[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] Securing LTSP?

On Mon, 2003-07-28 at 20:05, Eric Harrison wrote:
> On Thu, 24 Jul 2003, Kevin Christensen wrote:
> >1. How secure is the K12ltsp setup by default? 
> Less secure than some, more secure than others ;-)
> K12LTSP is pretty much the same as a stock RH install. One difference
> is that XDM is turned on, which could be considered a security risk.
> >2.I saw on the k12ltsp website about a script that will reset the desktop to
> >the default. I don't understand how this works. The directory (?/skel) is
> >empty. How do you set this up? What determines when the script will run?
> When you log in, you select different "sessions". One of these sessions
> is "Reset Your Desktop". It works by deleting the old settings and copying
> over the defaults. BTW, /etc/skel is not empty, it is just that the files
> you have in there are all hidden (try "ls -la /etc/skel/"). 
> This "reset your desktop" feature is not a security risk, user's can
> only alter their own configuration files.

    And one more thing that need repeating: DON'T USE LTSP as a
firewall.  Ever. Go buy a $40 LinkSys box before you do.  The concept of
NFS, XDMP, and NIS are not intended for use across the internet, and are
frowned upon even when used in a compressed, encrypted tunnel.

    Sure, it's a real firewall. Sure, you can block ports. But mark my
words: you get just one guy in there to send the right string to
qmail/sendmail/etc (a legal port) and he'll ruin you whole day, and
undermine...in a BIG way...your choice to put Linux on the server in the
first place.

    A firewall should have just one, bullet-proofed user login, with
good passwords, and the machine should have the ability to 'flush and
fill' at any time, so as to remove whatever hacks the intruder has put
there.  Think small. Even a 486 has the power...just put a small, 'know
nothing box' between your users and the open sea.  That's all I ask.

Brian Fahrländer          GNU/Linux Zealot, Conservative, and Technomad
Evansville, IN                    My Voyage: http://www.CounterMoon.com
ICQ  5119262

Attachment: signature.asc
Description: This is a digitally signed message part

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]