Note about security

By: Richard Glaser - Revised: 2006-06-07 devin

A short note about Security
Note: this is by no means a complete list of ways to protect your server!

Lock your Server in a Secure Room
No one should have physical access to a server. If someone else has physical access to a server, then forget about trying to make the server secure; you will not be able to.
    
Firewall
Set up a firewall to protect your intranet and servers.

Disable ClearText logins on the Clients
See below for instructions on how to create an AppleShare client that does not support cleartext, then PUT IT ON ALL of your workstations. This is not a perfect solution, but it will at least make it harder for hackers/crackers. Here is a good example from Ron Chmara on how to use clear text to get passwords.
    
"Scout Out Site
Set up a linux laptop with netatalk, and sniffers on the wire. Find out the name of the ASIP server (Appleshare is silly enough to _broadcast_ the name to all askers. Feature is Security Hole. Sheesh.) Set up laptop with same name as server, same IP as server. Find unobtrusive way of jacking into the LAN, an easy thing to do in a computer lab, or a "wired" school... they seem to have lots of "live" jacks. If necessary, just use computer lab machine jack, keep laptop in backpack, and pretend to be working. For offsite work, just put it in the ceiling to "bug" the LAN.
      
Denial of Service Attack
Perform standard denial of service attack on server, anything to overload it or crash it. These are network security holes, so there's not much you can do about 'em. ICMP the bugger to death, SYN it into silence, whatever's fashionable this week. This should be timed right before a new class/lab session, for maximum effect.
      
As users initially try to connect via aliases, and fail, some will go to the Chooser. They will select the "ASIP" server name, which, unfortunately, is now a netatalk server, which *doesn't support* randnum. Which means it's now open season, as every password used to connect to the fake server is passed in cleartext. To the sniffer. If I'm lucky, even the admin will try to log in remotely, if not the first time, maybe the second or third (to keep from having to walk back to the server room)."
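Added example (not part of the original note, and not Ron Chmara's): a small Python detector for the "Disable ClearText logins" item above. It inspects AFP-over-TCP (DSI) requests and flags FPLogin attempts that negotiate a cleartext UAM, which is exactly the traffic the scenario above relies on, so a defender can watch for clients that still use it. The DSI header layout, command codes and UAM names follow Apple's AFP specification; the `build_fplogin` helper only constructs sample packets for the demonstration.

```python
import struct

# AFP UAM (User Authentication Method) names as defined in Apple's AFP spec.
CLEARTEXT_UAMS = {"No User Authent", "Cleartxt Passwrd"}
CHALLENGE_UAMS = {"Randnum Exchange", "2-Way Randnum Exchange", "DHCAST128", "DHX2"}
DSI_COMMAND = 2    # DSI command code that carries an AFP request
AFP_FPLOGIN = 18   # AFP command code for FPLogin


def pascal_string(buf, offset):
    """Read a length-prefixed (Pascal) string; return (text, next_offset)."""
    end = offset + 1 + buf[offset]
    if end > len(buf):
        raise ValueError("truncated Pascal string")
    return buf[offset + 1:end].decode("ascii", "replace"), end


def classify_dsi_request(packet):
    """Describe the FPLogin carried by a DSI request, or None if it is not one.

    DSI header (16 bytes): flags(1) command(1) request id(2) data offset(4)
    data length(4) reserved(4); the AFP command payload follows.
    """
    if len(packet) < 16:
        return None
    flags, command, _rid, _off, data_len, _res = struct.unpack(">BBHIII", packet[:16])
    if flags != 0 or command != DSI_COMMAND:
        return None                       # reply, tickle, status probe, etc.
    payload = packet[16:16 + data_len]
    if not payload or payload[0] != AFP_FPLOGIN:
        return None
    afp_version, pos = pascal_string(payload, 1)
    uam, _ = pascal_string(payload, pos)
    return {"afp_version": afp_version, "uam": uam,
            "cleartext": uam in CLEARTEXT_UAMS,
            "challenge_response": uam in CHALLENGE_UAMS}


def build_fplogin(afp_version, uam, user):
    """Construct a minimal DSI/FPLogin request (sample data for testing only)."""
    body = bytes([AFP_FPLOGIN])
    for field in (afp_version, uam, user):
        body += bytes([len(field)]) + field.encode("ascii")
    return struct.pack(">BBHIII", 0, DSI_COMMAND, 1, 0, len(body), 0) + body


if __name__ == "__main__":
    for uam in ("Cleartxt Passwrd", "Randnum Exchange"):
        print(uam, "->", classify_dsi_request(build_fplogin("AFP2.2", uam, "admin")))
```

Feed `classify_dsi_request` the TCP payloads of port 548 traffic from a capture; any result with `cleartext` set identifies a workstation whose client still needs the cleartext-free AppleShare client installed.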