These pages will describe ways to provide a 'sensible' set of basic network services on your workstation or laptop. The platforms addressed are mainly Windows 2000, Linux, and Unix.
Most people don't consider how public communication is on the Internet. For example, any given e-mail makes many hops between your e-mail client and the server of the person you are trying to reach. It may be read and stored at any of these locations. E-mail is stored for years on disk backups. Also, common LAN technology works by broadcasting every packet to all computers on that LAN - only the computer it is destined for should pick it up, but every computer sees it. It is not difficult at all to observe traffic on a LAN. Encryption has traditionally been the answer for 'hiding' information as it goes over the network.
GOALS:
The primary goal of this HOW-TO is twofold. It should assist users in the CS department (and the general population, should they come across this page) by providing a very straightforward guide to getting secure services up and running on their personal computer. The second goal is to assist CRF in providing a more secure environment on the cluster machines by raising user awareness.
There is no silver bullet for security, especially in a networked environment. The word 'secure' is a hard-to-define and relative term at best. The most you can do to protect yourself is to limit your degree of exposure by using the technologies suggested below. Even 'secure' services may have implementation bugs in them, but using these services is a step in the right direction - and it's much easier than you might imagine. The primary benefit of using these services (as opposed to their counterpart technologies) is the degree of privacy you regain and a certain level of assurance that your data is not being observed or corrupted.
The wonderful Linux Security HOW-TO covers many related topics in great detail. It is definitely worth reading.
TOPICS:
Each topic link (e.g., the 'howto' link) brings you to a short and sweet set of instructions on how to get the software, install it, and set it up for your environment. Most services will work exactly like the ones you are accustomed to. Some have many more features and capabilities. Click the 'learn more' link for more complete information on each service.
Following these suggestions will give you a heightened degree of security on the network, but there is no replacement for prudence, caution, skepticism, and a healthy bit of paranoia. Most of us can't afford the paranoia in the course of our daily work - that is what these services assuage.
Choosing a Password
Basic passwords are the foundation of most security today because they authenticate a user to a service. It is important to choose a password that is easy to remember, but difficult to guess. Because most security is based on having a correct password, a 'weak' password can be computationally guessed in less than a second and compromise a whole system (potentially affecting many more people than just yourself). Below are some common guidelines.
- Make sure the password is long (more than 8 characters). Longer passwords are harder to guess.
- Do not use personal data (names, pets, loved ones, HAM radio call letters, dates, SSN, phone numbers).
- Mix case (use both upper and lower case letters).
- Do not use any word found in a dictionary (this cannot be stressed enough).
- Mix in numbers.
- Mix in special symbols (&,*%$!@#)({}][). Some systems will not allow certain of these.
- Weak passwords have low entropy (most characters in them belong to a similar class). Good passwords have high entropy.
- Do not write your password down.
- Do not tell anyone your password. You took a long time coming up with it. It's special - it's yours. A surprising number of passwords aren't guessed - they are asked for and given.
- Change your password if you suspect your account has been compromised.
- Change your password at a good interval (every 6 months). Some systems force you to.
- If you log into a remote server, it often tells you the last time you logged in and the IP address you logged in from. Check this information frequently.
- Remember your password! (use a mnemonic)
There is an additional caveat: choose a different password for every account you have. For most people, this recommendation just isn't feasible. You have too much to remember already. There are some attempts at a compromise.
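The guidelines above can be turned into a mechanical check. The Python script below is an added example written for this page, not part of the original HOW-TO or of any password tool: it applies the length, character-class, dictionary, personal-data and entropy rules from the list. DICTIONARY and PERSONAL_DATA are constructed stand-ins (assumptions for the example); a real check would load /usr/share/dict/words or a cracking wordlist and the user's own names, dates and call sign. The entropy estimate is the usual log2(pool size) per character, and the 'low entropy' test is the page's own rule that most characters fall in one class.

```python
import math
import re

# Constructed stand-ins (assumptions for this example): a real check would load
# /usr/share/dict/words or a cracking wordlist, plus the user's own personal data.
DICTIONARY = {"password", "secret", "columbia", "letmein", "welcome", "dragon"}
PERSONAL_DATA = {"jdoe", "fido", "1975", "kc2abc"}

# Character classes with the size of each pool for the entropy estimate.
CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^A-Za-z0-9]"), 33),  # printable ASCII punctuation
}

# Common letter-for-symbol swaps, undone before the dictionary check.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i", "4": "a"})


def estimate_entropy_bits(password):
    """log2(pool) bits per character, the pool being the union of the classes used."""
    pool = sum(size for pattern, size in CLASSES.values() if pattern.search(password))
    return len(password) * math.log2(pool) if pool else 0.0


def dominant_class_fraction(password):
    """Share of characters in the single most common class (the page's 'low entropy' test)."""
    if not password:
        return 1.0
    counts = [len(pattern.findall(password)) for pattern, _ in CLASSES.values()]
    return max(counts) / len(password)


def check_password(password, dictionary=DICTIONARY, personal=PERSONAL_DATA):
    """Return the list of guideline violations; an empty list means every rule passed."""
    problems = []
    if len(password) <= 8:
        problems.append("too short (use more than 8 characters)")
    if not (CLASSES["lower"][0].search(password) and CLASSES["upper"][0].search(password)):
        problems.append("mix upper and lower case")
    if not CLASSES["digit"][0].search(password):
        problems.append("mix in numbers")
    if not CLASSES["symbol"][0].search(password):
        problems.append("mix in special symbols")
    # Look at the password as typed, with swaps undone, and with non-letters removed.
    lowered = password.lower()
    unleeted = lowered.translate(LEET)
    letters_only = re.sub(r"[^a-z]", "", unleeted)
    forms = (lowered, unleeted, letters_only)
    if any(word in form for word in dictionary for form in forms):
        problems.append("dictionary word")
    for item in sorted(personal):
        if any(item in form for form in forms):
            problems.append("contains personal data (%s)" % item)
    if dominant_class_fraction(password) > 0.75:
        problems.append("low entropy (most characters are from one class)")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "P@ssw0rd!", "Fido1975!!", "Mm,Ilt2cb!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

A result of [] means every rule passed. The dictionary check first undoes common letter-for-symbol swaps, so 'P@ssw0rd!' is still reported as a dictionary word even though it satisfies the mixing rules; the mnemonic-style 'Mm,Ilt2cb!' passes all of them.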
SSH
Besides passwords, SSH (secure shell) is probably the next most powerful tool in your arsenal. SSH encrypts all communication that it processes, and is most commonly used to remotely log in to a machine and execute commands from a prompt (just like telnet).
SSH comes in two parts: client and server. As you'll see below, SSH has a powerful capability that lets you do more than just type at a command prompt. It can wrap (and thus encrypt) a lot of other traffic (e.g., e-mail). This mechanism is called an SSH tunnel (or port forwarding) and is very useful for quickly encrypting an arbitrary communication channel without serious changes to your client or server software.
[mail client]-->[ssh client]-e-n-c-r-y-p-t-e-d->[ssh server]-->[mail server]
If you are using Linux or another UNIX variant, some SSH client (and probably the SSH server) is already installed on your system. If it isn't, you can obtain them from any number of sites: openssh.org is a good place. Note that you don't need the SSH server to use the SSH client (but the server you are trying to connect to does). SSH also relies on having some cryptography library installed on your system. Most distros already have this. Make liberal use of the 'man ssh' command for full options. More information (and a sample man entry) is here.
SSH is usually invoked by typing 'ssh -l username machinename' (e.g., ssh -l jdoe cluster.cs.columbia.edu). SSH then verifies that the machine you are connecting to is actually the machine you trust, asks you for your password, sets up an encrypted session with it, and returns you to a command prompt.
If you are on a PC that runs the mighty Windows operating system, you have a few choices for SSH clients.
- Putty (free) - they also distribute other secure tools (sftp). My personal favorite. Putty is used in the following examples, along with Unix command line ssh (openssh).
- SSH.com (costs $$)
- CRF also recommends TTSSH
Putty:
- just download the putty.exe file to some place in your file system (let's say c:\ssh\putty\)
- create a shortcut if you want and put it on your Desktop or Quick Launch Bar.
- Advanced configuration is discussed here; basic configuration instructions follow.
- Clicking the shortcut will give you a screen that looks like this:
- Type a new session name (cluster.cs.columbia.edu), enter the Host Name, and choose the SSH radio button. Then hit 'Save'. There are tons of other configuration options - explore as you like, and remember to save them to a session so you can reuse them!
- Other important configuration options are at this screen:
- AES, Blowfish, 3DES, and DES are encryption algorithms. The first three are considered 'more secure' against known attacks than DES. I have set my preferred SSH protocol version to 2. Some early SSH v2 servers have an implementation bug that forces Putty to terminate the connection. That can be worked around by selecting the checkbox next to "Imitate SSH 2 MAC bug ...". Remember to save these options. You may also wish to change keyboard and window appearance parameters to suit your taste in terminal emulation. :-)
- Hit the 'Open' button and Putty will start your session. The first time you connect to a machine, you will be prompted to accept the machine's RSA public key as proof of the machine's identity. You should obtain this information from your system admin so you can compare. If the key changes or your connection is hijacked, Putty will complain to you.
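The last step above, comparing the server's key with what your system administrator gave you, is best done by fingerprint rather than by eye. The Python below is an added example for this page, not code from PuTTY or OpenSSH: it parses a known_hosts-style line, checks that the declared key type matches the type stored inside the key blob, and computes both the old colon-separated MD5 fingerprint (the form clients of this era displayed) and the modern SHA256 form (what ssh-keygen -l prints today). The key blob is constructed from fake bytes and is not a real host key; the hostname is the cluster host named on this page.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type_in_blob(blob):
    """The key type is the first SSH string inside every public-key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def md5_fingerprint(blob):
    """Old colon-separated MD5 fingerprint of the raw key blob."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """Modern 'SHA256:' fingerprint (unpadded base64), as ssh-keygen -l prints it."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line):
    """Split '<host> <type> <base64 blob>' and check the declared type matches the blob."""
    host, declared_type, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    if key_type_in_blob(blob) != declared_type:
        raise ValueError("key type mismatch in entry for %s" % host)
    return host, declared_type, blob


def host_key_matches(line, expected_fingerprint):
    """True if the entry's key has the fingerprint your admin gave you (MD5 or SHA256 form)."""
    _, _, blob = parse_known_hosts_line(line)
    expected = expected_fingerprint.strip()
    if expected.startswith("SHA256:"):
        return sha256_fingerprint(blob) == expected
    return md5_fingerprint(blob) == expected.lower()


# Constructed sample, NOT a real host key: an 'ssh-rsa' blob with e = 65537 and a fake
# 32-byte modulus (0x01..0x20), wrapped in a known_hosts line for the host named on this page.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(bytes(range(1, 33)))
SAMPLE_LINE = "cluster.cs.columbia.edu ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    host, key_type, blob = parse_known_hosts_line(SAMPLE_LINE)
    print(host, key_type)
    print("MD5:   ", md5_fingerprint(blob))
    print("SHA256:", sha256_fingerprint(blob))
```

On a real system you would feed host_key_matches the line that ssh wrote to ~/.ssh/known_hosts (or the key PuTTY shows in its prompt) and the fingerprint your administrator published; a mismatch on a later connection is exactly the 'key changed' warning the clients raise.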
Securing FTP
If you use any file transfer software (Ipswitch/WS_FTP, ftp, CuteFTP) you may find it hard to believe that FTP is a security nightmare (it can greatly complicate setting up firewalls). FTP has always been a valuable tool. If you want to secure (encrypt) your FTP sessions, sftp has traditionally been the way to do it. However, most SSH clients also have the capability of supporting the SFTP protocol. The two listed here are command line style FTP programs. There are a number of supported commands (basically just like command line FTP). For the curious, here is the SFTP Internet Draft.
The tradeoff is that using these tools doesn't give you a pretty GUI. But you can search for packages that do (or write your own and submit it back to the developers!) Also, there is no anonymous FTP - a user account is required. Just because it doesn't have a GUI is no cause to despair - I used it quite easily to upload this page and supporting materials, and it didn't hurt a bit!
PSCP (and scp in general) is meant for a single copy-and-terminate session. On the other hand, sftp/PSFTP is much like a traditional FTP session. The Putty website has complete instructions for using PSFTP. A standard PSFTP session may begin like so:
C:\usr>psftp
psftp: no hostname specified; use "open host.name" to connect
psftp> open optimusprime@cluster.cs.columbia.edu
Using username "optimusprime".
optimusprime@cluster.cs.columbia.edu's password:
Remote working directory is /n/opus/u/bet/optimusprime
psftp> help
...
A standard openssh sftp session may run like so:
jdoe@disco myfiles[116]$ sftp jsmith@play.cs.columbia.edu
Connecting to play.cs.columbia.edu...
jsmith@play's password:
sftp> help
...
sftp> bye
jdoe@disco myfiles[117]$
Securing E-mail (with port forwarding)
First, we need to understand what an SSH tunnel can provide to our e-mail services. The SSH client will encrypt your communication with your mail server. This encryption mainly protects your password. It does not protect the integrity and privacy of your e-mail on the rest of the Internet! Your e-mail is still shuffled around in the clear. If you want to encrypt your e-mail, you should be reading the section on PGP and e-mail.
Now, we need to understand what port forwarding is. Port forwarding is the process of inserting the SSH client and SSH server in the interaction between your normal client and server for softwareXYZ. You instruct your regular client software to view a localhost/127.0.0.1 port as the regular server software. In fact, your SSH client is listening to this port. When it gets traffic, it passes (forwards) that on to the SSH server. The SSH server will pass that traffic (after decrypting it) to your regular server software and send back replies via the same 'tunnel.'
The one 'extra' requirement is that you must be logged in via your SSH client for port forwarding to work. Without you logging in, your SSH client cannot set up the port forwarding (because you are not authenticated for the services you are requesting). You must also set up your client software with some configuration. There is an example below, and the procedure will vary from software client to software client.
So, you must:
- set up your SSH client to forward a certain local port
- set up your software client to send to that local port instead of the software server
- open your SSH client and log in to the remote server to authenticate yourself
Directions for PuTTY's port forwarding. Complete directions from the distributors. Understanding port forwarding (Putty).
The quintessential example with SSH port forwarding is POP mail. Here, we have set up a rule for Putty to listen to local port 110 (127.0.0.1:110) and then encrypt and redirect that traffic to the SSH server at pop.myserver.com. The SSH server will then pass that traffic (after decryption) to the POP server at port 110 (and vice-versa).
We are only half done. We have inserted the SSH client and server in between the POP client and server, but we need to tell the POP client to send POP mail requests to our SSH client and not the POP server.
With Outlook Express, the procedure is as follows:
- Open Outlook Express
- Choose Tools > Accounts in the menubar
- Select the mail account you want to forward over SSH
- Hit the Properties button
- A dialog box like the following should appear:
- Replace your POP3 servername with localhost or 127.0.0.1
- It does not matter if the 'My server requires...' checkbox is checked or not.
- The same process can be used for SMTP.
- Go to the Advanced tab. Make sure your ports are set to the correct local ports (the ones you set up in your SSH client)
- Hit Apply.
- Send yourself an e-mail, make sure your Putty session is active, and retrieve the e-mail. Cool, huh?
You may have noticed that Outlook has some options for using SSL and digitally signing messages with a certificate. You can use an SSL connection for your POP and SMTP only if your server directly supports it. Simply check the checkbox under the appropriate port entry under the Advanced tab and enter the correct port number (your system admin should give this to you). You will need to get a certificate to digitally sign your e-mail.
For UNIX:
Using a UNIX or Linux SSH client, you can set up a tunnel like so (the last argument is the SSH server you log in to; here, as in the Putty example above, the mail server is assumed to be running the SSH server):
ssh -L 110:your-mail-server.cs.columbia.edu:110 your-mail-server.cs.columbia.edu
ssh -L 25:your-mail-server.cs.columbia.edu:25 your-mail-server.cs.columbia.edu
You may need to add the -l switch if your local and CS cluster usernames are not the same.
johndoe@disco myfiles[133]$ ssh -l jdoe -L 110:your-mail-server.cs.columbia.edu:110 your-mail-server.cs.columbia.edu
A [port in use] message means that you have a service running on your local machine at that port. Stop it or pick another port. It may be a good idea to pick a local port >1024 so you don't run into root permission problems.
Make sure you set your UNIX e-mail client up in the equivalent way.
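To make the 'a localhost port stands in for the server' idea concrete, here is an added example written for this page (not code from OpenSSH or PuTTY) in Python. It implements only the plumbing of a local forward: a listener on 127.0.0.1 that relays each connection to a target host and port, which is the role the SSH client plays for the 'ssh -L' rules above, except that a real SSH client would carry the bytes over its encrypted session to the SSH server instead of connecting to the target directly. A fake POP server (constructed, answering just a greeting and QUIT) stands in for the mail server, and both listeners take ephemeral ports so the demo runs unprivileged, which is the page's advice to pick a local port above 1024.

```python
import socket
import threading


def _relay(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_local_forwarder(target_host, target_port, local_port=0):
    """Listen on 127.0.0.1:local_port and relay every connection to target_host:target_port.
    This is the listener side of 'ssh -L local:target:port' WITHOUT the encryption: an SSH
    client would hand the bytes to the SSH server over its encrypted session instead."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", local_port))  # loopback only: never expose the tunnel end
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_relay, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_fake_pop_server():
    """Constructed stand-in for the POP server: greets, answers one command, closes."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"+OK POP3 ready\r\n")
                line = conn.recv(1024)
                conn.sendall(b"+OK bye\r\n" if line.strip().upper() == b"QUIT" else b"-ERR\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return server


def demo():
    """Talk to the fake POP server only through the local forwarder; return (banner, reply)."""
    pop = start_fake_pop_server()
    forwarder = start_local_forwarder("127.0.0.1", pop.getsockname()[1])
    try:
        # The 'mail client' is configured for localhost and the forwarder's port, as in the
        # Outlook Express steps above; it never learns the mail server's real address.
        with socket.create_connection(("127.0.0.1", forwarder.getsockname()[1])) as mail_client:
            mail_client.settimeout(5)
            banner = mail_client.recv(1024)
            mail_client.sendall(b"QUIT\r\n")
            reply = mail_client.recv(1024)
        return banner, reply
    finally:
        forwarder.close()
        pop.close()


if __name__ == "__main__":
    print(demo())
```

The [port in use] error the page mentions is exactly what the bind() call raises when another service already owns the local port; passing 0 lets the operating system choose a free unprivileged port.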
Encrypting E-mail (PGP)
Phil Zimmermann invented PGP to help encrypt e-mail. Today it is used to secure many other things. PGP is an acronym for Pretty Good Privacy. It is an asymmetric key (public key) encryption scheme. The end result is that you can encrypt a message so that people know you sent it, and mail sent to you can only be read by you. More information on how this mechanism works can be found here.
A good page from MIT on PGP. You can also obtain PGP for a number of platforms (Mac, Windows, UNIX, Linux), both source code and binary versions. Because part of PGP includes some software based on a patented encryption technique, you have to agree to use PGP for noncommercial purposes (using it for personal e-mail is considered noncommercial).
When you send e-mail, your e-mail is tossed around the web between mail servers on its way to the recipient's e-mail server. One way to stop people from reading it in transit (and after it is stored) is to use PGP.
To set up PGP:
- Download PGP from the MIT site. (Documentation and help are included with the release).
- For Windows, unzip the install file and execute it. After standard licensing agreements and installation locations, the program will guide you through generating a public and private key pair. You may then send your public key to a central server so people can find you and use PGP to communicate with you.
- Your Outlook Express e-mail client will plug in the new PGP tools.
- For UNIX/Linux, download the tar file and install it.
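The sentence above, 'people know you sent it, and mail sent to you can only be read by you', describes the two operations every public-key system provides: encrypting to the recipient's public key and signing with the sender's private key. The Python below is an added example for this page, not PGP's code and not a substitute for it: a textbook RSA round trip in which Alice encrypts for Bob and signs as herself, and Bob decrypts with his private key and verifies with Alice's public key. The keys are built from well-known Mersenne primes so the example runs offline without generating primes; that makes them worthless for real use, and real PGP additionally uses padding, a random per-message session key and a symmetric cipher for the message body.

```python
import hashlib

# Public exponent used for every demo key.
E = 65537


def make_keypair(p, q):
    """Textbook RSA: public key (n, e), private key (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


# Constructed demo keys from well-known Mersenne primes so the example runs offline.
# Anyone can look these primes up, so the keys give no security at all; real PGP
# generates large random primes and never exposes the raw numbers like this.
ALICE_PUB, ALICE_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**89 - 1, 2**607 - 1)


def encrypt(message, recipient_public):
    """Encrypt with the RECIPIENT's public key; only the matching private key can undo it."""
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key (PGP encrypts a session key instead)")
    return pow(m, e, n)


def decrypt(ciphertext, recipient_private):
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")  # leading zero bytes would be lost


def sign(message, sender_private):
    """Sign the SHA-256 hash with the SENDER's private key; anyone can check it with the public key."""
    n, d = sender_private
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(message, signature, sender_public):
    n, e = sender_public
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == h


def demo_round_trip(message=b"Meet me at the cluster at noon"):
    """Alice -> Bob: encrypt for Bob, sign as Alice; Bob decrypts and checks the signature."""
    ciphertext = encrypt(message, BOB_PUB)      # readable only with BOB_PRIV
    signature = sign(message, ALICE_PRIV)       # checkable by anyone holding ALICE_PUB
    plaintext = decrypt(ciphertext, BOB_PRIV)
    return plaintext, verify(plaintext, signature, ALICE_PUB)


if __name__ == "__main__":
    print(demo_round_trip())
```

The two key pairs are deliberately separate: encryption uses the recipient's pair, signing uses the sender's, which is why each PGP user publishes one public key and keeps one private key. Changing a single byte of the message makes verify() return False.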
Secure Webmail
Securing your webmail is pretty much out of your hands. If your network administrator has enabled a web application like IMP or SquirrelMail, they are probably using the HTTPS protocol and SSL to secure the transaction between the mail server and your browser. The most you can do is make sure your browser has an adequate 'cipher strength'. Most new browsers come with '128-bit cipher strength.' Key length really isn't a measure of security, but a longer key is better than a shorter key, all other things being equal.
Note: If you do not see something like https:// in the URL you are using to view webmail, you are probably not having an encrypted conversation with your mail server. The https:// prefix normally goes with port number 443.
Secure Windows
Securing your Windows box is sometimes a very depressing exercise. It seems Redmond releases another security alert every six hours. But, there are some common things you can do to beef up your protection.
- Do not run IIS - a web server (not running IIS) I know still gets ~20 Code Red-type hits/day from folks attached to cable and DSL modems who don't even know they are running IIS.
- Do not run Active Directory
- Do not run SQLServer
- Do not use Outlook or Outlook Express
- If you do use Outlook/Express, turn off the preview pane. It automatically opens the e-mail at the top of your queue. This feature is a comfort to virus writers.
- Do get an SSH client for Windows.
- Do monitor your network connections with netstat -an at the command line.
- Do use passwords and read-only mode if you do file sharing (CIFS/SMB)
- Try to keep it behind a firewall and not directly attached to the Internet.
- Shut it off when you are done with it.
- Get anti-virus software.
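The 'netstat -an' item above produces a lot of output on a busy machine, and what matters most is which ports are listening and who you are connected to. The Python below is an added example for this page, not a Microsoft tool: it parses netstat output in the Windows layout, lists the TCP listeners and established peers, and marks listeners that correspond to services the list above says not to run or to protect. The sample output is constructed (the remote addresses come from the RFC 5737 documentation ranges), and the mapping of port 80 to IIS, 1433 to SQL Server and 139/445 to CIFS/SMB is an assumption about those products' default ports, not something this page states.

```python
# Constructed 'netstat -an' output in the Windows layout (not captured from a real machine);
# remote addresses are from the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       198.51.100.7:443       ESTABLISHED
  TCP    192.168.1.5:1035       203.0.113.20:22        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Listeners worth a second look, keyed by port. The port-to-product mapping (80 for IIS,
# 1433 for SQL Server, 139/445 for CIFS/SMB) is an assumption about default ports.
REVIEW_PORTS = {
    80: "web server listening (the list above says: do not run IIS)",
    1433: "SQL Server listening (the list above says: do not run it)",
    139: "file sharing (NetBIOS): use passwords and read-only shares",
    445: "file sharing (CIFS/SMB): use passwords and read-only shares",
}


def parse_netstat(text):
    """Return one dict per connection line; title, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_host, local_port = parts[1].rsplit(":", 1)  # rsplit also handles [::]:135
        remote_host, remote_port = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "local": (local_host, int(local_port)),
            "remote": (remote_host, remote_port),  # remote port stays a string ('*' for UDP)
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def listening_tcp_ports(rows):
    """Sorted TCP ports something on this machine is accepting connections on."""
    return sorted(r["local"][1] for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING")


def established_peers(rows):
    """(host, port) of every peer you are currently connected to."""
    return sorted(r["remote"] for r in rows if r["state"] == "ESTABLISHED")


def review_listeners(rows):
    """Map each listening port that appears in REVIEW_PORTS to its note."""
    return {port: REVIEW_PORTS[port] for port in listening_tcp_ports(rows) if port in REVIEW_PORTS}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_tcp_ports(rows))
    print("peers:", established_peers(rows))
    for port, note in review_listeners(rows).items():
        print("port %d: %s" % (port, note))
```

Run it against real output by piping 'netstat -an' into a file and passing the file's text to parse_netstat; a listener you cannot account for is the thing to investigate first, since it is a service you are running whether you meant to or not.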
It's easy to bust on Windows, but many of the things I've said above apply to Linux and UNIX boxes. The main lesson? Don't run services you don't need, and be prudent about what you do run!
Secure Linux
Securing your Linux box may be a never-ending and fun exercise. Some companies are engaged in creating and distributing a "Secure Linux" - but keep in mind we said 'secure' was a relative term.
The main thing to keep in mind is to reduce the number of services you are running (modify your /etc/rc.d/init.d/ linked scripts as necessary) and turn off some network services with xinetd.
- Turn off the finger daemon. It's a personal box - you should be the only one logged in, and no one really needs to know that.
- Turn off telnet. Require SSH to get in.
- Keep up to date with new releases.
- Make sure you patch/update your Apache as necessary.
- Don't create a bunch of useless accounts with weak passwords.
- You can set up a firewall pretty easily with ipchains. Do so. It's a great first line to drop malicious traffic. There are many HOW-TOs and books on this topic.
- Use shadow passwords.
- Disable anonymous ftp.
- Use tripwire to detect possible malicious changes to sensitive files.
- Turn off tftp.
- Be sensible about your permission bits.
- Don't use root.
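Several items in the list above (shadow passwords, useless accounts with weak passwords, not using root, anonymous ftp) can be checked from /etc/passwd alone. The Python below is an added example for this page, not part of any distribution's tooling: it parses a constructed /etc/passwd sample and reports empty password fields, password hashes left in the world-readable passwd file instead of /etc/shadow, extra UID 0 accounts, and the presence of an 'ftp' account, which many FTP daemons use to enable anonymous FTP. The sample entries, names and hash are made up.

```python
# Constructed /etc/passwd sample (names and the hash are made up, not from a real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backup admin:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
olduser:$1$abcdefgh$0123456789abcdefghijkl:1002:1002:Legacy:/home/olduser:/bin/bash
jdoe:x:1003:1003:John Doe:/home/jdoe:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
"""

MESSAGES = {
    "empty-password": "empty password field: logs in with no password at all",
    "hash-in-passwd": "password hash kept in world-readable /etc/passwd: use shadow passwords",
    "extra-uid0": "UID 0 account other than root: a second root login to guard",
    "ftp-account": "'ftp' account present: many FTP daemons use it to enable anonymous FTP",
}

# Values that mean 'look in /etc/shadow' or 'locked', not a usable hash.
PLACEHOLDERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return one dict per well-formed passwd line (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a fuller audit would report it
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(entries):
    """Return (account, code) pairs; look the code up in MESSAGES for the explanation."""
    findings = []
    for e in entries:
        if e["pw"] == "":
            findings.append((e["name"], "empty-password"))
        elif e["pw"] not in PLACEHOLDERS and not e["pw"].startswith("!"):
            findings.append((e["name"], "hash-in-passwd"))
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "extra-uid0"))
        if e["name"] == "ftp":
            findings.append((e["name"], "ftp-account"))
    return findings


def report(text):
    """Human-readable lines for the findings in one passwd file."""
    return ["%s: %s" % (name, MESSAGES[code]) for name, code in audit_passwd(parse_passwd(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_PASSWD):
        print(line)
```

To audit a real machine, read /etc/passwd into a string and pass it to report(); the file is world-readable, so the check needs no root privileges, which fits the last item in the list.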
Secure Web Browsing
The Internet is a wonderful place to explore, but many people abuse the HTTP protocol to exploit both standard and non-standard features included in many popular browsers. Technically, you can limit your definition of 'secure' web browsing to viewing pages that begin with https:// - but that is only a guarantee that your conversation with the server is encrypted - and encrypted != secure. Secure web browsing involves a lot of common sense and a warning about some popular exploits.
You are probably quite familiar with the phrase "XXX has a serious flaw that may allow a malicious attacker to execute arbitrary code in the user's browser." See what you can do to avoid being a victim.
- Cookies are small files that websites store on your computer to identify you. Sometimes these are harmless, but other times they invade your privacy. You have to decide how to handle them. Your browser typically has settings to control cookies.
- Know where you are browsing - you can probably trust big merchants (amazon.com) or popular sites (cnn.com) but are you sure www.joescrackerkingdom.net is the place to be surfing?
- Avoid SPAM - annoying e-mail is often the result of giving out your real e-mail address on websites. Just don't do it, unless it is your bank or a site you have business with.
- Javascript, Active-X controls, Java applets, and other browser plug-ins are cool, but sometimes a serious flaw is discovered in them.
Most of all, just use your head.
Thanks for reading! I hope this has been helpful. Check out the quick links at the top or the more information page.