Ubuntu in the University: dangerous installed applications?
Scott J. Henson
shenson at mix.wvu.edu
Thu Oct 26 18:21:08 UTC 2006
Daniel Allen wrote:
> Hi,
>
> We've deployed a set of Ubuntu servers to act as X11 servers in a
> university setting for Computer Science students.
>
> It's come up that... some of the packages that are installed by default
> probably shouldn't be, both by policy and to reduce undergrads'
> opportunities for mischief. Right now we're looking at netcat and
> bittorrent. Suggestions for other mischief tools? (Yes, I know this
> could be a loaded question based on definitions- we're not removing ssh
> or firefox, obviously. I'd prefer keeping this discussion to specific
> packages that are high or reasonably high risk for abuse by crafty
> students; from these, we can select the minimal number to remove to
> reduce the greatest amount of headache for us admins. Thanks.)
As a person who works for a university computer science
department, your looking at this wrong. We use Ubuntu
extensively and give our students access to many tools above
the default install. The default install of Ubuntu is
generally very secure. We install ssh and allow students to
access X11 that way. Doing X11 over xdmcp can be dangerous,
so X11 forwarding over ssh is much safer.
As for things like netcat and bittorrent, your going to
drive yourself crazy trying to track down things like this.
Removing netcat gets you nothing as I can create a
replacement in python in probably less than 10 lines of
code, and the desktop requires python for some pretty major
parts. If you want you could use firewalls on the machines
themselves and on the routers to restrict network access.
Like shutting down bittorent and access to ports you don't
want the students to have access to. In all honesty, going
any further than that makes the computers less useful
(especially to CS students) and you would be fighting a
losing battle.
The two best things you can do is to make sure the students
can't get root access(aka keep up to date on security and
watch what additional packages you install) and lock down
the network to limit damage. If you already have windows
hosts on this network, then its probably already
sufficiently locked down. In my experience as a system
admin, Ubuntu machines will cause less problems.
Oh, also you might want to look into a syslog host if your
really paranoid. That way if someone does do something bad
you can look at using the traditional university punishment
system to curtail the malicious activity. Remember, the
students aren't the enemy by default and you shouldn't
assume they are going to be trying to bring down the intarweb.
--
Scott Henson
LCSEE Systems Staff
WVU MAE Undergraduate
Ubuntu User
More information about the ubuntu-users
mailing list