Installing Security Programs
under construction

The need for pro-active security

    Computer systems on a global network like the Internet are accessible from almost every country in the world.  While operating systems are designed to prevent unauthorized use, not all of their vulnerabilities are known when they are released.  Also, the users of our systems can inadvertently or intentionally compromise the security of a system.  Even the best secured system in the world is only as secure as its weakest point.  And there are people on the net who actively look for vulnerable machines to invade.  Sometimes these are harmless compromises, but there are also serious compromises that, even if they aren't seriously malicious, must be treated as though they are, costing HOURS of your time and sometimes thousands of dollars in wasted human and computer time.  Don't let this happen to you!  Take the extra time to install pro-active security programs to supplement your OS.

    If the operating system is actively supported, patches for security vulnerabilities will usually be available free soon after a vulnerability is discovered.  Sometimes, though, the problem is beyond the control of the administrator.  For example, users should be explicitly informed when receiving an account that they should not divulge their passwords.  However, people frequently share passwords or inadvertently disclose them.  Someone then takes advantage of this to break into your system.  Or, as happened recently to me, a system at another University was poorly maintained and someone was able to "sniff" the passwords for one of my users' accounts and break in, costing me and the user and his group much wasted time.

    There are a number of security programs that monitor for vulnerabilities/compromises, and/or minimize them once they've occurred.  There are many out there that are very good and recommended.  The programs below are ones I recommend using for security amplification.

Tripwire
    Tripwire monitors for any changes in your system's files.  This is useful for detecting the subtle activity of hackers, particularly changes to system binaries.  It takes a snapshot of a presumed clean system.  You can then run it to report any changes relative to the snapshot.  It is highly configurable as to which files to monitor, and you usually need to tell it which ones to monitor.  It was developed at Purdue University as a free UNIX security aid that is still available in version 1.2.  A software company was started to market higher versions, although the academic version of 1.3 is free at this writing.  A beta version of Tripwire 1.2 is available in SGI inst format, and it should be ready, I'm told, for inclusion in the May 1999 Freeware CD from SGI.

Click here to see how to implement it on an SGI.
 

TCP Wrappers

    TCP Wrappers is a program that controls access to TCP/IP services on your system.  It also logs the use of these services by foreign hosts.  Important services such as telnet, ftp, http, finger, bootp, tftp, remote commands and more use TCP/IP to communicate.  They can usually be invoked by any Internet host, which makes vulnerabilities in these services a potentially serious problem.  TCP Wrappers allows you to restrict which hosts may invoke these services.  For example, you can decide that, in the interest of system security, no one should be able to telnet in from outside the University of Pennsylvania.  TCP Wrappers has an expressive language for controlling the fine points of which services should be allowed or disallowed to which hosts.

    TCP Wrappers is available on the November 98 SGI Freeware CD.  It might be difficult to configure in this format, although it will eliminate compilation problems.

Click here to see how to implement TCP Wrappers on an SGI.
 
 


Last updated 990326, Martin McCormick, martinm@sas.upenn.edu