Physics Security Policy

See http://www.phy.syr.edu/~dkirk/private/linuxsecurity.html for unix security checklist
 

Physics Department Security restrictions (draft policy & currently in place):

Access to physics server:

• NO direct logins allowed (use cluster machines)
• imap (email) allowed from anywhere
• remote access to print server allowed
• samba drive access allowed internally
• (ftp should be done to cluster machines)

Main login machines (306 cluster)

• ssh (login) and ftp allowed from anywhere
• telnet allowed from *.syr.edu and *.twcny.rr.com
• contact me if you need the names of these machines

Access to research servers:

• ssh allowed either from *.phy.syr.edu or from anywhere
• insecure access (telnet, ftp) allowed from *.phy.syr.edu and *.twcny.rr.com
• individual static hostnames can also be granted access
• full domains rarely allowed, but may be for a specific need

Access to individual unix clients in offices:

• prefer to have all services turned off for outside access
• if anything is enabled, access allowed from *.syr.edu only
• individual hosts that can be tied to one name can be allowed access on a case-by-case basis (contact me!)
• disable all unnecessary/unneeded daemons (imap, pop, etc)
• if acccessing from outside, SSH required instead of telnet and should be done through department machines, not individual machines
• Automatic updates should be setup
• must install department tripwire script

Remote email access options…

• IMAP can be used globally from clients such as Netscape Messenger
• Web based access: http://MailAndNews.com (use secure connection!)  You can create a new mailbox or access existing IMAP4 or POP3 mailbox from anywhere with just a web browser.
• Or without having to setup a client machine, login through SUNIX first, then ssh to our server to use pine (SUNIX may not be accessable from anywhere, check if access is allowed)
• Or make sure SSH is installed on your PC or server, and SSH to our server (telnet is not allowed outside of Syracuse University).
• Or forward email to an account which can be accessed
• Or forward to a free web based email account, such as http://www.hotmail.com

(To forward email to another account, create a file called ".forward" in your home directory and the contents of the file should be the email address you want email forwarded to.  To stop forwarding, simply delete that file.)

Freeware ssh for PC's:

For an updated list of how to get SSH, see:
If you find additional or updated clients for this list, please let me know.

For an updated list of how to get SSH, see:
http://www.employees.org/~satch/ssh/faq/ssh-faq-2.html or http://www.tigerlair.com/ssh/faq/ssh-faq.html

for Unix:
ftp://ftp.ssh.com/pub/ssh/

for Windows:

• Robert O'Callahan's TTSSH, SSH1 extension to TeraTerm client - http://www.zip.com.au/~roca/ttssh.html
• Gorden Chaffee's command line port of ssh1 and scp1 - http://bmrc.berkeley.edu/people/chaffee/winntutil.html
• Sergey Okhapkin's SSH1 and SSH2 servers and clients port to 32-bit Windows - http://www.lexa.ru/sos/
• Corinna Vinschen has ported OpenSSH to Cygwin- ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.1
• PuTTY, Simon Tatham's 32-bit Windows SSH1 client - http://www.chiark.greenend.org.uk/~sgtatham/putty.html
• FiSSH, Mass Confusion's 32-bit SSH1 client for Windows - http://mit.edu/ssh/FiSSH
• Cynus Win32 port of SSH 1.2.2 by Raju Mathur - http://reality.sgi.com/raju/software.html
• PenguiNet SSH and Telnet client - http://www.siliconcircus.com/penguinet (Shareware)