
Re: sysadmin won't allow linux - PLEASE HELP



On Wed, Jul 11, 2001 at 03:50:18PM -0400, Brian Stults wrote:
> Hello,
> 
> In the fall, I will be starting a new position as Professor of Sociology
> at the University of Florida.  When I interviewed, one of my
> requirements was that I be allowed to run linux on my office computer. 
> They said it would not be a problem.  However, now that I have signed
> the contract and am soon to arrive, they have attached some conditions. 
> The most serious condition is that I must sign a document stating that I
> am financially responsible for any cost incurred by the University if
> someone hacks into my computer and causes damage to their network. 
> Although I have philosophical objections to this kind of policy, I am
> willing to sign this if that is what it takes because I am quite
> confident about my knowledge of security issues.
I would think twice before signing an agreement like that. not arguing
your knowledge, every(!!) system is breakable.
> 
> Anyway, here is the reason for this call for help.  Tomorrow, I must
> talk on the phone with the sysadmin of the College of Liberal Arts and
> Sciences and explain two things: 1) they want to know why I need linux
> instead of using their unix system and having MS Windows on the desktop;
> and 2) they want to know that I am conscious of security issues.  If
> anyone has any suggestions for the kinds of things to stress, I would be
> happy to hear them.  I plan on emphasizing the fact that I disable most
> services in inetd.  The only servers I run are an ssh server and an ftp
> server.  I do not allow anonymous ftp, and I tunnel all my ftp transfers
> through ssh.  I am the only person with an account on my box.  I will
> also emphasize the fact that security updates are available on a daily
> basis through debian's dpkg system.
there are many things you have to remember to disable (except for the
stuff in inetd).
1. as many people stated, DON'T use ftp. it's the most dangerous
   protocol. use scp instead.
2. remember to close dhcp (don't install it) because if there are 2 dhcp
   servers on a network neither one will work.
3. remember that almost everything in unix is client/server basis, so
   remember to give access only to localhost to some servers that surely
   run on your computer (for example X server - opens a few ports
   besides 6000).
4. disable exim/postfix/sendmail. this will mean that you won't be able
   to send mail locally (some applications like mutt rely on local MTA
   to send their mail). another option is to close port 25 (sendmail
   also uses another port, I don't remember which) from the outside
   using ipchains/iptables.
5. run nmap (or some other monitoring tool) from the outside. remember
   not to use the default scanning but a more thorough one (you'll need
   root access to do that). consult the nmap manpage (e.g. using the -sS
   switch).
> 
> Here is one concern of theirs, though, that I don't understand.  They
> said one problem with linux is that it will trick their network into
> thinking that my linux box is the main server, thus bringing down a
> system of over 2000 users.  I cannot imagine how this would happen.  The
> only thing I can think of is the issue of the master browser in samba. 
> If it is "elected", I suppose my machine could force itself to be the
> server.  I don't know enough about samba, though, to know if this is
> possible.  However, if I don't run a samba server, it wouldn't be a
> problem, right?  Can anyone else think of why this might happen?
you can easily disable your samba server from participating in the
elections with these options
 domain master = no
 local master = no
you can also give a very low os level (20).
> 
> Thanks and sorry this message was so long,
> Brian
> -- 
> 
> Brian J. Stults
> Doctoral Candidate
> Department of Sociology
> University at Albany - SUNY
> Phone: (518) 442-4652  Fax: (518) 442-4936
> Web: http://www.albany.edu/~bs7452
> 
> 

Good Luck
--
Haim
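
A local complement to the outside scan in point 5 and the localhost-only advice in points 3 and 4, as an added example that is not part of the original message: it reads the kernel's listening-socket table and reports anything bound to a non-loopback address. The sample table is constructed; the function names and the ssh-only allow-list (port 22) are assumptions for illustration, and only IPv4 on a little-endian host (e.g. x86) is handled.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp format (addresses are little-endian hex).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003 1
   3: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def parse_listeners(text):
    """Return [(ip, port)] for every socket in LISTEN state."""
    out = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        out.append((ip, int(hex_port, 16)))
    return out


def exposed(listeners, allowed_ports=frozenset({22})):
    """Listeners reachable from the network that are not on the allow-list."""
    return sorted(
        (ip, port) for ip, port in listeners
        if not ipaddress.ip_address(ip).is_loopback and port not in allowed_ports
    )


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live table on a Linux host
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample
    for ip, port in exposed(parse_listeners(text)):
        print(f"unexpected listener on {ip}:{port}")
```

In the sample, the MTA bound to 127.0.0.1:25 passes, while the X server listening on 0.0.0.0:6000 is reported.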