[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] Safety of Allowing Access from Internet



Todd O'Bryan wrote:
> 
> Forgive the stupid question, but how dangerous is it to have a k12ltsp
> server visible from the internet? (A recent thread has made me
> wonder...)

I'd be very careful about that.  A lot of people have already answered
your question, but I feel compelled to chime in also.

You really need to setup a firewall first.  It should block everything
by default.  Then you should poke holes in it to only allow the services
you want to make available to the internet.  When you think you've got
it configured, run nmap against it from the outside to make sure nothing
is available to the outside except what you've decided should be.

Then make sure you keep your software up to date.

Security is not a one-time concern - it is a process.  You've got to
stay on top of it.

As for not having a domain name, that hardly matters.  Most crackers use
robots that scan ip addresses looking for vulnerabilities.  When they
find a vulnerable machine, they crack it and use it to attack more
systems.

One of the prime targets is an open mail relay.  If your box is open to
the internet, make SURE that the SMTP port is closed to the public -
otherwise spammers will be able to use your machine to send their
"goods" to the hapless public.  This will definitely impact your
available bandwidth.  Also, your IP address will be blacklisted by many
mailservers, and legitimate mail you try to send will not go out.

If you've blocked everything & poked holes to allow certain access
types, then you needn't worry about this tidbit: NFS is inherently
insecure.  If someone has root access to another machine on your
network, they can create a user account on that machine using the userid
of someone on your system, mount the NFS volume, and access it as if
they were that user.  In other words, if they find out that Bob's UID is
510, they can create an account on their own machine with UID=510, and
then get access to Bob's files as if they were Bob himself.  DO NOT MAKE
NFS AVAILABLE OVER THE INTERNET!

So... I would recommend against putting a K12LTSP server on the
internet.  Instead, put it behind a firewall, and forward port 22 (ssh)
from the FW to the LTSP box.

Just because you're paranoid doesn't mean they're not out to get you. 
Here's some recommended reading:
http://www.linuxsecurity.com/docs/colsfaq.html

-- 
Jim Thomas            Principal Applications Engineer  Bittware, Inc
jthomas bittware com  http://www.bittware.com          (703) 779-7770
Getting an inch of snow is like winning ten cents in the lottery -
Calvin
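The firewall-then-verify procedure above (default deny, forward only ssh to the LTSP box, then scan from outside and confirm nothing else answers, SMTP included) as an added worked example; this is not code from the original post or from K12LTSP. It assumes a Linux firewall host using iptables, with the public interface in WAN_IF and the LTSP server's inside address in LTSP_IP (both assumed names, overridable from the environment). The rules are printed rather than executed so they can be reviewed first, and the nmap output it audits is a constructed sample, not a real scan.

```sh
#!/bin/sh
# Added example (not part of the original post). Assumptions: a Linux
# firewall using iptables; WAN_IF is its public interface; LTSP_IP is the
# LTSP server behind it. Only the ports in ALLOWED_TCP are meant to be
# reachable from the internet (the post recommends ssh only).

WAN_IF="${WAN_IF:-eth0}"                 # assumed public interface
LTSP_IP="${LTSP_IP:-192.168.0.254}"      # assumed inside address of the LTSP box
ALLOWED_TCP="${ALLOWED_TCP:-22}"         # space-separated list of exposed TCP ports

# Print (do not run) the iptables commands for a default-deny firewall that
# forwards only ALLOWED_TCP from the outside to the LTSP server and lets the
# inside reach out.  Review, then apply with:  gen_firewall_rules | sh
gen_firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i $WAN_IF -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    for p in $ALLOWED_TCP; do
        cat <<EOF
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $LTSP_IP:$p
iptables -A FORWARD -i $WAN_IF -p tcp -d $LTSP_IP --dport $p -m state --state NEW -j ACCEPT
EOF
    done
}

# Read "nmap -p- <public-ip>" style output on stdin (lines like
# "25/tcp   open   smtp") and report every open TCP port that is not in
# ALLOWED_TCP.  Returns 1 if anything unexpected is open, 0 otherwise.
check_nmap_output() {
    status=0
    for port in $(awk '$2 == "open" && $1 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }'); do
        allowed=0
        for a in $ALLOWED_TCP; do
            [ "$port" = "$a" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "UNEXPECTED open port $port/tcp"
            status=1
        fi
    done
    return $status
}

# Constructed sample scan output (not a real scan): what the outside would
# see if the mail relay and NFS ports were accidentally left reachable.
SAMPLE_BAD_SCAN='Interesting ports on 203.0.113.10:
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   open   smtp
111/tcp  open   rpcbind
2049/tcp open   nfs
Nmap done: 1 IP address (1 host up)'

# Constructed sample of the scan you want to see: only ssh answers.
SAMPLE_GOOD_SCAN='PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   closed smtp'

# Stand-alone demo (sh this-script.sh demo): print the ruleset, then audit the
# bad sample; the three unexpected ports are listed and the exit code is 1.
if [ "${1:-}" = "demo" ]; then
    gen_firewall_rules
    printf '%s\n' "$SAMPLE_BAD_SCAN" | check_nmap_output
fi
```

In real use, run the scan from a host outside your network (for example `nmap -p- your.public.ip`) and pipe its output into `check_nmap_output`; an open 25/tcp in that output is exactly the open-relay exposure the post warns about, and 111/tcp or 2049/tcp means NFS is reachable from the internet.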
