Frequently Asked Questions

This page covers some common first steps for securing systems and recovering from a breach. We've included cautions and suggestions which have been particularly helpful to us, as well as useful links to other sites where security information is carefully maintained.

PREVENTION

Preparing ahead of time will help prevent common forms of attack. An aphorism to remember is, "security is not a product; it's a process". It is not a task that you accomplish once and then check off of your to-do list. System security is an ongoing responsibility.

Make sure all security holes for your system are patched. The US-CERT Alerts Archive is a helpful guide, in addition to the vendor security site for your specific OS.

Where do I begin?
How can I be more secure?
What is a phish?
What kinds of attacks should I be looking for?
What is an intruder's goal?
What tools are available to help secure my system?
Should I Install a Firewall?
What should I do when I discover my system has been compromised?

Where do I begin?

The US-CERT Security Publications are a helpful series of documents on security issues.

How can I be more secure?

Here are some simple steps to being more secure.

What is a phish?

A phish is an attempt to trick a person into revealing credentials, usually through email. Caltech will never ask for credentials in an email. More info here.

What kinds of attacks should I be looking for?

Some common break-in and root-access techniques that we've seen:

What is an intruder's goal?

This varies depending on the type of system. Common break-in goals that we've seen:

Setting up mail or IRC SPAMbots (for a variety of purposes)
Setting up Denial of Service attacks against other systems, either internal or external to the local network
Disguising the origins of attacks against other systems, such as website defacement, data theft, etc.

What tools are available to help secure my system?

Vulnerability Scanning -- request a scan from IMSS of your Caltech system to help you identify specific areas of concern in your security setup. Note that we will only scan Caltech systems.

Keep current on patches and updates available for the systems you manage:

  • RPMDiag -- a service to help Caltech sysadmins keep up to date on patch releases for RedHat Linux systems

Here are some tools you may consider installing, most of which are available directly from CERT:

  • npasswd -- one of various programs to force users to pick "good" passwords; this one is for Solaris systems
  • crack -- a very useful program that checks for guessable passwords in your password files
  • John the Ripper -- an even better tool to check for guessable passwords on UNIX, DOS, WinNT/Win95 systems
  • tcp wrappers -- monitor and filter incoming requests for SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services
  • tripwire -- a program that checks regularly to see if important system files have changed. Caltech has a site license available at http://software.caltech.edu.
  • ifstatus -- checks to see if your ethernet card is running in promiscuous mode, i.e., sniffing packets (Solaris)
  • ssh -- secure shell (encrypted interactive logins)
  • PGP -- Pretty Good Privacy (public-key encryption for email and files)

NOTE: Security tools like the above can be time consuming to install and maintain. Be prepared to pay attention to their output, and make sure you understand what they do.
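To make concrete what an integrity checker such as tripwire does, here is a small POSIX shell script added to this page (it is not IMSS's code and not tripwire itself). It records a SHA-256 baseline of a directory while the system is known-good and later reports every file that changed, appeared or disappeared. The directory, file names and "replaced binary" in the demo are constructed; the script assumes sha256sum, find, awk, sort and mktemp are available, as on a typical GNU/Linux system.

```shell
#!/bin/sh
# Added example (not IMSS's code, not tripwire itself): a minimal file integrity
# check in the spirit of tripwire. A baseline of SHA-256 digests is recorded
# while the system is known-good; later runs report anything that changed.
# Assumes sha256sum, find, awk, sort and mktemp are available (GNU/Linux).

# Record "digest  ./path" for every regular file under $1 into baseline file $2.
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$2"
}

# Compare directory $1 against baseline $2. Prints one CHANGED / ADDED / REMOVED
# line per difference and returns 1 if anything differs, 0 if the tree is intact.
verify_baseline() {
    current_state=$(mktemp)
    make_baseline "$1" "$current_state"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }  # first file: the baseline
        !($2 in base) { print "ADDED   " $2; next }  # second file: current state
        base[$2] != $1 { print "CHANGED " $2 }
        { delete base[$2] }                          # whatever is left was removed
        END { for (p in base) print "REMOVED " p }
    ' "$2" "$current_state")
    rm -f "$current_state"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed directory: take a baseline, then simulate
# what a root intruder typically leaves behind (a replaced binary, a hidden
# file, a deleted file) and report it. Paths and contents are made up.
demo() {
    work=$(mktemp -d)
    mkdir "$work/bin"
    printf 'original login\n' > "$work/bin/login"
    printf 'original ls\n'    > "$work/bin/ls"
    make_baseline "$work/bin" "$work/baseline"

    printf 'modified login\n' > "$work/bin/login"   # replaced binary
    printf 'extra\n'          > "$work/bin/.hidden" # new hidden file
    rm "$work/bin/ls"                               # deleted file

    if verify_baseline "$work/bin" "$work/baseline"; then
        echo "OK: no changes since baseline"
    fi
    rm -rf "$work"
}

demo
```

In real use the baseline file must live somewhere the intruder cannot rewrite (read-only media or another host), and the check has to be run from a trusted copy of the tools, since a root intruder can replace sha256sum or awk just as easily as login.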
Should I Install a Firewall?

If you want to do some experimentation with packet filtering on a Cisco, see Microweb Technology's Basic router filter recommendations and Cisco's Increasing Security on IP Networks.

RECOVERY

What should I do when I discover my system has been compromised?

First, look at the steps given in the IMSS web page, Your Responsibilities as a Caltech Sysadmin.

If you have discovered a compromised account, you'll want to find out which remote systems have been logging into that account (with the "last" command) and also whether any of those systems have been using other accounts on your system.
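As an added example (not part of the IMSS page), here are two shell functions that do exactly that triage on the output of "last": one lists the remote hosts that logged into the compromised account, the other lists any other accounts used from those same hosts. The login records and addresses below are constructed sample data (RFC 5737 documentation addresses stand in for real hosts); the parser assumes the default util-linux "last" column order (user, tty, host, date) and skips console entries, which have no host column.

```shell
#!/bin/sh
# Added example (not IMSS's code): triage the output of "last" after an account
# compromise. Assumes the default "last" layout: user, tty, host, date...
# Console logins have no host column, so the weekday lands in field 3; those
# entries are skipped. The records below are constructed sample data.

SAMPLE_LAST='alice    pts/1        198.51.100.23    Mon Mar  4 09:12 - 09:45  (00:33)
alice    pts/0        192.0.2.77       Sun Mar  3 22:07 - 23:10  (01:03)
bob      pts/2        192.0.2.77       Sun Mar  3 23:15 - 23:40  (00:25)
carol    pts/3        203.0.113.5      Sat Mar  2 18:00 - 18:30  (00:30)
alice    tty1                          Fri Mar  1 08:00 - 08:10  (00:10)
reboot   system boot  4.18.0           Fri Mar  1 07:58   still running

wtmp begins Fri Mar  1 07:55:01 2024'

# Shared filter: drop the trailer, reboot/shutdown pseudo-users and console
# logins, leaving only "user host" pairs for remote sessions.
remote_logins() {
    awk '
        /^$/ || /^wtmp begins/ { next }
        $1 == "reboot" || $1 == "shutdown" { next }
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        { print $1, $3 }'
}

# Remote hosts that logged into the given account, one per line.
hosts_for_account() {
    remote_logins | awk -v acct="$1" '$1 == acct { print $2 }' | LC_ALL=C sort -u
}

# Other accounts used from any host that also logged into the given account,
# printed as "host<TAB>account" lines.
other_accounts_via_hosts() {
    remote_logins | awk -v acct="$1" '
        { seen[$1 "\t" $2] = 1; if ($1 == acct) hosts[$2] = 1 }
        END {
            for (key in seen) {
                split(key, f, "\t")
                if (f[1] != acct && (f[2] in hosts)) print f[2] "\t" f[1]
            }
        }' | LC_ALL=C sort -u
}

# Stand-alone demo on the constructed records; on a real system the input
# would come from "last" itself, e.g.  last | hosts_for_account alice
echo "Hosts that logged into alice:"
printf '%s\n' "$SAMPLE_LAST" | hosts_for_account alice
echo "Other accounts used from those hosts:"
printf '%s\n' "$SAMPLE_LAST" | other_accounts_via_hosts alice
```

Bear in mind that wtmp is a plain file a root intruder can edit, so an empty or tidy "last" history proves nothing by itself; compare it with other records (syslog auth entries, the remote sites' own logs) before drawing conclusions.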

You should alert the owners of any remote machines seen logging into the compromised account that their own systems may be compromised, or that one of their authorized users may be breaking into accounts on other systems.

Locally, the most important thing is to confirm that the intruder did not manage to get root access. If they did, this is a serious problem, particularly as they may have left behind mechanisms for collecting local passwords, such as trojan horse versions of commonly-used items (e.g., Telnet, login shells, etc.), or network cards set to "promiscuous mode" (packet-sniffing).

The only certain way to recover from a root break-in is to re-install your system and carefully follow the steps given in the Prevention section.

ADDITIONAL READING

IMSS: Additional Security Resources