Unix/Linux security

Last revision October 28, 2013


Most people who use a Linux operating system on their workstation expect it to function primarily as a client on the network. That is, you will initiate connections outward to other computers and network services, but will not expect others to connect into your workstation.

However, workstation Linux configurations contain a full array of network services, most of which are initially disabled. These services allow you or others to connect to your Linux workstation for various purposes.

Before enabling any network service, consider these recommendations and the restrictions imposed by the Earth Sciences network firewall rules.

| Service | Recommended? | Firewall restrictions |
| --- | --- | --- |
| DHCP or NAT | FORBIDDEN! Never enable these "services". These services turn your workstation into a router that tries to force all other computers on the network to send their traffic through your computer! | |
| File Sharing | Linux distributions contain the Samba file sharing package, or can easily install it. This package implements the Windows network file sharing protocol called the Common Internet File System (CIFS). Before enabling this service, make sure all accounts on your Linux system have strong passwords! Best to share specific folders, not the entire disk. Make sure guest access is disabled. Never enable the FTP protocol - it sends passwords over the network in clear text! Use "sftp" instead (part of "ssh"). | Because of security issues, connections to FTP or SMB are only allowed from the local Earth Sciences network. See "Remote Login" below for sftp restrictions. |
| Remote Login | This refers to ssh (remote command line login) and sftp/scp (remote file transfer) connections to your Linux workstation. These are safe to use if all accounts on your workstation have strong passwords! All ssh connections are fully encrypted. | Earth Sciences firewall allows ssh connections from the entire campus network (use VPN if off-campus). |
| VNC screen sharing | This allows remote viewing or control of your workstation from another computer, as if you were seated in front of the monitor. Reasonably secure. | Earth Sciences firewall allows VNC connections from the entire campus network (use VPN if off-campus). |
| Web Sharing | Turns your Linux workstation into a web server using the Apache system. Not recommended. Introduces numerous security issues. Use the hosting services provided by the School's professionally managed pangea web server instead. | Earth Sciences firewall will not allow web traffic to your Mac. It will only be seen by other computers on Earth Sciences network. |
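The File Sharing advice above (share specific folders, not the entire disk, and keep guest access disabled) can be checked against a Samba configuration before the service is turned on. The following is an added example, not part of the original page: the function name audit_smb_conf and the sample configuration are constructed for illustration, and the parameters checked (guest ok, its synonym public, map to guest, path) are standard smb.conf settings.

```python
import configparser

# Constructed sample smb.conf; share names and paths are illustrative only.
SAMPLE = """
[global]
   workgroup = EXAMPLE
   map to guest = Bad User

[wholedisk]
   path = /
   guest ok = yes

[thesis]
   path = /home/alice/thesis
   valid users = alice
   guest ok = no
"""

TRUE_VALUES = {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return (section, finding) tuples for guest access and whole-disk shares."""
    # smb.conf lines are usually indented; configparser would read indentation
    # as a continuation of the previous value, so strip it first.
    text = "\n".join(line.strip() for line in text.splitlines())
    # interpolation=None keeps smb.conf macros such as %S from raising errors.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if name.lower() == "global":
            # Any value other than "Never" maps some failed logins to guest.
            if sec.get("map to guest", fallback="Never").strip().lower() != "never":
                findings.append((name, "map to guest is enabled"))
            continue
        # "public" is a synonym for "guest ok".
        guest = sec.get("guest ok", fallback=sec.get("public", fallback="no"))
        if guest.strip().lower() in TRUE_VALUES:
            findings.append((name, "guest access allowed"))
        path = sec.get("path", fallback=None)
        # A path that is only slashes exports the root of the filesystem.
        if path is not None and path.strip() and not path.strip().strip("/"):
            findings.append((name, "shares the entire disk"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE):
        print(f"[{section}] {finding}")
```

An empty result means none of these three conditions were found; it does not check password strength or the firewall restrictions in the table.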

Backup and file integrity

No computer is perfect and all computers will eventually fail. Additionally, malware or user error can cause deletion of important files. For that reason, we strongly recommend backing up important files on your computer such as research data, Ph.D. thesis work, or drafts of professional articles.

The Energy Resources Engineering department provides backed up file storage on its servers for all its faculty, staff, and students.

Faculty and staff in other Earth Sciences departments and programs can use the HelpSU web form to request that their primary workstation be backed up on the School's CrashPlan Pro backup server.

Students in any Earth Sciences department or program can use their home share on the sesfs.stanford.edu file server to keep copies of important work. The default 10 Gigabyte disk quota for home shares can be increased upon request of the student's faculty advisor.
