have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
Does anyone know of an internet kiosk version of knoppix that is able to be used on a business network (not allowed to browse the network) and only be able to access one or two sites? I am trying to find one for a friend that needs it for his customers. It will allow them to browse his internet page and see his products that aren't in the show room.
If so...
Which one
How do I secure it from being an open door to the local lan
How do I keep it from accessing the rest of the (windows) computers
Make an install on the HDD so it will respond faster
Thanks.
have them in a different subnet...? and dont give users any administrative rights
about the website: just adjust the router settings to only route to certain sites and not to any ip on the internet.
hmm a remaster would be needed i guess.
to begin you might make the "kioskuser" a separate group named "kioskuser" and allow that NOTHING eccept /home/"kioskuser" then as above make all directories not nesesarily read/write read only to kioskuser (as far as i know nothing outside /home), after that perhaps a chown -R root:root to several critical folders (such as /etc /usr/etc, /bin, /sbin, /usr/sbin...).
hmmm, might as well do the reverse chown -R root:root / then open permisions as needed, would take longer but be as safe as could be made.
agree with that. are these clients going to be used for anything else than surfing the mentioned websites? if not, you could just have an "empty" X with mozilla running.
get a router that runs linux like the Linksys WRT54G and a number of iptable rules would be enough. Or just get an unused PC with 2 NIC and run a floppy based firewall.
No need to remaster or whatever.
He already has a router (D-Link DI-614)
I myself am a windows admin (of sorts) and can manipulate windows like it was my own child. Linux is the hard part of this task. I am afraid that if I set up a Linux box, that it could give access to the rest of the network. You see I know that Linux is powerful, and it was born to live on the network (and internet). I have seen my own knoppix box attach to the internet and self detect all the NICs and router and IP information automatically (impressive!).
Now that I know this, I am nervous about allowing a Linux version on the network because of how easy it (could) be to browse the LAN and possibly distroy anything on the rest of the network. Because of the fact that linux is so network amazing, how do I know that the Linux box is safe from the internet cracker jacks! Is linux an open door for them, especially if I don't know how to tinker with it to keep it closed?
Remember I am still new to Linux and there was some things that were said that I can learn (I just don't know how to do them yet!) Te one thing I didn't understand is the "empty X server".
to be honest, if you think anything can keep those really wanting to harm out you are deluded.
the only way to reasonable safety is knowlege. there is always routes around ALL security.
trouble is limiting holes... i would use a plain Debian and instal as little as possible (less risk of bugs, holes...) then i would alow the user to only read the bare minimum from /etc (as others)
then NO KDE, NO gnome... just blackbox and mozilla installed. why? both KDE and Gnome (and some other WM's) have so many "builtins" that they themselves are security risks.
The solution in MY eyes is configuring IPtables to allow acess to only the default gateway by blocking all other adresses on your network.
If you then alow the user to only use mozilla and needed files, user would be even more crippled.
if you wanted you could probably make a alias for logout, a script that empties the /home/user dir from all files then copy them back from a "mirror" somewhare on disk, and chown/chmod them to sensible values before actuall logout.
if i was paranoid i would even remove/break other binaries. why apt-get is not needed to browse. nor is xterm, aterm, ping, wget, make, dpkg... cut everything not needed away.
it might take a few days/weeks depending on your knowledge but it should be possible.
we do this commercially...email me directly zurk AT arbornet DOT org i interested.
Checkout KioskTool - Needs Kde 3.2, you may have to remaster Knoppix to use it. (Or try it with Kanotix)Originally Posted by Hunkah
http://extragear.kde.org/apps/kiosktool.php
http://www.kde-apps.org/content/show...204c047f209c83
Cheers
rob
Couldn't you remove resolv.conf, and then edit /etc/hosts to be able top resolve the sites you want to their IP's....? Install a kiosk mode plugin to mozilla or firefox and set it to launch automatically when KDE starts. Then maybe some editing so that the user is not able to su or sudo.... and also disable KDE hotkeys.
That would be a good start at least, right?
Cisco GLC-FE-100FX-RGD 100BASE-FX SFP Transceiver Module
$17.99
Lot of 10pcs Brocade 57-1000012-01 8Gbps SWL 850nm SFP+ Optical Transceivers
$19.00
Cisco Meraki MA-SFP-1GB-SX 1000BASE-SX SFP Transceiver Module
$24.99
Cisco Meraki MA-SFP-10GB-SR 10G SFP+ SR 850nm 300m LC MMF
$29.99
Genuine Cisco SFP-10G-SR V03 10GBASE-SR SFP+ Transceiver Module 10-2415-03
$8.00
SFP-10G-SR Original Cisco 10GBASE-SR SFP+ V02 Multi mode Transceiver 10-2415-02
$5.00
Brand New Cisco GLC-LH-SMD 1000BASE-LX/LH SFP Module 1310nm 10km SMF LC
$13.89
10Gbps 10GB SFP+SR transceiver for UniFi Switch 16 XG 16port Ubiquiti US-16-XG
$10.99
10 PCS Cisco GLC-LH-SMD 10-2625-01 1310nm SFP Transceiver Module
$85.00
New HP HPE Aruba J9150D 10G SFP+ LC SR 850nm 300m MMF XCVR Transceiver Module
$49.99