On Tue, 2007-03-06 at 09:20 +1000, Greg Vickers wrote:
> Hi all,
>
> I am building a couple of PCs which will be used for public Internet
> access in a small library. These PCs will also be on the same physical
> network as the 'office' PCs. Obviously I'd like these PCs to have
> seriously restricted access to the local network, what I'd like to know
> is can anyone recommend a resource to me on locking down public access
> Debian-based Linux computers?
>
> Thanks,
> --
> Greg Vickers
> IT Security Engineer & Project Manager
> IT Security, Network Services,
> Information Technology Services
> Queensland University of Technology
> L12, 126 Margaret St, Brisbane
>
> Phone: +61 7 3138 9536
> Mobile: 0410 434 734
> Fax: +61 7 3138 2921
> Email: [EMAIL PROTECTED]
> IT Security web site: http://www.its.qut.edu.au/itsecurity/
>
> CRICOS No. 00213J
>

I don't know exactly how to do all of the following, I'm just brainstorming:

1. disable ttys other than 1 and 7 (main and X), or can you disable 1 as well?
2. Don't bring up gnome-panel or gnome-desktop or anything that could give the user a menu or xterm, or ability to launch a program. Maybe just run 'metacity' instead of 'gnome-session,' but perhaps 'gnome-session' would help with kiosking browser or something?
3. automatically bring up a web browser, maximized, when the user is logged in.
   3.1 (I hate to recommend proprietary software, but) Opera has some sort of Kiosk mode, I'm not sure about Firefox or Epiphany.
   3.2 Epiphany would be great if you could keep it from being able to launch commands, or having its settings altered.
   3.3 restrict the browser to only use http:// or https:// (no SFTP or FTP)
   3.4 Don't install java plugins or Flash.
4. On the network switch/router whatever, deny the IP of the kiosk computers from the web-based router config.
5. Put yourself in the locked-down environment you've created, and try to get out.
6. Keep logs in case you notice someone else has gotten out, so maybe you can track what they've done.

That's all I've got for now.

--
Matthew K Poer
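
Item 1 of the list above can be turned into a check that is rerun after every change to the kiosk image. This is an added example, not part of the original message: it assumes a sysvinit-style `/etc/inittab`, and the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a sysvinit-style inittab for enabled login gettys.
# Entry format: id:runlevels:action:process

# Print the tty of every enabled getty entry.
active_gettys() {
    awk -F: '
        /^[ \t]*#/  { next }   # commented-out entry
        NF < 4      { next }   # not a full inittab entry
        $3 == "off" { next }   # entry disabled through its action field
        $4 ~ /getty/ {
            sub(/[ \t]+$/, "", $4)
            n = split($4, words, /[ \t]+/)
            print words[n]     # assumes the tty is the last word, as in the sample
        }
    ' "$1"
}

# Print gettys that are not in the allowed list; return 1 if any were found.
unexpected_gettys() {
    file=$1; shift
    allowed=" $* "
    status=0
    for tty in $(active_gettys "$file"); do
        case "$allowed" in
            *" $tty "*) ;;                    # explicitly permitted
            *) echo "$tty"; status=1 ;;       # still offers a text login
        esac
    done
    return $status
}

# Constructed sample input, not taken from a real machine.
write_sample_inittab() {
    cat > "$1" <<'EOF'
# /etc/inittab (constructed sample)
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
4:23:off:/sbin/getty 38400 tty4
EOF
}

# Usage: sh audit.sh /etc/inittab tty1   (prints offenders, exits 1 if any)
if [ $# -gt 0 ]; then unexpected_gettys "$@"; fi
```

On the sample file only `tty2` is reported when `tty1` is the sole allowed console: the commented-out and `off` entries are already disabled.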