have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
Does anyone know of an internet kiosk version of knoppix that is able to be used on a business network (not allowed to browse the network) and only be able to access one or two sites? I am trying to find one for a friend that needs it for his customers. It will allow them to browse his internet page and see his products that aren't in the show room.
If so...
Which one
How do I secure it from being an open door to the local lan
How do I keep it from accessing the rest of the (windows) computers
Make an install on the HDD so it will respond faster
Thanks.
have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
hmm a remaster would be needed i guess.
to begin you might make the "kioskuser" a separate group named "kioskuser" and allow that NOTHING eccept /home/"kioskuser" then as above make all directories not nesesarily read/write read only to kioskuser (as far as i know nothing outside /home), after that perhaps a chown -R root:root to several critical folders (such as /etc /usr/etc, /bin, /sbin, /usr/sbin...).
hmmm, might as well do the reverse chown -R root:root / then open permisions as needed, would take longer but be as safe as could be made.
agree with that. are these clients going to be used for anything else than surfing the mentioned websites? if not, you could just have an "empty" X with mozilla running.
get a router that runs linux like the Linksys WRT54G and a number of iptable rules would be enough. Or just get an unused PC with 2 NIC and run a floppy based firewall.
No need to remaster or whatever.
He already has a router (D-Link DI-614)
I myself am a windows admin (of sorts) and can manipulate windows like it was my own child. Linux is the hard part of this task. I am afraid that if I set up a Linux box, that it could give access to the rest of the network. You see I know that Linux is powerful, and it was born to live on the network (and internet). I have seen my own knoppix box attach to the internet and self detect all the NICs and router and IP information automatically (impressive!).
Now that I know this, I am nervous about allowing a Linux version on the network because of how easy it (could) be to browse the LAN and possibly distroy anything on the rest of the network. Because of the fact that linux is so network amazing, how do I know that the Linux box is safe from the internet cracker jacks! Is linux an open door for them, especially if I don't know how to tinker with it to keep it closed?
Remember I am still new to Linux and there was some things that were said that I can learn (I just don't know how to do them yet!) Te one thing I didn't understand is the "empty X server".
to be honest, if you think anything can keep those really wanting to harm out you are deluded.
the only way to reasonable safety is knowlege. there is always routes around ALL security.
trouble is limiting holes... i would use a plain Debian and instal as little as possible (less risk of bugs, holes...) then i would alow the user to only read the bare minimum from /etc (as others)
then NO KDE, NO gnome... just blackbox and mozilla installed. why? both KDE and Gnome (and some other WM's) have so many "builtins" that they themselves are security risks.
The solution in MY eyes is configuring IPtables to allow acess to only the default gateway by blocking all other adresses on your network.
If you then alow the user to only use mozilla and needed files, user would be even more crippled.
if you wanted you could probably make a alias for logout, a script that empties the /home/user dir from all files then copy them back from a "mirror" somewhare on disk, and chown/chmod them to sensible values before actuall logout.
if i was paranoid i would even remove/break other binaries. why apt-get is not needed to browse. nor is xterm, aterm, ping, wget, make, dpkg... cut everything not needed away.
it might take a few days/weeks depending on your knowledge but it should be possible.
we do this commercially...email me directly zurk AT arbornet DOT org i interested.
Checkout KioskTool - Needs Kde 3.2, you may have to remaster Knoppix to use it. (Or try it with Kanotix)Originally Posted by Hunkah
http://extragear.kde.org/apps/kiosktool.php
http://www.kde-apps.org/content/show...204c047f209c83
Cheers
rob
Couldn't you remove resolv.conf, and then edit /etc/hosts to be able top resolve the sites you want to their IP's....? Install a kiosk mode plugin to mozilla or firefox and set it to launch automatically when KDE starts. Then maybe some editing so that the user is not able to su or sudo.... and also disable KDE hotkeys.
That would be a good start at least, right?
A-Tech 8GB DDR3 1600 PC3-12800 Laptop SODIMM 204-Pin Memory RAM PC3L DDR3L 1x 8G
$13.99
Crucial DDR3L 16GB 1600 2x 8GB PC3-12800 Laptop SODIMM Memory RAM PC3 16G DDR3
$21.50
HyperX FURY DDR3 8GB 16GB 32GB 1600 MHz PC3-12800 Desktop RAM Memory DIMM 240pin
$16.50
Samsung 8GB 2Rx8 DDR3 PC3L-12800S LAPTOP SODIMM RAM MEMORY
$8.00
Crucial DDR3L 16GB 1600 2x 8GB PC3-12800 Laptop SODIMM Memory RAM PC3 16G DDR3
$13.50
32GB ECC DDR3 RAM 2x16GB PC3L-12800R Desktop/Server Memory
$11.99
A-Tech 32GB 2x 16GB PC4-21300 Laptop SODIMM 260-Pin DDR4 2666 MHz Memory RAM Kit
$59.99
16GB DDR4 Corsair Vengeance LPX 3000 Mhz 1.35V Desktop Computer PC Memory RAM
$26.99
A-Tech 128GB 8x 16GB 2Rx4 PC4-19200R DDR4 2400 ECC REG RDIMM Server Memory RAM
$175.92
A-Tech 128GB 4x 32GB 2Rx4 PC4-21300R DDR4 2666 ECC REG RDIMM Server Memory RAM
$199.96