Stanford University School of Earth Science
 
Home
News
New Users
Policies
Email
Web Hosting
Get Help
Net Connections
Macintosh
Windows PC
Unix/Linux System
Pangea Server
School Resources
    Use Policy
   Network
   Computer Labs
   Printers
   Security
   Univ Resources
   FAQ
Using Unix

Restricted connections to pangea

Last revision October 16, 2006

Security safeguards:

  1. Minimize network presence
  2. Using strong passwords
  3. Install security patches regularly
  4. Backup computer data
  5. Encrypted login
  6. Network firewall
  7. Switched ethernet
  8. Restricted Connections to Pangea
  

In addition to restrictions on network connections imposed by the Earth Sciences network firewall, the pangea server restricts network access to individual services according to the location of the originator. For example, it allows anyone in the world to access the pangea website, but certain login methods are restricted to the Stanford campus only, or even to the Earth Sciences network only. The full set of allowable connections is configured in the pangea system file /etc/hosts.allow which can be examined from a pangea command login. Some of the restrictions that may affect normal users are highlighted here.

First of all, pangea will refuse any network connection if the originating computer is not properly registered with a network name server. This is to prevent a hacker from pretending to be a computer on the local network when he is not, for example. This can cause problems with legitimate access from home computers of Earth Sciences folks when their Internet Service Provider has an improperly configured name server. This problem is described in more detail in the Networking FAQ. If you experience on-going difficulty connecting to your pangea account from an off-campus computer, contact the pangea system manager to determine if this is the problem.

Unix systems like pangea implement a method for conveniently moving data or running programs on other Unix computers using .rhosts files. Individual users with accounts on multiple systems can set up these .rhosts files so they can jump around from their account on one system to another (via the rlogin command) without having to supply a password. In one sense, this improves security because the user's password is not traveling across the network. But in another sense it is a security risk, because if a hacker breaks into that user's account on one system, he can then also jump over to his accounts on other systems without needing any passwords.

In order to reduce the risk of break-ins to pangea via .rhosts files, the rlogin, rcp and rsh servers on pangea are configured so that they will only allow connections from other computers in Earth Sciences. The modern ssh service is designed to completely replace these "r" commands in a secure manner and can be used from anywhere on the Internet.

The related rexec service does not use .rhosts files but allows a remote computer to execute a command if the username and password are supplied as part of the connection. This service is a favorite entry point for hackers who have managed to obtain a user's password, because logins or connections through rexec do not appear in the normal system logs. For this reason, on pangea, the rexec service has also been restricted to only allow connections from other computers on the local Earth Sciences network. A common legitimate use of rexec is to establish the initial connection from an X window terminal or X window software on a PC or Mac to a Unix system. A better method for accessing X window programs on remote computers is to use an ssh tunnel.

NFS file sharing allows one Unix computer, such as a research group workstation, to mount the disk of a server so that it appears to be locally connected and all programs on the workstation can read and write to that disk. Pangea allows NFS file sharing only to computers within the Earth Sciences network. Even then, the client computer's manager must request authorization for NFS access from the pangea system manager.

 


Comments?

Stanford University    |