Re: [K12OSN] Securing a K12LTSP box

[Petre Scheie <petre maltzen net>]

I think a key piece, at least in terms of protecting the server from bad guys on the 
internet, is that you have a firewall--that is, a separate box--between the LTSP box and 
the internet.  With the firewall, you can control what, if any, connections from the 
outside world can even get to the LTSP server. You might even consider using two 
firewalls to create a DMZ for any boxes that need to be accessible to the outside world. 
I suspect that most people don't allow any outside connections, as there isn't really 
any need; perhaps an opening for SSH so you can remotely admin, but I suggest doing this 
on a different port than 22 (the default) just to add a bit of 'security by obscurity' 
and mostly to keep your logs from filling up with failed attempts by script kiddies to 
login as Administrator, etc.

Internal security is more a matter of protecting the server from curios/mischievous 
kids, which presents some different problems, which I'll leave to others.

Petre

Bryant Patten wrote:
> I have been asked by a couple of elementary schools to set up a K12LTSP 
> demo.  One server, 4 terminals - so that people at the school can try it 
> out.  Simple word processing, some image stuff and Internet access are 
> the planned uses.  Sound and thumb drive usability are particularly 
> important.
>
> My question for the collective list is:
>
>         After a vanilla, default-accepting install of  K12LTSP (5.0 beta 
> 7 is what I am currently exploring) onto a new server box, what should 
> one do (if anything) to additionally secure or harden the box?
>
> Do people recommend running something like Tripwire or Bastille?  I have 
> done some reading about both of these but haven't yet tried using either 
> and I didn't find anything in the LTSP wiki about either program.  The 
> wiki does offer the following warning - "Trying to run an LTSP service 
> over a public network such as the internet without any security 
> precautions is foolhardy in the extreme".  I am beginning to teach 
> myself about network security issues but do not yet have a sense of 'how 
> much is enough' regarding hooking servers to the Internet.
>
> In this type of situation, I am often not sure about the security set up 
> for the school's network.   Phrases such as "...I'm not sure what we do 
> about security - Joe set that up and he is gone now..."  or "our 
> consultant installed a Sonicwall but I don't anything about it..." are 
> often used.  I explain to people that this box will not function as a 
> firewall but I would like to make it as secure as functionally possible 
> against being taken over by evil doers in this ambiguously secured 
> environment.
>
> Bryant Patten
> White Nitro, LLC
>
>
>
>     
>
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>