computers. This includes:
- Correctly configuring the operating system to eliminate security holes
- Choosing and using good passwords, that are not easy to guess or crack
- Keeping abreast of (and correcting!) newly identified weaknesses in the
operating system, and other threats:
- The Computer Emergency Response Team (CERT) at Carnegie Mellon University
issues advisories detailing system weaknesses and how to correct them,
along with other security information. Worth checking for information
about your operating system.
- Subscribe to the netusers mailing list, a
low-traffic list where significant network events, like outages or
security notifications, are sent by the operations staff. You can
subscribe by the Athena mailmaint
program, or by sending mail to netusers-request@mit.edu.
- Never sending passwords or other sensitive information over the
network "in the clear"
What tools are available to help? What are crackers using to get in?
There are a number of excellent tools that
system administrators can use to test and strengthen the security of
their systems. Any serious look at security probably merits a good look
at these packages. For an alternate view, look at some of the tools
available to system crackers.
Other resources
- The Bugtraq mailing list is for detailed discussion of
UNIX security holes: what they are, how they are exploited, and what to do to
fix them. You may subscribe to the list by sending email to listserv@netspace.org with the
words subscribe bugtraq in the body of your
message. Alternatively, you may read the list via the local MIT
archive.
- The Best of Security mailing list is a compilation of the
interesting information from several other security-oriented mailing
lists. You may subscribe to the list by sending email to majordomo@suburbia.net with the
words subscribe best-of-security in the body of your
message. Alternatively, you may read the list via the local MIT
archive.
- net-defense@mit.edu is a forum for the coordination, discussion,
and improvement of campus-wide network security. You can add yourself with
the Athena mailmaint
program. Archived in the net-defense discuss meeting on
bloom-picayune.mit.edu.
- linux-security@redhat.com discusses security holes in Linux. To
subscribe, send mail with subscribe as the subject to
linux-security-request@redhat.com. This list is archived in the net-defense
discuss meeting on bloom-picayune.mit.edu.
- The Linux-Athena website,
http://web.mit.edu/linux/www/ is the best place to go if you're
running the Athena extensions on your Linux system.
- For pointers to ssh-related resources,
http://www.ssh.org/ is the place to go.