[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [school-discuss] security issues in K12LTSP



Daniel Howard wrote:
When the Ethernet cables are inadvertently swapped in a K12LTSP server, and it proceeds to hand out IP addresses to windows PCs on the school LAN, is it possible for it to also hand out IP addresses to other PCs on the district WAN? Under these conditions, are there any increased security risks from hackers, viruses, etc.?

Depends on the router configurations for your district WAN. Typically the router has to have dhcp helper addresses in place to route DHCP requests to servers on other networks. You probably don't have seriously increased risk from the mistake, if the inside interface of your server is on a private IP, and thus not routed to the Internet. Again that depends on the configuration of the routers etc..


You can probably guess why I'm asking, and since then we have hardcoded the MAC addresses of clients in each room to the server's dhcpd.conf file and turned off dynamic DHCP, in case once again someone comes along after us and rewires the rooms.

I also found a site that referred to the fact that very little security was built into a default LTSP install, is this true for K12LTSP as well? Is there a document for K12LTSP on enhancing security for it? Here's the one I found for LTSP:

http://www.ltsp.org/contrib/ltsp-basic_security.html

That document looks pretty good, there is a bit more that can be done with NFS, setting the ports it's daemons run on to help with firewalling. You can easily check to see if your K12LTSP server has the above measures in place. Fedora has lots of built in security you can take advantage of. I would suggest applying regular updates, running a tripwire of some sort and keeping a good backup as well.


- cameron