Is there a knoppix Web Kiosk?

**Hunkah** · 04-23-2004, 10:24 AM

Does anyone know of an internet kiosk version of knoppix that is able to be used on a business network (not allowed to browse the network) and only be able to access one or two sites? I am trying to find one for a friend that needs it for his customers. It will allow them to browse his internet page and see his products that aren't in the show room.

If so...
Which one
How do I secure it from being an open door to the local lan
How do I keep it from accessing the rest of the (windows) computers
Make an install on the HDD so it will respond faster

Thanks.

**Camel** · 04-26-2004, 01:56 PM

have them in a different subnet...? and dont give users any administrative rights

about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.

**OErjan** · 04-26-2004, 05:23 PM

hmm a remaster would be needed i guess.
to begin you might make the "kioskuser" a separate group named "kioskuser" and allow that NOTHING eccept /home/"kioskuser" then as above make all directories not nesesarily read/write read only to kioskuser (as far as i know nothing outside /home), after that perhaps a chown -R root:root to several critical folders (such as /etc /usr/etc, /bin, /sbin, /usr/sbin...).
hmmm, might as well do the reverse chown -R root:root / then open permisions as needed, would take longer but be as safe as could be made.

**Camel** · 04-27-2004, 11:09 AM

agree with that. are these clients going to be used for anything else than surfing the mentioned websites? if not, you could just have an "empty" X with mozilla running.

**garyng** · 04-27-2004, 11:12 AM

get a router that runs linux like the Linksys WRT54G and a number of iptable rules would be enough. Or just get an unused PC with 2 NIC and run a floppy based firewall.

No need to remaster or whatever.

**Hunkah** · 04-28-2004, 07:24 AM

He already has a router (D-Link DI-614)

I myself am a windows admin (of sorts) and can manipulate windows like it was my own child. Linux is the hard part of this task. I am afraid that if I set up a Linux box, that it could give access to the rest of the network. You see I know that Linux is powerful, and it was born to live on the network (and internet). I have seen my own knoppix box attach to the internet and self detect all the NICs and router and IP information automatically (impressive!).

Now that I know this, I am nervous about allowing a Linux version on the network because of how easy it (could) be to browse the LAN and possibly distroy anything on the rest of the network. Because of the fact that linux is so network amazing, how do I know that the Linux box is safe from the internet cracker jacks! Is linux an open door for them, especially if I don't know how to tinker with it to keep it closed?

Remember I am still new to Linux and there was some things that were said that I can learn (I just don't know how to do them yet!) Te one thing I didn't understand is the "empty X server".

**OErjan** · 04-28-2004, 09:28 AM

to be honest, if you think anything can keep those really wanting to harm out you are deluded.
the only way to reasonable safety is knowlege. there is always routes around ALL security.
trouble is limiting holes... i would use a plain Debian and instal as little as possible (less risk of bugs, holes...) then i would alow the user to only read the bare minimum from /etc (as others)
then NO KDE, NO gnome... just blackbox and mozilla installed. why? both KDE and Gnome (and some other WM's) have so many "builtins" that they themselves are security risks.
The solution in MY eyes is configuring IPtables to allow acess to only the default gateway by blocking all other adresses on your network.
If you then alow the user to only use mozilla and needed files, user would be even more crippled.
if you wanted you could probably make a alias for logout, a script that empties the /home/user dir from all files then copy them back from a "mirror" somewhare on disk, and chown/chmod them to sensible values before actuall logout.

if i was paranoid i would even remove/break other binaries. why apt-get is not needed to browse. nor is xterm, aterm, ping, wget, make, dpkg... cut everything not needed away.
it might take a few days/weeks depending on your knowledge but it should be possible.

**zurk** · 04-29-2004, 07:13 PM

we do this commercially...email me directly zurk AT arbornet DOT org i interested.

**monkymind** · 04-30-2004, 01:26 AM

Originally Posted by Hunkah

Does anyone know of an internet kiosk version of knoppix that is able to be used on a business network (not allowed to browse the network) and only be able to access one or two sites? .

Checkout KioskTool - Needs Kde 3.2, you may have to remaster Knoppix to use it. (Or try it with Kanotix)
http://extragear.kde.org/apps/kiosktool.php
http://www.kde-apps.org/content/show...204c047f209c83

Cheers
rob

**arkaine23** · 04-30-2004, 01:31 AM

Couldn't you remove resolv.conf, and then edit /etc/hosts to be able top resolve the sites you want to their IP's....? Install a kiosk mode plugin to mozilla or firefox and set it to launch automatically when KDE starts. Then maybe some editing so that the user is not able to su or sudo.... and also disable KDE hotkeys.

That would be a good start at least, right?