[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] Securing a K12LTSP box



I think a key piece, at least in terms of protecting the server from bad guys on the internet, is that you have a firewall--that is, a separate box--between the LTSP box and the internet. With the firewall, you can control what, if any, connections from the outside world can even get to the LTSP server. You might even consider using two firewalls to create a DMZ for any boxes that need to be accessible to the outside world. I suspect that most people don't allow any outside connections, as there isn't really any need; perhaps an opening for SSH so you can remotely admin, but I suggest doing this on a different port than 22 (the default) just to add a bit of 'security by obscurity' and mostly to keep your logs from filling up with failed attempts by script kiddies to login as Administrator, etc.

Internal security is more a matter of protecting the server from curios/mischievous kids, which presents some different problems, which I'll leave to others.

Petre

Bryant Patten wrote:
I have been asked by a couple of elementary schools to set up a K12LTSP demo. One server, 4 terminals - so that people at the school can try it out. Simple word processing, some image stuff and Internet access are the planned uses. Sound and thumb drive usability are particularly important.

My question for the collective list is:

After a vanilla, default-accepting install of K12LTSP (5.0 beta 7 is what I am currently exploring) onto a new server box, what should one do (if anything) to additionally secure or harden the box?

Do people recommend running something like Tripwire or Bastille? I have done some reading about both of these but haven't yet tried using either and I didn't find anything in the LTSP wiki about either program. The wiki does offer the following warning - "Trying to run an LTSP service over a public network such as the internet without any security precautions is foolhardy in the extreme". I am beginning to teach myself about network security issues but do not yet have a sense of 'how much is enough' regarding hooking servers to the Internet.

In this type of situation, I am often not sure about the security set up for the school's network. Phrases such as "...I'm not sure what we do about security - Joe set that up and he is gone now..." or "our consultant installed a Sonicwall but I don't anything about it..." are often used. I explain to people that this box will not function as a firewall but I would like to make it as secure as functionally possible against being taken over by evil doers in this ambiguously secured environment.

Bryant Patten
White Nitro, LLC



_______________________________________________
K12OSN mailing list
K12OSN redhat com
https://www.redhat.com/mailman/listinfo/k12osn
For more info see <http://www.k12os.org>



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]