Security Basics mailing list archives
Re: Securing Linux based public access terminals
From: Michael Rice <michael () riceclan org>
Date: Mon, 19 Jul 2004 09:11:47 -0500
I wouldn't run a window manager at all, I probably would use Linux.

1. Have no valid logins on the box (don't put passwords on it for someone to get to).
2. Do put a grub or lilo password and a BIOS password on them.
3. Set up BIOS to boot from HD only.
4. Have no software loaded that doesn't pertain to web browsing -- you will have to question whether to load Flash and Java.
5. Start X as the user 'nobody' via a startup script with something like 'startx mozilla'. You may want to tweak this a bit so that the browser can have a config and cache directory.
6. Configure iptables on the box to only allow browsing and only to where you want (i.e. point it at your proxy server, or disallow your intranet).
7. Build an image and set the boxes up to re-deploy from a server based image on reboot. Then you can just reboot if something happens to one and it will get a fresh image. You may consider whether to just have them reboot nightly anyway. One way I've seen this done is to have two images, one small Linux install to pull the image and deploy it. You might consider Tom's root/boot CDs or customize your own. In this case you'd have to have CD drives and the BIOS to allow booting from CDs. On the up side this media could be made immutable.
8. Set up a syslog server and watch the logs with something like logwatch or swatch to alert you when anything unexpected happens.
9. Put them on a shared media (hub) or a smart switch with port forwarding and snort/ntop the traffic.

On Fri, 2004-07-16 at 13:15, Ant wrote:
Give the Blackbox window manager a try. Not sure about non-interventive logins though.

On Thu, 15 Jul 2004 12:48:33 +0100, Andrew Shore <andrew.shore () holistecs com> wrote:

Hi

I have a project where I need to give access to the internet to groups of users who do not work for the company running the workstations. Hence, the company do not want the users to access any other part of the network. For reasons too complicated to go into here I can't hive this portion of the network off onto a DMZ or even a secure VLAN.

What I would like to do is run a Linux workstation (RedHat, probably 9 even though it's out of support) but when the user logs into the windows session all they get is the browser. No menus, no right click on the desktop, just a basic single application "dumb terminal". I've seen this done before but it was too well secured for me to see how it was done!

Also I'd like the workstation to log straight in as a local user without user intervention.

Any ideas how I can achieve this or perhaps secure it in another way? I remember with Windows 3.x you could change the windows manager settings in win.ini and it did exactly what I want. I just really don't want to use Windows 3.1 ;)

TIA
Andy
-- Michael Rice <michael () riceclan org>
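An added example (not from any poster in this thread) of what step 6 above could look like as an iptables script for such a kiosk: every direction defaults to DROP, the box may only talk to the site proxy and the syslog server from step 8, and anything else it tries to send is logged before being dropped so the central logs show it. The proxy and syslog addresses and ports are assumed placeholders; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Browse-only kiosk firewall (added example, not from the thread).
# Assumed placeholder addresses from the documentation range; adjust to taste.
PROXY_IP="${PROXY_IP:-192.0.2.10}"     # assumed site web proxy
PROXY_PORT="${PROXY_PORT:-3128}"       # assumed proxy port
SYSLOG_IP="${SYSLOG_IP:-192.0.2.20}"   # assumed remote syslog server
IPT="${IPT:-iptables}"                 # IPT=echo prints the rules (dry run)

kiosk_rules() {
    # Default deny everywhere; a kiosk offers no services and initiates
    # nothing but proxy and syslog traffic.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F

    # Loopback is needed by X and the browser itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Only replies to connections the kiosk opened may come back in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # All browsing goes through the proxy, which decides what may be seen;
    # no direct route to the intranet or the internet exists from the box.
    $IPT -A OUTPUT -p tcp -d "$PROXY_IP" --dport "$PROXY_PORT" -j ACCEPT

    # Ship logs off the box so tampering locally does not hide anything.
    $IPT -A OUTPUT -p udp -d "$SYSLOG_IP" --dport 514 -j ACCEPT

    # Anything else leaving the kiosk is rate-limited into the log and dropped,
    # so attempts to reach other hosts show up for logwatch/swatch.
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "kiosk-deny: "
    $IPT -A OUTPUT -j DROP
}

kiosk_rules
```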