OPAC security info needed

Peter Murray pem at po.cwru.edu
Sun Jun 8 17:11:46 EDT 1997 

On Sun, 8 Jun 1997 11:46:11 -0700 martin at awod.com (Tom Martin) wrote:
> What sorts of OPAC security measures do libraries implement? Are they
> different in small, medium and large library systems?
> Any war stories of system break-ins?

Here are some comments from a medium-sized academic library system...

Our OPAC system runs under UNIX, so I try to keep up with the latest
security patches from the operating system vendor for critical pieces of
software.  Other times (for example, 'sendmail', the most common UNIX Mail
Transport Agent), I replace the operating system vendor's version with the
latest one off of the net because that is the one that is usually the most
up-to-date and bug free.  At one point I wrote a "/bin/login" replacement
for our OPAC system that implemented by-IP-address security and automatic
logins (no "login:" prompt); our library automation vendor has since
incorporated similar features into their main product.  

For these local changes it is important to keep a log of what you have done
to take your system from the stock configuration so that you or perhaps
your replacement in the future can duplicate what you have done.

Also critical is good logging.  We had an incident earlier this year where
a campus PC generated 83 telnet connections to our OPAC in the span of two
minutes.  We were able to determine the IP address of the machine and using
the network limiting tool supplied by the library system vendor disable
access to our OPAC from that IP address to minimize the impact to other
OPAC users.

It is also important to be very security aware when writing software that
the public will be using.  Today that typically means web servers and CGI
scripts, so one important document to become familiar with is "The World
Wide Web Security FAQ" at

  http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

so that you don't open up your system to problems by the web software you
put in place.

Beyond that, I watch a few security-related mailing list
(BUGTRAQ at NETSPACE.ORG being the most interested but also the lowest
signal-to-noise ratio at times) to keep tabs on new threats.


Peter
--
Peter Murray, Library Systems Manager                      pem at po.cwru.edu
Digital Media Services                   http://www.cwru.edu/home/pem.html
Case Western Reserve University, Cleveland, Ohio            W:216-368-5888

More information about the Web4lib mailing list