Security Practices and Resources at LBL and DSD - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security Practices and Resources at LBL and DSD
  • July 10, 2001

2
Overview of DSD security practices
  • Remote access to machines only by secure methods
  • Cfengine does distributed administration
    including installing security patches
  • Enforce strong passwords
  • Crack is run once a week on our password
    database
  • Turn off unneeded services, e.g. sadmin, CDE,
    sendmail (except portnoy)

3
Secure Access Methods
  • No passwords passed unencrypted over the WAN
  • Access coming from a trusted client
  • Home machine
  • Laptop
  • Running an SSH client that you have downloaded
  • Running the MindTerm SSH applet signed by us

4
Remote Access to our Machines
  • SSH keys or password
  • Skeys - how-to on the DSD sysadmin page
  • Mindterm SSH applet
  • We try to minimize any implied trust relations
    between our machines
  • No rsh
  • No NFS root access
  • But shared accounts on all our machines

5
SSH
  • F-secure SSH1 client from the Lab download page
    for Windows and Macs
  • Copy /usr/local/bin/ssh, ssh-keygen, scp,
    ssh-agent and ssh-add for Unix. Generate a host
    key. We currently run SSH V2.
  • If you just run ssh, it will prompt for your
    password, but the connection will be encrypted.
  • Always run ssh on the machine you are sitting at,
    but beware of trojaned ssh binaries.

6
Using SSH keys
  • ssh-keygen generates a public and private key pair,
    id_dsa_1024_identity.pub and id_dsa_1024_identity.
  • Use a passphrase to encrypt the private key.
  • Put the public key in ~/.ssh2 on the target
    machine to use the key rather than a password for
    authentication.
  • .ssh2/authorization on target contains the names
    of the public keys that will be accepted
  • .ssh2/identification on client side contains
    names of the private keys you want to use

7
Skeys
  • A solution to being logged in on an untrusted
    machine and wanting to access a DSD machine.
  • Allows you to telnet to skey.itg.lbl.gov using a
    one-time password, and from there you can ssh to
    any other DSD machine, using a known and secure
    version of ssh.
  • Instructions for generating skeys are at
    http://www-itg.lbl.gov/Private/Skey.html

8
Skey overview
  • From a DSD machine, ssh to ftp.itg.lbl.gov, su to
    root, or be root on portnoy and \rsh to ftp.itg
    and generate the skeys, which will be printed out
    by default on itg2.
  • If you don't have root access, ask someone who
    does to generate the skeys for you.
  • Generate an ssh key pair on ftp.itg and copy the
    public key to your ~/.ssh2 directory, so you
    will not need to type a password when using
    this method to log in.
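The one-time-password mechanism behind the skey logins on slides 7 and 8 is a Lamport hash chain: the server stores only the top of the chain and each login reveals the next element down, which cannot be reused. The example below is added here and is not code from the presentation or from the S/Key implementation at LBL; it uses SHA-256 instead of S/Key's folded MD4 so the chain mechanics stay readable, and the user, seed and secret are constructed.

```python
import hashlib

# Added illustration of the skey one-time-password chain. Real S/Key folds
# MD4 output down to 64 bits; SHA-256 is used here for clarity.

def otp(secret: bytes, seed: str, i: int) -> bytes:
    """i-th one-time password: H applied i times to H(seed || secret)."""
    h = hashlib.sha256(seed.encode() + secret).digest()
    for _ in range(i):
        h = hashlib.sha256(h).digest()
    return h

def password_list(secret: bytes, seed: str, n: int, count: int) -> list:
    """The printed list: (sequence, password) for n-1 down to n-count."""
    return [(i, otp(secret, seed, i).hex())
            for i in range(n - 1, n - 1 - count, -1)]

class SkeyServer:
    """Keeps only (sequence, H^seq) per user; the secret never reaches it."""
    def __init__(self):
        self.state = {}

    def enroll(self, user: str, secret: bytes, seed: str, n: int) -> None:
        # The stored value is H^n; the first usable password is H^(n-1).
        self.state[user] = (n, otp(secret, seed, n))

    def challenge(self, user: str) -> int:
        # The sequence number the client must answer with next.
        return self.state[user][0] - 1

    def verify(self, user: str, candidate: bytes) -> bool:
        seq, stored = self.state[user]
        if seq <= 1:
            return False          # chain exhausted: regenerate the skeys
        if hashlib.sha256(candidate).digest() != stored:
            return False          # wrong, or a replay of an older password
        self.state[user] = (seq - 1, candidate)  # step one link down the chain
        return True

if __name__ == "__main__":
    secret, seed = b"constructed secret passphrase", "lb0001"   # constructed
    srv = SkeyServer()
    srv.enroll("alice", secret, seed, 100)
    seq = srv.challenge("alice")
    pw = otp(secret, seed, seq)
    print("login", seq, srv.verify("alice", pw))     # True
    print("replay", seq, srv.verify("alice", pw))    # False: already consumed
```

An eavesdropper who captures one password learns H^(seq), but producing the next password H^(seq-1) would require inverting the hash, which is why a sniffed skey login does not grant a second one.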

9
SSH applet
  • If you are running on a remote machine and trust
    the browser you can use the Mindterm ssh applet
    to connect.

10
Cfengine
  • A tool for administering a set of hosts
  • You can define classes of hosts to which to apply
    specific actions
  • Maintains software consistency and integrity
  • Distributes new versions of software (at
    midnight)
  • Compares MD5 checksums of critical programs
    against a database, e.g. sshd, ps, csh, su,
    et al.
  • Edits configuration files
  • Does system patches (Saturday at midnight)

11
Cfengine (cont.)
  • Maintains system integrity
  • Checks to see that servers are up (especially
    sshd)
  • Checks that unwanted servers are not up (e.g.
    volmgt, sendmail)
  • How:
  • Runs hourly as a root cron job on all our hosts
  • Each DSD host runs cfd
  • Configuration files in /etc/DSD.config/UNIX/cf.
  • Any machine on the 131.243.2 lan must have an
    entry in these files and be running cfengine.
  • More info: see
    http://www.itg.lbl.gov/Private/itg-cfengine.html
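The checksum comparison on slide 10 is the core of cfengine's integrity check: hash the critical binaries once, keep the result as a baseline, and report anything whose hash has changed or that has disappeared. The script below is an added illustration of that check, not cfengine's own code or configuration; it uses MD5 because that is what the slides name (a current baseline would use SHA-256, which is a one-word change), and the sample "binaries" are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

# Added illustration of the cfengine checksum check: baseline critical
# programs, then classify each as ok, modified or missing. MD5 is used
# because the slides name it; swap HASH_NAME for "sha256" on modern hosts.
HASH_NAME = "md5"

def file_hash(path: str) -> str:
    h = hashlib.new(HASH_NAME)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths) -> dict:
    """Hash every critical program; keep the result off-host or read-only,
    since a root compromise could otherwise rewrite it along with the binary."""
    return {p: file_hash(p) for p in paths}

def check_baseline(baseline: dict) -> dict:
    """Compare current hashes with the baseline (the hourly cron check)."""
    result = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            result["missing"].append(path)
        elif file_hash(path) != expected:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result

def demo() -> dict:
    """Constructed scenario: three 'binaries', one replaced, one deleted."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, name) for name in ("sshd", "ps", "su")]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"original " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    with open(paths[0], "wb") as f:      # sshd replaced after the baseline
        f.write(b"replaced sshd")
    os.remove(paths[2])                   # su removed
    return check_baseline(baseline)

if __name__ == "__main__":
    print(demo())   # sshd modified, su missing, ps ok
```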

12
Other measures
  • Keith periodically does port scans of all our
    machines to look for unexpected daemons.
  • Expected daemons should be registered on the web
    page at
  • http://www-itg.lbl.gov/Private/Servers.html
  • Educate our users

13
Secure your laptop and home machines
  • Install OS and then run all the security patches
  • Windows service packs
  • Linux RPMs
  • Turn off all unnecessary servers
  • Get virus software from the Lab download page.
  • There are inexpensive hardware firewalls now for
    home machines.

14
BRO Adaptive Intrusion Detection System
  • Written at LBL by Vern Paxson
  • Monitors all network traffic between the lab and
    the WAN
  • Looks for port scans and shuts them down
  • Looks for relay traffic
  • Looks for unexpected traffic
  • Root access from odd addresses
  • Looks for known attack modes.
  • Buffer overflows, known back doors
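Of the Bro behaviours listed on slide 14, the port-scan check is the simplest to show as detection logic: a single source touching many distinct ports on one host inside a short window is flagged. The code below is an added example written for this page, not Bro's own policy scripts; the connection records, the threshold and the window length are constructed (the 131.243.2 addresses follow the LAN named on slide 11, the external address is from a documentation range).

```python
from collections import defaultdict

# Added illustration of a port-scan heuristic over constructed connection
# records in the form "timestamp source destination dest_port".
SAMPLE_LOG = """\
0 131.243.2.10 131.243.2.30 22
1 131.243.2.10 131.243.2.30 22
5 198.51.100.7 131.243.2.30 21
6 198.51.100.7 131.243.2.30 22
6 198.51.100.7 131.243.2.30 23
7 198.51.100.7 131.243.2.30 25
7 198.51.100.7 131.243.2.30 80
8 198.51.100.7 131.243.2.30 111
9 198.51.100.7 131.243.2.30 443
400 198.51.100.7 131.243.2.30 8080
"""

def parse(log: str):
    """Yield (ts, src, dst, dport) tuples, skipping blank lines."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)

def detect_scans(log: str, threshold: int = 5, window: int = 60) -> list:
    """Flag each (src, dst) pair that reaches `threshold` distinct ports
    within any `window`-second span; one alert per pair."""
    recent = defaultdict(list)    # (src, dst) -> [(ts, dport), ...]
    flagged, alerts = set(), []
    for ts, src, dst, dport in sorted(parse(log)):
        key = (src, dst)
        # Keep only events still inside the sliding window.
        recent[key] = [(t, p) for t, p in recent[key] if ts - t <= window]
        recent[key].append((ts, dport))
        ports = {p for _, p in recent[key]}
        if len(ports) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"src": src, "dst": dst, "first": recent[key][0][0],
                           "last": ts, "ports": sorted(ports)})
    return alerts

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"scan {a['src']} -> {a['dst']} ports {a['ports']} "
              f"between t={a['first']} and t={a['last']}")
```

The internal host that repeatedly connects to port 22 never trips the rule, while the external source is flagged at the moment its fifth distinct port appears; the much later connection at t=400 falls outside the window and does not raise a second alert.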

15
LBL Security Resources
  • Software downloads
    http://www.lbl.gov/ICSD/CIS/Software/
  • SSH1 clients for Windows and Macs
  • Service Packs and security hot patches for
    Windows systems
  • Norton Anti Virus programs for Windows and Macs
  • Security Banner
  • Spamwall - filters out spam

16
LBL Computer security resources
  • LBNL Computer Protection Program
    http://www.lbl.gov/ITSD/Security/index.html
  • see site map
  • Link for fighting SPAM
  • cp_alert_at_lbl.gov - Jim Rothfuss forwards the
    relevant security bulletins from CIAC
  • CPIC Lab-wide committee, Steve Lau is the NERSC
    Representative
  • NERSC committee Keith and Jason Lee are our
    reps.
  • Policies - a mixed blessing

17
External Security Resources
  • CIAC - DOE Computer Incident Advisory Committee
    http://www.ciac.org/ciac
  • CERT - Run by Carnegie Mellon Software
    Engineering Institute under federal funding.
    Started after the first Internet worm attack to
    act as a first response for computer security
    incidents. http://www.cert.org/