Being Security Conscious
Since Unix systems tend to be fairly open, it is important for you to be familiar with security issues. In this Tipsheet we will outline several items to which you should pay particular attention.
Password
Your password is your first line of defense against unwanted use of your account. At the moment, the system on Bama imposes only two simple rules on passwords: they have to be at least six characters long, and there must be at least one number. (Note that this may change to be stricter in the near future.) Following the extra rules below will make your password much harder to guess.
- Don't use your userid as any part of your password. It takes a "hacker" only a short while to run through the system's accounts checking for passwords that are too closely related to the userid.
- Don't use words that are associated with you, personally. Anyone with more personal information about you might try guessing your first name, or something else about you.
- Don't use common words as your password. If you are trying to find something easy to remember, try taking the vowels out of your word, or intermixing caps and lower case (in addition to adding other characters; see next item).
- Do use a combination of letters, numbers, and special characters in your password. The more non-alphabetical characters, the better. Acceptable special characters include ">", "<", "&", "-", "%", and "*", as well as the usual punctuation characters. It is not recommended that you use "#".
- Don't give your password to anyone else. Even if you call the Help Desk for help, we don't ask for passwords when we help to clear up problems. And certainly, no one should ever legitimately call you and tell you that they need your password to do some computer systems work.
File Security
The subject of file security was first covered in Tipsheet Vol. 1, No. 6. In that Tipsheet, we discussed the use of "chmod" to affect the read, write and execute permission status of files and directories. This is the only security you have against prying eyes. Note that you can have some areas of your account open for others to see, and other areas closed. An example of an open area would be the directory for html files, "public_html". It must be set readable so that the web server can show it to others.
When files are created, they have a default protection that is set by a Unix command called "umask". The umask names the permission bits to take away: a new file starts from rw-rw-rw- and a new directory from rwxrwxrwx, and the bits named in the umask are removed. With the system default of 022, new files come out as rw-r--r-- and directories as rwxr-xr-x. If you would like more protection for files when they are newly created, put a "umask" command into your ".profile" file. Some examples of umask settings are:
- umask 022 (system default): user gets r, w, x; group and other get r, x (files never get x from the umask alone, so a new file is rw-r--r--)
- umask 077: user gets r, w, x; group and other get no permission (new files are rw-------)
- umask 027: user gets r, w, x; group gets r, x; and other gets no permission (new files are rw-r-----)
Please remember that if you do set umask to get tighter file security and you are putting web pages on your account, you will have to open up the security on the web pages so the server can show them to others.
Your home directory was given extra protection when it was created. It should have the permissions set to rwx-----x: only you can read or write it, group members get nothing, and the single x for "other" lets the web server pass through your home directory to reach public_html without being able to list what else is in it. You can confirm this with "ls -ld" on your home directory.
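The following is an added example, not code from the original Tipsheet. It creates a file and a directory under each of the three umask settings listed above, in a scratch directory, and reports the permission bits they actually receive; it then simulates a public_html tree created under a tight umask of 077 and "opens it up" for the web server by adding only the bits the server needs. It assumes a POSIX sh with mktemp(1), ls(1) and chmod(1), and never touches your real home directory.

```shell
#!/bin/sh
# Added example (not from the Tipsheet): show what each umask really yields
# and how to open a public_html tree for the web server afterwards.
# Assumes POSIX sh, mktemp(1), ls(1), chmod(1). Works only in scratch dirs.

# perms_under_umask MASK -> prints "file=<9 bits> dir=<9 bits>"
perms_under_umask() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        umask "$1"
        : > newfile      # files start from 0666, so umask alone never gives x
        mkdir newdir     # directories start from 0777
    )
    f=$(ls -ld "$scratch/newfile" | cut -c2-10)
    d=$(ls -ld "$scratch/newdir" | cut -c2-10)
    rm -rf "$scratch"
    printf 'file=%s dir=%s\n' "$f" "$d"
}

# web_perms_after_opening -> simulate public_html created under umask 077 and
# then opened for the web server, which reads your pages as "other".
# Only the bits the server needs are added: r and x on the directory, r on
# the page. A sibling private file is left alone to show it stays closed.
# prints "dir=rwx---r-x file=rw----r-- private=rw-------"
web_perms_after_opening() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        umask 077
        mkdir public_html
        : > public_html/index.html
        : > private_notes                   # not a web page; stays rw-------
        chmod o+rx public_html              # let the server enter and read the directory
        chmod o+r public_html/index.html    # let the server read the page
    )
    d=$(ls -ld "$scratch/public_html" | cut -c2-10)
    f=$(ls -ld "$scratch/public_html/index.html" | cut -c2-10)
    p=$(ls -ld "$scratch/private_notes" | cut -c2-10)
    rm -rf "$scratch"
    printf 'dir=%s file=%s private=%s\n' "$d" "$f" "$p"
}

# Stand-alone run: the three umasks from the Tipsheet, then the web fix.
for m in 022 077 027; do
    printf 'umask %s: %s\n' "$m" "$(perms_under_umask "$m")"
done
web_perms_after_opening
```

Note that "o+rx" and "o+r" add only the bits the server needs rather than resetting the whole mode with "chmod 755"; the group bits stay whatever your umask produced, and files outside public_html are not affected.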
Know What Files and Directories You Have
It is quite important that you pay attention to the files and directories in your account so that you will know if something has changed.
New accounts are given the following files and directories: public_html, local.profile, local.cshrc, local.login, and .profile (this is a hidden file, see Tipsheet Vol. 2, No. 6). When you start to receive mail you will have a file called ".newmail". The history of the commands you type is in ".sh_history" (see Tipsheet Vol. 2, No. 7 for more information on command histories). You should only have a ".forward" file if you are forwarding mail off of Bama to some other system.
Since Unix treats all files and directories whose names start with a period, ".", as hidden, you should occasionally do an "ls -a" to see all the files in your account.
For The Really Paranoid
If you are worried that one of your legitimate executable files might be overwritten by some hacker with a program that does something not nice, you can keep track of the checksum on the file. Two commands are useful for this: "sum" and "cksum". Prefer "cksum", whose CRC-32 output is standardized; "sum" gives different values on different Unix flavors. To use them, type the command name and the file name, as in:
cksum my-executable
where my-executable is the file you want to checksum. Keep the results written down in an alternate location (or hidden somewhere in your file system, although this is not very secure, since anyone who can replace the program can also update the hidden checksum). Bear in mind that a checksum is not a cryptographic hash: it will catch an ordinary replacement, but a careful attacker can pad a replacement file so that it produces the same checksum.
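The following is an added example, not code from the original Tipsheet, showing the checksum procedure above carried through as a small baseline-and-verify routine: record a "cksum" line for each file you care about, and later compare every file against the recorded checksum and size, reporting anything changed or missing. It assumes a POSIX sh with cksum(1) and mktemp(1); the scratch files and the "trojan" replacement are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Tipsheet): a cksum(1) baseline for your
# executables and a verifier that reports changed or missing files.
# Assumes POSIX sh, cksum(1), mktemp(1).
# Caveat: cksum is a CRC-32, not a cryptographic hash. It catches an
# unplanned replacement, but an attacker who knows you rely on it can pad a
# replacement to the same CRC; where sha256sum(1) exists, substitute it
# (and adjust the field parsing, since its output is "hash  path").

# record_baseline FILE... -> one "crc size path" line per file. Save the
# output somewhere the attacker cannot reach (paper, or another account).
record_baseline() {
    cksum "$@"
}

# verify_baseline BASELINE -> prints "CHANGED path" or "MISSING path" for
# each mismatch; returns 0 when everything matches, 1 otherwise
verify_baseline() {
    status=0
    while read -r crc size path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
            status=1
        elif [ "$(cksum "$path" | cut -d' ' -f1,2)" != "$crc $size" ]; then
            printf 'CHANGED %s\n' "$path"
            status=1
        fi
    done < "$1"
    return $status
}

# demo_tamper: build a constructed scratch tree, record it, overwrite one
# "executable" and delete another, then verify. The baseline is kept in the
# scratch directory only for the demo; in real use keep it elsewhere.
# prints "CHANGED good" then "MISSING other"
demo_tamper() {
    scratch=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$scratch/good"
    printf '#!/bin/sh\necho world\n' > "$scratch/other"
    record_baseline "$scratch/good" "$scratch/other" > "$scratch/baseline"
    printf '#!/bin/sh\necho trojan\n' > "$scratch/good"   # simulated replacement
    rm "$scratch/other"                                    # simulated deletion
    verify_baseline "$scratch/baseline" | sed "s|$scratch/||"
    rm -rf "$scratch"
}

demo_tamper
```

In day-to-day use you would run "record_baseline ~/bin/*" once, copy the output somewhere safe, and run "verify_baseline that-file" from a fresh login whenever you suspect trouble; a non-zero exit status is your cue to go to the help desk.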
What To Do If You Suspect Trouble
If you suspect trouble, please immediately change your password, then come to the help desk in person. We'll want to look at your account to see what activity has been going on.
Finally, you should be aware that if you are the source of trouble with other accounts (i.e. using Bama as a base to try attacks at other users or machines) you will be removed as a user.
© 1998, The University of Alabama. The information included here is for the University of Alabama central computing facility as it was configured on the document date. It may or may not apply to other Unix systems.

