
Re: Help



On 03-May 06:14, Brian Furry wrote:
> 
> Hello:
> 
> I am in the process of getting a debian server in the high school that I
> teach in.  The network admin is concerned about the security of the
> existing Novell Server, border manager, etc.  Our ISP is very picky
> about not hogging more bandwidth than we are supposed to use.
> 
> I have been carefully pushing for a debian linux server for about 3 years
> and now I am very close to getting one for my students to program on. The
> network admin is the last person I need to sign off on....
> 
> 
> Below is a message from him, that I need to reply to in order for him 
> to sanction the machine.  I would like some help in creating a response 
> to soothe his anxiety and fears.
> 
> 
> **********************************************
> 
> I have described the Linux project, its uses, and its physical placement
> within our network, to four knowledgeable people, and asked for their
> thoughts and recommendations.
> 
> A. Partner in a consulting company based in Hunterdon County.  Their
> mission is to encourage Linux use in small/medium companies.
> 
> B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
> compliance and Unix network administrator)
> 
> C. Network technician.  This person builds wide-area networks for
> corporations and financial institutions
> 
> D. Computer consultant.  This person has extensive employment experience
> (programming, documentation, database, networking) with HP, Agilent, and
> others.  Husband and brother also do design work for top computer firms.
> 
> 
> They all insisted that a dedicated firewall is a requirement.  They are
> unanimous in their exhortation that the server be properly secured.  "B"
> gave specific items to examine in this regard,  and "A" offered to scan it
> from inside and outside our building.  
> 
> "A,"  "B,"  and "C" state that, even if it IS properly secured, this does
> not prevent some types of malicious behavior.  "A" and "B" think that the
> risk is no greater than our current setup, while "C" has reservations that
> we should not increase our susceptibility, and that the 24-hour
> availability of this server leaves us open to mischief.
>
> I share "C"'s concern.  In-school computer use is subject to various
> controls, not the least of which is teacher oversight.  By design, a
> publicly accessible server on which students can run their own programs at
> 3 a.m. lacks this important security. 

There are PAM settings that disallow users based on time of day. (See the PAM
documentation.) 

> In light of this last point, let me pose a situation:  A student loads and
> runs a program onto this Linux server which then launches attacks on other
> computers or routers on the Internet.  Such attacks could be as simple as
> participating in a Denial-of-Service attack.  In our earlier meeting, you
> said that proper settings, permissions, and restrictions could prevent that.  
> 
> Since this is one of the situations for which I am most concerned, can you
> give me (in excruciating detail) the steps which would prevent this?  
 
If this is of great concern, setting up cron jobs to take the machine offline
at the end of the school day, and returning it online in the morning, is not
difficult. Refining firewall rules to allow only "good" access is also a
possibility. Using apt-get to stay up-to-date lessens the chance that bugs leave
this machine open to general attack for long, and lessens support time spent
just keeping software patches straight.

Also, if you feel up to it, the grsecurity patch allows you to "lock down" the
kernel more, and disallow run-of-the-mill exploits. This does have some
performance impact, but it's not really noticeable on today's hardware (new stuff).
 
 
Thomas 
> ======================================================================
> Brian R. Furry						fbrian@nac.net
> ==============						===============
> 	
>   The Power of Open Source can only give the people what 
>   they so richly deserve ...
> 	
>   stable and flexible computing
> 
> 
> ================					===============
> Debian/GNU Linux                        		www.debian.org
> =======================================================================
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
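
The three controls named in the reply above (PAM time-of-day limits, firewall rules, cron jobs that take the machine offline), sketched as an added example that is not part of the original message. The group name `students`, the interface `eth0` and the 07:30-16:00 weekday window are assumptions, and applying the firewall rules to outbound traffic by group is one reading of "good" access.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: group "students",
# interface "eth0", school hours 07:30-16:00 on weekdays.
OPEN=0730
CLOSE=1600
STUDENT_GROUP=students
IFACE=eth0

# Lines for /etc/security/time.conf (format: services;ttys;users;times).
# Every account except root may log in only Mon-Fri (Wk) inside the window.
time_conf() {
    for svc in sshd login; do
        printf '%s;*;!root;Wk%s-%s\n' "$svc" "$OPEN" "$CLOSE"
    done
}

# Line to add to /etc/pam.d/sshd and /etc/pam.d/login so time.conf is enforced.
pam_line() {
    printf 'account required pam_time.so\n'
}

# pam_time is checked at login only: a job left running, or queued with at(1),
# still runs at 3 a.m. These rules stop processes whose primary group is
# STUDENT_GROUP from opening new outbound connections, and log each attempt.
egress_rules() {
    cat <<EOF
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner ${STUDENT_GROUP} -j LOG --log-prefix "student-egress: "
iptables -A OUTPUT -m owner --gid-owner ${STUDENT_GROUP} -j REJECT
EOF
}

# /etc/cron.d entries derived from the same OPEN/CLOSE values, so the network
# window cannot drift from the login window. Recovery then needs console access.
cron_d() {
    oh=${OPEN%??}; om=${OPEN#??}; ch=${CLOSE%??}; cm=${CLOSE#??}
    printf '%s %s * * 1-5 root /sbin/ifdown %s\n' "${cm#0}" "${ch#0}" "$IFACE"
    printf '%s %s * * 1-5 root /sbin/ifup %s\n' "${om#0}" "${oh#0}" "$IFACE"
}

# Print everything for review; nothing is written to /etc by this script.
if [ "${1:-}" = "--print" ]; then
    time_conf; pam_line; egress_rules; cron_d
fi
```

Run with `--print` to review the generated lines before copying them into place as root.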
