LCSR Faculty Services
Updated September 30, 2003
LCSR supports a cluster of Sun and Linux machines for administrative
use of the Department of Computer Science.
Accounts on this cluster are limited to DCS faculty, staff, and (at
the request of DCS faculty) those involved in teaching and grading CS
courses.
Services provided on this cluster include email (both local and
through POP and IMAP) and HTTPD (allowing for user web sites).
Our goal is to provide an agreed-upon set of software on this set of
machines and to see that those machines are available 99% of the time
and are kept secure through regular patching.
To obtain an account on this cluster it is best to go through a DCS
faculty member.
Composition
As of September, 2003, the core of the cluster is 3 SunFire 280Rs with 2 GB
memory each.
About 30 other machines in the cluster are Suns or Linux machines on
faculty desktops.
The exact set of machines within the cluster is listed on a web page
which is updated automatically every morning.
Monitoring
On an hourly basis, a number of things are checked on each machine
including:
- the time
- the amount of disk space available
- a list of processes which should be running
- changes in some configuration files
- runaway processes
- typical signs of intrusion
Each night, other tasks are performed including:
- preserving a record of disk space usage
- removal of old files from /tmp
- more extensive configuration observation and sanity checking
Authentication
Access to the cluster is controlled by username and password.
Password authentication for normal users is done through a central
Kerberos server to provide a uniform password system across
LCSR-maintained Unix machines while at the same time removing the
passwords from local servers (making brute force attacks much more
difficult and noticeable).
Passwords for privileged users are produced by a security card which
generates a different password each time it is used, so that even
should the typing of a privileged password be observed, it cannot be
reused.
Security and encryption
The vulnerability to commonly available attacks is greatly reduced by
keeping machines on a patching schedule.
We now support encrypted versions of all access programs (e.g., ssh,
sftp, secure IMAP, etc.) to prevent user passwords from being
transmitted over the network "in the clear."
As soon as is reasonable for users to move to these services,
we will be withdrawing the unencrypted versions of these programs.