James Hammer
Copyright 2003 James W. Hammer
Distributable under terms of GNU GPL
Version 1.12 20MAR03
This document is distributed on a free basis. The author doesn't guarantee accuracy or results. Use at your own risk or benefit.
This document is a starter guide to securing a Linux Terminal Server Project (LTSP) based server. It gives basic security hints and sets out a bare minimum that anyone using LTSP should want to implement. There is very little security built into the default install of LTSP. Take these steps to make sure that you aren't leaving the back door open to a cracker. However, there are more steps beyond this howto that are necessary to completely lock the door.
The Linux Terminal Server Project is software that allows you to use slower computers as a means to display and run programs on a larger faster computer. Besides facilitating an easy way to recycle older hardware and put it to use, the terminal approach can save money on deployment and maintenance leading to lower total cost of ownership (TCO).
This howto assumes a relatively plain install of LTSP. The server computer will only run LTSP and user programs, not be a web/DNS/FTP/whatever server. Read this howto from the beginning, because it moves from the simplest topics to the hardest. I have only tested on Red Hat 7.3 and 8.0, using LTSP version 3, but all of the tips should apply equally well to other Linux distributions. The example also assumes only one network/subnet, and more complex network setups may be more difficult to set up and secure. ALWAYS try out modifications on a test server, and remember, the author will not be fired when your boss can't read his e-mail.
Secure Graphical (X Window based) Display Managers: GDM is a graphical login program for the X Window system and the GNOME desktop, using the XDMCP protocol. Use the graphical "gdmsetup" program to set up GDM. On the "security" tab in "gdmsetup" uncheck "Allow root to log in with GDM." You can still use "su" to become root later. While you are at it, uncheck everything. This will help ensure that everyone logs in as a regular user, which is good for security. The fewer programs you run with root privileges, the better. The only one of these that I check is "Show system menu", but if you do, it gives anyone the power to reboot/shutdown the system, which could be used in an attack on your system, or simply be a big nuisance because people restart your server by accident. Don't forget to increase the default "Retry delay" to 3-5 seconds. This makes it much more tedious for someone to try to brute force a password on the keyboard.
As a general rule, remove all config options from anyone who hasn't logged in. Also, add a delay between unsuccessful login attempts. These principles probably also apply to KDM and XDM.
Secure NFS: Make sure your "/etc/exports" file specifies access only to your specific network. If you can subnet or further limit access based on this file DO IT! NFS is secured only by IP address, so anyone who has access to the network and is allowed by IP address to access an NFS share can access ALL of the files on that share. Assuming your network is addressed 192.168.1.0 with a subnet mask of 255.255.255.0, here is an example of an "/etc/exports" file:
    #
    #/etc/exports
    #
    ## LTS-begin ##
    #
    # The lines between the 'LTS-begin' and the 'LTS-end' were added
    # on: Sat Mar 15 23:43:40 EST 2003 by the ltsp installation script.
    # For more information, visit the ltsp homepage
    # at http://www.ltsp.org
    #
    #This share is read-only(ro) and holds the kernel and programs necessary to
    # boot a LTSP client machine.
    /opt/ltsp/i386              192.168.1.0/255.255.255.0(ro,no_root_squash,sync)
    #This share is writeable(rw) and holds the swap files (if enabled in
    # /opt/ltsp/i386/etc/lts.conf)
    /var/opt/ltsp/swapfiles     192.168.1.0/255.255.255.0(rw,no_root_squash,async)
    #
    # The following entries need to be uncommented if you want
    # Local App support in ltsp
    #
    #/home                      192.168.1.0/255.255.255.0(rw,no_root_squash,sync)
    ## LTS-end ##
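One way to check that every share in an exports file stays inside the intended network, as an added example that is not part of the original howto or of LTSP. The function name, the sample text and its last three entries are constructed for illustration; hostnames and netgroups are reported because they cannot be proven to sit inside the network without a lookup.

```python
import ipaddress
import re

# Constructed sample: the two LTSP shares from the file above plus three
# constructed risky entries (wildcard client, wider network, no client list).
SAMPLE_EXPORTS = """\
/opt/ltsp/i386           192.168.1.0/255.255.255.0(ro,no_root_squash,sync)
/var/opt/ltsp/swapfiles  192.168.1.0/255.255.255.0(rw,no_root_squash,async)
/home                    *(rw,no_root_squash,sync)
/srv/share               10.0.0.0/255.0.0.0(rw,sync)
/srv/open
"""

CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")  # host(opt,opt,...)


def audit_exports(text, allowed_net):
    """Return (path, client, problem) for every export reaching past allowed_net."""
    allowed = ipaddress.ip_network(allowed_net)
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            findings.append((path, "", "no client list: exported to every host"))
        for client in clients:
            m = CLIENT_RE.match(client)
            host = m.group(1) if m else client
            try:
                inside = ipaddress.ip_network(host, strict=False).subnet_of(allowed)
            except (ValueError, TypeError):
                inside = False   # wildcard, hostname, netgroup or bare "(opts)"
            if not inside:
                findings.append((path, host or "(any)",
                                 "not provably inside " + allowed_net))
    return findings


if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS, "192.168.1.0/24"):
        print(f"{path}: {client or '-'}: {problem}")
```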
Secure Network servers/services through tcpwrappers: Tcpwrappers operates at the application level. Programs that use tcpwrappers such as "inetd," "xinetd," and "gdm" have access controls specified in "/etc/hosts.allow" and "/etc/hosts.deny". As in NFS, you can specify access by IP address, but you can also specify by hostname, or you can have it match parts of an IP address. For more info, type "man hosts.allow" or "man hosts.deny".
An example using 192.168.1.0 with a subnet mask of 255.255.255.0:
    #
    # hosts.allow   This file describes the names of the hosts which are
    #               allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    ## LTS-begin ##
    #
    # The lines between the 'LTS-begin' and the 'LTS-end' were added
    # on: Sat Mar 15 23:43:40 EST 2003 by the ltsp installation script.
    # For more information, visit the ltsp homepage
    # at http://www.ltsp.org
    #
    #It is important to leave bootpd at all zeros, because it needs to
    # accept all addresses or it will not be able to hand out ip-addresses.
    bootpd:    0.0.0.0
    in.tftpd:  192.168.1.
    #Access to portmap is necessary for nfs to run.
    portmap:   192.168.1.
    #Leave the loopback address here, or you may not be able to log on the server!
    gdm:       192.168.1. 127.0.0.
    ## LTS-end ##
Also, an example of "/etc/hosts.deny":
    #
    # hosts.deny    This file describes the names of the hosts which are
    #               *not* allowed to use the local INET services, as decided
    #               by the '/usr/sbin/tcpd' server.
    #
    # The portmap line is redundant, but it is left to remind you that
    # the new secure portmap uses hosts.deny and hosts.allow. In particular
    # you should know that NFS uses portmap!
    #If you lose connectivity, comment out the following lines, for troubleshooting
    # purposes, but don't forget to un-comment them or it allows _ALL_ connections.
    ALL:ALL
    ALL:PARANOID
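How the two files above combine into a decision, as an added example that is not part of the original howto or of the tcpwrappers code. It is a simplified model of the lookup order described in "man hosts.allow" (allow file first, then deny file, access granted when neither matches), limited to IPv4 address patterns; hostnames, PARANOID, EXCEPT and option fields are not modelled, and the function names are chosen for illustration.

```python
import ipaddress

# Rules copied from the hosts.allow and hosts.deny examples above, comments dropped.
HOSTS_ALLOW = """\
bootpd:    0.0.0.0
in.tftpd:  192.168.1.
portmap:   192.168.1.
gdm:       192.168.1. 127.0.0.
"""
HOSTS_DENY = "ALL:ALL\nALL:PARANOID\n"   # PARANOID needs DNS and never matches here


def parse(text):
    """Yield (daemon_list, client_list) for each rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":")[:2]
            yield daemons.replace(",", " ").split(), clients.replace(",", " ").split()


def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # leading address fields, e.g. "192.168.1."
        return addr.startswith(pattern)
    if "/" in pattern:                   # n.n.n.n/m.m.m.m net/mask pair
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr               # exact address, e.g. "0.0.0.0"


def rule_hit(text, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in parse(text))


def access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow file is consulted first, then deny; no match in either grants access."""
    if rule_hit(allow, daemon, addr):
        return "granted"
    if rule_hit(deny, daemon, addr):
        return "denied"
    return "granted"
```

Calling `access("gdm", "10.1.2.3", deny="")` models the troubleshooting state where the hosts.deny lines are commented out: the off-network client is granted access, which is why those lines must be restored.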
Secure the machine with an iptables firewall: It is still important to add a set of filters for iptables or ipchains to catch any other vulnerabilities that might arise. Iptables and ipchains are capable of accepting or rejecting packets at the socket level.
Iptables seems to be the preferred method right now. If you want to simplify configuration of iptables, use this PHP firewall script to do it for you. Make sure you run only one of these methods, as they may cancel each other out. There are much better HOWTOs on iptables and ipchains, so use them.
LTSP Installation guide: 4. Security Concerns.
Linux Networking Overview
Linux Security HOWTO
Linux Firewall-HOWTO
Netfilter or iptables
Linux XDMCP HOWTO
Setting Up Your Own Diskless Workstations with LTSP: A Few Notes About Security from LinuxPlanet.
The most current version of ltsp-basic_security (this document).