Configuring your own Computer Securely (alias: how not to get hacked)
A few notes for those connecting computers to the network
and not asking a technician to do the difficult bits for
them. These notes do not stand on their own, and should be read with
other documents (such as the relevant rules).
Computers are nowadays much cheaper than a few years ago, network
connections much easier to obtain, and Windows / Linux much easier to
install and configure. And that is the Bad News. Yes, the Bad News.
The Problem
Although debates about how warped one's mind must be before one becomes
a virus writer or hacker are interesting, in the Real World hackers
and virus writers exist. One must therefore limit the damage such
people can readily do, in the hope that they will find softer targets
elsewhere. Note that securing your machine is much akin to neighbourhood watch; it
doesn't so much prevent crime as hopefully drive it elsewhere where pickings are easier.
A single insecure computer, device or user account can result in a major
security incident.
Currently malicious people scan the network looking for potential
weaknesses about once every two hours. Several times a week an attempt to
exploit a potential weakness is made. A gratuitously insecure machine is unlikely
to survive a whole day connected to the DFDN before it is hacked, and
very unlikely to survive a week.
Probes, breakins and attempted breakins should be reported to the network
administrator. Details of the latest fashion in probes are reported on local newsgroup
dfdn.security.
Viruses come in at least as frequently, and it is important to
avoid sending them out again...
The Potential Impact?
Dealing with a hacked machine is (relatively) easy. In a sense. After any
analysis that the administrator and others may want, one simply wipes the disks
of all data, reinstalls the operating system and applications,
restores one's own files from the last backup which provably predates the
hack, and, of course, removes whatever vulnerability was used to hack
the machine in the first place. A mere (!) couple of days' work for a
single machine, and several weeks' work for a more extended
network. Mind-numbingly boring too.
As machines in the DFDN tend to be more trusted by other
machines in the DFDN than external machines, once one machine falls,
others may fall rapidly due to attacks from it. Thus an insecure laptop may
be the route into a chain causing many hundreds of pounds
worth of downtime and inconvenience. This may upset your colleagues.
Viruses need similar treatment, and can be similarly expensive.
If one is spectacularly unlucky, one's hacked laptop is used to
launch attacks on US military computers. This can be hard to explain away.
The Advice: UNIX
According to some slightly old pages on the DFDN server (in the local-users-only area),
"So, you need to keep your Unix System Secure do you?", which starts
"This document is just to get you started; it is not exhaustive",
the time investment involved is:
"Spend at least a fortnight getting familiar with your
system. Understand what the files and commands really
do. This will take a huge chunk out of your time, but that's
too bad; it's the price you have to pay for the convenience of a
system on the Internet."
and
"Expect to spend two to three hours every week looking
after your machine."
One could argue that this over-estimates the time involved in
securing a single-user UNIX machine (though not a multi-user
one!). However, to argue thus one must ensure that the machine is fairly
securely configured:
- Does it need to offer any services to the world?
- Does it need to offer any services to anyone else?
Obviously if you do not install telnet, ftp, mail, WWW and IRC
servers, you will not be vulnerable to any security issues discovered
with them. It is hard to see why a personal machine in the DFDN needs
more than an sshd listening to connections from other DFDN
addresses only.
Of course, do check your machine occasionally: I have often found
services running which I had previously intended to turn off, and failed (or that a patch
kit had helpfully turned back on). It is for this reason that the administrator runs
automated weekly scans of the network (much as the hackers do); this is
known as friendly probing.
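A self-check in the spirit of that friendly probing, added here as an example and not part of the original page: it lists the sockets the machine is listening on, ignores loopback-only binds (reachable only from the console), and reports anything else not in an allow-list. It assumes a Linux machine with the `ss` tool; the ALLOWED list and the sample `ss` output are constructed.

```shell
#!/bin/sh
# Added example: weekly "am I still offering only what I meant to?" check.
# Listeners you expect to offer to the network, as "proto:port" (constructed).
ALLOWED="tcp:22"

# Return 0 if "proto:port" is in ALLOWED, 1 otherwise.
is_allowed() {
    for a in $ALLOWED; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Read `ss -H -ltnu` lines on stdin; print "proto port address" for each
# unexpected non-loopback listener; return 1 if any were found, else 0.
audit_listeners() {
    found=0
    while read -r proto state recvq sendq laddr peer rest; do
        [ -z "$proto" ] && continue
        port=${laddr##*:}    # text after the last colon
        addr=${laddr%:*}     # everything before it (also handles [::]:22)
        case "$addr" in
            127.*|'[::1]') continue ;;   # console-only: not offered to the world
        esac
        is_allowed "$proto:$port" && continue
        printf '%s %s %s\n' "$proto" "$port" "$addr"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Live run, suitable for cron: a non-zero exit means something to look at.
audit_live() {
    ss -H -ltnu | audit_listeners
}

# Constructed sample in `ss -H -ltnu` column order: sshd on IPv4 and IPv6,
# a print spooler on loopback, and a tftpd somebody forgot to turn off.
SAMPLE='tcp  LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp  LISTEN 0 5   127.0.0.1:631 0.0.0.0:*
udp  UNCONN 0 0   0.0.0.0:69    0.0.0.0:*
tcp  LISTEN 0 128 [::]:22       [::]:*'

# Usage:  printf '%s\n' "$SAMPLE" | audit_listeners     (or: audit_live)
```

On the sample above only the tftpd line is reported (`udp 69 0.0.0.0`); the loopback spooler is skipped and both sshd sockets match the allow-list.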
The Advice: Windows
With Windows viruses are a much greater issue than under UNIX, and
IIS (the default WWW server on Windows) is a complete disaster: don't use it. One
should remember that viruses can be caught from infected WWW sites as
well as from emails.
Do run a virus scanner. Do keep the
virus scanner up-to-date, either manually, or, better, automatically.
The Advice: General
You must read the relevant fora for security information for the
system you are running, and you will need to patch the thing (un)fairly
frequently. Windows has an automatic update system, as do most Linux
distributions, and there are various other resources that exist.
You should check these sources more than once a week: a serious new
hack or virus can spread a long way in a couple of days. If you don't
know how to read newsgroups, are you sure you should be running your
own computer connected to the network? Indeed, you should be familiar
with the differences between server-side and client-side
authentication, plain-text and encrypted protocols, and, for UNIX
people, privileged and unprivileged ports. But that is all learnt in
about two hours, a small fraction of your time really.
Once the OS's manufacturer no longer releases security patches for
an OS, running it safely becomes (much!) harder. Ancient versions of
Windows (7 and earlier), Linux (especially RedHat), Irix and the rest do really
need upgrading.
Common Sense!
If a man in a dirty raincoat and a thick accent accosted you on a
street corner, pulled a disk from an inside pocket, and said
"Pssst. Put a load of this on your computer at work" most people would
refuse. If an email full of forged headers turns up reading "Click
here to download and install this excellent piece of high-quality free
software" many happily do so. I have never understood why.
(If the email claims to be from someone whom you trust, you do
check the headers for obvious forgery, or ask yourself whether you
were expecting the software, don't you? Note that Microsoft does not
send out unsolicited patches by email, though a recent virus did so in its name.)
Private Addresses / Firewalls
You may well be given a 'private' IP address (one which permits
connection only to other machines within the institution), or your
computer may be firewalled. Indeed, at present,
the administrator does do some basic port blocking
automatically. Although such measures do improve security, they are no
substitute for keeping your machine intrinsically secure, and they do
not imply that the person running the firewall has taken over all (or
any!) responsibility for your machine's security.
What operating systems are supported?
If the machine is run by the DFDN, it runs the version of our choice of an OS we currently
support. Requests to support things we do not currently run are
unlikely to be well received.
If run by you, anything you like. So long as it is supported and kept up to date.
Note that in particular Microsoft no longer update or support Windows 7 or earlier. Machines bought
before the release of Windows 7 (October 2009) are probably not worth upgrading and we
strongly recommend purchasing a new PC.
What do the DFDN provide?
Currently a direct connection to the DFDN network, so the
question is more `what can the DFDN provide?' In the future, some
form of firewall may appear, which may impose some restrictions,
particularly on protocols other than TCP and UDP.
What will the DFDN not permit?
We will not support, or permit any device to be connected, if it presents a security risk.
How should any machine connected be configured?
Securely.
It is important that people
outside the DFDN cannot use your machine to inject
traffic onto our network (or syphon it off).
Do keep the machine patched and up to date with security patches (for Windows this means using
Windows Automatic Update at the very minimum).
Windows 7 (and later) Security
In their wisdom M$ have enabled by default things that you should really have
turned off. In particular fast user switching. You shouldn't still be running 7
or earlier anyhow, as noted above.
Network Services permitted
For those who run systems which offer significant
external services (typically UNIX), the list of the good, the bad and the ugly is:
We like: ping, identd.
We can ignore: talkd, tftpd, quote, daytime, time, echo, discard,
sshd, rshd, lpd, rlogind.
We absolutely cannot tolerate: mail servers (pop, imap, smtp or
sendmail, other than the official DFDN server), news servers (nntp), netstat,
bind, IRC, NFS servers (except with permission), anonymous
ftp, passwordless accounts.
We don't like: daemons running as root whose functioning you cannot
explain and justify.
We might permit, after negotiation: telnetd, ftpd, httpd,
gopher servers, xdm listening, 3rd party accounts.
To put it another way, we do not mind (much) what services are
available from the physical computer (console), we mind a lot what
services are offered to the world.
The only other way of causing major upsets is by excessive use of
broadcasts or by emitting malformed packets. It is trivially easy to stop the
whole DFDN network like this...
Have fun
And try to find that elusive balance between running a computer and
actually doing some work.
The Bottom Line:
Your computer was not designed to be connected to a hostile global
network (like the internet!). By doing so you are using it in a manner for which
it was not designed. There is nothing wrong in this, except that it is your
responsibility to understand in some detail what you are doing. For
intelligent people the excuse 'I can't get my head around computers' is likely to raise
questions about whether you can cope with intellectually similar areas, such as many
other aspects of working life.
The ultimate sanction:
Any machine which is
persistently found in an insecure state will, after a reasonable
number of warnings, be disconnected, possibly permanently. This
group is far too attached to its computers to permit anything to
remain that poses a threat to them. We also owe this service not only to the rest of
the DFDN but indeed the world at large. One person's recklessness can easily
cost another substantial sums, both in financial terms and their time.
To recap: If your computer causes trouble, it will be disconnected from the
network. Possibly permanently. If its owner is the greater source of trouble, he too can
be suspended, possibly permanently.
The purpose of this document was to remind you all that a computer on a
public network needs proper servicing, just as a car driven on a
public road does. There is no absolute requirement to involve oneself
in the hassle and expense of car ownership, or that of dealing with computers
on public networks. However, some enjoy the experience, and it would
seem unfair to stop them, whilst they act safely.