SSC UNIX Documentation: Security, Security, Security Archives

May 14, 2007

IBM DevWorks on Linux System Auditing

This is a great article that covers some of the methods used to perform regular security audits of your Linux system. Pay especial attention to the first section, on identifying suid binaries. The principles of 'defense-in-depth' suggest that not only do we limit the software installed on a system to strictly those necessary to provide the services desired, but that even within that installation, we minimize the access of the bits of software that aren't strictly necessary to the functioning of our server.

Blogged with Flock

Posted by ssc_upenn at 9:32 AM | Comments (0) | TrackBack

January 11, 2007

Something to think about if you forward your work mail to Gmail...

Firms Fret as Office E-Mail Jumps Security Walls

Posted by ssc_upenn at 8:25 PM | Comments (0) | TrackBack

February 22, 2006

Denying access if SSH is dictionary attacked

If you're running your own UNIX box (Solaris, Linux, OS X), you may notice (if you ever peruse your SSH logs, often /var/log/secure) sections of your logfile where the same host attempts to connect to your server via SSH with an assortment of common usernames and common passwords. This is what is known as a dictionary attack.

Fortunately, there's a program called DenyHosts which is designed to deal with this very problem.

Here's an article on DenyHosts from Linux Today (original article at How-To Forge).

Posted by ssc_upenn at 12:03 PM | Comments (0) | TrackBack

August 12, 2005

How to change your UNIX password

Ok, Ok. You've convinced me. I have to change my password. I'm a Windows user, and I don't want to have to fool around with logging into a terminal session, or finding an SSH client, or any of that foolishness. What do I do? Huh? I can't hear you, Mr. Smugly-Superior-UNIX-Guy...

Changing your password on the SSC UNIX systems is actually very easy, and is one of the few things that we recommend that you do on a Windows box (if you happen to have one handy, as Mr. S-S-UNIX-Guy never seems to...).

Type Ctl+Alt+Del (we refer to this as 'giving Windows the three-finger salute')

Click "Change Password"

In the window that appears you'll see the field Log in to: and next to it, you'll see some text. Clear that field, and type:

lambic.ssc.upenn.edu

Then, type your old password in the Old Password: field, and then a new password in the New Password: and Confirm New Password: fields, respectively.

If you typed everything properly, you'll see a dialog box that says "Password changed."

Posted by ssc_upenn at 10:32 AM | TrackBack

July 13, 2005

Passwords (AGAIN)?!?

My LSP just visited, and told me that I need to change my password. I like my password, and I don't want to change it. Why should I?

Your password (in combination with your username) is what we use to enable your access to the services we offer on our UNIX servers. If your password becomes compromised, the attacker will be able to impersonate you on our system. At first blush, this may not seem like much of a big deal, until you consider the possible ramifications (those of you who've had your Windows machine hacked know what I'm talking about already...):

Scenario 1: An attacker uses a password she stole from you to log into our system. Once she's logged in as a valid user, she begins running attack software called a 'rootkit' in order to try and gain administrative-level access to our system. Whether she's successful or not, the rootkit will need to be identified, forensic analysis taken to ensure that the system was not compromised, and the system restored to its pre-attack state.
Scenario 2: A user who has stolen your password will log into our system as you, and then use your home directory as a respository for illicit files (these might be music files, movie files, pirated software, what-have-you). The attacker will then often share these files out via the Web, resulting in resource drain on the system (which itself can negatively impact the productivity of yourself and other users on the machine). In the worst case, the copyright owner of the files demands that we take the files down (under the DMCA), and then finds out that 'you' were the one infringing on their copyright.
Scenario 3: Your home directory contains your personal email, or other privileged (or private) information. An attacker steals your password, and suddenly has access to all your stuff. Depending on what you keep, that could be costly, financially and personally.

As far as you liking your password, that's probably because it's something that's easy to type, easy to remember, or both. And that's exactly why it needs to be changed. If it's easy to remember and type, then it's easy to crack, whether over the network or locally.

As far as how we can check the strength of your passwords, there are a variety of 'cracking' programs out there that can be used to attempt to guess your password. We'll periodically run one of these against our password lists to determine whether or not your password needs to be changed. If we've identified that you have a weak password, that's when you get the visit from your LSP.

When your LSP arrives, he or she will help you pick a complex password that will better withstand password cracking attempts. They'll help you pick something that you can remember mnemonically, so that you won't forget it, without sacrificing its strength.

Ultimately, if you don't change your password after we've notified you that you need to change it, your account will be locked until you do. It's that important.

Posted by ssc_upenn at 12:44 PM | Comments (0) | TrackBack

April 1, 2005

Password-protected Web directories

How do I make a directory on my website password protected? I have some data I want people to download, but I want only certain people to have access to it...

There are a number of reasons why you might want to limit access to some data in your website -- your data may be proprietary, and you need to limit access in order to comply with licensing requirements; your data may contain personal identifiers, and you need to limit access to meet institutional privacy requirements; or, it may simply be that the data are for an in-progress research project, and thus need to have access to them restricted.

In any case, password protecting a directory on your SSC website is easy.

In the following example, we'll pretend that:

I'm user sarahf
I want to save data in the sensitive_data directory of my personal website
I want to call the secured area ("Realm") "Authorized Users Only"
I want to save the password file for my secured area inside of my home directory but NOT inside of my public_html directory (this is important, because if I saved it in my website, I'd have to take extra precautions to make sure this file isn't available to anyone browsing my site.
I want to give access to a user "allieg" with a password of "dashow"

Step 1

Log into the appropriate server via an SSH client. If you want to create a directory within your personal website (ie: inside of $yourusername/public_html), you should log in to lambic.ssc.upenn.edu. If you want to password-protect a directory within an organizational website (a project or departmental website, for example), you should log into porter.ssc.upenn.edu. So, for this example:

$ ssh sarahf@lambic.ssc.upenn.edu

Step 2

Create the directory which will contain your sensitive data.

[sarahf@lambic ~]$ cd public_html
[sarahf@lambic ~]$ mkdir sensitive_data

Step 3

Once you've created the directory wherein you're going to place your sensitive data, you need to create a userlist file and a password file to set up password access. Given the directory we created in Step 2, do the following.

[sarahf@lambic ~]$ cd sensitive_data
[sarahf@lambic ~]$ vi .htaccess

What I've just done is opened a file called .htaccess for editing, using the vi editor. If you're not comfortable using the vi editor, you may use emacs, or pico, or jed, or any other editor we have available on the webserver. In the .htaccess file, I would need the following information:

AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /home/sarahf/.htpasswd

<Limit GET>

require user allieg

</Limit>

Once you've got the required info in this file, save it (in vi, that's :wq).

Step 4

You will have noted, of course, that we were asked to provide a path to a file called '.htpasswd'. I'll need to create this file, as follows:

[sarahf@lambic ~]$ htpasswd -cm /home/sarahf/.htpasswd allieg
New password: dashow
Re-type new password: dashow
Adding password for user allieg

In the above example, you can see that we gave the htpasswd command the username we're adding the password for ("allieg"), as well as typing the password we want our user to use to access our data ("dashow"). The -cm tells the htpasswd command to create a new passwd file and to encrypt it using md5 encryption.

This brings up an interesting question: Is it better to have one username and password for everyone with whom I wish to share my data, or should I issue each user their own username and password?

It's certainly more convenient for your users to share a password, but it doesn't allow you to keep track of who's accessing your data. My recommendation is to use individual users and passwords, but it really is up to you.

Posted by ssc_upenn at 3:21 PM | Comments (0) | TrackBack

March 31, 2005

Expired password

When I try to log in to the server, I get a message that says my password has expired. This didn't use to happen on sun -- why am I getting this message?

You're getting this message because your password is older than the 180 day limit that has been put into place on the new servers.

If you find that your password has expired, and you don't know how to go about changing your password, please contact the SSC Helpdesk.

The best way to avoid this is to change your password before it expires; to find out how much longer you have before your password expires, enter the 'chage -l' command from the shell prompt in an SSH session.

Posted by ssc_upenn at 8:24 PM | Comments (0)

Why all the emphasis on security?

It seems that you put a lot of emphasis on the issue of security. I just want to get my work done -- why is security important to me?

There are a number of ways to answer this question, but we'll start by addressing the concern voiced in this question. We understand that there are always trade-offs between convenience and ease-of-use and security. It's always our goal to balance these two, and we strive to make sure that we are able to provide an alternative to each service we eliminate.

But why is security important? We often hear folks say "My data isn't really of interest to anyone -- why do I need to bother with security?" This is, as far as it goes, true. But the reality is that often, the data that is located on a server is often the last thing that interests would-be attackers.

More interesting to a 'bad-guy' is access to a server from which to carry out other activities -- whether those 'other' activities are as banal as hosting an FTP site for illicit material ('warez'), or as sophisticated as serving as a point of attack for a distributed denial-of-service (DDOS) attack.

If your userid and password combination is compromised (someone gets hold of these two bits of information), they now have access to a valid account on the server, from which they have an elevated level of access to server and network resources. This makes it easier for attackers to penetrate our systems and network.

Preventing these sort of compromises is why we eliminated plain-text FTP, as well as why we have put into place limitations on the length of time your password is valid on the servers.

If you have questions as to why we have chosen to implement security measures in the manner in which we have, please don't hesitate to contact the SSC Helpdesk.

Posted by ssc_upenn at 8:14 PM | Comments (0)

What happened to FTP?

I used to use FTP to upload files to my website (and my work directories) on sun.ssc.upenn.edu. When I try to do this now (since the server upgrade), I get an error and can't move my files. What's going on?

Sun.ssc.upenn.edu (and soda.pop.upenn.edu) allowed standard FTP connections. This service allowed you to use a regular FTP client, WinFTP for example, to upload and download files to and from the server.

Standard FTP, while very convenient, is very insecure. When you use standard FTP, your username and password are transmitted in plaintext ("in the clear") between your computer and the server. This allows someone who is listening on the wire to learn these sensitive bits of information.

Because of this problem with security, we are no longer offering standard FTP on SSC's UNIX servers.

Instead, we are providing access via a similar, more secure, method. This method is known as Secure FTP, and works in conjunction with the SSH (Secure SHell) protocol to encrypt not only your username and password during your session, but also all the data that's going back and forth between your desktop and the server.

Instead of using a program like WinFTP, you can use the Filezilla program to access your files. You likely already have Filezilla installed on your computer If you need help configuring Filezilla, please contact the SSC helpdesk.

Posted by ssc_upenn at 2:42 PM | Comments (0)

I can't access my home (or work) directory in Windows...

After the upgrade, you may notice that you're prompted for a password when you try and connect to your UNIX home or work directory from your Windows PC. This didn't happen before. What changed?

On our previous server, we didn't require that the username and password information that authenticated you to the server be encrypted. We did this to allow maximum interoperability among the file server and the various versions of Windows desktop systems which were out on desktops across SSC.

Now that we have standardized on Windows XP (with a fair number of Windows 2000 clients out there), we encrypt your username and password to keep these bits of personal information from prying eyes.

In order to get access to your home and work directories (called 'shares') on the UNIX servers, you'll need to create an encrypted password.

We're working on creating an automated way for you to create and manage this password on your own; until it's ready, please contact ssc-help and ask to "change your smb passwd".

Posted by ssc_upenn at 12:59 PM | Comments (0)

SSC UNIX Documentation

THE source for information about SSC's UNIX systems and services... as well as other random computing nuggets...