have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
Does anyone know of an internet kiosk version of knoppix that is able to be used on a business network (not allowed to browse the network) and only be able to access one or two sites? I am trying to find one for a friend that needs it for his customers. It will allow them to browse his internet page and see his products that aren't in the show room.
If so...
Which one
How do I secure it from being an open door to the local lan
How do I keep it from accessing the rest of the (windows) computers
Make an install on the HDD so it will respond faster
Thanks.
have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
hmm a remaster would be needed i guess.
to begin you might make the "kioskuser" a separate group named "kioskuser" and allow that NOTHING eccept /home/"kioskuser" then as above make all directories not nesesarily read/write read only to kioskuser (as far as i know nothing outside /home), after that perhaps a chown -R root:root to several critical folders (such as /etc /usr/etc, /bin, /sbin, /usr/sbin...).
hmmm, might as well do the reverse chown -R root:root / then open permisions as needed, would take longer but be as safe as could be made.
agree with that. are these clients going to be used for anything else than surfing the mentioned websites? if not, you could just have an "empty" X with mozilla running.
get a router that runs linux like the Linksys WRT54G and a number of iptable rules would be enough. Or just get an unused PC with 2 NIC and run a floppy based firewall.
No need to remaster or whatever.
He already has a router (D-Link DI-614)
I myself am a windows admin (of sorts) and can manipulate windows like it was my own child. Linux is the hard part of this task. I am afraid that if I set up a Linux box, that it could give access to the rest of the network. You see I know that Linux is powerful, and it was born to live on the network (and internet). I have seen my own knoppix box attach to the internet and self detect all the NICs and router and IP information automatically (impressive!).
Now that I know this, I am nervous about allowing a Linux version on the network because of how easy it (could) be to browse the LAN and possibly distroy anything on the rest of the network. Because of the fact that linux is so network amazing, how do I know that the Linux box is safe from the internet cracker jacks! Is linux an open door for them, especially if I don't know how to tinker with it to keep it closed?
Remember I am still new to Linux and there was some things that were said that I can learn (I just don't know how to do them yet!) Te one thing I didn't understand is the "empty X server".
to be honest, if you think anything can keep those really wanting to harm out you are deluded.
the only way to reasonable safety is knowlege. there is always routes around ALL security.
trouble is limiting holes... i would use a plain Debian and instal as little as possible (less risk of bugs, holes...) then i would alow the user to only read the bare minimum from /etc (as others)
then NO KDE, NO gnome... just blackbox and mozilla installed. why? both KDE and Gnome (and some other WM's) have so many "builtins" that they themselves are security risks.
The solution in MY eyes is configuring IPtables to allow acess to only the default gateway by blocking all other adresses on your network.
If you then alow the user to only use mozilla and needed files, user would be even more crippled.
if you wanted you could probably make a alias for logout, a script that empties the /home/user dir from all files then copy them back from a "mirror" somewhare on disk, and chown/chmod them to sensible values before actuall logout.
if i was paranoid i would even remove/break other binaries. why apt-get is not needed to browse. nor is xterm, aterm, ping, wget, make, dpkg... cut everything not needed away.
it might take a few days/weeks depending on your knowledge but it should be possible.
we do this commercially...email me directly zurk AT arbornet DOT org i interested.
Checkout KioskTool - Needs Kde 3.2, you may have to remaster Knoppix to use it. (Or try it with Kanotix)Originally Posted by Hunkah
http://extragear.kde.org/apps/kiosktool.php
http://www.kde-apps.org/content/show...204c047f209c83
Cheers
rob
Couldn't you remove resolv.conf, and then edit /etc/hosts to be able top resolve the sites you want to their IP's....? Install a kiosk mode plugin to mozilla or firefox and set it to launch automatically when KDE starts. Then maybe some editing so that the user is not able to su or sudo.... and also disable KDE hotkeys.
That would be a good start at least, right?
DELL PowerEdge R630 10 Bay SFF 2x E5-2620v4 2.1GHz =16 Cores 32GB H730 4xRJ45
$248.00
Dell PowerEdge R620 Server 2x E5-2660 v1 2.2GHz 16 Cores 256GB RAM 2x 300GB HDD
$89.99
Dell R630 Server 2x E5-2620 V4 2.1GHz =16 Cores 128GB DDR4 1x 960GB 2x 1G 2x 10G
$210.00
Dell PowerEdge R730XD 28 Core Server 2X Xeon E5-2680 V4 H730 128GB RAM No HDD
$389.99
Dell PowerEdge R720XD Xeon E5-2680 V2 2.8GHz 20 Cores 256GB RAM 12x4TB
$510.00
Dell PowerEdge R630 8SFF 2*E5-2695 v3 2.3GHz 64GB No HDD H730 iDrac Ent Server
$129.99
Dell PowerEdge R640 Xeon Silver 4114 2.20GHZ 128GB PC4-2666V H740P RAID NO SSD
$649.99
Dell PowerEdge R415 2x 8-Core AMD Opteron 4284 3.00GHz 64GB RAM 1x 480W No HDDs
$70.00
Dell PowerEdge R430 3.5 1U 2x E5-2666 v3 2.9ghz 20-Cores 128gb 4x Trays 2x 550w
$364.99
Dell Poweredge R730xd 2.5in 2x E5-2690 v3 2.6ghz 24-Cores 64gb H730 2x 750w
$189.99