LAN
1. Basic information
1.1 Administrators
1.2 Servers and services
1.3 Changing the password
1.4 Access to the faculty account (with a shell) for students
1.5 Access to local network resources via OpenVPN
1.6 Access to Internet via Eduroam
1.7 Registration and configuration of a new computer (new network card)
1.8 Antivirus program
The network of the Department of Applied Computer Science and the Institute of Physics is a part of Toruń’s urban computer network TORMAN.
1.1 Administrators
- Paweł Binnebesel (email: operator@fizyka.umk.pl, tel. 3265) is responsible for:
  - supervision over the functioning of the local computer network
  - supervision over sign and graphic terminals
  - help in the installation and configuration of computers with Windows (connection to the local computer network, installation of an antivirus program, configuration of the firewall, etc.)
- Jacek Kobus (tel. 3266), Mariusz Piwiński (tel. 3341), Szymon Śmiga (tel. 3277) and Sławomir Zelek (tel. 3295) (email: operator@fizyka.umk.pl) are responsible for:
  - supervision over servers and services (e-mail, www, ftp, DHCP, DNS, samba, firewall, MySQL databases)
  - service of employee and student accounts
  - supervision over the operation of the local network
  - installation and maintenance of software
  - supervision over the functioning and development of the local computer network (including the approval of the location of new connections)
  - supervision over the connection of the local computer network to the TORMAN (Internet) network
1.2 Servers and services
- Mail servers for the staff, doctoral students and students are managed by UCI. In order to facilitate the distribution of mail to whole groups of users, a number of special addresses can be used, such as students-ifiz or PhD students-ifiz (in the domain @listy.umk.pl); more on the Group Mail addresses page.
- www.fizyka.umk.pl: www server
- samba.fizyka.umk.pl: samba server
- application servers: polon/tor (CentOS 7), uran (CentOS Stream 9), neptun (Fedora 36)
All IF and KIS employees, PhD students and WFAiIS students have access to these servers. After logging on to any of these machines, the user has access to his home directory. These servers are available from anywhere on the Internet via OpenVPN for holders of relevant certificates (see section 1.5).
- ameryk.fizyka.umk.pl: access server: ssh (port 22). ameryk acts as an access server, i.e. people who have access to application servers can log in to it using ssh (or clients such as putty for Windows) from ANY location in the world. For transferring files, use the scp program (pscp for Windows users). The ameryk server allows access only to your own home directory. From this server you cannot log in to any machine in the local network.
- moodle.umk.pl/WFAIIS: the Moodle e-learning system is designed to support the classes held at WFAiIS.
The local computer network is connected to the TORMAN network with a bandwidth of 2 Gb/s. Network devices work in the 100/1000/10000 Mb/s standard. The smooth functioning of the network, in which more than 400 hosts work, requires discipline in expanding it and in connecting new computers. Therefore, any changes to and expansion of the network must be agreed with and approved by the administrators before they are implemented.
1.3 Changing the password
In order to change the password, please use the website at https://www.fizyka.umk.pl/passwd. On faculty servers, the password is updated four times a day (at 2, 8, 14 and 20 o'clock). For security reasons, access to this site is only possible from computers working on the local computer network. Anyone who has an account and can log in via ssh to the server ameryk.fizyka.umk.pl can access this page by following these steps:
- in the browser, enable proxy support via the SOCKS protocol, directing traffic to 127.0.0.1 and port 1080
- as a regular user, execute the command 'ssh -D 1080 user@ameryk.fizyka.umk.pl'
The '-D' option used above enables so-called ssh dynamic port forwarding.
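The tunnel described above with the listener pinned to the loopback address, plus a check that the SOCKS port is not reachable from other hosts. This is an added example, not part of the original page; USER_ID, the function names and the sample ss output are constructed.

```sh
#!/bin/sh
# Added example (not from the original page). USER_ID and the sample `ss`
# output below are constructed placeholders.
SOCKS_PORT=1080

# Open the tunnel. -N: no remote command, -f: go to background after login.
# Binding to 127.0.0.1 explicitly keeps the proxy off other interfaces;
# ExitOnForwardFailure makes ssh exit if port 1080 is already taken.
open_tunnel() {
    ssh -f -N -D "127.0.0.1:${SOCKS_PORT}" \
        -o ExitOnForwardFailure=yes "$1@ameryk.fizyka.umk.pl"
}

# Request the password page through the tunnel. --socks5-hostname also sends
# the DNS lookup through ameryk rather than the local resolver.
fetch_passwd_page() {
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --socks5-hostname "127.0.0.1:${SOCKS_PORT}" \
        https://www.fizyka.umk.pl/passwd
}

# Read `ss -ltn` output on stdin and print every non-loopback address that
# listens on port $1. Exit status: 0 loopback only, 1 exposed, 2 not listening.
check_socks_bind() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            seen = 1
            if (addr != "127.0.0.1" && addr != "[::1]") { print addr; bad = 1 }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }'
}

# Constructed samples: a correctly bound tunnel, and one started with
# "-D 0.0.0.0:1080", which any host that can reach this machine could use.
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:1080     0.0.0.0:*
LISTEN 0      128    [::1]:1080         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:1080       0.0.0.0:*'

# On a live system: open_tunnel USER_ID && ss -ltn | check_socks_bind 1080
if printf '%s\n' "$SAMPLE_OK" | check_socks_bind "$SOCKS_PORT"; then
    echo "port $SOCKS_PORT: loopback only"
fi
```

Close the tunnel once the password has been changed, so the proxy does not stay open on the workstation.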
1.4 Access to the faculty account (with a shell) for students
Since the beginning of the academic year 2006/2007, student accounts on the servers of our faculty are not created independently, but are closely tied to the accounts on the university student server. Therefore, in order to gain access to departmental servers it is necessary to first set up an account on the university server using the Account creation form. In addition to the account on the central server, an additional account (with the same identifier and password) is created on the departmental server and becomes available the next day.
1.5 Access to local network resources via OpenVPN
For security reasons, access to servers running in the local network (general servers and workgroup servers) is restricted by the firewall configuration.
The most convenient and secure access to local network resources is provided by the OpenVPN system. In order to use the system, the user should install on his computer the OpenVPN client software and obtain certificates.
Employees and doctoral students should contact the administrator of the system to receive the certificates (email: operator@fizyka.umk.pl).
Students must submit an application (OpenVPN-application) to the WFAiIS Dean’s Office in order to obtain the certificates.
Certificates together with the configuration files (for Windows and Linux/MacOS) are placed in the openvpn subdirectory of the user’s home directory.
By default, an OpenVPN client uses the UDP communication protocol to connect to the OpenVPN server. Unfortunately, often in public places access to the IF+KIS LAN is difficult since the Internet connection is only available via HTTP and HTTPS protocols. In order to circumvent this limitation, you need to start the OpenVPN client using client4tcp.conf instead of client.conf configuration file.
For Windows (Linux) users, the contents of the file should be unzipped in the c:\Users\(profile)\OpenVPN\config directory (/etc/openVPNconfig). From now on, you can establish an OpenVPN connection using the new “client4tcp” configuration.
Using OpenVPN over TCP is also recommended in case of an unstable or poor connection.
Installing and running the OpenVPN service requires administrative privileges (Windows – administrator, Linux – root).
Windows users can start the OpenVPN client in graphical mode and then, by right-clicking on the OpenVPN icon in the taskbar, indicate the client (configuration) and select “connect”. As the administrator you can also run the start.bat script (located in the appropriate OpenVPN directory) in console mode. In both cases, after the connection is established, a new logical interface should be created and new entries added to the routing table. This can be verified by running the following commands in console mode (cmd): ipconfig /all and netstat -r. In the routing table you should see extra routes to networks 158.75.104.0 and 158.75.4.0. When the OpenVPN client is stopped these entries are automatically removed.
1.6 Access to Internet via Eduroam
Since April 2005, the Eduroam wireless network has been operating at the Nicolaus Copernicus University. It enables authenticated access to the Internet in many scientific institutions in Poland and around the world, including the Institute of Physics premises. Due to the size of the building and its construction (thick reinforced walls), as well as the limited number of access points, a radio signal of adequate quality is available only in frequently used open spaces (the entrance hall, the main corridors and the bar) and large lecture halls (S20 and S26). If the radio signal quality in other areas is unsatisfactory, employees should connect their computers directly to the cable infrastructure of the local area network (see Section 1.7).
In the case of employees, connecting a computer to the Eduroam network requires the installation of a special certificate.
Students connect their computers to this network by authenticating themselves through their ID and password, which they use when registering on departmental servers (http://eduroam.umk.pl/studenci/instalacja/). More information on the access mode and hardware configuration can be found at http://eduroam.umk.pl/studenci/.
Connecting the computer to the Eduroam network allows unrestricted access to the Internet, but it does not allow access to the resources of the local computer network (except access to the server http://www.fizyka.umk.pl and to your account on the server ameryk). Such access can be obtained only after obtaining the appropriate certificate and installing the OpenVPN system (see the previous item). To this end, students must apply to the dean’s office of WFAiIS with the application signed (OpenVPN-application), which will be the basis for issuing the certificate, which, together with the OpenVPN service configuration file (for Linux and Windows) will be placed in the openvpn subdirectory of the user’s home directory.
1.7 Registration and configuration of a new computer (new network card)
A new computer can use the wired local network provided it can acquire a separate IP address from a DHCP server. To this end the computer must be registered beforehand by sending an email to operator@fizyka.umk.pl with information about the computer’s location, its administrator and its network card’s hardware address (the so-called MAC address, e.g. 1A:60:19:07:1A:F0). When a network card is swapped for another one, the MAC addresses of both cards should be provided.
1.8 Antivirus program
WFAiIS employees can use the Eset Smart Security antivirus software; see http://www.uci.umk.pl/pracownicy/esetsmartsecurity/.
2. Rules for using the network and servers
2.1 Prohibitions and recommendations
2.2 Choosing and changing the password
2.3 Available disk space
The local computer network of the Institute of Physics and the Department of Applied Computer Science together with computers connected to it (including servers) is used by the employees and students of the Faculty to complete their didactic and scientific tasks. Currently, servers support about 1,200 people. In order to provide everyone with access to servers, good and reliable services and provide the necessary level of system protection, the following rules for using the servers are introduced (see also the Computer Network Regulations of the Nicolaus Copernicus University).
2.1 Prohibitions and recommendations
The user is prohibited from:
- Installing, running, storing and sharing programs (files) violating the license rules, copyright, etc. In particular, this applies to peer-to-peer programs used to exchange copyright-protected audio/video files.
- Installing, running, storing and sharing programs (files) that infringe the security of computer and network systems or user safety. This applies in particular to malware, such as viruses, Trojan horses and exploits, as well as programs monitoring network traffic.
- Launching password decryption programs, conducting actions to eavesdrop on or capture information flowing in the network, or violating the privacy of system resources (see below).
- Launching programs that may disrupt or prevent the proper functioning of computer systems and the local / wide area network.
- Connecting network devices, including desktop and laptop computers, to the local computer network without registering them first.
- Sending mass mail, ads (spam).
- Using servers to conduct business (advertisement of goods and services) or political activity, or to disseminate content or images that harm the University’s reputation, or content and images that are vulgar, obscene, offensive to third parties or violate anyone’s personal rights (this applies in particular to the content of websites).
- Using cookies on a website to track user preferences, serve personalized ads, etc. (only cookies related to the session of a user who logged in to the site may be stored).
- Lending your own account to third parties.
- Attempting to use someone else's account or to access restricted computer resources.
- Making any changes in the configuration of personal computers serving as public terminals and being the equipment of computer labs and installing their own software on these computers.
- Servers may be used to run long-running tasks but they must be run with the lowest priority, i.e. nice +19 command. If the task was started with the default priority, it can be changed using the command renice +19.
Failure to comply with the above prohibitions and recommendations will result in immediate loss of access to the server and other appropriate sanctions. The Dean of the Faculty will be informed of any significant violation of the rules of using the local computer network.
2.2 Choosing and changing the password
In order to protect your own data and protect the entire system from intrusions, each user MUST use a password that is difficult to guess.
When creating a password, do not use:
- names frequently encountered,
- common nouns,
- digits only at the beginning or end of the password,
- names associated with the place where the account is placed
The password must be at least nine characters long, including at least one capital letter and one number or special character (@!,:; “…).
When creating a password, it is recommended to use:
- numbers inside the password,
- both upper-case and lower-case letters,
- words not often found in colloquial language.
2.3 Available disk space
Due to the limited disk resources that can be allocated to users’ home directories, as well as a large number of users, one has to use these resources prudently. If it is necessary to store larger amounts of data for a short period of time, the /tmp space should be used.
Home directories are regularly archived. In the event of data loss, it is possible to recover them. Because no system is 100% reliable, it is recommended to archive the most important data on your own. The system administrator is not responsible for the loss of data collected by users.
3. E-mail
3.1 Access to mail
Each user can access his mailbox in several ways:
- Unix / Linux system console (alpine, mutt)
- SMTP, POP3, IMAP (Thunderbird, Outlook (Express), Evolution, etc.)
- WWW interface: http://www.umk.pl/poczta
Access to mail in text mode on departmental servers
The alpine and mutt programs are used for e-mail. Changing the default settings is possible by placing them in the local configuration files ~/.pinerc and ~/.muttrc. Windows users can login using, for example, the putty program.
Access to mail via Thunderbird, Outlook (Express), Evolution, etc.
When working on a local computer network, you can use the e-mail service without logging into one of the servers. Electronic mail can be downloaded and sent using any e-mail client, for example, the mozilla-mail program or Outlook Express. When configuring this service, please indicate as a POP3 server (incoming mail) – pop3.umk.pl and as SMTP server (outgoing mail) – smtp.umk.pl. You can also use the IMAP protocol (imap.umk.pl server) to contact the e-mail server.
The mail server forces the connection between the server and the mail client to be encrypted. Therefore, client programs such as Thunderbird, Outlook (Express) and others must be forced to encrypt the connection:
- Mozilla / Netscape:
  Tools – Account Settings – Server Settings
  Select the Use secure connection (SSL) option
- Polish version of Thunderbird:
  Tools – Account configuration – Server configuration
  Select options: Use secure connection (SSL)
- Outlook Express:
  Tools – Accounts – Properties – Advanced
  Select This server requires a secure connection
- Outlook (Office):
  Tools – E-mail accounts – View or change – <select your account and press Change> – More settings – Advanced
  For Incoming Server (POP / IMAP) select: This server requires an encrypted connection
Sending mail via the mail.fizyka.umk.pl server is possible not only from the local network, but from any network (e.g. a home network), on condition that you log in with authentication. This means that when sending mail, you also need to enter the server access password.
In the case of Outlook 2010 (also 2007), the following account settings must be used:
- Name and surname: First name Surname
- E-mail address: ident@fizyka.umk.pl or ident@is.umk.pl or ident@umk.pl
- Account type: pop or imap (the choice belongs to the user)
- Incoming mail server: pop3.umk.pl (or imap.umk.pl)
- Outgoing mail server: smtp.umk.pl
- User name: identifier
- Password: password for access to the account
- Require login using secure password authentication: You must select this option!
Under the “More settings” button it is necessary to do the following:
- In the “Outgoing server” tab, select the option “Outgoing server (SMTP) requires authentication”
- In the “Advanced” tab, select “Incoming server: This server requires an encrypted connection (SSL)” [port 995 for POP3, 993 – for IMAP], “Outgoing server (SMTP): Use an encrypted connection of the following type: SSL” [port 465].
Access to e-mail through WWW
You can also use the e-mail service using a web browser for this purpose. All you need to do is go to http://www.umk.pl/poczta, choose IMP and log in with your e-mail address as your identifier on the departmental server. Detailed information on how to use this service can be found at http://www.uci.umk.pl/studenci/poczta/pocztawww/.
3.2. How to deal with unwanted mail (spam)?
Recently, the number of unsolicited e-mails, i.e. spam messages that reach our mailboxes every day, has increased significantly. Therefore, an anti-spam program has been installed on the mail server. It looks at the header and contents of each letter and, based on fairly sophisticated rules, determines whether the letter is spam. If the message is classified as spam, a letter with a modified ‘Subject:’ field is received in the mailbox, viz.
Subject: *** SPAM *** ….
This allows you to automatically remove spam from the main mailbox and move it to a separate mailbox.
How to do it?
Variant 1 (for those logging in to polon/tor servers to read the mail)
In order to automatically forward all letters qualified as spam to a separate file (a separate mailbox), you should create (using an editor) a file ~/.procmailrc containing the following four lines:
MAILDIR=$HOME/Mail
:0
* ^Subject: \*\*\*Spam\*\*\*
Mail/spam
If the mail is kept in a different directory, e.g. mail, then you need to make a proper change to the .procmailrc file.
Variant 2 (for users who use Outlook Express or similar software to download mail from the server)
Outlook Express allows filtering of mail downloaded from the mail server (POP server) according to the content of the Subject field. You need to activate this option and send mail automatically marked as *** Spam *** to a separate folder.
Outlook Express (OE) allows you to connect to the mail server using the IMAP protocol (when creating an account you must indicate that the incoming mail server should be mail.fizyka.umk.pl, and IMAP should be used for mail transmission, not POP). After configuring the e-mail account in OE, select Account-Properties-IMAP. In the “Folders” section, enter “mail” in the “Main folder path” field (without quotes). After connecting to the server, there is no automatic transfer of mail from the server to the personal computer, but Outlook Express allows you to view the contents of the mailbox, delete letters and transfer only selected items to the personal computer. You can also browse other mailboxes located in the home directory (or in any of the subdirectories that you specify by selecting the IMAP tab (Tools-Account-Properties-IMAP)). In particular, you can view the mailbox Mail/SPAMY if you indicate the Mail directory as an additional place to view e-mail. In this directory you can collect your spam messages by following the instructions given above (see Variant 1).
Variant 3 (for people who want to gain fuller control over the fate of letters that reach them)
The anti-spam program modifies the header of each checked letter by adding lines of the form:
X-Spam-Level: ****************************
Please note that each letter receives penalty points and an appropriate number of *. At the moment, only those letters for which the number of penalty points exceeds 5 are classified as spam (this parameter is configurable and may change). Of course, you can filter mail based on the number of penalty points. If you want to send only letters marked with at least two, three, etc. asterisks to the Mail/SPAMY file, then you need to replace the row
* ^Subject: \*\*\*Spam\*\*\*
with the line
* ^X-Spam-Level: \*\*+
or
* ^X-Spam-Level: \*\*\*+
etc.
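The X-Spam-Level conditions above, checked against constructed messages (an added example, not part of the original page). It generalizes the two lines shown to any threshold N and assumes procmail's default matching (header only, case-insensitive, egrep-style regular expressions), which is reproduced here with sed and grep -Ei; all function names and messages are constructed.

```sh
#!/bin/sh
# Added example (not from the original page); all messages are constructed.

# Print the procmail condition for "at least N asterisks" (N >= 1):
# N escaped asterisks followed by "+", as in the two lines shown above.
level_condition() {
    _n=$1; _stars=''
    while [ "$_n" -gt 0 ]; do _stars="${_stars}\\*"; _n=$((_n - 1)); done
    printf '* ^X-Spam-Level: %s+\n' "$_stars"
}

# Apply that condition to a message on stdin the way procmail does by
# default: header lines only, case-insensitive, extended regex.
matches_level() {
    _regex=$(level_condition "$1" | sed 's/^\* //')
    sed '/^$/q' | grep -Eiq -- "$_regex"
}

# Name the mailbox a message on stdin would reach for threshold $1.
route() {
    if matches_level "$1"; then echo "Mail/SPAMY"; else echo "inbox"; fi
}

msg_two_stars() { cat <<'EOF'
From: list@example.org
Subject: Seminar on Friday
X-Spam-Level: **

See you there.
EOF
}

msg_seven_stars() { cat <<'EOF'
From: promo@example.net
Subject: *** SPAM *** Cheap watches
X-Spam-Level: *******

Buy now.
EOF
}

# The marker appears only in the body, so a header condition must ignore it.
msg_body_only() { cat <<'EOF'
From: colleague@example.org
Subject: Fwd: filter question

X-Spam-Level: ********
EOF
}

for t in 2 3; do
    echo "threshold $t: $(level_condition "$t")"
    echo "  two stars    -> $(msg_two_stars | route "$t")"
    echo "  seven stars  -> $(msg_seven_stars | route "$t")"
    echo "  body only    -> $(msg_body_only | route "$t")"
done
```

A lower threshold moves more legitimate mail into Mail/SPAMY, so that mailbox should be reviewed periodically rather than deleted unread.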