Local area network

1 LAN: basic information
The computer network of the Department of Informatics and the Institute of Physics is an element of the municipal network called TORMAN.

1.1 Administrators

  • Paweł Binnebesel (email: lan, phone: 3265) is responsible for the supervision and maintenance of:
    1. the functioning of the local computer network,
    2. character and graphic terminals,
    3. computers in classrooms and labs.
    He also helps with the installation and configuration of Windows computers (their connection to the LAN, anti-virus installation, firewall configuration, etc.).
  • Norbert Jankowski (phone: 3307), Jacek Kobus (phone: 3266) (email: operator, lan) are responsible for:
    1. server maintenance and services (e-mail, WWW, ftp, DHCP, DNS, samba, firewall, databases, MySQL)
    2. student and staff e-mail accounts
    3. administration, maintenance and development of the local network (decisions on the placement of new connections)
    4. installation and maintenance of software
    5. administration of the LAN - TORMAN connection (the Internet)

1.2 Change of password

Faculty and doctoral students
To change your password, go to http://www.fizyka.umk.pl/passwd. Passwords on our Faculty servers are updated four times a day (at 2 a.m., 8 a.m., 2 p.m. and 8 p.m.).
Students
To change your password, you need a special WWW form. Student passwords on our Faculty servers are updated once a day (at 2 a.m.).

1.3 Student access to the Faculty of Physics account

Since 2006/2007 student accounts on our servers have been linked to the general NCU student accounts; they are not independent. In order to have access to our servers, you must have a general university account open. To do this, use the special WWW form at Zakładanie konta (account creation). As a result, you will have an account on the main university server and another on our local server (your username and password remain the same).

1.4 Access to LAN resources (OpenVPN, Eduroam, IFKIS)

For security reasons, access to LAN servers (general and workgroup) is limited through a special configuration of the access router. However, there are two ways of accessing the servers from outside the LAN.

  1. Access from a given PC via OpenVPN 

    Note! This service is available only to staff and doctoral students of the Faculty of Physics, Astronomy and Informatics; students have limited access to it (see below).

    The easiest access to LAN resources is through OpenVPN on the hel server, which provides a so-called virtual private network, a safe connection from outside. After registration, a user of a desktop or laptop computer receives and installs a special program together with a certificate. This certificate is needed to authorize a connection from anywhere on the Internet. Once the connection is established, the home PC has the same access rights as any computer physically connected to our LAN. To learn more about this service or its software / hardware requirements, go to OpenVPN-HOWTO. A certificate is indispensable; therefore, contact the administrator (email: lan) to obtain one.

  2. Radio network access

    Since April 2005 NCU has had a wireless network (Eduroam), which gives authorized users Internet access from a number of educational institutions worldwide. In the Institute of Physics building there are some hotspots, which means that Internet access is limited to certain places. Staff need to have a special certificate installed (http://eduroam.umk.pl/pracownicy/instalacja/). Students gain access using their local server usernames and passwords (http://eduroam.umk.pl/studenci/instalacja/). To learn more about access and hardware configuration, go to www.umk.pl/eduroam.

    An Eduroam connection gives unlimited access to the Internet, but it does not permit access to local LAN resources, with two exceptions: the www.fizyka.umk.pl server and one's own account on the ameryk server. Wider access is possible with a special certificate and the OpenVPN system installed (see above). Unfortunately, not all WiFi cards in portable computers support the authorization method required by Eduroam, so an Internet connection will not always be possible.

    Working on the Eduroam hardware, another network called IFKIS was opened as a test. IFKIS gives access to the LAN and the Internet if the OpenVPN system is used after a special certificate has been obtained. Staff can get this certificate by sending a message to the lan address (see above). Students have to sign a form (OpenVPN-form) and leave it in the Dean's office; in return they will get a six-month certificate together with a configuration file for the OpenVPN service (for Linux and Windows), which will be put into the openvpn subdirectory of the user's home directory. The OpenVPN student certificate makes it possible to connect to chosen local servers through the IFKIS or Eduroam networks (in the case of the latter, from anywhere on the campus), but it does not allow access to the LAN from any location in the world.

    Because of the variety of software and hardware types available, the administrators cannot help with driver installation, card configuration or testing; each user is responsible for them. After you have installed the OpenVPN client (see OpenVPN-HOWTO), in order to connect to IFKIS you have to:

    • For Windows
      • from among the available radio networks choose IFKIS network
      • run OpenVPN system client
    • For Linux
      • from among the available radio networks choose the IFKIS network (iwconfig wlan0 essid IFKIS)
      • obtain the IP address from DHCP server (/sbin/dhclient wlan0)
      • run OpenVPN system connection (/etc/openvpn/rc.vpn)
  3. Modem access

    Connecting to the Internet through, for instance, the TP SA phone company (dial 0-202122), you can only connect to the ameryk server (158.75.5.43) using ssh (scp) and check your mail using ameryk as a POP3 server. Sending mail is possible only through another e-mail server (this service is provided by portals like wp, onet or interia). Information on modem Internet access in PPP mode can be obtained from the TORMAN WWW pages (PC configuration for PPP connections). TP SA-provided modem access is also described on the TPNET WWW pages (Dostęp komutowany do sieci TPNET, dial-up access to the TPNET network). If after logging in there is a problem with cursor movement, check the term environment variable, which should be equal to vt100. To change it, type: set term=vt100.

    Windows system users: please note! To log in and to send files use putty or winscp3 (or pscp) (see above).

1.5 A new computer (a new network card) registration and configuration

A new computer can be connected to the network on condition that it is given an individual IP number. To register a computer, send to the lan address information on where it is located, who administers it, and the hardware address of its network card (the so-called MAC address, written in the format 1A:60:19:07:1A:F0). A change of network card should always be reported, with the computer's IP and the new MAC address. This information is necessary to update the DHCP server database, which makes configuring the computer simpler. Once registered, configure your computer so that network settings are obtained automatically from the DHCP server (these include the IP address, the gateway address and the addresses of the domain name servers).

1.6 Servers and services

  • mail.fizyka.umk.pl: e-mail server (SMTP, POP3, IMAP3)
  • www.fizyka.umk.pl: WWW server
  • samba.fizyka.umk.pl: samba server
  • application servers: ferm, nobel, tor and uran. All Institute of Physics and Department of Informatics staff, all doctoral students and all students of the entire Faculty have access to these servers. After logging on to any of these machines a user gets access to his or her home directory.
  • ameryk.fizyka.umk.pl: access server (ssh and POP3)

    ameryk plays the role of an access server, which means that people with access to the application servers can log on via ssh (or clients like putty for Windows) from anywhere in the world. To send files, use scp (pscp for Windows users). The ameryk server gives access only to one's own home directory; e-mail services can be used only after logging in. It is also possible to fetch e-mail using the POP3 protocol. It is not possible to log on from this server to any LAN machine, nor is it accessible from inside the LAN.

Our LAN is connected to TORMAN by a 1 Gb/s link. The network hardware works in the 10/100/1000 Mb/s standard. The flawless functioning of a network with 400 hosts requires discipline in its growth and in connecting new computers. That is why any decision regarding a change to or the growth of the LAN must be discussed with the administrators and approved by them before it is implemented.

1.7 Antivirus software

Our Faculty is allowed to use the BitDefender antivirus software. The license conditions stipulate that it may ONLY be installed on university computers. To install BitDefender Professional Plus go to:

https://netsecure.az.pl/windows/desktop/professional/final/pl/bitdefender_prof_v9.exe

or

http://download.bitdefender.com/windows/desktop/professional/final/pl/bitdefender_prof_v9.exe

After installation, you will see a window informing you of a limited period of use, so click the [Rejestracja] (registration) button (lower right corner of the window) and type in the key once you have received it from the administrator. The key can also be entered later (after you run the program, click: [Ogólne] -> [Rejestracja] tab -> link Wprowadź nowy klucz... (enter new key)).

Note 1: When you install this program, it will suggest that each time a virus is found a report should be sent to the company. To turn this off, click: [Ogólne] (General) --> [Ustawienia] (Settings) tab --> un-check {Wyślij raport o wirusach} (send virus report).

Note 2: This program has its own firewall, which seems to be better than the Windows firewall; it is recommended that the latter be deactivated: [Panel sterowania] (Control Panel) --> [Zapora systemu Windows] (Windows Firewall) --> [Ogólne] (General) tab --> select {Wyłącz (nie zalecane)} (Off (not recommended)).

2 Network and server rules and regulations

Institute of Physics and Department of Informatics LAN and its computers serve research and study purposes of 1200 people. To provide everyone with access, error-free functioning and the required security level of the system, the following regulations are introduced (also compatible with NCU general computer regulations).

2.1 Regulations and recommendations

A user is not allowed to:

  • Install, run, keep or make available programs or files which would violate license conditions or copyrights. This relates primarily to peer-to-peer software designed to exchange copyright-protected audio/video files.
  • Install, run, keep or make available programs or files which would compromise the security of computer networks, systems or users. This relates primarily to malware: computer viruses, Trojan horses, exploits, or network traffic monitoring software.
  • Run password cracking software or use procedures the purpose of which is to eavesdrop, spy or capture information or violate the privacy of system resources (see below).
  • Run programs that could disturb or make impossible the correct functioning of computer systems and the local or wider area networks.
  • Connect network devices to LAN, including stationary computers or laptops, without registering them.
  • Spam or mass-mail other users.
  • Use servers in order to promote goods and business services, political causes or to disseminate obscene or vulgar content, insulting to the third party or infringing on anybody’s moral rights (this relates primarily to the contents of WWW pages).
  • Make available your account to unauthorized people.
  • Attempt to use a third party account to try to gain access to restricted resources.
  • Change the configuration of computers that are used as public access terminals or classroom equipment. Install on them any private, unauthorized software.
  • Run tasks that are very time consuming. Any time consuming task should be given a low priority; use nice +19 command.

    If a task has been initiated with a default priority, this can be changed by a snice +19 command.

Disregard for the above-mentioned rules will result in the immediate loss of access to a server and further disciplinary sanctions. Each case of rule violation will be reported to the Faculty dean.

2.2 Password choice and change

In order to protect an individual user’s data and the entire system, you MUST use a password that is difficult to guess. Creating a password, you should avoid: 

  • popular names,
  • common nouns,
  • digits placed only at the beginning or the end of a password,
  • names associated with the location of your account.

A password has to have at least nine characters, including at least one capital letter and at least one digit or special character (@ ! , : ; " ...).

Creating a password, you should use:

  • digits mixed with letters,
  • capital and small letters,
  • low frequency words.
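
The rules above, as an added policy checker (example code, not the Faculty's own password tooling); the forbidden-word list is a small constructed stand-in for the "popular names" and "names associated with the location of your account" that the policy describes:

```python
import string

MIN_LENGTH = 9
# The policy lists @ ! , : ; " ... as special characters; assumption: any
# other ASCII punctuation counts as special too.
SPECIALS = set(string.punctuation)

# Constructed stand-in for "popular names, common nouns and names associated
# with the location of your account"; a real deployment would load a dictionary.
FORBIDDEN_WORDS = ("fizyka", "umk", "torun", "ameryk", "haslo", "password", "anna", "jan")


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations for pw (an empty list means acceptable).

    Encodes the Faculty rules: at least nine characters, at least one capital
    letter, at least one digit or special character, capital and small letters,
    digits mixed with letters rather than only at the start or end, and no
    well-known or local names.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.islower() for c in pw):
        problems.append("no small letter")
    if not any(c.isdigit() or c in SPECIALS for c in pw):
        problems.append("no digit or special character")
    # "Digits placed only at the beginning or the end": once leading and
    # trailing digits are stripped, no digit remains in the core.
    core = pw.strip(string.digits)
    if any(c.isdigit() for c in pw) and not any(c.isdigit() for c in core):
        problems.append("digits only at the beginning or end")
    low = pw.lower()
    for word in FORBIDDEN_WORDS:
        if word in low:
            problems.append(f"contains the word '{word}'")
    return problems
```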

2.3 Available disk space

Because of limited disk space and the high number of users, you need to use it wisely. If a large amount of data needs to be kept for a longer period of time, /tmp space should be used. For students' accounts there is a soft limit of 100 MB in the home directory and a hard limit of 120 MB. You should check and prune your e-mail by archiving messages in your home directory so that the in-box does not exceed 10 MB (to check how big your in-box is, use ls -la /var/spool/mail/userid, where userid is your username). When you constantly exceed the limit, your in-box content will be compressed and moved to the ~/Mail subdirectory. The contents of e-mail in-boxes and home directories are archived daily: when lost, they can be retrieved. Because no system is 100% dependable, it is recommended that you archive your vital data yourself. The system administrator cannot be held responsible for any potential data loss.

3 Electronic mail

The system has been configured in such a way that the correct e-mail address is <username>@fizyka.umk.pl, for example abc@fizyka.umk.pl. This means that an address disclosing the name of a server, like <username>@ferm.umk.pl, is not valid. When you use it, most probably you will never receive an answer to your letter. When sending a letter to somebody who has an account on the same server, it is enough to write that person's username only. Each user can access his or her mailbox in a number of ways:

  • Unix/Linux console (pine, mutt)
  • SMTP, POP3, IMAP (Outlook (Express), Evolution, etc.)
  • WWW interface: poczta.umk.pl/horde2/imp

Periodically, mailboxes are cleaned and messages older than 2 months are moved to a separate letter file. This file is available on Faculty servers in ~/Mail/mail/INBOX-ARCH. This box is available also through IMAP service; for instance, it can be seen as a separate folder (INBOX-ARCH) in the poczta.umk.pl/horde2/imp service. It is possible to move messages freely between the current INBOX and the archive (INBOX-ARCH).

Text-only access to e-mail on Faculty servers

For e-mail there are pine and mutt, whose configuration files are /etc/pine.conf and /etc/Muttrc respectively. To change the default settings, place them in the local configuration files ~/.pinerc and ~/.muttrc. Windows system users can log on using putty.

E-mail access through Outlook (Express), Evolution, etc.

Working in the LAN, you can use the e-mail service without having to log on to a server. You can send and receive mail using any e-mail program, like Mozilla-mail or Outlook Express. To configure it, use mail.fizyka.umk.pl as the POP3 server (incoming mail) and as the SMTP server (outgoing mail). The mailbox can also be accessed with the IMAP protocol (server mail.fizyka.umk.pl). Our e-mail server requires that the client-server connection be encrypted (for both POP3 and IMAP). That is why in client programs like Thunderbird, Outlook (Express) and others you must choose secure connections:

  • Mozilla/Netscape:

    Tools - Account Settings - Server Settings; choose: Use secure connection (SSL)

  • Thunderbird / Polish version:

    Narzędzia - Konfiguracja kont - Konfiguracja serwera; choose the option: Używaj bezpiecznego połączenia (SSL) (use secure connection (SSL))

  • Outlook Express

    Narzędzia - Konta - Właściwości - Zaawansowane; choose: Ten serwer wymaga bezpiecznego połączenia (Tools > Accounts > Properties > Advanced > This server requires a secure connection)

  • Outlook (Office)

    Narzędzia - Konta e-mail - Wyświetl lub zmień - <choose your account and click Zmień> - Więcej ustawień - Zaawansowane (Tools > E-mail accounts > View or change > (choose your account and click Change) > More settings > Advanced). For Serwer przychodzący (POP/IMAP) (incoming server) choose: Ten serwer wymaga zaszyfrowanego połączenia (this server requires an encrypted connection)

When you fetch your mail for the first time, you must accept the server certificate. The mail.fizyka.umk.pl server certificate is signed by the NCU certificate authority, so it is a good idea to download, accept and install the NCU CA certificate (to do this go to http://www.umk.pl/cert.php).

3.1 WWW e-mail

You can use e-mail using a network browser. Go to poczta.umk.pl/horde2/imp, choose IMAP and log on @fizyka.umk.pl staff server or @fizyka.umk.pl student server.

3.2 Re-directing mail

3.2.1 ~/.procmailrc file

To redirect e-mail, use the procmail program. This is necessary for forwarded e-mail to reach servers requiring SPF authorization (like wp.pl). To use it, create a .procmailrc file in your home directory with the following content:

:0 c
* !^FROM_DAEMON
! foo@domain

where foo@domain is the address to which the letter is to be delivered. A copy will be kept in your mailbox on the faculty server.

When you remove the letter 'c' from the first line above, no copy will be left in your local mailbox.

3.2.2 ~/.forward file

To forward your mail while keeping a copy on the server, use the ~/.forward file, in which you should put the following two lines:

\user's_username_on_server
the_other_e-mail_address

Note that the first character in the first line is a backslash.

3.3 How to deal with spam?

Recently everyone has had a problem with the growing amount of spam, unwanted e-mail messages that reach our mailboxes daily. That is why our e-mail server runs the spamassassin software. It reads the subject line and the content of each letter and, using a set of sophisticated rules, decides whether or not it is spam. If a message is categorized as spam, it reaches the mailbox with a modified subject line: Subject: {Spam?} .... This makes it possible to remove spam from the main mailbox and move it to a separate file. How to do this?

Method 1 (for nobel or ferm mail server users)

In order to send all mail classified as spam to a separate file, create a special file ~/.procmailrc using an editor. This file is to contain the following 4 lines:

MAILDIR=$HOME/Mail
:0
* ^Subject: \{Spam\?\}
Mail/SPAMY

The same can be achieved typing this:

cd; cp /etc/skel/.procmailrc .
(note the full stop at the end; it does matter!)

If your mail is kept in a different directory, like mail, you need to modify the .procmailrc file accordingly.

Method 2 (for users of Outlook Express or any other analogous program)

Outlook Express makes it possible to filter messages coming from a POP server according to the Subject field. This has to be activated in order to send messages marked Spam? to a separate folder. Outlook Express (OE) also allows IMAP connections with e-mail servers (when you set up your e-mail account, indicate that mail.fizyka.umk.pl is the incoming mail server and that the IMAP protocol (instead of POP) is to be used). When you have configured your OE account, go to Narzędzia-Konta-Właściwości-IMAP. Under "Foldery", in the field "Ścieżka folderu głównego" (root folder path), type mail (no inverted commas). When you connect to the server there is no automatic transfer of messages onto your PC, but Outlook Express lets you browse the mailbox, remove messages and download the selected letters. It is also possible to browse other mailboxes from the home directory (or any other subdirectory selected in the IMAP tab, Narzędzia-Konto-Właściwości-IMAP). Mail/SPAMY can be browsed if the Mail directory is indicated as an extra place for viewing e-mail; this is where spam collects if you proceed according to Method 1 above. The antispam system is not completely dependable: sometimes legitimate messages get classified as spam. That is why it is recommended that the Mail/SPAMY contents be checked for good e-mail from time to time. Conversely, sometimes clear spam messages do not score enough penalty points and get through.

Method 3 (for those who want fuller control over their incoming mail)

The antispam software modifies the header of each letter, adding the following lines:

X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.9, required 5, PORN_3 0.52, DATE_IN_FUTURE_06_12 2.38)
X-MailScanner-SpamScore: ss

or

X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5, LARGE_HEX 2.50, DOUBLE_CAPSWORD 1.05, UPPERCASE_25_50 1.94, SUPERLONG_LINE 0.38, FORGED_HOTMAIL_RCVD 0.50)
X-MailScanner-SpamScore: ssssss

Note that each letter receives penalty points and a corresponding number of s's. Currently only those with more than 5 penalty points are classified as spam (this parameter can be changed). Mail can also be filtered on the penalty score itself. If you want to direct letters with two, three or more s's to Mail/SPAMY, replace

* ^Subject: \{Spam\?\}
with the following line
* ^X-MailScanner-SpamScore: ss+

or

* ^X-MailScanner-SpamScore: sss+
etc.
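
To see what the recipes in Methods 1 and 3 actually select, here is an added example (not the Faculty's own code) that parses the two MailScanner headers quoted above and emulates both procmail conditions in Python; the From: and Subject: lines in the samples are constructed:

```python
import re

# Header excerpts taken from the examples in the text above, completed with
# constructed From:/Subject: lines; they are not captured live mail.
NOT_SPAM_HEADERS = """\
From: kolega@example.org
Subject: seminar on Friday
X-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.9, required 5, PORN_3 0.52, DATE_IN_FUTURE_06_12 2.38)
X-MailScanner-SpamScore: ss
"""

SPAM_HEADERS = """\
From: offers@example.net
Subject: {Spam?} BUY NOW
X-MailScanner-SpamCheck: spam, SpamAssassin (score=6.4, required 5, LARGE_HEX 2.50, DOUBLE_CAPSWORD 1.05, UPPERCASE_25_50 1.94, SUPERLONG_LINE 0.38, FORGED_HOTMAIL_RCVD 0.50)
X-MailScanner-SpamScore: ssssss
"""

SPAMCHECK_RE = re.compile(
    r"^X-MailScanner-SpamCheck:\s*(?P<verdict>not spam|spam),\s*SpamAssassin\s*"
    r"\(score=(?P<score>[\d.]+),\s*required\s*(?P<required>[\d.]+)(?P<rules>.*)\)",
    re.M,
)


def parse_spamcheck(headers: str) -> dict:
    """Split X-MailScanner-SpamCheck into verdict, score, threshold and rule hits."""
    m = SPAMCHECK_RE.search(headers)
    if not m:
        raise ValueError("no X-MailScanner-SpamCheck header")
    rules = re.findall(r"([A-Z][A-Z0-9_]*)\s+([\d.]+)", m.group("rules"))
    return {
        "verdict": m.group("verdict"),
        "score": float(m.group("score")),
        "required": float(m.group("required")),
        "rules": {name: float(points) for name, points in rules},
    }


def spam_score_s_count(headers: str) -> int:
    """Count the s's in X-MailScanner-SpamScore (one per whole point in the samples)."""
    m = re.search(r"^X-MailScanner-SpamScore:\s*(s*)\s*$", headers, re.M)
    return len(m.group(1)) if m else 0


def method1_destination(headers: str) -> str:
    """Method 1: '* ^Subject: \\{Spam\\?\\}' files only what MailScanner itself tagged."""
    return "Mail/SPAMY" if re.search(r"^Subject: \{Spam\?\}", headers, re.M) else "INBOX"


def method3_destination(headers: str, min_s: int = 2) -> str:
    """Method 3: '* ^X-MailScanner-SpamScore: ss+' (min_s=2), 'sss+' (min_s=3), ...

    The pattern means "at least min_s s's", i.e. a score of min_s points or
    more, regardless of the verdict in X-MailScanner-SpamCheck (min_s >= 1).
    """
    pattern = re.compile(r"^X-MailScanner-SpamScore: " + "s" * min_s + "+", re.M)
    return "Mail/SPAMY" if pattern.search(headers) else "INBOX"
```

With the default ss+ the 2.9-point message that SpamAssassin itself called "not spam" is still filed under Mail/SPAMY, which is why the text recommends checking that folder for good e-mail.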

3.4 Automatic response: a holiday response

If for the period of business or leisure travel you are unable to check your e-mail regularly, it is easy to arrange for the server to send an appropriate response. To activate this, log on (via ssh or putty) and place two files in your home directory:

  1. .vacation_mesg (full stop is necessary) including your holiday message and
  2. .procmailrc (full stop is necessary) with the following content

LOGFILE=/dev/null
VERBOSE=off
VACATION_MESG=$HOME/.vacation_mesg
DOMAIN_NAME=fizyka.umk.pl

# "c" keeps a copy of the incoming message in your mailbox; without it the
# message would be consumed by the auto-reply pipe and never delivered to you.
:0 c
* ^FROM.*
* !^FROM_DAEMON
* !^FROM_MAILER
* !^X-Loop: $LOGNAME@$DOMAIN_NAME
| (formail -rkt -A "X-Loop: $LOGNAME@$DOMAIN_NAME"; \
   cat $VACATION_MESG ) | $SENDMAIL -t -oi

If you already have a .procmailrc file in your home directory, modify it instead. It is a good idea to check the settings by sending a test message (of course from a different account). To disable this feature, log on again and type the following in your home directory:
mv .procmailrc .procmailrc-vacation
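
The recipe's loop guard, as an added Python emulation (example code, not part of the original page): the four conditions, a reply built the way formail -r -A does, and a constructed message showing why a returning auto-reply is not answered again. The FROM_DAEMON pattern is a simplified assumption, not procmail's real macro:

```python
import re

DOMAIN_NAME = "fizyka.umk.pl"  # the recipe's DOMAIN_NAME

# Simplified stand-in for procmail's built-in FROM_DAEMON / FROM_MAILER macros
# (assumption: the real macros are far longer; this covers the usual senders
# of bounces and mailing-list traffic).
DAEMON_RE = re.compile(
    r"^(From|Sender|Return-Path|Resent-From):.*"
    r"(mailer-daemon|postmaster|daemon|majordomo|listserv|owner-|-request)",
    re.I | re.M,
)


def header(headers: str, name: str):
    """First value of header `name`, or None when the header is absent."""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", headers, re.M | re.I)
    return m.group(1).strip() if m else None


def should_autoreply(headers: str, logname: str) -> bool:
    """The recipe's four conditions: a From line, not from a daemon or mailer,
    and no X-Loop tag naming this account (which our own replies carry)."""
    loop_re = re.compile(rf"^X-Loop: {re.escape(logname)}@{re.escape(DOMAIN_NAME)}", re.M)
    return (
        header(headers, "From") is not None   # * ^FROM.*
        and not DAEMON_RE.search(headers)     # * !^FROM_DAEMON and * !^FROM_MAILER
        and not loop_re.search(headers)       # * !^X-Loop: $LOGNAME@$DOMAIN_NAME
    )


def build_autoreply(headers: str, logname: str, vacation_msg: str) -> str:
    """Approximate `formail -rkt -A "X-Loop: ..."; cat $VACATION_MESG`:
    a reply to the sender (Reply-To preferred, since -t trusts the header),
    tagged with X-Loop so the recipe stays silent if the reply ever comes back."""
    sender = header(headers, "Reply-To") or header(headers, "From")
    subject = header(headers, "Subject") or ""
    if not subject.lower().startswith("re:"):
        subject = "Re: " + subject
    # formail -r preserves the original's X-Loop: fields; -A appends our own.
    loops = re.findall(r"^X-Loop: .*$", headers, re.M) + [f"X-Loop: {logname}@{DOMAIN_NAME}"]
    return (
        f"From: {logname}@{DOMAIN_NAME}\nTo: {sender}\nSubject: {subject}\n"
        + "\n".join(loops) + f"\n\n{vacation_msg}\n"
    )


def vacation(headers: str, logname: str, vacation_msg: str):
    """What the recipe sends for an incoming message: the reply text, or None."""
    if should_autoreply(headers, logname):
        return build_autoreply(headers, logname, vacation_msg)
    return None


# Constructed sample: a colleague writes to jan while jan is away.
INCOMING = "From: kolega@example.org\nTo: jan@fizyka.umk.pl\nSubject: seminar\n\nAre you in on Friday?\n"
```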

3.5 Group mail addresses