With the NX client set up as described on the wiki and a user logged in, an Nmap scan of the clients shows ports 6000 and 6001 open. 6001 requires authorized access but 6000 does not. I'm not sure if it's exploitable like this, but it shows up on our vulnerability scans.
David Kennel
On Dec 21, 2006, at 9:26 PM, Todd Shoemaker wrote:
David-
By default the X server should not allow unauthorized access without the magic cookie. In other words, another user on another terminal logged into the same server can't just export DISPLAY=my_terminal:0.0 and run an application on my terminal. If I ran xhost +server they could, but that's just asking for trouble. Does the company policy require that you can't even scan the port?
If so, the only solution is to get ip_tables running; download the kernel source and copy in the .config file used for the LTSP kernel. You can then make xconfig and enable the ip_tables module, then 'make modules'. You shouldn't have to install the kernel, just copy the module into the kernel tree. IIRC, you'll also need to update the module map with something like:
depmod -b /opt/ltsp4/i386/lib/modules 2.6.17.8-ltsp-1
If you've never built a kernel and none of that made sense, let me know and I can walk you through it. Building a kernel is pretty easy once you've done it once or twice.
-Todd
David Kennel wrote:
I used the instructions located on the LTSP wiki to install the NX client into the root for the LTSP clients and add the appropriate screen script to start the NX client on boot. That portion of the setup is relatively straightforward and appears to be working beautifully. The instructions are here: http://wiki.ltsp.org/twiki/bin/view/Ltsp/WorkInProgress#LTSP_via_OpenVPN
I have tried limiting access via hosts.allow with no success. I tried iptables, but the 2.6.17.8-ltsp-1 kernel does not have iptables. I get the following error when trying to do # /sbin/iptables -L :
modprobe: FATAL: Module ip_tables not found.
iptables v1.2.11: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Due to company security restrictions we are not allowed to have X on the network without encryption. Nor can we have X servers listening to the network without access control.
David Kennel
On Dec 20, 2006, at 7:12 AM, Todd Shoemaker wrote:
David Kennel wrote:
I am piloting an LTSP based solution. Due to our security requirements I have had to tweak the configuration quite a bit to harden the system. I have moved the clients to encrypted connections based on FreeNX but the clients are still opening their X11 servers to dog + world. Does anyone know of a good way to shut this down or at least verifiably limit the traffic to the server?
I have considered moving all the traffic to an encrypted VPN but cannot find good documentation on this process.
David-
I haven't tried this, but the terminal kernels should be able to use the built-in Linux firewall iptables to block all but expected traffic. You may have to copy the iptables utils into $LTSP/i386 so they can be run by the terminals. Once you get the rules you want (there are web sites that can build these for you), add a script to $LTSP/etc/rc.d and call it by adding a line to lts.conf like this: RC_FILE=myscript.sh .
My next question is how you "moved the clients to encrypted connections based on FreeNX". Does LTSP come with a freenx client already installed now? Or do your clients log in to the terminal server and then run freenx from the server to the remote server? I would be curious to learn what heavy lifting you had to do to get freenx installed on the terminal as a default client (like we already have with X11, rdesktop, and telnet).
Finally, LTSP is not necessarily intended to be a secure traffic solution, but a trusted LAN solution. Any time you have NFS, SMB, or any non-ssh file sharing such as we use for LTSP (to run the terminals), you need to place some trust on your physical LAN. You could adopt a fully encrypted solution for files and X11 traffic, but if you start encrypting the X11 traffic using SSH, freenx, RDP, etc, you introduce latency that can be felt by the user. It's not so bad when you use it over the Internet/WAN, but it can be felt on a LAN versus an unencrypted X11 session.
-Todd
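A terminal-side firewall script of the kind Todd describes, as an added example that is not part of this thread or of LTSP's own code. It is meant to be dropped into $LTSP/etc/rc.d and started from lts.conf with RC_FILE=x11-firewall.sh, and it restricts the terminal's X displays (the 6000/6001 ports David's scan found) to the LTSP server alone, logging and dropping everyone else. The server address 192.168.0.254, the port range, the /sbin/iptables path and the kernel module names (ip_tables, iptable_filter, ipt_LOG) are assumptions; the rules are emitted as text first so they can be reviewed before they are applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from LTSP.  Restricts the
# terminal's X server ports to the LTSP server.  Assumes the terminal kernel
# carries ip_tables, iptable_filter and ipt_LOG (built as Todd describes) and
# that the iptables binary lives at $IPTABLES on the terminal root.

IPTABLES="${IPTABLES:-/sbin/iptables}"
SERVER_IP="${SERVER_IP:-192.168.0.254}"   # assumed LTSP/NX server address
X11_PORTS="${X11_PORTS:-6000:6001}"       # displays :0 and :1 seen in the scan

# Emit the rule set as text so it can be reviewed (and tested) before it is
# applied.  Policy, in order:
#   1. the LTSP server may connect to the terminal's X displays,
#   2. any other source hitting those ports is logged, then dropped.
# Nothing else on INPUT is touched, so NFS/TFTP/DHCP from the server keep
# working and the diskless terminal does not lose its root filesystem.
x11_firewall_rules() {
    server="$1"
    ports="$2"
    cat <<EOF
-A INPUT -p tcp -s $server --dport $ports -j ACCEPT
-A INPUT -p tcp --dport $ports -j LOG --log-prefix X11-DENY:
-A INPUT -p tcp --dport $ports -j DROP
EOF
}

# Number of rules a server/ports pair produces; a cheap sanity check.
x11_firewall_rule_count() {
    x11_firewall_rules "$1" "$2" | wc -l | tr -d ' '
}

# Apply the rules one per line.  Word splitting of $rule is intentional:
# each emitted line is a complete iptables argument list without quoted
# spaces.  Stop at the first rule iptables rejects.
apply_x11_firewall() {
    x11_firewall_rules "$1" "$2" | while read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule || exit 1
    done
}

case "${1:-}" in
    apply) apply_x11_firewall "$SERVER_IP" "$X11_PORTS" ;;
    show)  x11_firewall_rules "$SERVER_IP" "$X11_PORTS" ;;
esac
```

Run `sh x11-firewall.sh show` on the server to review the rules, then let RC_FILE call it with `apply` at boot. Once applied, a scan of the terminal from any host other than the server reports 6000/6001 as filtered rather than open, and each rejected attempt shows up in the terminal's kernel log with the X11-DENY: prefix, which is the verifiable limit David asked for.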
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net