Gentoo Forums
Need security tips for a school comp
Mr.Grim
Tux's lil' helper


Joined: 28 Nov 2003
Posts: 124

Posted: Fri Aug 27, 2004 8:46 pm    Post subject: Need security tips for a school comp

Hey everyone, I'm setting up a Gentoo computer at the high school I work at and would like to know what I could do to make it as secure as possible, because there will be a ton of high school kids trying all they can to break it.
Anyone know what kind of steps I need to take?
armandocerna
n00b


Joined: 18 Jun 2004
Posts: 22
Location: Reseda, CA

Posted: Fri Aug 27, 2004 9:45 pm

To start off, two words: Optical Mouse. Regular mouse balls tend to not last long. I would also try to lock the case away so it can't be accessed. As far as software goes, just use GNOME or KDE and don't put a link to anything they shouldn't be using.
nightblade
Guru


Joined: 20 Jul 2004
Posts: 368
Location: back from SE Asia

Posted: Sat Aug 28, 2004 6:54 pm

1 - emerge only necessary packages. Don't leave around useless daemons to play with

2 - emerge iptables, and set up a policy paranoid enough to block unwanted traffic

3 - keep the software constantly updated

4 - install the grsecurity patches (http://www.grsecurity.net). Your box will be MUCH harder to exploit (5cr1pt k1dd13z won't have any success in running the latest exploit they have just downloaded)

5 - run Bastille (it's in the portage tree). It's an interactive program that helps you harden your linux box from ground up (firewall rules, unnecessary services, suid progs, ...)

And that will keep away the 98% of the bad guys out there :)
_________________
In God we trust. All the others must provide a valid X.509 certificate
lwithers
Guru


Joined: 31 Dec 2003
Posts: 300
Location: Reading, UK

Posted: Sat Aug 28, 2004 11:30 pm

And, of course, make sure that you never leave consoles logged in and always lock the X screen when you're away!

You probably want to set up your iptables to reject all input traffic (except perhaps on ssh) and all ICMP input traffic.
nielchiano
Veteran


Joined: 11 Nov 2003
Posts: 1287
Location: 50N 3E

Posted: Tue Aug 31, 2004 6:18 pm

lwithers wrote:
You probably want to set up your iptables to reject [...] all ICMP input traffic.

DON'T EVER DO THAT! ICMP messages are absolutely needed packets to get the internet going!
Of course, you might want to block packets that are very seldom used for real and mostly used for exploits, but at the very minimum allow the destination-unreachable-family through!
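The policy the two posts above arrive at (drop inbound by default, allow SSH, keep the ICMP destination-unreachable family), as an added example that is not part of the thread. The SSH port, the two extra ICMP error types, the use of the conntrack match and the function names `build_rules` and `icmp_errors_allowed` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. SSH_PORT and ICMP_TYPES are assumed values.
SSH_PORT="${SSH_PORT:-22}"
ICMP_TYPES="${ICMP_TYPES:-destination-unreachable time-exceeded parameter-problem}"

# Print an iptables-restore ruleset: drop inbound by default, allow SSH and ICMP errors.
build_rules() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus ICMP errors tied to them.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # destination-unreachable includes the fragmentation-needed code that
    # path MTU discovery depends on.
    for t in $ICMP_TYPES; do
        echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    echo "-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT"
    echo 'COMMIT'
}

# Simplified audit of a ruleset on stdin: succeed only if an INPUT rule accepts
# destination-unreachable (or all ICMP) before any rule drops ICMP wholesale.
# It reads explicit "-p icmp" rules only and ignores conntrack and user chains.
icmp_errors_allowed() {
    while read -r line; do
        case "$line" in
            "-A INPUT"*"-p icmp"*"--icmp-type destination-unreachable"*"-j ACCEPT"*) return 0 ;;
            "-A INPUT"*"-p icmp"*"--icmp-type"*) ;;   # another specific type: keep scanning
            "-A INPUT"*"-p icmp"*"-j ACCEPT"*) return 0 ;;
            "-A INPUT"*"-p icmp"*"-j DROP"*|"-A INPUT"*"-p icmp"*"-j REJECT"*) return 1 ;;
        esac
    done
    return 1   # no explicit accept: the chain policy decides
}

# Load the rules only when asked to; needs root and iptables-restore.
if [ "${1:-}" = "--apply" ]; then
    build_rules | iptables-restore
fi
```

Run without arguments it changes nothing; `build_rules` can be inspected or piped through `icmp_errors_allowed` before the script is run with `--apply`.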
Mr.Grim
Tux's lil' helper


Joined: 28 Nov 2003
Posts: 124

Posted: Mon Sep 06, 2004 2:48 pm

nightblade wrote:

4 - install the grsecurity patches (http://www.grsecurity.net). Your box will be MUCH harder to exploit (5cr1pt k1dd13z won't have any success in running the latest exploit they have just downloaded)

5 - run Bastille (it's in the portage tree). It's an interactive program that helps you harden your linux box from ground up (firewall rules, unnecessary services, suid progs, ...)

And that will keep away the 98% of the bad guys out there :)



Thanks, those are some really good ideas I didn't think of.
All times are GMT