Thank you for your detailed reply, I especially like #4! No worries, I had no plans to chmod /etc...

The kids are 14 to 19 years -- and I try not to underestimate them -- I'm practically still a kid myself, and I know *many* personally at other schools that have gained privileges that they shouldn't have; for every ten kids that make a wannabe threat there's usually a quiet 11th that can actually do it :-) The open open office perusal of files outside their home dir still scares me though... I really am a paranoid, controlling person. Maybe Freud was right...

[EMAIL PROTECTED] writes:
>> Does anyone out there have some advice they could share with me on
>> security? My first real exposure to linux was this summer when we decided
>> to go all out and run all our school's dorm computers as LTSP stations...
>>
>> Specifically my concern is this: On all our PCs (yes, I'm paranoid,
>> and yes it's been justified many times over :) in our system I have used
>> registry hacks to hide the C: drive, disable command prompts, etc... This
>> year especially we have actually had THREATS from students to try and hack
>> our servers. The gall!
>...
>I guess maybe what I'm asking is what can I chmod 770 (?) to lock it down;
>the less they can read of my config files the better... I don't want to do
>something however like chmod 770 /etc and then have my system not startup!
>...
>
>*** Well first off don't blanket chmod 770 anything unless you know
>exactly what you're doing (which files will be affected). Chmod 770 /etc
>will break your system instantly (files like passwd, group, and a whole
>bunch more need to be readable by everyone). So I would forget about the
>chmod thing on /etc. Security is an ongoing thing and a system is only as
>secure as the system admin makes it. So it's a good idea to start reading
>up on security. Also it's a good thing to join a couple of security
>mailing lists so that you are informed of the latest vulnerability that
>needs to be fixed. How old are the kids? I find 'threats' of hacking and
>kids who call themselves hackers are nothing more than script kiddies or
>wannabes - there's only a rare few that truly would understand. Windows
>is insecure by default and if that's all the kids were exposed to in the
>past then they will find Linux more difficult to mess with. Anyways here's
>a couple of suggestions. I would research them thoroughly:
>
>- TripWire (or similar). Lets you know which files on the system have
>been changed.
>
>- chkrootkit. Run this program periodically to see if your system has been
>compromised.
>
>- Mark /home, /tmp partition "noexec"...If you have a /var/tmp directory
>then I would symbolic link /var/tmp to /home/var_tmp. "noexec" can be
>by-passed but you have to know how.
>
>- Recompile your kernel with BSD STYLE ACCOUNTING enabled. This will
>record every command/executable a user runs. You can query the entire
>database for particular commands or query all commands by a user - Very
>useful.

________________________________________
David M. Leuser, II
Assistant Network Administrator
New Hampton School
(603) 744-3182 x121
[EMAIL PROTECTED]
________________________________________
"Picture the root account as a magic hat that gives you lots of power, with which you can, by waving your hands, create or destroy entire cities. Because it is easy to wave your hands in a destructive manner, it is not a good idea to wear the magic hat when it is not needed, despite the wonderful feeling."
-- Gnome User's Guide
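A way to verify the "noexec" suggestion from the quoted reply, as an added example that is not part of the original thread: the script reads mount data in /proc/mounts format and reports which user-writable mount points lack the option. The function names (`missing_noexec`, `sample_mounts`, `demo`) and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which mount points lack the "noexec" option.
# Input format is that of /proc/mounts: device mountpoint fstype options dump pass

# missing_noexec MOUNTS_FILE MOUNTPOINT...
# Prints one line per mount point:
#   "<mp> ok"               mounted with noexec
#   "<mp> MISSING-noexec"   mounted, but binaries placed there can be executed
#   "<mp> NOT-A-MOUNT"      not its own filesystem, so it inherits the options of
#                           the filesystem that contains it
missing_noexec() {
    mounts_file=$1
    shift
    for mp in "$@"; do
        # The last matching line wins: a later mount shadows an earlier one.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts_file")
        if [ -z "$opts" ]; then
            echo "$mp NOT-A-MOUNT"
        elif printf '%s\n' "$opts" | tr ',' '\n' | grep -qx 'noexec'; then
            echo "$mp ok"
        else
            echo "$mp MISSING-noexec"
        fi
    done
}

# Constructed sample mount table (not taken from the original post).
sample_mounts() {
    cat <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda5 /home ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /tmp ext3 rw,nosuid,nodev 0 0
EOF
}

# Run the check against the sample table.
demo() {
    f=$(mktemp) || return 1
    sample_mounts > "$f"
    missing_noexec "$f" /home /tmp /var/tmp
    rm -f "$f"
}

demo
```

On a live server, `missing_noexec /proc/mounts /home /tmp /var/tmp` runs the same check against the real mount table. A NOT-A-MOUNT result for /var/tmp is the case the reply's symlink into /home addresses.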