
Hello IT Admin, 

CUIT has contacted IT Leaders around campus about reducing our SSH exposure due to the increased activity of ransomware attacks. The CUIT Cybersecurity team is reaching out because you have been identified as a system administrator for your department. Our security monitoring has discovered machines under your ownership which have SSH open to the Internet. Attached is the list of hosts which require remediation.

Leaving SSH vulnerable from the Internet puts the University at risk for potential ransomware attacks. CUIT is providing recommendations to restrict the SSH protocol to Columbia-owned networks only. Using the Windows built-in Firewall, an IP restriction should be implemented on Port 22. It is also recommended to review all inbound configuration rules to implement the most restrictive configuration possible.

We understand that SSH is the primary way some users remotely interact with their campus desktops and servers. In order to balance security and function, we are requesting that you enforce the use of VPN for SSH connections. This provides a level of security with Duo multifactor authentication and reduces our attack surface. Information and user guides on the VPN are available on the CUIT website.

Below are the most commonly used ranges; you should verify whether any additional subnets are required for your operations. Once the first range of IPs is configured, this will allow you to connect through the VPN.

| Network | Range |
|---|---|
| Morningside Heights Campus | 128.59.0.0/16 |
| CU VPN | 10.192.128.0/18 |
| | 10.192.112.0/21 |
| | 128.59.248.0/22 |
| Lamont-Doherty / Nevis / Manhattanville / Wireless | 129.236.0.0/16 |
| Columbia-Presbyterian Medical Center | 156.145.0.0/16 |
| | 156.111.0.0/16 |
| Columbia Morningside Heights Campus Secure Wireless | 160.39.128.0/23 |
| | 160.39.152.0/23 |
| | 160.39.154.0/23 |
| | 160.39.156.0/23 |
| | 160.39.158.0/23 |
| | 160.39.160.0/23 |
| | 160.39.162.0/23 |
| | 160.39.164.0/23 |
| | 160.39.166.0/23 |
| | 160.39.168.0/23 |
| | 160.39.170.0/23 |
| | 160.39.172.0/23 |
| | 160.39.174.0/23 |
| | 160.39.176.0/23 |
| | 160.39.178.0/23 |
| | 160.39.130.0/23 |
| | 160.39.132.0/23 |
| | 160.39.134.0/23 |
| | 160.39.136.0/23 |
| | 160.39.138.0/23 |
| | 160.39.140.0/23 |
| | 160.39.142.0/23 |
| | 160.39.144.0/23 |
| | 160.39.146.0/23 |
| | 160.39.148.0/23 |
| | 160.39.150.0/23 |
| AZURE - Cloud computing - Server Zones | 10.196.0.0/16 |


If you need assistance on how to configure the Windows Firewall, the Microsoft support site has detailed instructions.

Overview of Recommendation 

  • Enable and configure the Windows firewall
  • Restrict the SSH Port to only CU IP addresses, deny the rest
    • Double-check your range restrictions before moving changes to production
  • Use the VPN first, then SSH to continue management of desktops or servers
  • Always test your configuration before implementing in production 
  • If your department does not have an anti-malware deployment, please review the Malwarebytes webpage; this is another proactive security measure to prevent ransomware
  • Please direct any questions to cybersec@columbia.edu 
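
One way to script the recommendation above in PowerShell (an added example, not CUIT's own tooling): it enables the firewall, scopes inbound TCP 22 to the ranges in the table, and lists the resulting rules for review. The rule name is a hypothetical placeholder; the ranges are copied from the table on this page.

```powershell
# Added example, not CUIT's script. Run elevated, after connecting through the VPN.
$RuleName = 'SSH-CU-Networks-Only'   # hypothetical rule name (assumption)

# Ranges copied from the table on this page.
$AllowedRanges = @(
    '128.59.0.0/16',                                          # Morningside Heights Campus
    '10.192.128.0/18', '10.192.112.0/21', '128.59.248.0/22',  # CU VPN
    '129.236.0.0/16',                                         # Lamont-Doherty / Nevis / Manhattanville / Wireless
    '156.145.0.0/16', '156.111.0.0/16',                       # Columbia-Presbyterian Medical Center
    '10.196.0.0/16'                                           # Azure server zones
)
# Secure Wireless: each /23 from 160.39.128.0 through 160.39.178.0, as in the table.
$AllowedRanges += 128..178 | Where-Object { $_ % 2 -eq 0 } | ForEach-Object { "160.39.$_.0/23" }

# True when a rule is an inbound TCP allow rule whose port list names 22 explicitly.
# Rules with LocalPort 'Any' or a port range are not matched; review those by hand.
function Test-SshRule($Rule) {
    $pf = $Rule | Get-NetFirewallPortFilter
    $pf.Protocol -eq 'TCP' -and $pf.LocalPort -contains '22'
}

# 1. Enable the firewall on every profile; unmatched inbound traffic is dropped.
#    "Deny the rest" comes from this default. An explicit block rule on port 22
#    would override the scoped allow rule, because block rules take precedence.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. Rescope existing SSH allow rules, or create one if none exists.
$sshRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { Test-SshRule $_ }
if ($sshRules) {
    $sshRules | Set-NetFirewallRule -RemoteAddress $AllowedRanges
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 22 -RemoteAddress $AllowedRanges -Profile Any | Out-Null
}

# 3. Verify: print each SSH allow rule with the remote scope now in effect.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { Test-SshRule $_ } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```

Get-NetFirewallRule reads the local policy store by default, so rules delivered by Group Policy are not listed here and must be reviewed in the GPO.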