Campus Linux Offerings

So you want to put Linux on a box. You need to be aware that Linux is a powerful networked operating system, and if it is improperly configured and maintained, hackers may be able to take over your Linux box and either destroy your data or launch attacks on other systems. Therefore, it would behoove you to give some consideration to the following items.

  1. Physics Computing Services, through OIT's Glue Project, is willing to install and maintain Glued Red Hat Enterprise Edition Linux on university-owned machines in the department. Currently, only single-boot installs are really supported, but we are working on a supported dual Windows/Linux boot solution. Only desktops are supported, as Glued boxes require network connectivity to campus machines to function properly.

    Your box will behave similarly to the departmental login boxes, and will seamlessly integrate with your departmentally supplied Glue homespace. PCS and/or OIT will take care of all security-related issues, including maintaining the machine at appropriate patch levels, and will assist with any problems. Unfortunately, we can only take limited responsibility for supporting every hardware device, as most desktops are not certified to run with Linux and may contain hardware which simply is not supported under Linux (you would face these issues regardless of who supported your box). PCS/OIT will also ensure that standard Glue applications work on the system.

    Because the Glued linux image is based on Red Hat Enterprise Edition WS, there is an annual licensing fee of $50/machine which we must pass on to you or your research group. This is the standard academic rate for RHEL WS. On top of the packages supported by RHEL WS, Glue manually maintains a number of packages which would normally be found in AS. Because these are manually maintained, the additional $50/machine/year for AS is not required.

  2. If you do not opt to go with the PCS-supported Linux described above, please be sure that you are running a version of Linux that is supported by some group which makes at least security-related patches for the system available whenever security issues are uncovered. This generally means fairly recent versions of whatever distribution you choose. E.g., Red Hat Linux versions 7.x, 8.x, and 9 are basically no longer supported by anyone. Also make sure that all of your systems obtain and automatically (or at least very regularly) apply these updates. Timely and proper application of security patches is essential for the security of your machine and in turn the departmental network.

    For Red Hat users, there is a special academic license for Red Hat Enterprise Linux, which only costs $25/year/machine for the desktop edition, and $50/year/machine for the workstation (WS) and advanced server (AS) editions. In addition, campus has a proxy server for the RHN up2date server, which allows for faster updates over the campus LAN. See campus software licensing's page on ordering RHEL academic versions, and for information about using the campus proxy server.

    SUSE Linux is now owned by Novell, and apparently is covered under some of the existing Academic Licensing Agreements campus has with Novell (which were mainly to cover Netware). I believe some access to an update subscription service is available through this for free or a modest cost, but PCS does not have details on this at this time. Also note that campus ALAs with Novell are somewhat in flux, so pricing may change. Please contact PCS and/or campus Office of Software Licensing for more information.

    I believe all other major Linux distributions also have some sort of patch/update service, some for free, some for a charge. You should investigate what is offered and how to set it up for the distribution you choose. NOTE: The departmental network gets scanned multiple times every day by people probing for security holes. An unpatched Linux system will eventually get broken into. Recall that under the campus Acceptable Use Guidelines, you are responsible for all network activity originating from your data jack.

  3. Every network-accessible service you run on your system is a potential entryway for a hacker. Although there are at times valid reasons for running services on your desktop, most of the time this is a bad idea and you are better off contacting Physics Computing Services for information regarding departmentally offered services. In addition to the security implications, there are often reliability and longevity issues as well. For example, while it might be cool to run your own mail server on your desktop, email is becoming increasingly critical, and changing email addresses (and getting everyone who corresponds with you to use the new address) is difficult at best. What will happen when you leave this campus and someone else takes over your desktop and/or IP address? PCS spends a lot of effort to ensure continued validity of supported email domains long after the original equipment is gone, which you are unlikely to get on do-it-yourself systems. So turn off all non-essential services on your systems, and reconsider whether the essential services really are essential or if you would be better served using departmental services. Most modern Linux distributions now do a reasonable job of not turning needless services on, but you should verify.

  4. The recent Linux kernels (2.4 and above) have a nice, stateful firewall available. Although firewalls should not be relied on to provide security, it is good to have fairly tight firewall rules, as this provides some protection and in particular can protect against some mistakes elsewhere in your system configuration. E.g., a firewall blocking port 80 may protect you if you accidentally started up a web server without meaning to. Some tips on configuring firewalls under Linux.
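
As an added illustration of items 3 and 4 (not part of the original page and not PCS's own configuration), the script below lists TCP services reachable from the network that you did not intend to offer, and prints a default-deny stateful iptables ruleset. The variable ALLOWED_TCP, the function names and the sample `ss` output are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). ALLOWED_TCP is an assumption:
# the inbound TCP ports you deliberately offer from this desktop.
ALLOWED_TCP="${ALLOWED_TCP:-22}"

# Constructed sample of `ss -H -tln` output (listening TCP sockets, no header).
sample_ss() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 64 [::1]:631 [::]:*
EOF
}

# Item 3: read `ss -H -tln` lines on stdin and print every port that is
# reachable from the network (not loopback-only) and not in ALLOWED_TCP.
unexpected_listeners() {
    awk -v allowed="$ALLOWED_TCP" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)  # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print port
        }' | sort -un
}

# Item 4: default-deny stateful inbound policy. Prints the commands unless
# IPT=iptables is set (run as root). Kernels without the conntrack match
# use "-m state --state" instead.
firewall_rules() {
    ipt="${IPT:-echo iptables}"
    $ipt -P FORWARD DROP
    $ipt -F INPUT
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $ALLOWED_TCP; do
        $ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    $ipt -P INPUT DROP   # set last: accept rules exist before the default becomes DROP
}

sample_ss | unexpected_listeners   # live system: ss -H -tln | unexpected_listeners
firewall_rules
```

On the sample data the audit reports port 80, the accidentally started web server from item 4, while the generated ruleset opens only port 22 and so keeps that server unreachable until it is turned off.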