System break-ins on campus in the past have shown how difficult it is for the security and network support groups to monitor stand-alone machines, particularly during an actual attack on a machine (or an attack launched from an internal machine).
Several procedural changes have been instituted to correct this access problem:
- (New in 2007) Configure your system's syslog utility to send logs to the Lab's union log.
Add the following line to the host's /etc/syslog.conf file:
*.info @loghost.jlab.org
Restart the log daemon using the appropriate system command. For Red Hat-based Linux, the following is appropriate:
/etc/rc.d/init.d/syslog restart
- (New in 2007) Any machines running host-based firewalls must allow full access by machines on the 129.57.71.0/24 subnet to allow our standard vulnerability scans to complete.
- The secure shell (ssh) will be installed on all systems capable of supporting it.
- Each administrator of a machine that is capable of providing network logins will install a specific non-privileged user account (see instructions below) that will give routine access to the machine via the secure shell (ssh). This account will allow remote automatic monitoring of critical system files and interfaces to determine whether a break-in has occurred. While the non-privileged access will not permit complete assessment of the state of a machine, it will go a long way toward early warning of an attack on a system.
Installing the non-privileged user account
The purposes of this account are to:
- allow automated checks of system integrity
- allow checks for suspicious (cracker) activity
- allow checks for system vulnerability to known security holes
- provide quick access for analyzing log files when tracking down known intruders
This account will not be used to invade privacy or to interfere with the normal administration of the machine. The service provided by this account should be considered an addition to (not a replacement for) the normal system security measures that remain the responsibility of the system administrator. As the service evolves, it should give both the Computer Center and the machine's administrator confidence that the box is set up securely.
The following procedure will set up the non-privileged account to be used by the security group for routine and emergency checking of your machine's status. An attempt is being made to make this account as anonymous as possible, so please do not annotate janed's records with special notes like "security monitoring account", etc.
Note: A script to do this setup on a Red Hat system is available here.
Use your operating system's standard methods to add the following user to your machine:
- userid: janed
- uid: generate as needed
- gid: standard for your machine's non-privileged users
- name: Jane Dougherty
- home dir: standard for your machine
- shell: csh
Once the account is set up, disable the password by putting an asterisk in the password field of /etc/passwd, /etc/security/passwd, or wherever is appropriate. This will disable all standard telnet/ftp/rlogin sessions for this user.
Next, set up janed's ssh access.
mkdir ~janed/.ssh
Paste the following two lines into ~janed/.ssh/authorized_keys without adding any line breaks. The first line contains 604 characters and the second, 332. Each ends with "Jane Dougherty". These are the public portions of the ssh version 2 and version 1 keys used by this account to log in.
Set appropriate restrictions on the contents of ~janed/.ssh:
chown -R janed ~janed
chmod -R go-rwx ~janed
chmod 700 ~janed/.ssh
chmod 400 ~janed/.ssh/authorized_keys
Notify Bob Lukens (x6376) when the account is ready for testing.
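As an added example (not the Lab's own Red Hat script mentioned above), the following POSIX shell script carries out the whole janed procedure on a Linux host and then verifies the result, including a check that no key line was broken while pasting. The key file path /root/janed_keys.pub and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the Lab's own Red Hat script: carries out the janed
# setup described above and verifies the result. Assumes a Linux host with
# useradd/usermod/getent; the two public key lines are expected in the file
# named by $2 (placeholder: /root/janed_keys.pub), saved exactly as given.
set -eu

MON_USER=janed
MON_NAME="Jane Dougherty"

# Create the account: csh shell, standard home and group, password locked
# (usermod -L puts '!' in the password field, same effect as the '*' above).
create_janed_account() {
    id "$MON_USER" >/dev/null 2>&1 || useradd -c "$MON_NAME" -m -s /bin/csh "$MON_USER"
    usermod -L "$MON_USER"
}

# Install authorized_keys from key file $2 under home $1, owned by $3, and
# apply the permission lock-down from the procedure.
setup_janed_ssh() {
    home=$1; keys=$2; owner=$3
    mkdir -p "$home/.ssh"
    cp "$keys" "$home/.ssh/authorized_keys"
    chown -R "$owner" "$home"
    chmod -R go-rwx "$home"
    chmod 700 "$home/.ssh"
    chmod 400 "$home/.ssh/authorized_keys"
}

# Return 0 only if $1/.ssh has the expected owner ($2) and exact modes and
# every key line is intact: a v2 key starts with its type, a v1 key with
# "bits exponent modulus", so a line broken by a pasted newline fails here.
verify_janed_ssh() {
    home=$1; owner=$2; ak=$home/.ssh/authorized_keys
    [ -n "$(find "$home/.ssh" -prune -user "$owner" -perm 700)" ] || return 1
    [ -n "$(find "$ak" -prune -user "$owner" -perm 400)" ] || return 1
    [ -s "$ak" ] || return 1
    if grep -Evq '^(ssh-(dss|rsa) [A-Za-z0-9+/=]+|[0-9]+ [0-9]+ [0-9]+)( |$)' "$ak"; then
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--install" ]; then
    create_janed_account
    home_dir=$(getent passwd "$MON_USER" | cut -d: -f6)
    setup_janed_ssh "$home_dir" "${2:-/root/janed_keys.pub}" "$MON_USER"
    verify_janed_ssh "$home_dir" "$MON_USER" && echo "janed ready for testing"
fi
```

Run as root with `--install [keyfile]` to perform the setup; the functions can also be sourced and run against any directory to audit an existing installation.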
If you need help with this setup, please contact
Bob Lukens (x6376), or
Thank you for your cooperation.
This document is maintained by helpdesk@jlab.org
Copyright Jefferson Lab 2007