network-security-and-remote-logins

Differences

This shows you the differences between two versions of the page.

network-security-and-remote-logins [2017/02/28 15:25]
brysonlt ↷ Page name changed from network-security-and-remote-login to network-security-and-remote-logins
network-security-and-remote-logins [2017/02/28 16:52] (current)
brysonlt
Line 5: Line 5:
 === Why did you post this document? === === Why did you post this document? ===
  
-We hope that through this page both students and faculty of the CS department can learn about how to protect themselves on the CS department network.+We hope that through this page both students and faculty of the CS Department can learn about how to protect themselves on the CS department network. 
 === Why should I be interested in security? === === Why should I be interested in security? ===
  
 Your information and privacy can be protected by following a few simple steps. We hope that everyone can become aware of how to do this, so keep reading. Your information and privacy can be protected by following a few simple steps. We hope that everyone can become aware of how to do this, so keep reading.
 +
 === How secure is the CS department network? === === How secure is the CS department network? ===
  
 Right now we have many security measures implemented. We have firewalls installed to block traffic from the outside, logging, and many other security systems. Nevertheless, the system is only as secure as the users make it. We have installed many programs that can help us, so on these pages we will show how you can use these to help secure your privacy and information. Right now we have many security measures implemented. We have firewalls installed to block traffic from the outside, logging, and many other security systems. Nevertheless, the system is only as secure as the users make it. We have installed many programs that can help us, so on these pages we will show how you can use these to help secure your privacy and information.
-=== What is Remote Access, and Why Make It Encrypted? === 
  
-There are two types of operations that you would perform on your CS Department account from a remote machine (like your PC at home): executing commands on the remote machine (telnet does this), and copying files from the remote machine to your local machine (ftp does this). Not all programs perform both of these functions, so you should be aware of the difference. You should also understand that programs like telnet, rlogin, and ftp do not encrypt your password or the data transferred. This means that anyone sniffing the network can see everything you type, download, or upload. They can take the information and then use it. Especially dangerous is if they take your password and use it to log onto the CS network, and then use our machines to perform other illegal activities. You then get blamed for their crimes. This is why you need to use an encrypted login. All the machines in the CS Department support secure logins (SSH) so it should always be used. Telnet is only supported if you would like to connect to an outside computer that does not use SSH, and that is risky business. Here is a general overview of some of the programs for secure remote logins that are popular. +=== What is remote access, and why encrypt it? ===
-=== What are RSA Keys, and Why Does my SSH Program Ask Me About Them? ===+
  
-RSA Keys are used to encrypt and decrypt a communication. When you SSH, SCP, or SFTP into a computer, the remote computer gives you a copy of their public RSA key so that you can encrypt the data you are sending to that machine. Using its private keyonly that machine can decrypt the information you sendRSA keys can be used to identify a machine and make sure that the machine you are logging into really is the one you expect. The first time you log into a machine you will store a copy of the public key, and each successive time you log in the key you receive will be compared with your stored key for that machineIf the key changes that means one of two things: that machine changed its key while it was being upgraded, or someone is pretending to be that machine and get you to send them your informationYour SSH program will alert you to this situation. +There are two types of operations that you can perform on your CS Department account from a remote machine (like your PC at home): executing commands on the remote machine (ssh allows you to do this), and copying files from the remote machine to your local machine (sftp does this)Not all programs perform both of these functionsso you should be aware of the differenceYou should strive to use ssh and sftp whenever possible. Know that programs like telnet, rlogin, and ftp do not encrypt your password or the data transferredThis means that anyone sniffing the network can see everything you type, download, or upload. They can take the information and then use it. This is especially dangerous if they take your password and use it to log onto the CS network, and then use our machines to perform other illegal activities. __You are then held responsible for their crimes.__ This is why you need to use an encrypted loginAll the machines in the CS Department support secure logins (SSH) and SFTP so it should always be used. Here is a general overview of some of the programs for secure remote logins that are popular.
-=== What Computer Do I Log Into for Access to My Student Account? ===+
  
-To access your CS Department Student Account we suggest using the address "schizo.cs.byu.edu". This is a DNS round-robin that will drop you onto one of twelve machines set up specifically for remote access. You can also access any of the linux labs by name ("<labname>.cs.byu.edu"), which will randomly drop you onto one of the computers in that lab. +=== What are RSA keys, and why does my SSH program ask me about them? ===
-=== Are the programs telnet, ftp, and rlogin safe to use? ===+
  
-Answer: **No**. Both programs send passwords as cleartext (no encryption used) so anyone with sniffing program can see them as you typeWe will be disabling the use of these insecure clients within the coming semester(Winter '04), please make changes nowIt is better to use programs such as //ssh// (secure shell) to do remote logins, and programs such as //scp// (secure copyand //sftp// (secure ftp) for file transfersAll of these use encryption so third parties can't read the information that is being sent. +RSA keys are used to encrypt and decrypt communicationWhen you utilize SSH, SCP, or SFTP on a computer, the remote computer gives you a copy of their public RSA key so that you can encrypt the data you are sending to that machine. Using its private key (which only the remote machine has access to), only that specific machine can decrypt the information you sendRSA keys can also be used to identify a machine and make sure that the machine you are logging into really is the one you expect. The first time you log into a machine, you store a copy of the public key, and each successive time you log in, the key you receive will be compared with your stored key for that machineIf the key changes, that means one of two things: that machine changed its key while it was being upgraded, or someone is pretending to be that machine and attempting to get you to send them your information. Your SSH program will alert you to this situation.
-=== What happens if I am caught breaking into computer systems, viewing pornography, or using CS computers for some other illegal activity? ===+
  
-The least that will happen is that you will not be able to register for CS classes for one year and your account will be disabled during that time. You will be reported to the proper authorities at BYU andif necessary, to civil authorities as well. As a warning, there are currently systems in place that check for users visiting and viewing sites that contain pornographic material. +=== Are the programs telnetftpand rlogin safe to use? ===
-=== Password Tips ===+
  
-Poorly chosen passwords are big vulnerability for any systemTo encourage our users to select good passwords, the CS Department has implemented a password checker that will compare passwords against a dictionary and disallow obviously insecure passwordsSome of the following techniques can help you come up with a good password.+Answer: **No**. Both programs send passwords as cleartext (no encryption used), so anyone with sniffing program can see them as you typeWe do not allow these programs to be used on the network. It is better to use programs such as //ssh// (secure shell) to do remote logins, and programs such as //scp// (secure copy) and //sftp// (secure ftp) for file transfersAll of these use encryption so third parties can't read the information that is being sent.
  
-  * First of all, a password is yours. Don't give your password to anyone. +=== What happens if I am caught breaking into computer systems, viewing pornographyor using CS computers for some other illegal or immoral activity? ===
-  * Change your password frequently. +
-  * Use different passwords for different websites and systems+
-  * Choose passwords that are hard to guess and are not found in dictionaries. Remember you can have any combination of upper and lowercase lettersnumbersand characters (ex: $#!-+). Use them. Here are a few examples: +
-    * If your dog's name is snoopy, don't use "snoopy" as a password. Try something like "$n00pY" (those are zeros). They are harder to guess and it is much harder for password cracking programs to figure it out. +
-    * Use acronyms such as "Tiahptg" (This Is A Hard Password To Guess). +
-  * Longer passwords are better. Its better to have "L0ngPa$$" than "Pa$$". Right now, depending on the system, password lengths can vary, but 16 character limits are the normal limit. In the near future longer password lengths will be possible. Modern password cracking systems can crack shorter passwords (<=8) fairly quickly now. +
-  * Avoid obvious passwords like your name, your username, a family member's name, your age, your Social Security Number, anything related to BYU or Utah, or any other word that can be quickly and easily linked to you.+
  
-=== Remote Network operations === +The least that will happen is that you will not be able to register for CS classes for one year and your account will be disabled during that time. You will be reported to the proper authorities at BYU and, if necessary, to civil authorities as well. As a warning, there are systems in place that check for users that are visiting and viewing sites that contain pornographic material.
-== What to use ==+
  
-To use and access the network remotely you will need to use+=== Password Tips ===
  
-sshsftp, or scp.+Poorly chosen passwords are a big vulnerability for any system. For more informationsee [[Account Password Policy]].
  
-Remote Mounting Your Home Directory+=== Remote Network operations ===
  
-If you are familiar with Linux, you can mount your CS Department home directory on your remote machine. These commands should work, but we advise you not to use them without reading the man pages to see how they work. We take no responisibilty for any negative effects caused by these commands: +== What to use ==
- +
-    ssh -N -f -L <port-number>:ranger.cs.byu.edu:139 <open-lab-linux> +
-    smbmount //samba/<username> <mount-point> -o port=<port-number>,ip=127.0.0.1 +
- +
-Where: +
- +
-<port> is a random port number above 1024 +
- +
-<open-lab-linux> is the name of an open lab linux machine +
- +
-<username> is you're username +
- +
-<mount-point> is the directory you want to mount it as +
- +
- +
-Be aware that many systems do not have smbmount or smbumount installed set uid root. You may want to make them set uid root (chmod u+s /usr/sbin/{smbmount,smbumount}) or run these commands as root. If you run them as root, you will need to add a user=<username> where <username> is you're cs username. +
- +
-You should now be able to access you're cs account files in that directory. Over the network, this may be slow. +
- +
-To unmount the directory when done: +
- +
-    smbumount <mount-point> +
- +
-Currently, we do not support remotely mounting your home directory on a Windows machine.+
  
 +To use and access the network remotely you will need to use ssh, sftp, or scp. Many clients exist for all platforms that will aid you in utilizing these programs and protocols.
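
Review bot: In the rewritten "What are RSA keys" answer, the sentence "the remote computer gives you a copy of their public RSA key so that you can encrypt the data you are sending to that machine" overstates what the host key does. In SSH protocol version 2 the host key authenticates the server, and the session is encrypted with keys negotiated for each connection, so I would lead with the identity check the paragraph already describes. The answer should also say what to do when the changed-key alert appears: do not accept the new key until it has been confirmed with the department's administrators. In the telnet, ftp, and rlogin answer, the added line still reads "Both programs" although the heading names three. This revision removes the "What Computer Do I Log Into for Access to My Student Account?" section, so "What to use" now lists ssh, sftp, and scp without saying which host to connect to; restore that guidance or link to where it now lives. Dropping the smbmount instructions, including the suggestion to make smbmount and smbumount set uid root, is a good change.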
network-security-and-remote-logins.txt · Last modified: 2017/02/28 16:52 by brysonlt