David- By default the X server should not allow unauthorized access without the magic cookie. In other words, another user on another terminal logged into the same server can't just export DISPLAY=my_terminal:0.0 and run an application on my terminal. If I ran xhost +server they could, but that's just asking for trouble. Does the company policy require that you can't even scan the port?
If so, the only solution is to get ip_tables running; download the kernel source and copy in the .config file used from the LTSP kernel. You can then make xconfig and enable the ip_tables module, then 'make modules'. You shouldn't have to install the kernel, just copy the module into the kernel tree. IIRC, you'll also need to update the module map with something like:

depmod -b /opt/ltsp4/i386/lib/modules 2.6.17.8-ltsp-1

If you've never built a kernel and none of that made sense, let me know and I can walk you through it. Building a kernel is pretty easy once you've done it once or twice.

-Todd

David Kennel wrote:
> I used the instructions located on the LTSP wiki to install the NX
> client into the root for the LTSP clients and add the appropriate
> screen script to start the NX client on boot. That portion of the
> setup is relatively straightforward and appears to be working
> beautifully. The instructions are here:
> http://wiki.ltsp.org/twiki/bin/view/Ltsp/WorkInProgress#LTSP_via_OpenVPN
>
> I have tried limiting access via hosts.allow with no success. I tried
> iptables but the 2.6.17.8-ltsp-1 kernel does not have iptables. When
> trying to do # /sbin/iptables -L I get the following error:
>
> modprobe: FATAL: Module ip_tables not found.
>
> iptables v1.2.11: can't initialize iptables table 'filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your your kernel needs to be upgraded.
>
> Due to company security restrictions we are not allowed to have X on
> the network without encryption. Nor can we have Xservers listening to
> the network without access control.
>
> David Kennel
>
> On Dec 20, 2006, at 7:12 AM, Todd Shoemaker wrote:
>
>> David Kennel wrote:
>>> I am piloting an LTSP based solution. Due to our security requirements
>>> I have had to tweak the configuration quite a bit to harden the
>>> system. I have moved the clients to encrypted connections based on
>>> FreeNX but the clients are still opening their X11 servers to dog +
>>> world. Does anyone know of a good way to shut this down or at least
>>> verifiably limit the traffic to the server.
>>>
>>> I have considered moving all the traffic to an encrypted VPN but
>>> cannot find good documentation on this process.
>>
>> David-
>>
>> I haven't tried this, but the terminal kernels should be able to use the
>> built-in Linux firewall iptables to block all but expected traffic. You
>> may have to copy the iptables utils into $LTSP/i386 so they can be run
>> by the terminals. Once you get the rules you want (there are web sites
>> that can build these for you), add a script to $LTSP/etc/rc.d and call
>> it by adding a line to lts.conf like this: RC_FILE=myscript.sh .
>>
>> My next question is how you "moved the clients to encrypted connections
>> based on FreeNX". Does LTSP come with a freenx client already installed
>> now? Or do your clients log in to the terminal server and then run
>> freenx from the server to the remote server? I would be curious to
>> learn what heavy lifting you had to do to get freenx installed on the
>> terminal as a default client (like we already have with X11, rdesktop,
>> and telnet).
>>
>> Finally, LTSP is not necessarily intended to be a secure traffic
>> solution, but a trusted LAN solution. Any time you have NFS, SMB, or
>> any non-ssh file sharing such as we use for LTSP (to run the terminals),
>> you need to place some trust on your physical LAN. You could adopt a
>> fully encrypted solution for files and X11 traffic, but if you start
>> encrypting the X11 traffic using SSH, freenx, RDP, etc, you introduce
>> latency that can be felt by the user. It's not so bad when you use it
>> over the Internet/WAN, but it can be felt on a LAN versus an unencrypted
>> X11 session.
>>
>> -Todd
>>
>> -------------------------------------------------------------------------
>> Take Surveys. Earn Cash. Influence the Future of IT
>> Join SourceForge.net's Techsay panel and you'll get the chance to
>> share your opinions on IT & business topics through brief surveys - and earn cash
>> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
>> _____________________________________________________________________
>> Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
>> https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
>> For additional LTSP help, try #ltsp channel on irc.freenode.net
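As an added example (not code from anyone in the thread), here is what the $LTSP/etc/rc.d script Todd describes could look like once ip_tables is available on the terminal: it restricts the X server ports (tcp 6000-6063) to the terminal server and first checks that the rebuilt module exists. The variable name LTSP_SERVER and the module-tree argument to have_ip_tables are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the thread: an LTSP terminal firewall script meant
# to live in $LTSP/etc/rc.d and be called via RC_FILE= in lts.conf. It limits
# the X server ports (tcp 6000-6063) to the terminal server only.
# Assumed names: LTSP_SERVER (server IP, from the environment) and IPT.

IPT=${IPT:-/sbin/iptables}

# Check that the rebuilt ip_tables module exists in the given module tree
# (e.g. /opt/ltsp4/i386/lib/modules/2.6.17.8-ltsp-1 on the server side, or
# /lib/modules/$(uname -r) on the booted terminal). Without it iptables
# fails with "Module ip_tables not found", as seen in the thread.
have_ip_tables() {
    if find "$1" -name 'ip_tables.ko' 2>/dev/null | grep -q .; then
        return 0
    fi
    return 1
}

# Emit the rules as text so they can be reviewed (or tested) before being
# applied. Only the X11 port range is touched: NFS, TFTP and the NX client's
# own outbound sessions are left alone, so no stateful modules are needed.
x11_rules() {
    server="$1"
    cat <<EOF
$IPT -F INPUT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp --dport 6000:6063 -s $server -j ACCEPT
$IPT -A INPUT -p tcp --dport 6000:6063 -j DROP
EOF
}

# Apply the rules only when a server address is given (assumed variable).
if [ -n "$LTSP_SERVER" ]; then
    if have_ip_tables "/lib/modules/$(uname -r)"; then
        x11_rules "$LTSP_SERVER" | sh
    else
        echo "ip_tables module missing for $(uname -r); rebuild it first" >&2
        exit 1
    fi
fi
```

Using DROP rather than REJECT means a scan from any other host sees the X ports as filtered, and the rule set needs only the ip_tables and filter-table modules.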
