Purdue University

 

 

News / Events

Phase-out of NFS access to DXUL/fortress.rcac

2008-06-27
 
Date: Thu, 26 Jun 2008 20:56:45 -0400

In order to improve its stability and availability, RCAC will be phasing out NFS access to the DXUL archival storage system running on fortress.rcac.purdue.edu over the next 12 months. You have received this letter because our records indicate some of the systems you manage NFS mount this archive. Please take a moment to review the information below, and feel free to forward this note to other system managers you think should know about it. As always, please contact rcac-help@purdue.edu if you have questions or comments.

  • NFS access has been a contributing factor in several unplanned DXUL outages recently, and maintaining an exports list across the entire campus causes system management problems and is not recommended by the DXUL vendor. Additionally, NFS access encourages certain types of user behavior that are incompatible with the archival nature of the system and can cause several serious performance and stability issues.

  • NFS access to DXUL/fortress will be phased out in a tiered approach. RCAC will be discontinuing this access on its systems by December 31, 2008. Access will be phased out across campus by July 1, 2009. By discontinuing access on its systems first, RCAC hopes to find and solve any problems you may encounter when this access is discontinued on your systems later.

  • While not strictly necessary, we encourage you to remove the DXUL shares from your fstab or automount maps prior to July 1, 2009. On that date, we will stop exporting this share and any remaining client mount entries will no longer work.

  • Access to DXUL will remain available from your machines, just not via the NFS protocol. All other protocols used for accessing DXUL (e.g. scp and sftp) will continue to be available.

  • RCAC will develop and distribute tools as needed to ease the transition from NFS access to other protocols while maintaining both ease of use from automated or non-interactive jobs and optimal functionality and performance. Please send comments or suggestions about tools that might be needed to rcac-help@purdue.edu.

 
 

Cluster Reminder

2006-04-18
 
This is just a reminder that Amdahl (node1) is NOT to be used for interactive sessions. There is a dedicated node, node4, for that.

Amdahl has recently been subject to memory overutilization (forcing a reboot) because of this.

 
 

Important Security Notice for users of X-Windows

2006-03-16
 
The following is a recent security notice from ITaP.  

PCN takes these notices very seriously and will be implementing ITaP-recommended changes
as quickly as possible.  Users of X-Windows (including Hummingbird users) are advised to 
immediately discontinue forwarding unencrypted X sessions and verify host access controls are not 
overly permissive.

To securely forward X sessions, follow the directions for configuring Hummingbird Exceed 
and ssh at the following link:  
https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20030911153407


==========================================================================


Continued Eavesdropping Threat to X-Windows Users

**** NOTICE ****
This is an updated republication of ITSP Advisory ITSP-2006-011301
originally released on January 13th, 2006.  The advisory is being reissued
because the activity described in the advisory continues to be observed by the
STEAM-CIRT.
****************

==OVERVIEW==

Users running X-Windows server software with improperly configured
access controls are at risk of malicious users snooping their X-Windows
sessions and obtaining sensitive information such as account passwords.

This activity is on-going and has been observed on the Purdue University
West Lafayette campus network.

==SYSTEMS AFFECTED==

Any system running an X-Windows server which is configured to allow connections 
from any host.  This includes Microsoft Windows systems running Exceed Hummingbird
or the Cygwin X11 server, as well as UNIX hosts running an X11 server.   

==DETAILS==

Users using X-Windows servers that were configured to allow any remote user to 
connect to their X server may have exposed or are at risk of exposing sensitive 
or restricted information including personal sensitive information such as
passwords.  Attackers that connect to such misconfigured X-Windows servers
can:
 
  * Control a remote X session
  * Read keyboard strokes and/or
  * Read all X session screen contents

==SOLUTIONS==

Information on properly configuring Exceed Hummingbird can be found at:

https://engineering.purdue.edu/ECN/Resources/KnowledgeBase/Docs/20030911153407

X-Windows servers should be properly configured to deny access to unauthorized
hosts.  On UNIX systems, this can be done with the xhost[1] and xauth[2] commands.  
It is also recommended that all X-Windows servers be configured to not listen on a 
public interface, if remote connectivity is not needed.  STEAM-CIRT also encourages
the use of SSH X-forwarding for remote X sessions.

[1] http://www.die.net/doc/linux/man/man1/xhost.1.html
[2] http://www.die.net/doc/linux/man/man1/xauth.1.html


Note: Operation of these commands may differ based on version, vendor, or OS 
distribution.  Consult your local man pages for proper usage information.

If remote access is required, firewalls should be configured to restrict remote 
access to the X-Windows server to only known hosts or a restricted subset of 
networks as appropriate.

==FURTHER INFORMATION AND RESOURCES==

X11 SSH forwarding:
http://tldp.org/HOWTO/XDMCP-HOWTO/ssh.html

Further information on X authentication:

http://pangea.stanford.edu/computerinfo/unix/xterminal/xauthentication.html
http://ciac.llnl.gov/ciac/documents/ciac2316.html

==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to: 
  itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
  http://www.purdue.edu/securePurdue/incidentReportForm.cfm
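
The checks the advisory's SOLUTIONS section asks for (host access control not left open, X server not listening on a public interface) can be scripted on a UNIX host. The following is an added example, not part of the ITaP advisory; it assumes the status strings printed by the X.Org `xhost` client and the column layout of Linux `ss -ltn`, and the sample inputs and the host name `labhost.example.edu` are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Sample data below is constructed.

# Print "open" if `xhost` output on stdin shows access control disabled
# (any host may connect), otherwise "restricted".
xhost_status() {
    if grep -q '^access control disabled'; then echo open; else echo restricted; fi
}

# Print xhost entries that grant access to a remote host or family, skipping
# the status line and per-user local entries (SI:localuser:, LOCAL:).
xhost_remote_entries() {
    awk 'NF && $0 !~ /^access control/ && $0 !~ /^SI:localuser:/ && $0 !~ /^LOCAL:/'
}

# Print X11 TCP listeners (ports 6000-6063, i.e. displays :0-:63, an assumed
# range) from `ss -ltn` output on stdin that are not bound to loopback.
x11_public_listeners() {
    awk '$1 == "LISTEN" {
        host = $4; sub(/:[0-9]+$/, "", host)
        port = $4; sub(/.*:/, "", port); port += 0
        if (port >= 6000 && port <= 6063 && host !~ /^127\./ && host != "[::1]")
            print $4
    }'
}

# Constructed sample inputs.
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_OK='access control enabled, only authorized clients can connect
SI:localuser:alice
INET:labhost.example.edu'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:6000       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Demo on the samples; on a real host pipe `xhost` and `ss -ltn` in instead.
echo "xhost (open sample):  $(printf '%s\n' "$SAMPLE_XHOST_OPEN" | xhost_status)"
echo "xhost (ok sample):    $(printf '%s\n' "$SAMPLE_XHOST_OK" | xhost_status)"
echo "remote host entries:  $(printf '%s\n' "$SAMPLE_XHOST_OK" | xhost_remote_entries)"
echo "public X11 listeners: $(printf '%s\n' "$SAMPLE_SS" | x11_public_listeners)"
```

A loopback listener such as `127.0.0.1:6010` is what SSH X-forwarding creates on the remote side and is not flagged; any address printed by `x11_public_listeners` should either be closed or restricted by firewall as the advisory describes.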
 
 

Macintosh Support for MacOS < 10 ended!

2005-05-13
 
On June 15, 2005, all support for MacOS 9 or older has been ended. All user desktops still running MacOS 9 will either be upgraded or replaced with Windows PCs by that date. Apple File Protocol (AFP, “AppleTalk”) access to PCN fileservers will be turned off, as will AppleTalk access to PCN printers.
 
 

POP3 Support Ended

2005-05-13
 
On June 20, unencrypted POP3 access to mail on mail.physics.purdue.edu will be disabled. Users of the mail.physics.purdue.edu mail server who retrieve their mail with POP3 should convert their mail reader to use the encrypted IMAP server rather than POP3.

Instructions on configuring IMAP mail can be found on the WWW at http://www.physics.purdue.edu/PCN/olddoc/email/mozilla/.

 
 

Copyright © 2003, Purdue University, all rights reserved. An equal access/equal opportunity university.