
Re: [ccp4bb]: Security, Firewalls etc.




How hard fixing your security will be depends on how much you've got already.

I wouldn't even contemplate putting a machine on the net without the following 
steps:

1. If it's Windows 95/98/ME, reformat it and put a real OS on.

2. If it's any other version of Windows, install all service packs, and remove 
Outlook/OutlookExpress, also disable scripting.

3. For Unix boxes, check what services are running and turn most of them off. 
You probably only need one machine with web or ftp servers running, or 
sendmail for that matter.

I recommend turning off rlogin and telnet as well and using slogin/ssh/scp. If 
you really must have rlogin, use tcpwrappers to block it from any non-local 
sites.

Next, install tcpwrappers, if you don't already have them. Disable all 
services in the hosts.deny file, and only reenable the ones you know will be 
used. For most machines, the only service you need is ssh (X sessions can use 
ssh as a secure tunnel).

Recent RedHat machines, and maybe some other linuces, have switched to using 
ipfilter instead of tcpwrappers - I don't know how to configure this 
properly.

If you are not behind a firewall, you can add one very cheaply - an old PC, 
running a BSD-based firewall distro is probably best. These will often fit on 
a single floppy. There are Linux versions as well, but Linux is more 
widespread and thus vulnerabilities are better known. Since these are 
designed for a single purpose, they are supposed to be quite easy to set up, 
but I haven't tried.

You don't necessarily need to block ftp to outside sites, so getting data from 
synchrotrons shouldn't be an issue.

On Friday 30 Aug 2002 3:30 pm, Dr Peter C E Moody wrote:
> Not really CCP4, but is there a consensus about the appropriate level of
> security for a PX lab? We had someone use our RAID server to try and
> launch attacks on various people (such as the US treasury) and to
> re-distribute mp3 files. The University disconnected us till we sort out
> the problem.
> Do you all have firewalls or rely on keeping your operating systems up to
> date? Is Smoothwall on a PC enough? How much will it cost, and how easy
> is it to set up? How do you manage to log in and ftp data from
> synchrotrons without allowing in hackers?

-- 
Department of Chemistry, University of York, Heslington, York YO10 5DD
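
The default-deny tcpwrappers setup described in the message above, as an added example that is not part of the original post: a small Python model of how hosts.allow and hosts.deny are evaluated, showing that a service stays reachable unless hosts.deny blocks it. The file contents, host names and addresses are constructed placeholders, and only a subset of the hosts_access(5) pattern syntax is modelled.

```python
"""Simplified model of tcpwrappers hosts.allow / hosts.deny evaluation."""

# Constructed sample files: deny everything, then re-enable ssh for all and
# rlogin only for a placeholder local domain and address prefix.
HOSTS_DENY = "# /etc/hosts.deny\nALL: ALL\n"
HOSTS_ALLOW = (
    "# /etc/hosts.allow\n"
    "sshd: ALL\n"
    "in.rlogind: .lab.example.org, 192.0.2.\n"
)


def parse(text):
    """Yield (daemon_list, client_list) for each 'daemons : clients' line."""
    for line in text.splitlines():
        line = line.strip()
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        yield tuple(f.replace(",", " ").split() for f in fields[:2])


def client_matches(pattern, host, addr):
    """Subset of hosts_access(5) patterns: ALL, .domain, address prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr


def rule_hit(text, daemon, host, addr):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(p, host, addr) for p in clients)
        for daemons, clients in parse(text)
    )


def decide(allow, deny, daemon, host, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if rule_hit(allow, daemon, host, addr):
        return "allow"
    return "deny" if rule_hit(deny, daemon, host, addr) else "allow"


if __name__ == "__main__":
    outside = ("pc.example.net", "203.0.113.9")
    for daemon in ("sshd", "in.rlogind", "in.telnetd"):
        print(daemon, decide(HOSTS_ALLOW, HOSTS_DENY, daemon, *outside))
```

Passing an empty string as the deny file shows the failure mode: every wrapped service not named in hosts.allow is then granted to any client.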